Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10v20210408
submitted: 21-09-2021 09:10

Behavioral task: behavioral1
Sample: 820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe
Resource: win7-en-20210920

General
Target: 820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe
Size: 732KB
MD5: a1c0d1485d1f2ac0d660ea28502e79ae
SHA1: fcd8a01e7c022c086747a680bb8995f9279aaa8c
SHA256: 820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0
SHA512: d44e3ecaefe8012aeaf5b3b4adf0d4aa6e2b9cf4565960def0c665d6294f7b21fa006a8d99b4e847b2a2f8eb0e9981bc4ce2f2f377541e53d84295b94108ad1f
Malware Config

Extracted: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet: HacKed
C2: marbeyli.ddns.net:5552
Mutex: Windows Update
reg_key: Windows Update
splitter: |Hassan|

Extracted: darkcomet
Botnet: Sazan
C2: marbeyli.ddns.net:443
Mutex: DC_MUTEX-WF3HSVR
InstallPath: MSDCSC\svchost.exe
gencode: CTg6jh11p8Xh
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe"
  process: 820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe

Async RAT payload (7 IoCs)
Processes (resource / yara_rule):
  C:\Users\Admin\AppData\Local\Temp\CHROME.EXE  asyncrat
  C:\Users\Admin\AppData\Local\Temp\CHROME.EXE  asyncrat
  C:\Users\Admin\Documents\MSDCSC\svchost.exe  asyncrat
  C:\Users\Admin\Documents\MSDCSC\svchost.exe  asyncrat
  C:\Users\Admin\AppData\Local\Temp\CHROME.EXE  asyncrat
  C:\Users\Admin\AppData\Roaming\svchost.exe  asyncrat
  C:\Users\Admin\AppData\Roaming\svchost.exe  asyncrat

Executes dropped EXE (8 IoCs)
Processes (pid / process):
  1320  CHROME.EXE
  1360  SVCHOST.EXE
  1860  svchost.exe
  2276  CHROME.EXE
  2356  SVCHOST.EXE
  3664  svchost.exe
  2216  Server.exe
  2008  Server.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation
  process: 820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe"
  process: 820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
  3776  schtasks.exe
  3064  schtasks.exe

Delays execution with timeout.exe (1 IoC)
Processes (pid / process):
  4004  timeout.exe

Modifies registry class (1 IoC)
Processes:
  description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance
  process: 820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes (pid / process):
  1320  CHROME.EXE  (13 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid / process):
  1360  SVCHOST.EXE

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (pid / process: tokens adjusted, in the order reported):
  912  820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe (24 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  1860  svchost.exe (24 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  1320  CHROME.EXE (1 entry): SeDebugPrivilege
  3664  svchost.exe (1 entry): SeDebugPrivilege
  1360  SVCHOST.EXE (14 entries): SeDebugPrivilege, then 33 and SeIncBasePriorityPrivilege alternating (33 seven times, SeIncBasePriorityPrivilege six times)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
  1860  svchost.exe

Suspicious use of WriteProcessMemory (30 IoCs)
Processes (source pid / source process -> target pid / target process, number of entries in parentheses):
  912   820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe  -> 1320  CHROME.EXE    (3)
  912   820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe  -> 1360  SVCHOST.EXE   (2)
  912   820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe  -> 1860  svchost.exe   (3)
  1860  svchost.exe   -> 2276  CHROME.EXE    (3)
  1860  svchost.exe   -> 2356  SVCHOST.EXE   (2)
  1360  SVCHOST.EXE   -> 3776  schtasks.exe  (2)
  1320  CHROME.EXE    -> 2228  cmd.exe       (3)
  1320  CHROME.EXE    -> 4076  cmd.exe       (3)
  2228  cmd.exe       -> 3064  schtasks.exe  (3)
  4076  cmd.exe       -> 4004  timeout.exe   (3)
  4076  cmd.exe       -> 3664  svchost.exe   (3)
Processes (process tree; indentation and level number give the depth in the tree)

Level 1: C:\Users\Admin\AppData\Local\Temp\820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        - Creates scheduled task(s)

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9843.tmp.bat""
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 3
        - Delays execution with timeout.exe

      Level 4: C:\Users\Admin\AppData\Roaming\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
    Command line: "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SYSTEM32\schtasks.exe
      Command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      - Creates scheduled task(s)

  Level 2: C:\Users\Admin\Documents\MSDCSC\svchost.exe
    Command line: "C:\Users\Admin\Documents\MSDCSC\svchost.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\CHROME.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\CHROME.EXE"
      - Executes dropped EXE

    Level 3: C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE"
      - Executes dropped EXE

Level 1: C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE

Level 1: C:\Users\Admin\AppData\Local\Temp\Server.exe
  Command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
  - Executes dropped EXE
Downloads (dropped files; the report lists several of them more than once, duplicates are collapsed here)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Server.exe.log
MD5: ada37846cea22757d6153e65b720a367
SHA1: d9c9e33987d095b32c364fe40dd6f054feaf7ea9
SHA256: 7daa4e8a6296b9e3df9669f6a574cbe481f2df9c751affbeb41a541173264520
SHA512: 592640e40ad0c6bcd8719f2cdbf828f2e322ad729c23ac3b44dd252a9c0b08d370a1cfcbcb9038cdffed0866ae4d2f8762c421f5e1a89c8d9273f482d9d2662f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CHROME.EXE.log
MD5: 605f809fab8c19729d39d075f7ffdb53
SHA1: c546f877c9bd53563174a90312a8337fdfc5fdd9
SHA256: 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
SHA512: 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

C:\Users\Admin\AppData\Local\Temp\CHROME.EXE (listed 3 times)
MD5: aac877ad70ee726e75616b4153d88526
SHA1: 7386c1a573b7a5fba3a671f10dcc27962743fd34
SHA256: 7373d95ee79c58916f291fb6dd7ba69bf9b987a3c40c9090850b14279c045ebb
SHA512: 62fa4d1e3d5e3d087f0ed0b9a1b0df01a5bf5ad13f2494435e43643fe54f9160a51e726e1072868dae5f3011f028c9700701a439324a56cd8d9a1593a4b695dd

C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE (listed 3 times)
MD5: 869007a489b3a503d2d7c2bdadb63b8b
SHA1: 781612f639b3a070bf5be90d701b9cd4c0e45733
SHA256: 45ac13a13bc961103f78c3c2d0b03aa9883147c003100cb1ac102f353dd8c3ba
SHA512: 674d4d262ec7f454d0e3390e3ea7cf6fdd4bbc2d4df6e27bcdbe6aa5601a52d9cbee1da42f99c425435a333b72d4d92dd353ef1dc3ab5a7c6690ed0efd9d98ae

C:\Users\Admin\AppData\Local\Temp\Server.exe (listed 3 times; same hashes as C:\Users\Admin\AppData\Local\Temp\SVCHOST.EXE)
MD5: 869007a489b3a503d2d7c2bdadb63b8b
SHA1: 781612f639b3a070bf5be90d701b9cd4c0e45733
SHA256: 45ac13a13bc961103f78c3c2d0b03aa9883147c003100cb1ac102f353dd8c3ba
SHA512: 674d4d262ec7f454d0e3390e3ea7cf6fdd4bbc2d4df6e27bcdbe6aa5601a52d9cbee1da42f99c425435a333b72d4d92dd353ef1dc3ab5a7c6690ed0efd9d98ae

C:\Users\Admin\AppData\Local\Temp\tmp9843.tmp.bat
MD5: 9b0bc423dc4192f9bdfa805870fe9702
SHA1: 5539689feccc05ce1b89ed90e982bbd4474bc871
SHA256: 910c467ac4ea58bc887c288fd7b1aed23f99fa3d37d3dec915fba78ebcbec2b1
SHA512: eae4b744b747f1469e587f1e90d1371fdb401f9c353194ab494e0802c38d4d87bec62d0c1cb0687e21803a11553d5c7fb08bedd18047bad47c64db655747c34d

C:\Users\Admin\AppData\Roaming\svchost.exe (listed 2 times; same hashes as C:\Users\Admin\AppData\Local\Temp\CHROME.EXE)
MD5: aac877ad70ee726e75616b4153d88526
SHA1: 7386c1a573b7a5fba3a671f10dcc27962743fd34
SHA256: 7373d95ee79c58916f291fb6dd7ba69bf9b987a3c40c9090850b14279c045ebb
SHA512: 62fa4d1e3d5e3d087f0ed0b9a1b0df01a5bf5ad13f2494435e43643fe54f9160a51e726e1072868dae5f3011f028c9700701a439324a56cd8d9a1593a4b695dd

C:\Users\Admin\Documents\MSDCSC\svchost.exe (listed 2 times; same hashes as the submitted sample)
MD5: a1c0d1485d1f2ac0d660ea28502e79ae
SHA1: fcd8a01e7c022c086747a680bb8995f9279aaa8c
SHA256: 820f2381fe1860a8b6f9e66032ac4bb79ac6b7b9269264c547e4c63151593df0
SHA512: d44e3ecaefe8012aeaf5b3b4adf0d4aa6e2b9cf4565960def0c665d6294f7b21fa006a8d99b4e847b2a2f8eb0e9981bc4ce2f2f377541e53d84295b94108ad1f
Memory dumps (dump file / Filesize; mapping.dmp entries have no size)
memory/912-114-0x0000000000570000-0x000000000061E000-memory.dmp  696KB
memory/1320-141-0x0000000004A40000-0x0000000004A41000-memory.dmp  4KB
memory/1320-144-0x0000000004C10000-0x0000000004C11000-memory.dmp  4KB
memory/1320-125-0x0000000000570000-0x0000000000571000-memory.dmp  4KB
memory/1320-115-0x0000000000000000-mapping.dmp
memory/1360-117-0x0000000000000000-mapping.dmp
memory/1360-123-0x0000000001210000-0x000000000121B000-memory.dmp  44KB
memory/1360-124-0x000000001C402000-0x000000001C403000-memory.dmp  4KB
memory/1360-120-0x0000000000D50000-0x0000000000D51000-memory.dmp  4KB
memory/1860-139-0x00000000004D0000-0x000000000057E000-memory.dmp  696KB
memory/1860-127-0x0000000000000000-mapping.dmp
memory/2008-169-0x000000001AFA0000-0x000000001AFA2000-memory.dmp  8KB
memory/2216-163-0x000000001ABE0000-0x000000001ABE2000-memory.dmp  8KB
memory/2228-145-0x0000000000000000-mapping.dmp
memory/2276-142-0x00000000047E0000-0x00000000047E1000-memory.dmp  4KB
memory/2276-130-0x0000000000000000-mapping.dmp
memory/2356-132-0x0000000000000000-mapping.dmp
memory/2356-140-0x000000001BA02000-0x000000001BA03000-memory.dmp  4KB
memory/3064-149-0x0000000000000000-mapping.dmp
memory/3664-156-0x0000000005401000-0x0000000005402000-memory.dmp  4KB
memory/3664-151-0x0000000000000000-mapping.dmp
memory/3776-143-0x0000000000000000-mapping.dmp
memory/4004-150-0x0000000000000000-mapping.dmp
memory/4076-146-0x0000000000000000-mapping.dmp