Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
29-07-2024 02:32
General
-
Target
34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe
-
Size
3.9MB
-
MD5
3fc02228a6229bc91c086bc24899361b
-
SHA1
3d33e93f771a1c77f2f01c2e15d52307f88d3bf0
-
SHA256
34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710
-
SHA512
1dbaeaa5855fca79ddb44f0570e5e4282347919d1629d32a6df1f9bce0f198e38ebb461f68518754116a3fa650e6e4f9541ff09ca067b10218962c162fd7ef99
-
SSDEEP
98304:Vbbzx+3YGfZNMGFWmkukCbYvziRNPRmB58hSKHO:Vd+1RNXFWuksaf7
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 24 IoCs
-
DCRat payload 7 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Disables Task Manager via registry modification
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 16 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe"C:\Users\Admin\AppData\Local\Temp\34be0ed06faf7cf7e8af122810e391dc4c09958bba1303a226103218b1c79710.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\pIqe6hsiC.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.bat" "3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\BlockPortWinDhcp\Comref.exe"C:\BlockPortWinDhcp\Comref.exe"4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\BlockPortWinDhcp\taskhost.exe"C:\BlockPortWinDhcp\taskhost.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3d8bb28-9544-4d67-b79a-54403e34d04f.vbs"6⤵
- Suspicious use of WriteProcessMemory
-
C:\BlockPortWinDhcp\taskhost.exeC:\BlockPortWinDhcp\taskhost.exe7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8e15704-1d8f-425d-987e-393a70840c7b.vbs"8⤵
- Suspicious use of WriteProcessMemory
-
C:\BlockPortWinDhcp\taskhost.exeC:\BlockPortWinDhcp\taskhost.exe9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e83737a4-8e01-469d-b073-20bb9a8804ef.vbs"10⤵
- Suspicious use of WriteProcessMemory
-
C:\BlockPortWinDhcp\taskhost.exeC:\BlockPortWinDhcp\taskhost.exe11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d096aae4-5c3e-41b7-92ec-932147c60f7d.vbs"12⤵
- Suspicious use of WriteProcessMemory
-
C:\BlockPortWinDhcp\taskhost.exeC:\BlockPortWinDhcp\taskhost.exe13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\140f9bf5-6656-4a2c-ad1c-a98c9081b0ca.vbs"14⤵
-
C:\BlockPortWinDhcp\taskhost.exeC:\BlockPortWinDhcp\taskhost.exe15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c72b1245-e1e2-4c40-958b-21aa7df85902.vbs"16⤵
-
C:\BlockPortWinDhcp\taskhost.exeC:\BlockPortWinDhcp\taskhost.exe17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3512ed6e-dcad-45c5-8f0e-c8cbd4af672c.vbs"16⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\451b56d5-3450-42e8-9c23-ea739cf425e3.vbs"14⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbd8c4b3-fed7-479f-af64-6f58aea53d14.vbs"12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5da5c8fa-5cb5-4e5b-946e-969ef13b4e49.vbs"10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f90a93d-bf7f-4d08-b796-ecacc4d616d3.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbe40291-5bb1-420f-8d41-6b97f6ada2bc.vbs"6⤵
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BlockPortWinDhcp\file.vbs"2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Comref.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Comref" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Comref.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ComrefC" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Comref.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\BlockPortWinDhcp\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\BlockPortWinDhcp\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\BlockPortWinDhcp\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\BlockPortWinDhcp\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\BlockPortWinDhcp\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\BlockPortWinDhcp\RuejCowmnwM9YNHuglg.batFilesize
144B
MD5ce3dd3c96548149537e6d3a679917a26
SHA10faba6346d98fe426902f01be3337bdb700bb4fa
SHA2563d7dfa7a908d3eef1344c70e6ea39e14dba844fcc727fc6b2d4f07f488303c7c
SHA5127326f45903c3eca92bc3de0ee50f13042f3f6cc6494da0273ba65a53308ba63b7607ac7f6b27dba20e649717781fc90254173ffd837fd7d98f21aa211f3af23d
-
C:\BlockPortWinDhcp\file.vbsFilesize
34B
MD5677cc4360477c72cb0ce00406a949c61
SHA1b679e8c3427f6c5fc47c8ac46cd0e56c9424de05
SHA256f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b
SHA5127cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a
-
C:\BlockPortWinDhcp\pIqe6hsiC.vbeFilesize
209B
MD5fe9707d9d0f3a70f1672c83f8ab78cab
SHA14d25ca2d7b215e7757eec53b2c55060756cf3fc0
SHA256e50eaf2ab143000660efab3e91bef57d2407c372820d022a10dac8c06e0c8e99
SHA512fab4bbb58aa50e636fb553fc9d01fa69ad63fbdf7e7d677ed8b7b29838ed9525489d871af2e7c3b5b7e6afb34f79fb2ad7ef0897f4b8ad52d887c4ab096a84e0
-
C:\Users\Admin\AppData\Local\Temp\140f9bf5-6656-4a2c-ad1c-a98c9081b0ca.vbsFilesize
707B
MD5bdc2c4cebd572734bb38ebe4918d0ffc
SHA196cd62fc13b0270b911c42e14412aa5c5f8f7449
SHA2565b53981e96f8f6f04b80a5c7fec657b8e092aa3e5ded5cba9e7df85f88754131
SHA51221ae3a947fb6364a3ee84fb60a66918846081b6e6e93b1ebff9489e9992f143221a430020df4e92ffa468e355eee4cfe20c7c8a169d8a766cbd42ee60b06781b
-
C:\Users\Admin\AppData\Local\Temp\c72b1245-e1e2-4c40-958b-21aa7df85902.vbsFilesize
708B
MD5ab2fcecf63be6f38bf4024d9e59cff2d
SHA13a394314acb4e75e49de1af98444a5ab1661a95a
SHA2561fa00e464374da22b111a791c8587e0500acdf640f62b87180ffb3006ec1a1b1
SHA5122fe862eed00174470c1ead31871f6a3ed17c9de8880243f70146acbd87d2dfcf69d39eb9556961276650a34000997ae7abd6d5fd9d088097d3a2758ec45b9167
-
C:\Users\Admin\AppData\Local\Temp\d096aae4-5c3e-41b7-92ec-932147c60f7d.vbsFilesize
708B
MD51c05cee77e4a7d626c4152794da154b0
SHA157410191af8f1eafd9425163e5d0c22f4f8ba8ea
SHA25657c4ee8f1d604f15c2f70ffc9ad0cf526bb27b040ca6e9c119c4ab845cb80e30
SHA512fa1689a49dd108b8953986d28f206e74eb316d6a8a09b1ab68c184dfa3604be998cd6f33d8ac0c021631a3ef368680aae20d77395039c6db75cad828438ee280
-
C:\Users\Admin\AppData\Local\Temp\d8e15704-1d8f-425d-987e-393a70840c7b.vbsFilesize
708B
MD5d97c412dca7077b6b56bb302816fc8d6
SHA1e2a30068251cb61eedcfced96f664ed4321cc5ee
SHA256aa5072f662f47f4f5a629f3166f0653bec4cb53dc8ae05489a81d7701112b802
SHA5125f1d3ddd2783bbc3f273cf2fbb3e78241449f3ca8deb408f03e70937b00da2b70df8ee5002fb77629c16cd87897ba395f27afc9d0ea457f8bcaf449ea82e9bf3
-
C:\Users\Admin\AppData\Local\Temp\e83737a4-8e01-469d-b073-20bb9a8804ef.vbsFilesize
708B
MD559dd3508e519fa1a8013b905e174ffb1
SHA1c9e0b98bff5c0a5c262973ba681717c7aac1b6bb
SHA256c1be38e88a60428513baa0ec2ef4a4e23f13333c99d3b3a770a56088c8dcad50
SHA512b851a3dc614f0b778de42edd1f03c9e640468bd8782626e3f21efe824c994b357247fcc2adc204bbdbb044eee4898a37a42c496c44b602e3d4b86d2413bd4b17
-
C:\Users\Admin\AppData\Local\Temp\f3d8bb28-9544-4d67-b79a-54403e34d04f.vbsFilesize
708B
MD507c0825cfb76d8707c80bc83bc66ca34
SHA1fe818ebedfb03feb8348804a1ad8c9f01b7751e3
SHA2562644bd89ecbeff73fd0e27f526e344633d5bef834b6cbdf2bac9657f47285fc1
SHA512902fcba04968a4221c854154975b55c1bd3c46d5d21960036253255e539bffb5c4786e3c5ac85f4ffa9bd757e10287a8771ad4d6c6835f4faf536998fd68b4e1
-
C:\Users\Admin\AppData\Local\Temp\fbe40291-5bb1-420f-8d41-6b97f6ada2bc.vbsFilesize
484B
MD50952383b37fc58c5ba161df787bc4852
SHA1b2414cd45ac288b28752409e7d9be4a60e09fc39
SHA2564ac5139bc536fc2246b19b3094d0f7365fb8111ac00d8f8318ecce6d87f5f43d
SHA51289f2bd0ec31060b6d6c247c2706ed6bfe0d9ad3bbfb0fcb9aaebea4af2ff71db69e433dfdfa3521827213c287c1afb40d077d04f60892842cca4965ba0817434
-
\BlockPortWinDhcp\Comref.exeFilesize
3.6MB
MD5020fcee4acad7e7412ad0f27501ae749
SHA14282618cca56b75eb3921653c5daa2137eaa5ffa
SHA25640ddad4ca2337022808328174ced0149caa955dcdf7a3b9eaf062818ffa43669
SHA512e6c6749f7b8a67a5acc4910ccb59931582cb929392f7647f51d7d133cec3980375edc7d56be4d5cbac0f1d0ab1e46204b46b7349980aedaeb5a680a745fd7f9f
-
memory/972-110-0x00000000002E0000-0x000000000068C000-memory.dmpFilesize
3.7MB
-
memory/1388-61-0x0000000001380000-0x000000000172C000-memory.dmpFilesize
3.7MB
-
memory/1388-63-0x00000000006B0000-0x00000000006C2000-memory.dmpFilesize
72KB
-
memory/1388-62-0x0000000000470000-0x00000000004C6000-memory.dmpFilesize
344KB
-
memory/1456-98-0x0000000000390000-0x000000000073C000-memory.dmpFilesize
3.7MB
-
memory/2660-134-0x00000000004F0000-0x0000000000502000-memory.dmpFilesize
72KB
-
memory/2944-86-0x0000000002240000-0x0000000002252000-memory.dmpFilesize
72KB
-
memory/2944-85-0x00000000002F0000-0x000000000069C000-memory.dmpFilesize
3.7MB
-
memory/2948-122-0x0000000000CF0000-0x000000000109C000-memory.dmpFilesize
3.7MB
-
memory/2976-22-0x00000000003A0000-0x00000000003B6000-memory.dmpFilesize
88KB
-
memory/2976-35-0x000000001AB90000-0x000000001AB9A000-memory.dmpFilesize
40KB
-
memory/2976-36-0x000000001ABA0000-0x000000001ABAC000-memory.dmpFilesize
48KB
-
memory/2976-34-0x0000000002620000-0x0000000002628000-memory.dmpFilesize
32KB
-
memory/2976-32-0x0000000000CC0000-0x0000000000CC8000-memory.dmpFilesize
32KB
-
memory/2976-33-0x0000000002610000-0x000000000261E000-memory.dmpFilesize
56KB
-
memory/2976-31-0x00000000006A0000-0x00000000006AE000-memory.dmpFilesize
56KB
-
memory/2976-30-0x00000000005A0000-0x00000000005AA000-memory.dmpFilesize
40KB
-
memory/2976-29-0x0000000000590000-0x0000000000598000-memory.dmpFilesize
32KB
-
memory/2976-27-0x0000000000570000-0x0000000000578000-memory.dmpFilesize
32KB
-
memory/2976-28-0x0000000000580000-0x0000000000588000-memory.dmpFilesize
32KB
-
memory/2976-26-0x00000000004C0000-0x00000000004D2000-memory.dmpFilesize
72KB
-
memory/2976-25-0x0000000000430000-0x000000000043C000-memory.dmpFilesize
48KB
-
memory/2976-24-0x00000000003E0000-0x0000000000436000-memory.dmpFilesize
344KB
-
memory/2976-23-0x00000000003C0000-0x00000000003CA000-memory.dmpFilesize
40KB
-
memory/2976-21-0x0000000000170000-0x0000000000178000-memory.dmpFilesize
32KB
-
memory/2976-20-0x0000000000150000-0x000000000016C000-memory.dmpFilesize
112KB
-
memory/2976-19-0x0000000000140000-0x000000000014E000-memory.dmpFilesize
56KB
-
memory/2976-18-0x0000000000D50000-0x00000000010FC000-memory.dmpFilesize
3.7MB