Analysis
max time kernel: 151s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 22-07-2021 07:59
Static task: static1
Behavioral task: behavioral1
Sample: 6c6a951636ae4dee7a842c6af1d43236.exe
Resource: win7v20210410
General
Target: 6c6a951636ae4dee7a842c6af1d43236.exe
Size: 1.2MB
MD5: 6c6a951636ae4dee7a842c6af1d43236
SHA1: 387e2f026ca3ec2a291b09fa76f88fe40ae7007c
SHA256: 2ebc7cf945c4eba60eb0f25f6b58eb8d7d0558f6b5622530b2b3808987173952
SHA512: 3324a70e328be9cdbbe60f47da1254208032b73e6b48cbfea9d070b50378a1ed0f6df32b62c3b16712b78ddcaa0b696ee196f8e9448c3b0f025a9f1d36857311
Malware Config
Extracted
darkcomet
ADSAW
secret92.ddns.net:82
DC_MUTEX-TAUBLES
InstallPath: MSDCSC\msdcsc.exe
gencode: 4ltiP4nFeytX
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: darknj.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | darknj.exe
-
Executes dropped EXE 5 IoCs
Processes: R-Launcher.exe, darknj.exe, NJ.EXE, msdcsc.exe, WindowsServices.exe
pid | process
3852 | R-Launcher.exe
3208 | darknj.exe
940 | NJ.EXE
3280 | msdcsc.exe
508 | WindowsServices.exe
-
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: darknj.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | darknj.exe
-
Drops startup file 2 IoCs
Processes: WindowsServices.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf6e0aafbf214c3565426c44740c8dce.exe | WindowsServices.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cf6e0aafbf214c3565426c44740c8dce.exe | WindowsServices.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: darknj.exe, msdcsc.exe, WindowsServices.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | darknj.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cf6e0aafbf214c3565426c44740c8dce = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .." | WindowsServices.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cf6e0aafbf214c3565426c44740c8dce = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe\" .." | WindowsServices.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2148 | 584 | WerFault.exe | javaw.exe
-
Modifies registry class 1 IoCs
Processes: darknj.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | darknj.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: WerFault.exe, NJ.EXE
pid | process
2148 | WerFault.exe
940 | NJ.EXE
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: msdcsc.exe
pid | process
3280 | msdcsc.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: darknj.exe, WerFault.exe, msdcsc.exe, NJ.EXE, WindowsServices.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 3208 | darknj.exe
Token: SeDebugPrivilege | 2148 | WerFault.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | 3280 | msdcsc.exe
Token: SeDebugPrivilege | 940 | NJ.EXE
Token: SeDebugPrivilege, 33, SeIncBasePriorityPrivilege | 508 | WindowsServices.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: msdcsc.exe
pid | process
3280 | msdcsc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 6c6a951636ae4dee7a842c6af1d43236.exe, R-Launcher.exe, darknj.exe, cmd.exe, cmd.exe, msdcsc.exe
description | pid | process | target process
PID 856 wrote to memory of 3852 | 856 | 6c6a951636ae4dee7a842c6af1d43236.exe | R-Launcher.exe
PID 856 wrote to memory of 3208 | 856 | 6c6a951636ae4dee7a842c6af1d43236.exe | darknj.exe
PID 3852 wrote to memory of 584 | 3852 | R-Launcher.exe | javaw.exe
PID 3208 wrote to memory of 2620 | 3208 | darknj.exe | cmd.exe
PID 3208 wrote to memory of 196 | 3208 | darknj.exe | cmd.exe
PID 3208 wrote to memory of 940 | 3208 | darknj.exe | NJ.EXE
PID 2620 wrote to memory of 972 | 2620 | cmd.exe | attrib.exe
PID 196 wrote to memory of 2816 | 196 | cmd.exe | attrib.exe
PID 3208 wrote to memory of 2144 | 3208 | darknj.exe | notepad.exe
PID 3208 wrote to memory of 3280 | 3208 | darknj.exe | msdcsc.exe
PID 3280 wrote to memory of 2252 | 3280 | msdcsc.exe | notepad.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid | process
2816 | attrib.exe
972 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\6c6a951636ae4dee7a842c6af1d43236.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6c6a951636ae4dee7a842c6af1d43236.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\R-Launcher.exe"
      [4] C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 584 -s 352
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\darknj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\darknj.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Users\Admin\AppData\Local\Temp\darknj.exe" +s +h
          - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\attrib.exe
          Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Views/modifies file attributes
    [3] C:\Users\Admin\AppData\Local\Temp\NJ.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\NJ.EXE"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Roaming\WindowsServices.exe
          Command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
          - Executes dropped EXE
          - Drops startup file
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
    [3] C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
    [3] C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
        Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads