Analysis
-
max time kernel
152s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-06-2022 17:47
Behavioral task
behavioral1
Sample
ZulaHax.exe
Resource
win7-20220414-en
General
-
Target
ZulaHax.exe
-
Size
659KB
-
MD5
949573ea355757e37f217798fd335478
-
SHA1
ba103d18dd84409cd2cba837ae64d42ec75613e7
-
SHA256
222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
-
SHA512
ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
Malware Config
Extracted
darkcomet
Sazan
sussysdfffdfff343.duckdns.org:1604
DC_MUTEX-5BJ61CT
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
hSQMSMbHss9o
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
ZulaHax.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" ZulaHax.exe -
Modifies firewall policy service 2 TTPs 6 IoCs
Processes:
msdcsc.exeiexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe -
Modifies security service 2 TTPs 2 IoCs
Processes:
msdcsc.exeiexplore.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" iexplore.exe -
Processes:
msdcsc.exeiexplore.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe -
suricata: ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful
suricata: ET MALWARE Backdoor.Win32.DarkComet Screenshot Upload Successful
-
Disables RegEdit via registry modification 2 IoCs
Processes:
msdcsc.exeiexplore.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid process 836 msdcsc.exe -
Loads dropped DLL 2 IoCs
Processes:
ZulaHax.exepid process 1976 ZulaHax.exe 1976 ZulaHax.exe -
Processes:
msdcsc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
iexplore.exeZulaHax.exemsdcsc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" ZulaHax.exe Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
msdcsc.exedescription pid process target process PID 836 set thread context of 1160 836 msdcsc.exe iexplore.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 53 IoCs
Processes:
taskmgr.exepid process 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
ZulaHax.exemsdcsc.exeiexplore.exedescription pid process Token: SeIncreaseQuotaPrivilege 1976 ZulaHax.exe Token: SeSecurityPrivilege 1976 ZulaHax.exe Token: SeTakeOwnershipPrivilege 1976 ZulaHax.exe Token: SeLoadDriverPrivilege 1976 ZulaHax.exe Token: SeSystemProfilePrivilege 1976 ZulaHax.exe Token: SeSystemtimePrivilege 1976 ZulaHax.exe Token: SeProfSingleProcessPrivilege 1976 ZulaHax.exe Token: SeIncBasePriorityPrivilege 1976 ZulaHax.exe Token: SeCreatePagefilePrivilege 1976 ZulaHax.exe Token: SeBackupPrivilege 1976 ZulaHax.exe Token: SeRestorePrivilege 1976 ZulaHax.exe Token: SeShutdownPrivilege 1976 ZulaHax.exe Token: SeDebugPrivilege 1976 ZulaHax.exe Token: SeSystemEnvironmentPrivilege 1976 ZulaHax.exe Token: SeChangeNotifyPrivilege 1976 ZulaHax.exe Token: SeRemoteShutdownPrivilege 1976 ZulaHax.exe Token: SeUndockPrivilege 1976 ZulaHax.exe Token: SeManageVolumePrivilege 1976 ZulaHax.exe Token: SeImpersonatePrivilege 1976 ZulaHax.exe Token: SeCreateGlobalPrivilege 1976 ZulaHax.exe Token: 33 1976 ZulaHax.exe Token: 34 1976 ZulaHax.exe Token: 35 1976 ZulaHax.exe Token: SeIncreaseQuotaPrivilege 836 msdcsc.exe Token: SeSecurityPrivilege 836 msdcsc.exe Token: SeTakeOwnershipPrivilege 836 msdcsc.exe Token: SeLoadDriverPrivilege 836 msdcsc.exe Token: SeSystemProfilePrivilege 836 msdcsc.exe Token: SeSystemtimePrivilege 836 msdcsc.exe Token: SeProfSingleProcessPrivilege 836 msdcsc.exe Token: SeIncBasePriorityPrivilege 836 msdcsc.exe Token: SeCreatePagefilePrivilege 836 msdcsc.exe Token: SeBackupPrivilege 836 msdcsc.exe Token: SeRestorePrivilege 836 msdcsc.exe Token: SeShutdownPrivilege 836 msdcsc.exe Token: SeDebugPrivilege 836 msdcsc.exe Token: SeSystemEnvironmentPrivilege 836 msdcsc.exe Token: SeChangeNotifyPrivilege 836 msdcsc.exe Token: SeRemoteShutdownPrivilege 836 msdcsc.exe Token: SeUndockPrivilege 836 msdcsc.exe Token: SeManageVolumePrivilege 836 msdcsc.exe Token: SeImpersonatePrivilege 836 msdcsc.exe Token: SeCreateGlobalPrivilege 836 msdcsc.exe Token: 33 836 msdcsc.exe Token: 34 836 msdcsc.exe Token: 35 836 msdcsc.exe Token: SeIncreaseQuotaPrivilege 1160 iexplore.exe Token: SeSecurityPrivilege 1160 iexplore.exe Token: SeTakeOwnershipPrivilege 1160 iexplore.exe Token: SeLoadDriverPrivilege 1160 iexplore.exe Token: SeSystemProfilePrivilege 1160 iexplore.exe Token: SeSystemtimePrivilege 1160 iexplore.exe Token: SeProfSingleProcessPrivilege 1160 iexplore.exe Token: SeIncBasePriorityPrivilege 1160 iexplore.exe Token: SeCreatePagefilePrivilege 1160 iexplore.exe Token: SeBackupPrivilege 1160 iexplore.exe Token: SeRestorePrivilege 1160 iexplore.exe Token: SeShutdownPrivilege 1160 iexplore.exe Token: SeDebugPrivilege 1160 iexplore.exe Token: SeSystemEnvironmentPrivilege 1160 iexplore.exe Token: SeChangeNotifyPrivilege 1160 iexplore.exe Token: SeRemoteShutdownPrivilege 1160 iexplore.exe Token: SeUndockPrivilege 1160 iexplore.exe Token: SeManageVolumePrivilege 1160 iexplore.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe 616 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
iexplore.exepid process 1160 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ZulaHax.exemsdcsc.exeiexplore.exedescription pid process target process PID 1976 wrote to memory of 836 1976 ZulaHax.exe msdcsc.exe PID 1976 wrote to memory of 836 1976 ZulaHax.exe msdcsc.exe PID 1976 wrote to memory of 836 1976 ZulaHax.exe msdcsc.exe PID 1976 wrote to memory of 836 1976 ZulaHax.exe msdcsc.exe PID 836 wrote to memory of 1160 836 msdcsc.exe iexplore.exe PID 836 wrote to memory of 1160 836 msdcsc.exe iexplore.exe PID 836 wrote to memory of 1160 836 msdcsc.exe iexplore.exe PID 836 wrote to memory of 1160 836 msdcsc.exe iexplore.exe PID 836 wrote to memory of 1160 836 msdcsc.exe iexplore.exe PID 836 wrote to memory of 1160 836 msdcsc.exe iexplore.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 892 1160 iexplore.exe notepad.exe PID 1160 wrote to memory of 1676 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1676 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1676 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1676 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1740 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1740 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1740 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1740 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1352 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1352 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1352 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1352 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1620 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1620 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1620 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1620 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1948 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1948 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1948 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1948 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1156 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1156 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1156 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 1156 1160 iexplore.exe cmd.exe PID 1160 wrote to memory of 616 1160 iexplore.exe taskmgr.exe PID 1160 wrote to memory of 616 1160 iexplore.exe taskmgr.exe PID 1160 wrote to memory of 616 1160 iexplore.exe taskmgr.exe PID 1160 wrote to memory of 616 1160 iexplore.exe taskmgr.exe PID 1160 wrote to memory of 1636 1160 iexplore.exe taskmgr.exe PID 1160 wrote to memory of 1636 1160 iexplore.exe taskmgr.exe PID 1160 wrote to memory of 1636 1160 iexplore.exe taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe"C:\Users\Admin\AppData\Local\Temp\ZulaHax.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\System32\taskmgr.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\System32\taskmgr.exe"4⤵
-
C:\Windows\SysWOW64\taskmgr.exe"C:\Windows\System32\taskmgr.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
659KB
MD5949573ea355757e37f217798fd335478
SHA1ba103d18dd84409cd2cba837ae64d42ec75613e7
SHA256222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
SHA512ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
659KB
MD5949573ea355757e37f217798fd335478
SHA1ba103d18dd84409cd2cba837ae64d42ec75613e7
SHA256222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
SHA512ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
659KB
MD5949573ea355757e37f217798fd335478
SHA1ba103d18dd84409cd2cba837ae64d42ec75613e7
SHA256222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
SHA512ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
-
\Users\Admin\Documents\MSDCSC\msdcsc.exeFilesize
659KB
MD5949573ea355757e37f217798fd335478
SHA1ba103d18dd84409cd2cba837ae64d42ec75613e7
SHA256222e2ddd2cd5cb4156b9d1845c833d644d8a62d367004a271f6ec290a8aa2fb3
SHA512ba7174bd8d6cb88066a7c18a1cd57b603680bfee9a94bf2ceca7a0784246f2e3a35f1856f91e3b9973f7a576cf8366fc3d10ee0268f80a3f077c174b4d2a2881
-
memory/616-69-0x0000000000000000-mapping.dmp
-
memory/836-57-0x0000000000000000-mapping.dmp
-
memory/892-61-0x0000000000000000-mapping.dmp
-
memory/1156-68-0x0000000000000000-mapping.dmp
-
memory/1352-65-0x0000000000000000-mapping.dmp
-
memory/1620-66-0x0000000000000000-mapping.dmp
-
memory/1632-73-0x0000000000000000-mapping.dmp
-
memory/1636-71-0x0000000000000000-mapping.dmp
-
memory/1640-76-0x0000000000000000-mapping.dmp
-
memory/1676-63-0x0000000000000000-mapping.dmp
-
memory/1740-64-0x0000000000000000-mapping.dmp
-
memory/1948-67-0x0000000000000000-mapping.dmp
-
memory/1976-54-0x00000000757C1000-0x00000000757C3000-memory.dmpFilesize
8KB
-
memory/2044-75-0x0000000000000000-mapping.dmp