Analysis
max time kernel: 330s
max time network: 395s
platform: windows10_x64
resource: win10v20210410
submitted: 21-04-2021 18:06
Static task: static1
Behavioral task: behavioral1 (Sample: dashdV.exe, Resource: win10v20210410)
Behavioral task: behavioral2 (Sample: dashdV.exe, Resource: win10v20210408)
Behavioral task: behavioral3 (Sample: dashdV.exe, Resource: win10v20210410)
Behavioral task: behavioral4 (Sample: dashdV.exe, Resource: win10v20210410)
Behavioral task: behavioral5 (Sample: dashdV.exe, Resource: win7v20210410)
General
Target: dashdV.exe
Size: 17.1MB
MD5: 765f570a565d578f2ace3ccb41cef038
SHA1: 89b44e3aa8f3c93f80ae29f7a36a9486b080229d
SHA256: 0d7c515d3483b45d5725717070e8497435c39b3450af59194b2a32a33c2867e8
SHA512: 941862a1d09e70725f9826b05dc8a8c7442add91229f39ac7ea9d4e6b8d0f751d749ac6b6ac2202290122945e14bab06516680a7007598af7cca62ac1b465898
Malware Config
Signatures
-
Processes:
resource  yara_rule
C:\ProgramData\aye.exe  Dark_crystal_rat
C:\ProgramData\aye.exe  Dark_crystal_rat
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Processes:
netDhcpDriverruntimeCommon.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities\\OfficeClickToRun.exe\", \"C:\\Windows\\explorer\\explorer.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\", \"C:\\Windows\\System32\\INETRES\\dllhost.exe\", \"C:\\Windows\\System32\\BioIso\\winlogon.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities\\OfficeClickToRun.exe\", \"C:\\Windows\\explorer\\explorer.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\", \"C:\\Windows\\System32\\INETRES\\dllhost.exe\", \"C:\\Windows\\System32\\BioIso\\winlogon.exe\", \"C:\\Windows\\System32\\nshhttp\\taskhostw.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities\\OfficeClickToRun.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities\\OfficeClickToRun.exe\", \"C:\\Windows\\explorer\\explorer.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities\\OfficeClickToRun.exe\", \"C:\\Windows\\explorer\\explorer.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities\\OfficeClickToRun.exe\", \"C:\\Windows\\explorer\\explorer.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\", \"C:\\Windows\\System32\\INETRES\\dllhost.exe\""  netDhcpDriverruntimeCommon.exe
-
Drops file in Drivers directory 1 IoCs
Processes:
taskhostw.exe
description  ioc  process
File opened for modification  C:\Windows\System32\drivers\etc\hosts  taskhostw.exe
-
Executes dropped EXE 3 IoCs
Processes:
aye.exe, netDhcpDriverruntimeCommon.exe, taskhostw.exe
pid  process
1748  aye.exe
2784  netDhcpDriverruntimeCommon.exe
3956  taskhostw.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
Processes:
netDhcpDriverruntimeCommon.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\INETRES\\dllhost.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\nshhttp\\taskhostw.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\nshhttp\\taskhostw.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities\\OfficeClickToRun.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Internet Explorer\\images\\wininit.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\INETRES\\dllhost.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\BioIso\\winlogon.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ClientCapabilities\\OfficeClickToRun.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\explorer\\explorer.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\explorer\\explorer.exe\""  netDhcpDriverruntimeCommon.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\BioIso\\winlogon.exe\""  netDhcpDriverruntimeCommon.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
34  ip-api.com
36  ipinfo.io
37  ipinfo.io
-
Drops file in System32 directory 13 IoCs
Processes:
aye.exe, netDhcpDriverruntimeCommon.exe
description  ioc  process
File opened for modification  C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe  aye.exe
File created  C:\Windows\System32\INETRES\dllhost.exe  netDhcpDriverruntimeCommon.exe
File created  C:\Windows\System32\nshhttp\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988  netDhcpDriverruntimeCommon.exe
File opened for modification  C:\Windows\SysWOW64\D2RrWRv0Po.vbe  aye.exe
File created  C:\Windows\System32\INETRES\5940a34987c99120d96dace90a3f93f329dcad63  netDhcpDriverruntimeCommon.exe
File created  C:\Windows\System32\BioIso\winlogon.exe  netDhcpDriverruntimeCommon.exe
File created  C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259289187  aye.exe
File created  C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat  aye.exe
File opened for modification  C:\Windows\SysWOW64\kk946QGUYfip6zCEWvxdUIQltPP.bat  aye.exe
File created  C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe  aye.exe
File created  C:\Windows\SysWOW64\D2RrWRv0Po.vbe  aye.exe
File created  C:\Windows\System32\BioIso\cc11b995f2a76da408ea6a601e682e64743153ad  netDhcpDriverruntimeCommon.exe
File created  C:\Windows\System32\nshhttp\taskhostw.exe  netDhcpDriverruntimeCommon.exe
-
Drops file in Program Files directory 5 IoCs
Processes:
netDhcpDriverruntimeCommon.exe
description  ioc  process
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities\OfficeClickToRun.exe  netDhcpDriverruntimeCommon.exe
File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities\e6c9b481da804f07baff8eff543b0a1441069b5d  netDhcpDriverruntimeCommon.exe
File created  C:\Program Files (x86)\Internet Explorer\images\wininit.exe  netDhcpDriverruntimeCommon.exe
File created  C:\Program Files (x86)\Internet Explorer\images\560854153607923c4c5f107085a7db67be01f252  netDhcpDriverruntimeCommon.exe
File created  C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities\OfficeClickToRun.exe  netDhcpDriverruntimeCommon.exe
-
Drops file in Windows directory 2 IoCs
Processes:
netDhcpDriverruntimeCommon.exe
description  ioc  process
File created  C:\Windows\explorer\explorer.exe  netDhcpDriverruntimeCommon.exe
File created  C:\Windows\explorer\7a0fd90576e08807bde2cc57bcf9854bbce05fe3  netDhcpDriverruntimeCommon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid  process
632  schtasks.exe
296  schtasks.exe
204  schtasks.exe
2888  schtasks.exe
2280  schtasks.exe
2072  schtasks.exe
-
Modifies registry class 2 IoCs
Processes:
aye.exe, netDhcpDriverruntimeCommon.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  aye.exe
Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  netDhcpDriverruntimeCommon.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
netDhcpDriverruntimeCommon.exe, taskhostw.exe
pid  process
2784  netDhcpDriverruntimeCommon.exe
2784  netDhcpDriverruntimeCommon.exe
2784  netDhcpDriverruntimeCommon.exe
3956  taskhostw.exe
3956  taskhostw.exe
3956  taskhostw.exe
3956  taskhostw.exe
3956  taskhostw.exe
3956  taskhostw.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
dashdV.exe, netDhcpDriverruntimeCommon.exe, taskhostw.exe
description  pid  process
Token: SeDebugPrivilege  3152  dashdV.exe
Token: SeDebugPrivilege  2784  netDhcpDriverruntimeCommon.exe
Token: SeDebugPrivilege  3956  taskhostw.exe
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes:
dashdV.exe, aye.exe, WScript.exe, cmd.exe, netDhcpDriverruntimeCommon.exe, cmd.exe
description  pid  process  target process
PID 3152 wrote to memory of 1748  3152  dashdV.exe  aye.exe
PID 3152 wrote to memory of 1748  3152  dashdV.exe  aye.exe
PID 3152 wrote to memory of 1748  3152  dashdV.exe  aye.exe
PID 1748 wrote to memory of 2076  1748  aye.exe  WScript.exe
PID 1748 wrote to memory of 2076  1748  aye.exe  WScript.exe
PID 1748 wrote to memory of 2076  1748  aye.exe  WScript.exe
PID 2076 wrote to memory of 4036  2076  WScript.exe  cmd.exe
PID 2076 wrote to memory of 4036  2076  WScript.exe  cmd.exe
PID 2076 wrote to memory of 4036  2076  WScript.exe  cmd.exe
PID 4036 wrote to memory of 2784  4036  cmd.exe  netDhcpDriverruntimeCommon.exe
PID 4036 wrote to memory of 2784  4036  cmd.exe  netDhcpDriverruntimeCommon.exe
PID 2784 wrote to memory of 632  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 632  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 632  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 296  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 296  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 296  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 204  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 204  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 204  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2888  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2888  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2888  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2280  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2280  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2280  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2072  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2072  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2072  2784  netDhcpDriverruntimeCommon.exe  schtasks.exe
PID 2784 wrote to memory of 2076  2784  netDhcpDriverruntimeCommon.exe  cmd.exe
PID 2784 wrote to memory of 2076  2784  netDhcpDriverruntimeCommon.exe  cmd.exe
PID 2076 wrote to memory of 3304  2076  cmd.exe  chcp.com
PID 2076 wrote to memory of 3304  2076  cmd.exe  chcp.com
PID 2076 wrote to memory of 396  2076  cmd.exe  PING.EXE
PID 2076 wrote to memory of 396  2076  cmd.exe  PING.EXE
PID 2076 wrote to memory of 3956  2076  cmd.exe  taskhostw.exe
PID 2076 wrote to memory of 3956  2076  cmd.exe  taskhostw.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\dashdV.exe
    "C:\Users\Admin\AppData\Local\Temp\dashdV.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[2] C:\ProgramData\aye.exe
    "C:\ProgramData\aye.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[3] C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\system32\D2RrWRv0Po.vbe"
    - Suspicious use of WriteProcessMemory
[4] C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\kk946QGUYfip6zCEWvxdUIQltPP.bat" "
    - Suspicious use of WriteProcessMemory
[5] C:\Windows\SysWOW64\netDhcpDriverruntimeCommon.exe
    "C:\Windows\system32\netDhcpDriverruntimeCommon.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities\OfficeClickToRun.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\explorer\explorer.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\wininit.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\INETRES\dllhost.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\BioIso\winlogon.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
[6] C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\nshhttp\taskhostw.exe'" /rl HIGHEST /f
    - Creates scheduled task(s)
[6] C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\LSInqPny0Y.bat"
    - Suspicious use of WriteProcessMemory
[7] C:\Windows\system32\chcp.com
    chcp 65001
[7] C:\Windows\system32\PING.EXE
    ping -n 5 localhost
    - Runs ping.exe
[7] C:\Windows\System32\nshhttp\taskhostw.exe
    "C:\Windows\System32\nshhttp\taskhostw.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads