Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15-05-2021 11:19
Static task
- static1
Behavioral task
- behavioral1
  Sample: b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll
  Resource: win7v20210408
Behavioral task
- behavioral2
  Sample: b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll
  Resource: win10v20210410
General
- Target: b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll
- Size: 5.0MB
- MD5: 17464a712d66c4dc954e392394f920dd
- SHA1: 45fd965dc3e2a325c1f132f1f30e38ce1d89d44e
- SHA256: b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5
- SHA512: fc97ea8fc0f99c1f15673f2e3d01f39db44f3c5cf35e82b4baca1b503a2684688830d30cc73345b816ddc10ce870c2f69471765630a37ccb843afd352eb3f7d2
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes: mssecsvc.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | mssecsvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | mssecsvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | mssecsvc.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1" | mssecsvc.exe
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes: WerFault.exe
description | pid | process | target process
PID 3064 created 1212 | 3064 | WerFault.exe | mssecsvc.exe
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Executes dropped EXE 2 IoCs
Processes: mssecsvc.exe, mssecsvc.exe
pid | process
1212 | mssecsvc.exe
4052 | mssecsvc.exe
-
Drops file in System32 directory 5 IoCs
Processes: mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3064 | 1212 | WerFault.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 8 IoCs
Processes: mssecsvc.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, WerFault.exe
pid | process
1212 | mssecsvc.exe
4052 | mssecsvc.exe
3064 | WerFault.exe
-
Suspicious behavior: MapViewOfSection 64 IoCs
Processes: mssecsvc.exe, mssecsvc.exe
pid | process
1212 | mssecsvc.exe
4052 | mssecsvc.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, WerFault.exe
description | pid | process
Token: SeDebugPrivilege | 1212 | mssecsvc.exe
Token: SeDebugPrivilege | 4052 | mssecsvc.exe
Token: SeRestorePrivilege | 3064 | WerFault.exe
Token: SeBackupPrivilege | 3064 | WerFault.exe
Token: SeDebugPrivilege | 3064 | WerFault.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe, rundll32.exe, mssecsvc.exe
description | pid | process | target process
PID 2116 wrote to memory of 3168 | 2116 | rundll32.exe | rundll32.exe
PID 3168 wrote to memory of 1212 | 3168 | rundll32.exe | mssecsvc.exe
PID 1212 wrote to memory of 560 | 1212 | mssecsvc.exe | winlogon.exe
PID 1212 wrote to memory of 636 | 1212 | mssecsvc.exe | lsass.exe
PID 1212 wrote to memory of 716 | 1212 | mssecsvc.exe | fontdrvhost.exe
PID 1212 wrote to memory of 720 | 1212 | mssecsvc.exe | fontdrvhost.exe
PID 1212 wrote to memory of 732 | 1212 | mssecsvc.exe | svchost.exe
PID 1212 wrote to memory of 800 | 1212 | mssecsvc.exe | svchost.exe
PID 1212 wrote to memory of 840 | 1212 | mssecsvc.exe | svchost.exe
PID 1212 wrote to memory of 896 | 1212 | mssecsvc.exe | svchost.exe
PID 1212 wrote to memory of 984 | 1212 | mssecsvc.exe | dwm.exe
PID 1212 wrote to memory of 1012 | 1212 | mssecsvc.exe | svchost.exe
Processes
- [1] C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
- [1] C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
- [2] C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- [2] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- [1] C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservice -s nsi
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservice -s FontCache
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
- [1] C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
- [1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [1] C:\Windows\system32\wbem\wmiprvse.exe
  command line: C:\Windows\system32\wbem\wmiprvse.exe
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservice -s CDPSvc
- [1] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
- [2] C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll,#1
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll,#1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
- [4] C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe
  - Modifies firewall policy service
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1224
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [1] c:\windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
- [2] C:\Windows\system32\wbem\WMIADAP.EXE
  command line: wmiadap.exe /F /T /R
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
- [1] C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Browser
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
- [1] c:\windows\system32\sihost.exe
  command line: sihost.exe
- [1] C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x3b4
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
- [1] C:\Windows\System32\spoolsv.exe
  command line: C:\Windows\System32\spoolsv.exe
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k appmodel -s StateRepository
- [1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
- [1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservice -s netprofm
- [1] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservice -s Dnscache
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s SENS
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Themes
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservice -s EventSystem
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
- [1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k rpcss
- [1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- [2] C:\Windows\system32\wbem\wmiprvse.exe
  command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
- [2] C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- [1] c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
- [1] \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
- [1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
- [1] \??\c:\windows\system32\svchost.exe
  command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
- [1] C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  MD5: ccca5e8df7b968fc829edca79c129d35
  SHA1: f8c88dc2f0e2fea59df40322df4c6b5bf7513ab3
  SHA256: 5b16162218e51f2661bc42706c1dd083e3f919ca754d6fe2acda57ad4b1299ae
  SHA512: 1a26bbad4b23d11ce1afa099d41d737682e2bf08c0bad7f98644a9af8b58d6e5562ed59e4793c2e64ab0e4785eaf9e2f2e2fd799d906de4598a61bb301836d82
- C:\Windows\mssecsvc.exe
  MD5: ccca5e8df7b968fc829edca79c129d35
  SHA1: f8c88dc2f0e2fea59df40322df4c6b5bf7513ab3
  SHA256: 5b16162218e51f2661bc42706c1dd083e3f919ca754d6fe2acda57ad4b1299ae
  SHA512: 1a26bbad4b23d11ce1afa099d41d737682e2bf08c0bad7f98644a9af8b58d6e5562ed59e4793c2e64ab0e4785eaf9e2f2e2fd799d906de4598a61bb301836d82
-
memory/1212-115-0x0000000000000000-mapping.dmp
-
memory/1212-119-0x000000007FE90000-0x000000007FE9C000-memory.dmp
Filesize: 48KB
-
memory/3168-114-0x0000000000000000-mapping.dmp