Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
23-11-2022 13:26
Static task
static1
Behavioral task
behavioral1
Sample
a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe
Resource
win10v2004-20220901-en
General
-
Target
a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe
-
Size
838KB
-
MD5
5d91eed9eb03df6df240a57e5fded2df
-
SHA1
f86d9f0018030ae5157a2ff63fd296cf1e17d5e0
-
SHA256
a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd
-
SHA512
aa708df0419cd36b650ba0d720987b5e02ea86907a1202ba64a8888cb131d74d72723d5e878a2a24b123f2f8b0fe9129be88d4fdcc80477e8882c95293a8ce9a
-
SSDEEP
24576:Iz6ctR5gNykgh/rmjMrfNYx5M8KCu+y5H8J0ffe4tNO:27D2qu2VYfNwqs
Malware Config
Extracted
darkcomet
Members
emkadns.uni.me:2121
DCMIN_MUTEX-LBZLRNM
-
gencode
mCrAswFlmnAx
-
install
false
-
offline_keylogger
true
-
persistence
false
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
WUDHost.exe, Acctres.exe, WUDHost.exe
pid process
3564 WUDHost.exe
3636 Acctres.exe
1424 WUDHost.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe, Acctres.exe
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation Acctres.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
WUDHost.exe, WUDHost.exe
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe" WUDHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe" WUDHost.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe, Acctres.exe
description pid process target process
PID 5008 set thread context of 3768 5008 a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe vbc.exe
PID 3636 set thread context of 1172 3636 Acctres.exe vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe
pid process
5008 a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe, vbc.exe, WUDHost.exe, Acctres.exe, vbc.exe, WUDHost.exe
description pid process
Token: SeDebugPrivilege 5008 a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe
Token: SeIncreaseQuotaPrivilege 3768 vbc.exe
Token: SeSecurityPrivilege 3768 vbc.exe
Token: SeTakeOwnershipPrivilege 3768 vbc.exe
Token: SeLoadDriverPrivilege 3768 vbc.exe
Token: SeSystemProfilePrivilege 3768 vbc.exe
Token: SeSystemtimePrivilege 3768 vbc.exe
Token: SeProfSingleProcessPrivilege 3768 vbc.exe
Token: SeIncBasePriorityPrivilege 3768 vbc.exe
Token: SeCreatePagefilePrivilege 3768 vbc.exe
Token: SeBackupPrivilege 3768 vbc.exe
Token: SeRestorePrivilege 3768 vbc.exe
Token: SeShutdownPrivilege 3768 vbc.exe
Token: SeDebugPrivilege 3768 vbc.exe
Token: SeSystemEnvironmentPrivilege 3768 vbc.exe
Token: SeChangeNotifyPrivilege 3768 vbc.exe
Token: SeRemoteShutdownPrivilege 3768 vbc.exe
Token: SeUndockPrivilege 3768 vbc.exe
Token: SeManageVolumePrivilege 3768 vbc.exe
Token: SeImpersonatePrivilege 3768 vbc.exe
Token: SeCreateGlobalPrivilege 3768 vbc.exe
Token: 33 3768 vbc.exe
Token: 34 3768 vbc.exe
Token: 35 3768 vbc.exe
Token: 36 3768 vbc.exe
Token: SeDebugPrivilege 3564 WUDHost.exe
Token: SeDebugPrivilege 3636 Acctres.exe
Token: SeIncreaseQuotaPrivilege 1172 vbc.exe
Token: SeSecurityPrivilege 1172 vbc.exe
Token: SeTakeOwnershipPrivilege 1172 vbc.exe
Token: SeLoadDriverPrivilege 1172 vbc.exe
Token: SeSystemProfilePrivilege 1172 vbc.exe
Token: SeSystemtimePrivilege 1172 vbc.exe
Token: SeProfSingleProcessPrivilege 1172 vbc.exe
Token: SeIncBasePriorityPrivilege 1172 vbc.exe
Token: SeCreatePagefilePrivilege 1172 vbc.exe
Token: SeBackupPrivilege 1172 vbc.exe
Token: SeRestorePrivilege 1172 vbc.exe
Token: SeShutdownPrivilege 1172 vbc.exe
Token: SeDebugPrivilege 1172 vbc.exe
Token: SeSystemEnvironmentPrivilege 1172 vbc.exe
Token: SeChangeNotifyPrivilege 1172 vbc.exe
Token: SeRemoteShutdownPrivilege 1172 vbc.exe
Token: SeUndockPrivilege 1172 vbc.exe
Token: SeManageVolumePrivilege 1172 vbc.exe
Token: SeImpersonatePrivilege 1172 vbc.exe
Token: SeCreateGlobalPrivilege 1172 vbc.exe
Token: 33 1172 vbc.exe
Token: 34 1172 vbc.exe
Token: 35 1172 vbc.exe
Token: 36 1172 vbc.exe
Token: SeDebugPrivilege 1424 WUDHost.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
vbc.exe
pid process
3768 vbc.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe, WUDHost.exe, Acctres.exe
description pid process target process
PID 5008 wrote to memory of 3768 5008 a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe vbc.exe
PID 5008 wrote to memory of 3564 5008 a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe WUDHost.exe
PID 3564 wrote to memory of 3636 3564 WUDHost.exe Acctres.exe
PID 3636 wrote to memory of 1172 3636 Acctres.exe vbc.exe
PID 3636 wrote to memory of 1424 3636 Acctres.exe WUDHost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe "C:\Users\Admin\AppData\Local\Temp\a9f15c18a5767047dbac78e55fbca75ae305ed794da19e8d042fd152736c0cfd.exe" 1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" 2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3768 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe" 2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe 3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" 4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe" 4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1424
Network
MITRE ATT&CK Enterprise v6
Downloads