Analysis
max time kernel: 1740s
max time network: 1788s
platform: windows7_x64
resource: win7v20201028
submitted: 08-12-2020 15:24
Static task: static1
Behavioral task: behavioral1
Sample: Password_Recovery.doc
Resource: win7v20201028
General
Target: Password_Recovery.doc
Size: 161KB
MD5: 21d18d229d6774e235ead04adf578217
SHA1: 7c48f714185a73eb6f5f791bb5573e0bea4d13ad
SHA256: 5a4181ad51b08e58df1353614fffd6898f1c45f2350b679dbf73f18a38fa3204
SHA512: eb44a7cab05f6c34ace776e29006d5556a6a125155c8be28386933a413fe56129dc5b34a82f60f4e291ee43f03cb15b43b5b6307eb1a11a8b8e2fea8a977da02
Malware Config
Extracted: metasploit
Payload: windows/reverse_tcp
C2: 3.17.7.232:17405
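The extracted config above (windows/reverse_tcp, 3.17.7.232:17405) is what a sandbox's Metasploit parser recovers from the immediates the stager pushes to build its sockaddr_in. The following is an added example, not part of this report and not the sandbox's own extractor: a small Python extractor for the same two fields. It assumes the stager is sitting unencoded in the data it scans and relies on the layout of Metasploit's x86 and x64 reverse_tcp stagers (`push <ip>; push <AF_INET|port>` on x86, `mov r12, <imm64>` on x64); the input it runs on is a constructed fragment carrying the report's C2 values, not a dump taken from this analysis.

```python
import re
import socket
import struct

# Layout of the sockaddr_in immediates in Metasploit's reverse_tcp stagers
# (block_reverse_tcp.asm; assumption: the stager is unencoded in the input):
#   x86:  push <ip as 4 bytes>    -> 68 a b c d
#         push <AF_INET | port>   -> 68 02 00 hi lo      (port big-endian)
#   x64:  mov r12, <qword>        -> 49 BC 02 00 hi lo a b c d
X86_REVERSE_TCP = re.compile(rb"\x68(?P<ip>.{4})\x68\x02\x00(?P<port>.{2})", re.DOTALL)
X64_REVERSE_TCP = re.compile(rb"\x49\xbc\x02\x00(?P<port>.{2})(?P<ip>.{4})", re.DOTALL)


def extract_reverse_tcp(blob: bytes) -> list:
    """Return every plausible reverse_tcp host:port found in the blob."""
    hits = []
    for arch, pattern in (("x86", X86_REVERSE_TCP), ("x64", X64_REVERSE_TCP)):
        for m in pattern.finditer(blob):
            host = socket.inet_ntoa(m.group("ip"))
            port = struct.unpack(">H", m.group("port"))[0]
            # Drop the obvious false positives the byte pattern alone lets through.
            if port == 0 or host.startswith("0."):
                continue
            hits.append({"arch": arch, "host": host, "port": port, "offset": m.start()})
    return hits


def build_stager_fragment(host: str, port: int, arch: str) -> bytes:
    """Constructed test input: just the immediates with filler around them,
    not a real stager, so the example runs offline."""
    ip = socket.inet_aton(host)
    port_be = struct.pack(">H", port)
    if arch == "x86":
        body = b"\x68" + ip + b"\x68\x02\x00" + port_be + b"\x89\xe6"  # mov esi, esp
    else:
        body = b"\x49\xbc\x02\x00" + port_be + ip + b"\x41\x54"        # push r12
    return b"\x90" * 8 + body + b"\xcc" * 8


if __name__ == "__main__":
    for arch in ("x86", "x64"):
        for hit in extract_reverse_tcp(build_stager_fragment("3.17.7.232", 17405, arch)):
            print(f"{hit['arch']} reverse_tcp -> {hit['host']}:{hit['port']} at offset {hit['offset']}")
```

Run `extract_reverse_tcp` over a memory dump of the dropped svchost.exe (pid 604 in this report) or over the shellcode cut out of the document. An msfvenom encoder (shikata_ga_nai and the like) hides these immediates until the stager has decoded itself, so a dump taken after the payload has run is the more reliable source than the on-disk bytes.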
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
604 | svchost.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
1560 | cmd.exe
1560 | cmd.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\nBUOiUrUetKxT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vYxjhYcGK.vbs" | svchost.exe
-
Drops file in System32 directory 21 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5df55dd2-70de-464b-a063-8f427d57093c | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9bac7c35-ffad-4fae-a0b6-cfa33fe08a65 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8f9a594b-d232-44ec-9238-2876a085704e | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7ed40230-319c-40a0-985f-a4d97e6e68d0 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ba30c8fe-4ea9-47dd-bb69-ec9fdc1e0427 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_985f9388-4a1c-4e0d-8706-b38d511a8ff7 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_266cb6ac-a82f-43d1-a787-f5aff7323218 | powershell.exe
File opened for modification | C:\Windows\system32\csvwvr.exe | cmd.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_eecc82e5-f2ea-45ca-81b3-bcb7ceb32639 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7479a4b0-3992-413f-90dd-9be4453c1641 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d08d477f-1519-44cf-b1bd-19b2686bfdb6 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fc15c89-c8f3-4ef0-8bd3-9642364a0fed | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a0283a92-232a-4ec4-81ef-d8a6085fbc0c | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c6b713d7-72b2-4007-af21-6faa758ecf08 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6744f1f8-8095-42ce-9964-db35471b75f5 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6b218b08-911b-4871-9158-f78e1830e08c | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_be73a89f-7e35-48e1-8024-f87369fe62a6 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5ea39c10-8a7e-4ffa-8f6c-33b15bed8393 | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d9916baa-9dc5-4042-b312-9a9f550f335f | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ebf3fc7-0bec-4124-a1a6-672d3391c0e9 | powershell.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
240 | ipconfig.exe
-
Launches Equation Editor 1 TTPs 2 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Processes:
pid | process
1708 | EQNEDT32.EXE
1636 | EQNEDT32.EXE
-
Modifies Internet Explorer settings 9 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
-
Modifies data under HKEY_USERS 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e07893ac77cdd601 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Calc | calc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Calc\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff4b0000004b0000006b030000a3020000 | calc.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1080 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
944 | powershell.exe
944 | powershell.exe
332 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
Processes:
description | pid | process
Token: SeAssignPrimaryTokenPrivilege | 604 | svchost.exe
Token: SeAuditPrivilege | 604 | svchost.exe
Token: SeBackupPrivilege | 604 | svchost.exe
Token: SeChangeNotifyPrivilege | 604 | svchost.exe
Token: SeCreateGlobalPrivilege | 604 | svchost.exe
Token: SeCreatePagefilePrivilege | 604 | svchost.exe
Token: SeCreatePermanentPrivilege | 604 | svchost.exe
Token: 35 | 604 | svchost.exe
Token: SeCreateTokenPrivilege | 604 | svchost.exe
Token: SeDebugPrivilege | 604 | svchost.exe
Token: SeEnableDelegationPrivilege | 604 | svchost.exe
Token: SeImpersonatePrivilege | 604 | svchost.exe
Token: SeIncBasePriorityPrivilege | 604 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 604 | svchost.exe
Token: 33 | 604 | svchost.exe
Token: SeLoadDriverPrivilege | 604 | svchost.exe
Token: SeLockMemoryPrivilege | 604 | svchost.exe
Token: SeMachineAccountPrivilege | 604 | svchost.exe
Token: SeManageVolumePrivilege | 604 | svchost.exe
Token: SeProfSingleProcessPrivilege | 604 | svchost.exe
Token: 32 | 604 | svchost.exe
Token: SeRemoteShutdownPrivilege | 604 | svchost.exe
Token: SeRestorePrivilege | 604 | svchost.exe
Token: SeSecurityPrivilege | 604 | svchost.exe
Token: SeShutdownPrivilege | 604 | svchost.exe
Token: SeSyncAgentPrivilege | 604 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 604 | svchost.exe
Token: SeSystemProfilePrivilege | 604 | svchost.exe
Token: SeSystemtimePrivilege | 604 | svchost.exe
Token: SeTakeOwnershipPrivilege | 604 | svchost.exe
Token: SeTcbPrivilege | 604 | svchost.exe
Token: 34 | 604 | svchost.exe
Token: 31 | 604 | svchost.exe
Token: SeUndockPrivilege | 604 | svchost.exe
Token: 0 | 604 | svchost.exe
Token: SeDebugPrivilege | 944 | powershell.exe
Token: SeDebugPrivilege | 332 | powershell.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1080 | WINWORD.EXE
1080 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes:
description | pid | process | target process
PID 1636 wrote to memory of 1560 | 1636 | EQNEDT32.EXE | cmd.exe
PID 1636 wrote to memory of 1560 | 1636 | EQNEDT32.EXE | cmd.exe
PID 1636 wrote to memory of 1560 | 1636 | EQNEDT32.EXE | cmd.exe
PID 1636 wrote to memory of 1560 | 1636 | EQNEDT32.EXE | cmd.exe
PID 1560 wrote to memory of 604 | 1560 | cmd.exe | svchost.exe
PID 1560 wrote to memory of 604 | 1560 | cmd.exe | svchost.exe
PID 1560 wrote to memory of 604 | 1560 | cmd.exe | svchost.exe
PID 1560 wrote to memory of 604 | 1560 | cmd.exe | svchost.exe
PID 268 wrote to memory of 944 | 268 | cmd.exe | powershell.exe
PID 268 wrote to memory of 944 | 268 | cmd.exe | powershell.exe
PID 268 wrote to memory of 944 | 268 | cmd.exe | powershell.exe
PID 1840 wrote to memory of 1988 | 1840 | cmd.exe | svchost.exe
PID 1840 wrote to memory of 1988 | 1840 | cmd.exe | svchost.exe
PID 1840 wrote to memory of 1988 | 1840 | cmd.exe | svchost.exe
PID 896 wrote to memory of 548 | 896 | cmd.exe | PING.EXE
PID 896 wrote to memory of 548 | 896 | cmd.exe | PING.EXE
PID 896 wrote to memory of 548 | 896 | cmd.exe | PING.EXE
PID 896 wrote to memory of 240 | 896 | cmd.exe | ipconfig.exe
PID 896 wrote to memory of 240 | 896 | cmd.exe | ipconfig.exe
PID 896 wrote to memory of 240 | 896 | cmd.exe | ipconfig.exe
PID 896 wrote to memory of 1392 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 1392 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 1392 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 960 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 960 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 960 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 1000 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 1000 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 1000 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 1636 | 896 | cmd.exe | conhost.exe
PID 896 wrote to memory of 1636 | 896 | cmd.exe | conhost.exe
PID 896 wrote to memory of 1636 | 896 | cmd.exe | conhost.exe
PID 896 wrote to memory of 332 | 896 | cmd.exe | powershell.exe
PID 896 wrote to memory of 332 | 896 | cmd.exe | powershell.exe
PID 896 wrote to memory of 332 | 896 | cmd.exe | powershell.exe
PID 896 wrote to memory of 1948 | 896 | cmd.exe | svchost.exe
PID 896 wrote to memory of 1948 | 896 | cmd.exe | svchost.exe
PID 896 wrote to memory of 1948 | 896 | cmd.exe | svchost.exe
PID 896 wrote to memory of 1692 | 896 | cmd.exe | calc.exe
PID 896 wrote to memory of 1692 | 896 | cmd.exe | calc.exe
PID 896 wrote to memory of 1692 | 896 | cmd.exe | calc.exe
PID 1584 wrote to memory of 1744 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1744 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1744 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1752 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1752 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1752 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1076 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1076 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1076 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 240 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 240 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 240 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1576 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1576 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 1576 | 1584 | cmd.exe | cmd.exe
PID 1584 wrote to memory of 916 | 1584 | cmd.exe | runas.exe
PID 1584 wrote to memory of 916 | 1584 | cmd.exe | runas.exe
PID 1584 wrote to memory of 916 | 1584 | cmd.exe | runas.exe
PID 1584 wrote to memory of 1796 | 1584 | cmd.exe | runas.exe
PID 1584 wrote to memory of 1796 | 1584 | cmd.exe | runas.exe
PID 1584 wrote to memory of 1796 | 1584 | cmd.exe | runas.exe
Processes
[1] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Password_Recovery.doc"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Launches Equation Editor
[1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    - Launches Equation Editor
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd.exe /c%tmp%\svchost.exe AC
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\svchost.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\svchost.exe AC
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\svchost.exe
            cmdline: svchost.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe
          - Drops file in System32 directory
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\PING.EXE
            cmdline: ping 127.0.0.1
            - Runs ping.exe
        [5] C:\Windows\system32\ipconfig.exe
            cmdline: ipconfig
            - Gathers network information
        [5] C:\Windows\system32\reg.exe
            cmdline: reg
        [5] C:\Windows\system32\reg.exe
            cmdline: reg /?
        [5] C:\Windows\system32\reg.exe
            cmdline: REG DELETE *.*
        [5] C:\Windows\system32\conhost.exe
            cmdline: conhost.exe
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell.exe
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\svchost.exe
            cmdline: svchost.exe
        [5] C:\Windows\system32\calc.exe
            cmdline: calc.exe
            - Modifies data under HKEY_USERS
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe
      [4] C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\cmd.exe
            cmdline: cmd.exe
        [5] C:\Windows\system32\cmd.exe
            cmdline: cmd.exe
        [5] C:\Windows\system32\cmd.exe
            cmdline: cmd.exe
        [5] C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /K test.bat
        [5] C:\Windows\system32\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /K test.bat
        [5] C:\Windows\system32\runas.exe
            cmdline: runas /h
        [5] C:\Windows\system32\runas.exe
            cmdline: runas cmd.exe
[1] C:\Windows\system32\cmd.exe
    cmdline: cmd.exe /c echo gecizp > \\.\pipe\gecizp
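The signatures and the process tree above give four behaviours worth turning into detections: Equation Editor (EQNEDT32.EXE) spawning cmd.exe, a binary named svchost.exe executing from %TEMP%, a Run key pointing at a .vbs in %TEMP%, and the `cmd.exe /c echo gecizp > \\.\pipe\gecizp` child at the root of the tree (the client half of Metasploit's named-pipe impersonation technique, a known pattern and not something this report states). The following is an added example, not part of this report: Python detection logic that runs those checks over constructed process-creation and registry events mirroring the report's pids and paths. The parent images and the benign C:\Windows\System32\svchost.exe row (pid 700) are assumptions made for the example; EQNEDT32.EXE is launched through DCOM, so its parent is an svchost.exe rather than WINWORD.EXE, which is why the sandbox shows it at the root and why the rule keys on EQNEDT32.EXE as the parent.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
# Names that only run legitimately from the system directories.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
# "cmd.exe /c echo <x> > \\.\pipe\<x>": the client side of named-pipe impersonation.
NAMED_PIPE_ECHO = re.compile(r"echo\s+(\S+)\s*>\s*\\\\\.\\pipe\\(\S+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: Optional[int]
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> List[Finding]:
    """Rules over one process-creation event (pid, image, parent_image, cmdline)."""
    out: List[Finding] = []
    image = ev["image"].lower()
    name = _basename(image)
    parent = _basename(ev.get("parent_image", ""))
    cmdline = ev.get("cmdline", "")
    # Equation Editor has no business starting children. It is itself started by
    # DCOM (parent: an svchost.exe), so key on it as the parent, not on WINWORD.EXE.
    if parent == "eqnedt32.exe":
        out.append(Finding("equation_editor_child_process", ev["pid"], f"{parent} -> {name}: {cmdline}"))
    # A system-binary name running outside System32/SysWOW64 is masquerading.
    if name in SYSTEM_BINARY_NAMES and not image.startswith(SYSTEM_DIRS):
        out.append(Finding("system_binary_outside_system_dir", ev["pid"], image))
    m = NAMED_PIPE_ECHO.search(cmdline)
    if m and m.group(1).lower() == m.group(2).lower():
        out.append(Finding("named_pipe_echo_impersonation", ev["pid"], cmdline))
    return out


def check_registry(ev: dict) -> List[Finding]:
    """Flag Run-key values whose data points into a user-writable directory."""
    key, data = ev["key"].lower(), ev.get("data", "").lower()
    if RUN_KEY in key and any(frag in data for frag in USER_WRITABLE):
        return [Finding("run_key_to_user_writable_path", ev.get("pid"), f"{ev['key']} = {ev.get('data')}")]
    return []


def analyze(events) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "registry":
            findings.extend(check_registry(ev))
    return findings


# Constructed events mirroring the report's tree and Run-key IoC. Pids 1636, 1560
# and 604 follow the report; parent images and the benign pid 700 row are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1636, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"type": "process", "pid": 1560, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r"cmd.exe /c%tmp%\svchost.exe AC"},
    {"type": "process", "pid": 604, "image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe AC"},
    {"type": "process", "pid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "registry", "pid": 604,
     "key": r"\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\nBUOiUrUetKxT",
     "data": r"C:\Users\Admin\AppData\Local\Temp\vYxjhYcGK.vbs"},
    {"type": "process", "pid": 1900, "image": r"C:\Windows\System32\cmd.exe", "parent_image": "",
     "cmdline": r"cmd.exe /c echo gecizp > \\.\pipe\gecizp"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

To use this on real telemetry, map Sysmon event 1 (process create) and events 12/13 (registry) or the equivalent EDR fields onto the `image`, `parent_image`, `cmdline`, `key` and `data` keys; the rules need only those fields. The masquerading rule deliberately checks the full image path rather than the parent, because the dropped svchost.exe here has an ordinary cmd.exe parent and would pass a parent-only check.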
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\svchost.exe
  MD5: f028af90d27f82513bca2ca140435b2a
  SHA1: d3725f56a5b3c02db8100e315319ca35b6f200cc
  SHA256: 22cf28f589cbc3b2a381906a5d162b6e2b4f43ae5decc1c248dba444e1b65e62
  SHA512: 0ff38a544510ff23cbab0caedf051a8466d6f06f851a76e72dca6d83a6b5e0f8b49e8cd6d6a434f9b28932b052bce7ecafeb05abd9d1b898df432473bc742454
C:\Users\Admin\Desktop\test.bat
  MD5: afc3ba125d6a73ebd49f62b4100ae9db
  SHA1: f5721c6b88eb4e38645f0abaaa6f9ebb2b3ab93c
  SHA256: 0c2ec8ec3a1f9ead9b2b50c6d2884a0f84b5d538ea1c72e20d08793213c4bbb3
  SHA512: 7980afcc1d4835b3c78470a688c31ed633b46fe5e2c8793ef3f713c15e2b9be7c7ccfd811ccb442119482b0920cfa6fb447753d9e27493cd0d7d225dd8f2d395
C:\test.bat
  MD5: 6db0c623da97ebd70852685cbf988a0c
  SHA1: 8d400ed92604507d295ad11634043ea0647a4765
  SHA256: 32ac0564956ac33bf66fdd9ca143ff71d72a2dc57393f1b1486549d6ec48f872
  SHA512: 70e24f8f2270aed29ea4fdbdefbf25a1188eda77937f2582fb5cff27bb03c8bda4496f878e501152516880e1347c84aa07c0831c24ef720b7b328c4ca4d2974e
\Users\Admin\AppData\Local\Temp\svchost.exe
  MD5: f028af90d27f82513bca2ca140435b2a
  SHA1: d3725f56a5b3c02db8100e315319ca35b6f200cc
  SHA256: 22cf28f589cbc3b2a381906a5d162b6e2b4f43ae5decc1c248dba444e1b65e62
  SHA512: 0ff38a544510ff23cbab0caedf051a8466d6f06f851a76e72dca6d83a6b5e0f8b49e8cd6d6a434f9b28932b052bce7ecafeb05abd9d1b898df432473bc742454
-
memory/240-18-0x0000000000000000-mapping.dmp
memory/240-84-0x0000000000000000-mapping.dmp
memory/240-83-0x0000000000000000-mapping.dmp
memory/332-56-0x0000000002860000-0x0000000002861000-memory.dmp (4KB)
memory/332-41-0x00000000025C0000-0x00000000025C1000-memory.dmp (4KB)
memory/332-57-0x000000001A910000-0x000000001A911000-memory.dmp (4KB)
memory/332-38-0x0000000002400000-0x0000000002401000-memory.dmp (4KB)
memory/332-49-0x000000001B690000-0x000000001B691000-memory.dmp (4KB)
memory/332-72-0x0000000002360000-0x0000000002361000-memory.dmp (4KB)
memory/332-48-0x00000000027A0000-0x00000000027A1000-memory.dmp (4KB)
memory/332-71-0x0000000001EA0000-0x0000000001EA1000-memory.dmp (4KB)
memory/332-40-0x0000000002470000-0x0000000002471000-memory.dmp (4KB)
memory/332-39-0x0000000002450000-0x0000000002451000-memory.dmp (4KB)
memory/332-23-0x0000000000000000-mapping.dmp
memory/332-24-0x0000000000000000-mapping.dmp
memory/332-25-0x000007FEF5940000-0x000007FEF632C000-memory.dmp (9.9MB)
memory/332-32-0x0000000002760000-0x0000000002761000-memory.dmp (4KB)
memory/332-37-0x00000000023F0000-0x00000000023F1000-memory.dmp (4KB)
memory/548-17-0x0000000000000000-mapping.dmp
memory/604-6-0x0000000000000000-mapping.dmp
memory/916-89-0x0000000000000000-mapping.dmp
memory/944-12-0x0000000001C70000-0x0000000001C71000-memory.dmp (4KB)
memory/944-10-0x0000000000000000-mapping.dmp
memory/944-15-0x0000000002030000-0x0000000002031000-memory.dmp (4KB)
memory/944-14-0x0000000001F20000-0x0000000001F21000-memory.dmp (4KB)
memory/944-13-0x000000001ABB0000-0x000000001ABB1000-memory.dmp (4KB)
memory/944-11-0x000007FEF5940000-0x000007FEF632C000-memory.dmp (9.9MB)
memory/960-20-0x0000000000000000-mapping.dmp
memory/1000-21-0x0000000000000000-mapping.dmp
memory/1076-82-0x0000000000000000-mapping.dmp
memory/1076-81-0x0000000000000000-mapping.dmp
memory/1392-19-0x0000000000000000-mapping.dmp
memory/1560-2-0x0000000000000000-mapping.dmp
memory/1576-86-0x0000000000000000-mapping.dmp
memory/1576-87-0x0000000000000000-mapping.dmp
memory/1636-22-0x0000000000000000-mapping.dmp
memory/1692-76-0x0000000000000000-mapping.dmp
memory/1692-75-0x0000000000000000-mapping.dmp
memory/1744-78-0x0000000000000000-mapping.dmp
memory/1744-77-0x0000000000000000-mapping.dmp
memory/1752-79-0x0000000000000000-mapping.dmp
memory/1752-80-0x0000000000000000-mapping.dmp
memory/1796-90-0x0000000000000000-mapping.dmp
memory/1948-73-0x0000000000000000-mapping.dmp
memory/1948-74-0x0000000000000000-mapping.dmp
memory/1988-16-0x0000000000000000-mapping.dmp