darkcomet | a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782

Analysis

max time kernel
151s
max time network
92s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
Size

759KB
MD5

7b5e4a417463943030ed84d16bdffc80
SHA1

3e2b57bdd296e786aa1cc7cc134d2156abcbd731
SHA256

a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782
SHA512

9fca612c056977ac1539359adceaa8aef8350876b27e420d2600b2a8347b52d51819db2bcb8204bf4063cff99017a5faaf86207b2a988fb0bb04101e0bfcc9a5
SSDEEP

12288:qM3iXBPCO36urpV5HODRH0xh9W1gx7K8hiz1v8hvwxUj1ShwONxyibDwd:oqEdTE0X9WSxG8IZv8hI21ShFNxyoM

Score

10^/10

darkcomet musicago agilenet persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

MusicAGO

mantrust.noip.me:3013

Mutex

DC_MUTEX-80DX6FJ

Attributes

gencode
5GYC98Amy0Ur
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Executes dropped EXE 3 IoCs

Processes:

wmiApSrv.exeSamSs.exewmiApSrv.exe

pid process

1768 wmiApSrv.exe
1728 SamSs.exe
2028 wmiApSrv.exe
Loads dropped DLL 3 IoCs

Processes:

a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exewmiApSrv.exeSamSs.exe

pid process

1760 a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1768 wmiApSrv.exe
1728 SamSs.exe

pid	process
1768	wmiApSrv.exe
1728	SamSs.exe
2028	wmiApSrv.exe

Obfuscated with Agile.Net obfuscator 6 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe	agile_net
C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe	agile_net
\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wmiApSrv.exewmiApSrv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WMI Performance Adapter = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft FxCop\\wmiApSrv.exe"	wmiApSrv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WMI Performance Adapter = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft FxCop\\wmiApSrv.exe"	wmiApSrv.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exeSamSs.exe

description	pid	process	target process
PID 1760 set thread context of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1728 set thread context of 768	1728	SamSs.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exewmiApSrv.exeSamSs.exe

pid	process
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1768	wmiApSrv.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1768	wmiApSrv.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1768	wmiApSrv.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1768	wmiApSrv.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1768	wmiApSrv.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1768	wmiApSrv.exe
1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
1728	SamSs.exe
1728	SamSs.exe
1728	SamSs.exe
1728	SamSs.exe
1728	SamSs.exe
1728	SamSs.exe
1728	SamSs.exe
1728	SamSs.exe
1728	SamSs.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exeAppLaunch.exewmiApSrv.exeSamSs.exeAppLaunch.exewmiApSrv.exe

description	pid	process
Token: SeDebugPrivilege	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
Token: SeIncreaseQuotaPrivilege	1136	AppLaunch.exe
Token: SeSecurityPrivilege	1136	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	1136	AppLaunch.exe
Token: SeLoadDriverPrivilege	1136	AppLaunch.exe
Token: SeSystemProfilePrivilege	1136	AppLaunch.exe
Token: SeSystemtimePrivilege	1136	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	1136	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	1136	AppLaunch.exe
Token: SeCreatePagefilePrivilege	1136	AppLaunch.exe
Token: SeBackupPrivilege	1136	AppLaunch.exe
Token: SeRestorePrivilege	1136	AppLaunch.exe
Token: SeShutdownPrivilege	1136	AppLaunch.exe
Token: SeDebugPrivilege	1136	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	1136	AppLaunch.exe
Token: SeChangeNotifyPrivilege	1136	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	1136	AppLaunch.exe
Token: SeUndockPrivilege	1136	AppLaunch.exe
Token: SeManageVolumePrivilege	1136	AppLaunch.exe
Token: SeImpersonatePrivilege	1136	AppLaunch.exe
Token: SeCreateGlobalPrivilege	1136	AppLaunch.exe
Token: 33	1136	AppLaunch.exe
Token: 34	1136	AppLaunch.exe
Token: 35	1136	AppLaunch.exe
Token: SeDebugPrivilege	1768	wmiApSrv.exe
Token: SeDebugPrivilege	1728	SamSs.exe
Token: SeIncreaseQuotaPrivilege	768	AppLaunch.exe
Token: SeSecurityPrivilege	768	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	768	AppLaunch.exe
Token: SeLoadDriverPrivilege	768	AppLaunch.exe
Token: SeSystemProfilePrivilege	768	AppLaunch.exe
Token: SeSystemtimePrivilege	768	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	768	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	768	AppLaunch.exe
Token: SeCreatePagefilePrivilege	768	AppLaunch.exe
Token: SeBackupPrivilege	768	AppLaunch.exe
Token: SeRestorePrivilege	768	AppLaunch.exe
Token: SeShutdownPrivilege	768	AppLaunch.exe
Token: SeDebugPrivilege	768	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	768	AppLaunch.exe
Token: SeChangeNotifyPrivilege	768	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	768	AppLaunch.exe
Token: SeUndockPrivilege	768	AppLaunch.exe
Token: SeManageVolumePrivilege	768	AppLaunch.exe
Token: SeImpersonatePrivilege	768	AppLaunch.exe
Token: SeCreateGlobalPrivilege	768	AppLaunch.exe
Token: 33	768	AppLaunch.exe
Token: 34	768	AppLaunch.exe
Token: 35	768	AppLaunch.exe
Token: SeDebugPrivilege	2028	wmiApSrv.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AppLaunch.exe

pid process

1136 AppLaunch.exe

pid	process
1136	AppLaunch.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exewmiApSrv.exeSamSs.exe

description	pid	process	target process
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1136	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	AppLaunch.exe
PID 1760 wrote to memory of 1768	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	wmiApSrv.exe
PID 1760 wrote to memory of 1768	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	wmiApSrv.exe
PID 1760 wrote to memory of 1768	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	wmiApSrv.exe
PID 1760 wrote to memory of 1768	1760	a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe	wmiApSrv.exe
PID 1768 wrote to memory of 1728	1768	wmiApSrv.exe	SamSs.exe
PID 1768 wrote to memory of 1728	1768	wmiApSrv.exe	SamSs.exe
PID 1768 wrote to memory of 1728	1768	wmiApSrv.exe	SamSs.exe
PID 1768 wrote to memory of 1728	1768	wmiApSrv.exe	SamSs.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 768	1728	SamSs.exe	AppLaunch.exe
PID 1728 wrote to memory of 2028	1728	SamSs.exe	wmiApSrv.exe
PID 1728 wrote to memory of 2028	1728	SamSs.exe	wmiApSrv.exe
PID 1728 wrote to memory of 2028	1728	SamSs.exe	wmiApSrv.exe
PID 1728 wrote to memory of 2028	1728	SamSs.exe	wmiApSrv.exe

C:\Users\Admin\AppData\Local\Temp\a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe
"C:\Users\Admin\AppData\Local\Temp\a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Roaming\Microsoft FxCop\SamSs.exe
"C:\Users\Admin\AppData\Roaming\Microsoft FxCop\SamSs.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe
"C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft FxCop\SamSs.exe
Filesize
759KB

MD5
7b5e4a417463943030ed84d16bdffc80

SHA1
3e2b57bdd296e786aa1cc7cc134d2156abcbd731

SHA256
a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782

SHA512
9fca612c056977ac1539359adceaa8aef8350876b27e420d2600b2a8347b52d51819db2bcb8204bf4063cff99017a5faaf86207b2a988fb0bb04101e0bfcc9a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft FxCop\SamSs.exe
Filesize
759KB

MD5
7b5e4a417463943030ed84d16bdffc80

SHA1
3e2b57bdd296e786aa1cc7cc134d2156abcbd731

SHA256
a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782

SHA512
9fca612c056977ac1539359adceaa8aef8350876b27e420d2600b2a8347b52d51819db2bcb8204bf4063cff99017a5faaf86207b2a988fb0bb04101e0bfcc9a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe
Filesize
18KB

MD5
97235ac11c44acda447e9b8b393ae1da

SHA1
370e8a69c78e677dfccc40aceb7238cd8b8596eb

SHA256
10017309dab7a06278fdac82ee487e63b2f6ea4ec1309e2e31928d1323885698

SHA512
ff44929eaed0ef767122f065071c1030f5987835e17fbe516898c724b4beffee9f827e3378b552480f07629aa76dc1a1370b8ede5edb8f6bdb7b22245d044f0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe
Filesize
18KB

MD5
97235ac11c44acda447e9b8b393ae1da

SHA1
370e8a69c78e677dfccc40aceb7238cd8b8596eb

SHA256
10017309dab7a06278fdac82ee487e63b2f6ea4ec1309e2e31928d1323885698

SHA512
ff44929eaed0ef767122f065071c1030f5987835e17fbe516898c724b4beffee9f827e3378b552480f07629aa76dc1a1370b8ede5edb8f6bdb7b22245d044f0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe
Filesize
18KB

MD5
97235ac11c44acda447e9b8b393ae1da

SHA1
370e8a69c78e677dfccc40aceb7238cd8b8596eb

SHA256
10017309dab7a06278fdac82ee487e63b2f6ea4ec1309e2e31928d1323885698

SHA512
ff44929eaed0ef767122f065071c1030f5987835e17fbe516898c724b4beffee9f827e3378b552480f07629aa76dc1a1370b8ede5edb8f6bdb7b22245d044f0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe
Filesize
18KB

MD5
97235ac11c44acda447e9b8b393ae1da

SHA1
370e8a69c78e677dfccc40aceb7238cd8b8596eb

SHA256
10017309dab7a06278fdac82ee487e63b2f6ea4ec1309e2e31928d1323885698

SHA512
ff44929eaed0ef767122f065071c1030f5987835e17fbe516898c724b4beffee9f827e3378b552480f07629aa76dc1a1370b8ede5edb8f6bdb7b22245d044f0b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft FxCop\SamSs.exe
Filesize
759KB

MD5
7b5e4a417463943030ed84d16bdffc80

SHA1
3e2b57bdd296e786aa1cc7cc134d2156abcbd731

SHA256
a2f302ed3f2ca2dff3be4ca2ae02c642b94a54b0707546182acb41b2a2367782

SHA512
9fca612c056977ac1539359adceaa8aef8350876b27e420d2600b2a8347b52d51819db2bcb8204bf4063cff99017a5faaf86207b2a988fb0bb04101e0bfcc9a5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe
Filesize
18KB

MD5
97235ac11c44acda447e9b8b393ae1da

SHA1
370e8a69c78e677dfccc40aceb7238cd8b8596eb

SHA256
10017309dab7a06278fdac82ee487e63b2f6ea4ec1309e2e31928d1323885698

SHA512
ff44929eaed0ef767122f065071c1030f5987835e17fbe516898c724b4beffee9f827e3378b552480f07629aa76dc1a1370b8ede5edb8f6bdb7b22245d044f0b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft FxCop\wmiApSrv.exe
Filesize
18KB

MD5
97235ac11c44acda447e9b8b393ae1da

SHA1
370e8a69c78e677dfccc40aceb7238cd8b8596eb

SHA256
10017309dab7a06278fdac82ee487e63b2f6ea4ec1309e2e31928d1323885698

SHA512
ff44929eaed0ef767122f065071c1030f5987835e17fbe516898c724b4beffee9f827e3378b552480f07629aa76dc1a1370b8ede5edb8f6bdb7b22245d044f0b

Download Submit
memory/768-118-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/768-111-0x000000000048F888-mapping.dmp

Download
memory/1136-83-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-91-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1136-72-0x000000000048F888-mapping.dmp

Download
memory/1728-93-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-88-0x0000000000000000-mapping.dmp

Download
memory/1728-92-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1760-94-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-56-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1760-55-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-95-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-85-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-80-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-76-0x0000000000000000-mapping.dmp

Download
memory/2028-119-0x0000000000000000-mapping.dmp

Download
memory/2028-123-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-124-0x0000000074FB0000-0x000000007555B000-memory.dmp

Filesize
5.7MB

Download