Analysis
-
max time kernel
154s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2022 12:17
Behavioral task
behavioral1
Sample
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe
Resource
win7-20220812-en
General
-
Target
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe
-
Size
842KB
-
MD5
209358b1bb8353a5bc3aa31016147e61
-
SHA1
9032fa902bb5279270a64e89207543c77f3b8eb3
-
SHA256
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965
-
SHA512
a80fa8af67cebf271e6495b4baf1691266a05db8899ad3cd5d589aaa91f49bf66d1db653690477908012c01072a4abd94796cece1690a94c53fae2ad57f886a5
-
SSDEEP
12288:I9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hbwZAI:8Z1xuVVjfFoynPaVBUR8f+kN10EBCZAI
Malware Config
Extracted
darkcomet
Sazan
uysalimben.duckdns.org:25565
DC_MUTEX-QTEVKQM
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
6imH2lmx94gX
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe -
Modifies firewall policy service 2 TTPs 6 IoCs
Processes:
msdcsc.exeiexplore.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe -
Disables RegEdit via registry modification 2 IoCs
Processes:
msdcsc.exeiexplore.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid process 3372 msdcsc.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid process 3144 attrib.exe 860 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exemsdcsc.exeiexplore.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" iexplore.exe -
Drops file in System32 directory 3 IoCs
Processes:
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exedescription ioc process File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
msdcsc.exedescription pid process target process PID 3372 set thread context of 1568 3372 msdcsc.exe iexplore.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exemsdcsc.exeiexplore.exedescription pid process Token: SeIncreaseQuotaPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeSecurityPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeTakeOwnershipPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeLoadDriverPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeSystemProfilePrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeSystemtimePrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeProfSingleProcessPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeIncBasePriorityPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeCreatePagefilePrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeBackupPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeRestorePrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeShutdownPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeDebugPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeSystemEnvironmentPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeChangeNotifyPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeRemoteShutdownPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeUndockPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeManageVolumePrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeImpersonatePrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeCreateGlobalPrivilege 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: 33 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: 34 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: 35 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: 36 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe Token: SeIncreaseQuotaPrivilege 3372 msdcsc.exe Token: SeSecurityPrivilege 3372 msdcsc.exe Token: SeTakeOwnershipPrivilege 3372 msdcsc.exe Token: SeLoadDriverPrivilege 3372 msdcsc.exe Token: SeSystemProfilePrivilege 3372 msdcsc.exe Token: SeSystemtimePrivilege 3372 msdcsc.exe Token: SeProfSingleProcessPrivilege 3372 msdcsc.exe Token: SeIncBasePriorityPrivilege 3372 msdcsc.exe Token: SeCreatePagefilePrivilege 3372 msdcsc.exe Token: SeBackupPrivilege 3372 msdcsc.exe Token: SeRestorePrivilege 3372 msdcsc.exe Token: SeShutdownPrivilege 3372 msdcsc.exe Token: SeDebugPrivilege 3372 msdcsc.exe Token: SeSystemEnvironmentPrivilege 3372 msdcsc.exe Token: SeChangeNotifyPrivilege 3372 msdcsc.exe Token: SeRemoteShutdownPrivilege 3372 msdcsc.exe Token: SeUndockPrivilege 3372 msdcsc.exe Token: SeManageVolumePrivilege 3372 msdcsc.exe Token: SeImpersonatePrivilege 3372 msdcsc.exe Token: SeCreateGlobalPrivilege 3372 msdcsc.exe Token: 33 3372 msdcsc.exe Token: 34 3372 msdcsc.exe Token: 35 3372 msdcsc.exe Token: 36 3372 msdcsc.exe Token: SeIncreaseQuotaPrivilege 1568 iexplore.exe Token: SeSecurityPrivilege 1568 iexplore.exe Token: SeTakeOwnershipPrivilege 1568 iexplore.exe Token: SeLoadDriverPrivilege 1568 iexplore.exe Token: SeSystemProfilePrivilege 1568 iexplore.exe Token: SeSystemtimePrivilege 1568 iexplore.exe Token: SeProfSingleProcessPrivilege 1568 iexplore.exe Token: SeIncBasePriorityPrivilege 1568 iexplore.exe Token: SeCreatePagefilePrivilege 1568 iexplore.exe Token: SeBackupPrivilege 1568 iexplore.exe Token: SeRestorePrivilege 1568 iexplore.exe Token: SeShutdownPrivilege 1568 iexplore.exe Token: SeDebugPrivilege 1568 iexplore.exe Token: SeSystemEnvironmentPrivilege 1568 iexplore.exe Token: SeChangeNotifyPrivilege 1568 iexplore.exe Token: SeRemoteShutdownPrivilege 1568 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
iexplore.exepid process 1568 iexplore.exe -
Suspicious use of WriteProcessMemory 59 IoCs
Processes:
75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.execmd.execmd.exemsdcsc.exeiexplore.exedescription pid process target process PID 3680 wrote to memory of 4976 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe cmd.exe PID 3680 wrote to memory of 4976 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe cmd.exe PID 3680 wrote to memory of 4976 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe cmd.exe PID 3680 wrote to memory of 4600 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe cmd.exe PID 3680 wrote to memory of 4600 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe cmd.exe PID 3680 wrote to memory of 4600 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe cmd.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 3680 wrote to memory of 3540 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe notepad.exe PID 4976 wrote to memory of 3144 4976 cmd.exe attrib.exe PID 4976 wrote to memory of 3144 4976 cmd.exe attrib.exe PID 4976 wrote to memory of 3144 4976 cmd.exe attrib.exe PID 4600 wrote to memory of 860 4600 cmd.exe attrib.exe PID 4600 wrote to memory of 860 4600 cmd.exe attrib.exe PID 4600 wrote to memory of 860 4600 cmd.exe attrib.exe PID 3680 wrote to memory of 3372 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe msdcsc.exe PID 3680 wrote to memory of 3372 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe msdcsc.exe PID 3680 wrote to memory of 3372 3680 75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe msdcsc.exe PID 3372 wrote to memory of 1568 3372 msdcsc.exe iexplore.exe PID 3372 wrote to memory of 1568 3372 msdcsc.exe iexplore.exe PID 3372 wrote to memory of 1568 3372 msdcsc.exe iexplore.exe PID 3372 wrote to memory of 1568 3372 msdcsc.exe iexplore.exe PID 3372 wrote to memory of 1568 3372 msdcsc.exe iexplore.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe PID 1568 wrote to memory of 3892 1568 iexplore.exe notepad.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 860 attrib.exe 3144 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe"C:\Users\Admin\AppData\Local\Temp\75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\75d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exenotepad4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exeFilesize
842KB
MD5209358b1bb8353a5bc3aa31016147e61
SHA19032fa902bb5279270a64e89207543c77f3b8eb3
SHA25675d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965
SHA512a80fa8af67cebf271e6495b4baf1691266a05db8899ad3cd5d589aaa91f49bf66d1db653690477908012c01072a4abd94796cece1690a94c53fae2ad57f886a5
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exeFilesize
842KB
MD5209358b1bb8353a5bc3aa31016147e61
SHA19032fa902bb5279270a64e89207543c77f3b8eb3
SHA25675d51610bad46c1d3678d6efdbbedac4fdb0459d3ef8cb4e0d638d70b4561965
SHA512a80fa8af67cebf271e6495b4baf1691266a05db8899ad3cd5d589aaa91f49bf66d1db653690477908012c01072a4abd94796cece1690a94c53fae2ad57f886a5
-
memory/860-136-0x0000000000000000-mapping.dmp
-
memory/3144-135-0x0000000000000000-mapping.dmp
-
memory/3372-137-0x0000000000000000-mapping.dmp
-
memory/3540-134-0x0000000000000000-mapping.dmp
-
memory/3892-140-0x0000000000000000-mapping.dmp
-
memory/4600-133-0x0000000000000000-mapping.dmp
-
memory/4976-132-0x0000000000000000-mapping.dmp