Analysis
max time kernel: 292s
max time network: 293s
platform: windows10_x64
resource: win10v20210408
submitted: 21-04-2021 18:06
Static task: static1
Behavioral task | Sample | Resource
behavioral1 | dashdV.exe | win10v20210410
behavioral2 | dashdV.exe | win10v20210408
behavioral3 | dashdV.exe | win10v20210410
behavioral4 | dashdV.exe | win10v20210410
behavioral5 | dashdV.exe | win7v20210410
General
Target: dashdV.exe
Size: 17.1MB
MD5: 765f570a565d578f2ace3ccb41cef038
SHA1: 89b44e3aa8f3c93f80ae29f7a36a9486b080229d
SHA256: 0d7c515d3483b45d5725717070e8497435c39b3450af59194b2a32a33c2867e8
SHA512: 941862a1d09e70725f9826b05dc8a8c7442add91229f39ac7ea9d4e6b8d0f751d749ac6b6ac2202290122945e14bab06516680a7007598af7cca62ac1b465898
Malware Config
Signatures
-
Processes:
resource | yara_rule
C:\ProgramData\aye.exe | Dark_crystal_rat
C:\ProgramData\aye.exe | Dark_crystal_rat
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 8 IoCs
Processes:
netDhcpDriverruntimeCommon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\smss.exe\", \"C:\\odt\\dwm.exe\", \"C:\\ProgramData\\Documents\\OfficeClickToRun.exe\", \"C:\\Boot\\qps-ploc\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WmiPrvSE.exe\", \"C:\\odt\\services.exe\", \"C:\\Windows\\System32\\wbem\\WmiApSrv\\WmiPrvSE.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\smss.exe\", \"C:\\odt\\dwm.exe\", \"C:\\ProgramData\\Documents\\OfficeClickToRun.exe\", \"C:\\Boot\\qps-ploc\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WmiPrvSE.exe\", \"C:\\odt\\services.exe\", \"C:\\Windows\\System32\\wbem\\WmiApSrv\\WmiPrvSE.exe\", \"C:\\Windows\\System32\\TaskApis\\dwm.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\smss.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\smss.exe\", \"C:\\odt\\dwm.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\smss.exe\", \"C:\\odt\\dwm.exe\", \"C:\\ProgramData\\Documents\\OfficeClickToRun.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\smss.exe\", \"C:\\odt\\dwm.exe\", \"C:\\ProgramData\\Documents\\OfficeClickToRun.exe\", \"C:\\Boot\\qps-ploc\\wininit.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\smss.exe\", \"C:\\odt\\dwm.exe\", \"C:\\ProgramData\\Documents\\OfficeClickToRun.exe\", \"C:\\Boot\\qps-ploc\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WmiPrvSE.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\odt\\smss.exe\", \"C:\\odt\\dwm.exe\", \"C:\\ProgramData\\Documents\\OfficeClickToRun.exe\", \"C:\\Boot\\qps-ploc\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WmiPrvSE.exe\", \"C:\\odt\\services.exe\"" | netDhcpDriverruntimeCommon.exe
-
Drops file in Drivers directory 1 IoCs
Processes:
dwm.exe
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | dwm.exe
-
Executes dropped EXE 3 IoCs
Processes:
aye.exe, netDhcpDriverruntimeCommon.exe, dwm.exe
pid | process
1308 | aye.exe
2312 | netDhcpDriverruntimeCommon.exe
3840 | dwm.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 16 IoCs
Processes:
netDhcpDriverruntimeCommon.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WmiPrvSE.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\TaskApis\\dwm.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Boot\\qps-ploc\\wininit.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\WmiPrvSE.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\WmiApSrv\\WmiPrvSE.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\WmiApSrv\\WmiPrvSE.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\odt\\smss.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\odt\\smss.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\odt\\dwm.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\ProgramData\\Documents\\OfficeClickToRun.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\System32\\TaskApis\\dwm.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\odt\\dwm.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\ProgramData\\Documents\\OfficeClickToRun.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Boot\\qps-ploc\\wininit.exe\"" | netDhcpDriverruntimeCommon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\"" | netDhcpDriverruntimeCommon.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
31 | ip-api.com
-
Drops file in System32 directory 11 IoCs
Processes:
aye.exe, netDhcpDriverruntimeCommon.exe
description | ioc | process
File created | C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat | aye.exe
File created | C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe | aye.exe
File opened for modification | C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe | aye.exe
File created | C:\Windows\SysWOW64\D2RrWRv0Po.vbe | aye.exe
File opened for modification | C:\Windows\SysWOW64\D2RrWRv0Po.vbe | aye.exe
File created | C:\Windows\System32\wbem\WmiApSrv\WmiPrvSE.exe | netDhcpDriverruntimeCommon.exe
File created | C:\Windows\System32\TaskApis\dwm.exe | netDhcpDriverruntimeCommon.exe
File created | C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259319359 | aye.exe
File opened for modification | C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat | aye.exe
File created | C:\Windows\System32\wbem\WmiApSrv\24dbde2999530ef5fd907494bc374d663924116c | netDhcpDriverruntimeCommon.exe
File created | C:\Windows\System32\TaskApis\6cb0b6c459d5d3455a3da700e713f2e2529862ff | netDhcpDriverruntimeCommon.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
netDhcpDriverruntimeCommon.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\WmiPrvSE.exe | netDhcpDriverruntimeCommon.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\24dbde2999530ef5fd907494bc374d663924116c | netDhcpDriverruntimeCommon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid | process
3836 | schtasks.exe
3600 | schtasks.exe
1496 | schtasks.exe
1628 | schtasks.exe
3396 | schtasks.exe
676 | schtasks.exe
2408 | schtasks.exe
788 | schtasks.exe
-
Modifies registry class 2 IoCs
Processes:
aye.exe, netDhcpDriverruntimeCommon.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | aye.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | netDhcpDriverruntimeCommon.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
netDhcpDriverruntimeCommon.exe, dwm.exe
pid | process
2312 | netDhcpDriverruntimeCommon.exe
2312 | netDhcpDriverruntimeCommon.exe
2312 | netDhcpDriverruntimeCommon.exe
2312 | netDhcpDriverruntimeCommon.exe
2312 | netDhcpDriverruntimeCommon.exe
3840 | dwm.exe
3840 | dwm.exe
3840 | dwm.exe
3840 | dwm.exe
3840 | dwm.exe
3840 | dwm.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
dashdV.exe, netDhcpDriverruntimeCommon.exe, dwm.exe
description | pid | process
Token: SeDebugPrivilege | 624 | dashdV.exe
Token: SeDebugPrivilege | 2312 | netDhcpDriverruntimeCommon.exe
Token: SeDebugPrivilege | 3840 | dwm.exe
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes:
dashdV.exe, aye.exe, WScript.exe, cmd.exe, netDhcpDriverruntimeCommon.exe, cmd.exe
description | pid | process | target process
PID 624 wrote to memory of 1308 | 624 | dashdV.exe | aye.exe
PID 624 wrote to memory of 1308 | 624 | dashdV.exe | aye.exe
PID 624 wrote to memory of 1308 | 624 | dashdV.exe | aye.exe
PID 1308 wrote to memory of 1504 | 1308 | aye.exe | WScript.exe
PID 1308 wrote to memory of 1504 | 1308 | aye.exe | WScript.exe
PID 1308 wrote to memory of 1504 | 1308 | aye.exe | WScript.exe
PID 1504 wrote to memory of 636 | 1504 | WScript.exe | cmd.exe
PID 1504 wrote to memory of 636 | 1504 | WScript.exe | cmd.exe
PID 1504 wrote to memory of 636 | 1504 | WScript.exe | cmd.exe
PID 636 wrote to memory of 2312 | 636 | cmd.exe | netDhcpDriverruntimeCommon.exe
PID 636 wrote to memory of 2312 | 636 | cmd.exe | netDhcpDriverruntimeCommon.exe
PID 2312 wrote to memory of 676 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 676 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 676 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 2408 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 2408 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 2408 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 788 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 788 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 788 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 3836 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 3836 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 3836 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 3600 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 3600 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 3600 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 1496 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 1496 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 1496 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 1628 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 1628 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 1628 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 3396 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 3396 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 3396 | 2312 | netDhcpDriverruntimeCommon.exe | schtasks.exe
PID 2312 wrote to memory of 2120 | 2312 | netDhcpDriverruntimeCommon.exe | cmd.exe
PID 2312 wrote to memory of 2120 | 2312 | netDhcpDriverruntimeCommon.exe | cmd.exe
PID 2120 wrote to memory of 1124 | 2120 | cmd.exe | chcp.com
PID 2120 wrote to memory of 1124 | 2120 | cmd.exe | chcp.com
PID 2120 wrote to memory of 1148 | 2120 | cmd.exe | PING.EXE
PID 2120 wrote to memory of 1148 | 2120 | cmd.exe | PING.EXE
PID 2120 wrote to memory of 3840 | 2120 | cmd.exe | dwm.exe
PID 2120 wrote to memory of 3840 | 2120 | cmd.exe | dwm.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\dashdV.exe
    "C:\Users\Admin\AppData\Local\Temp\dashdV.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[2] C:\ProgramData\aye.exe
    "C:\ProgramData\aye.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
[3] C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\system32\D2RrWRv0Po.vbe"
- Suspicious use of WriteProcessMemory
-
[4] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\kk946QGUYfip6zCEWvxdUIQltPP.bat" "
- Suspicious use of WriteProcessMemory
-
[5] C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
    "C:\Windows\system32\netDhcpDriverruntimeCommon.exe"
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\ProgramData\Documents\OfficeClickToRun.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Boot\qps-ploc\wininit.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\WmiPrvSE.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\WmiApSrv\WmiPrvSE.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\System32\TaskApis\dwm.exe'" /rl HIGHEST /f
- Creates scheduled task(s)
-
[6] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\CFskEsiPSt.bat"
- Suspicious use of WriteProcessMemory
-
[7] C:\Windows\system32\chcp.com
    chcp 65001
-
[7] C:\Windows\system32\PING.EXE
    ping -n 5 localhost
- Runs ping.exe
-
[7] C:\Windows\System32\TaskApis\dwm.exe
    "C:\Windows\System32\TaskApis\dwm.exe"
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads