Analysis
- max time kernel: 141s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 07-05-2021 11:09
Static task: static1
Behavioral task: behavioral1
- Sample: 64.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 64.exe
- Resource: win10v20210410
General
- Target: 64.exe
- Size: 1.6MB
- MD5: 2510bc30669edc05f9aeb06f5c92bed2
- SHA1: 3ac2a1e223d74323c18c9d4788ec3195c382dc64
- SHA256: 428280c60495d98bb323401c877783e641d21f649684fbacbb29bc8067bf6635
- SHA512: 9140358e8b8587b415ef65f0f13005920cf98ea3e98bf984aded7e1a10408b9a7f8bb4bde22de5e698f6ec3bf9d32abca849194e0b1c9daa8cb08961d03bddfb
Malware Config
Signatures
-
Executes dropped EXE 9 IoCs
Processes:
pid | process
2140 | dxdiag.exe
2764 | svchost.exe
2700 | svchost.exe
4060 | svchost.exe
3796 | svchost.exe
3692 | svchost.exe
2088 | svchost.exe
2148 | svchost.exe
2764 | svchost.exe
-
Stops running service(s) 3 TTPs
-
Drops file in Windows directory 39 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Fonts\Ms\Eter.exe | 64.exe
File created | C:\Windows\Fonts\Ms\puls.exe | 64.exe
File created | C:\Windows\Help\dxdiag.exe | 64.exe
File created | C:\Windows\Fonts\Ms\svchost.exe | 64.exe
File created | C:\Windows\Fonts\Ms\wget.exe | 64.exe
File created | C:\Windows\Fonts\Ms\cnli-1.dll | 64.exe
File created | C:\Windows\Fonts\Ms\crli-0.dll | 64.exe
File created | C:\Windows\Fonts\Ms\exma-1.dll | 64.exe
File created | C:\Windows\Fonts\Ms\trfo-2.dll | 64.exe
File created | C:\Windows\Fonts\Ms\cm.bat | 64.exe
File created | C:\Windows\Fonts\Ms\tich-1.dll | 64.exe
File created | C:\Windows\Fonts\Ms\xdvl-0.dll | 64.exe
File created | C:\Windows\svchost.exe | dxdiag.exe
File created | C:\Windows\Fonts\Ms\Eter.xml | 64.exe
File created | C:\Windows\Fonts\Ms\libeay32.dll | 64.exe
File created | C:\Windows\Fonts\Ms\NansHou.dll | 64.exe
File created | C:\Windows\Fonts\Ms\tufo-2.dll | 64.exe
File created | C:\Windows\Fonts\Ms\lb.bat | 64.exe
File created | C:\Windows\Fonts\Ms\mance.xml | 64.exe
File created | C:\Windows\Fonts\Ms\taskhost.exe | 64.exe
File created | C:\Windows\Fonts\Ms\trch-1.dll | 64.exe
File created | C:\Windows\Fonts\Ms\dmgd-4.dll | 64.exe
File created | C:\Windows\Fonts\Ms\libxml2.dll | 64.exe
File created | C:\Windows\Fonts\Ms\tucl-1.dll | 64.exe
File created | C:\Windows\Fonts\Ms\any.bat | 64.exe
File created | C:\Windows\Fonts\Ms\tibe-2.dll | 64.exe
File created | C:\Windows\Fonts\Ms\ucl.dll | 64.exe
File created | C:\Windows\Fonts\Ms\ld.bat | 64.exe
File created | C:\Windows\Fonts\Ms\neibu.bat | 64.exe
File created | C:\Windows\Fonts\Ms\puls.xml | 64.exe
File created | C:\Windows\Fonts\Ms\p.txt | 64.exe
File created | C:\Windows\Fonts\Ms\Eter.dll | 64.exe
File created | C:\Windows\Fonts\Ms\posh-0.dll | 64.exe
File created | C:\Windows\Fonts\Ms\zlib1.dll | 64.exe
File opened for modification | C:\Windows\svchost.exe | dxdiag.exe
File created | C:\Windows\Fonts\Ms\mance.exe | 64.exe
File created | C:\Windows\Fonts\Ms\coli-0.dll | 64.exe
File created | C:\Windows\Fonts\Ms\Doubl.dll | 64.exe
File created | C:\Windows\Fonts\Ms\ssleay32.dll | 64.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
3096 | schtasks.exe
1556 | schtasks.exe
-
Kills process with taskkill 9 IoCs
Processes:
pid | process
3796 | taskkill.exe
2596 | taskkill.exe
2112 | taskkill.exe
2980 | taskkill.exe
2692 | taskkill.exe
3888 | taskkill.exe
2756 | taskkill.exe
848 | taskkill.exe
3544 | taskkill.exe
-
Runs net.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
3692 | svchost.exe (listed 14 times)
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3544 | taskkill.exe
Token: SeDebugPrivilege | 2980 | taskkill.exe
Token: SeDebugPrivilege | 2112 | taskkill.exe
Token: SeDebugPrivilege | 2692 | taskkill.exe
Token: SeDebugPrivilege | 3796 | taskkill.exe
Token: SeDebugPrivilege | 3888 | taskkill.exe
Token: SeDebugPrivilege | 2756 | taskkill.exe
Token: SeDebugPrivilege | 848 | taskkill.exe
Token: SeDebugPrivilege | 2596 | taskkill.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2140 | dxdiag.exe
4060 | svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each row below was listed three times, except the last, which was listed once.
description | pid | process | target process
PID 4084 wrote to memory of 2140 | 4084 | 64.exe | dxdiag.exe
PID 4084 wrote to memory of 2388 | 4084 | 64.exe | cmd.exe
PID 2388 wrote to memory of 2764 | 2388 | cmd.exe | svchost.exe
PID 2388 wrote to memory of 2700 | 2388 | cmd.exe | svchost.exe
PID 2388 wrote to memory of 488 | 2388 | cmd.exe | sc.exe
PID 2388 wrote to memory of 3796 | 2388 | cmd.exe | svchost.exe
PID 3692 wrote to memory of 4088 | 3692 | svchost.exe | cmd.exe
PID 2388 wrote to memory of 3120 | 2388 | cmd.exe | net.exe
PID 3120 wrote to memory of 1052 | 3120 | net.exe | net1.exe
PID 2388 wrote to memory of 1492 | 2388 | cmd.exe | net.exe
PID 1492 wrote to memory of 3968 | 1492 | net.exe | net1.exe
PID 2388 wrote to memory of 2088 | 2388 | cmd.exe | svchost.exe
PID 2388 wrote to memory of 2148 | 2388 | cmd.exe | svchost.exe
PID 2388 wrote to memory of 3516 | 2388 | cmd.exe | sc.exe
PID 2388 wrote to memory of 2764 | 2388 | cmd.exe | PING.EXE
PID 3692 wrote to memory of 4004 | 3692 | svchost.exe | cmd.exe
PID 2388 wrote to memory of 3052 | 2388 | cmd.exe | cmd.exe
PID 2388 wrote to memory of 1556 | 2388 | cmd.exe | schtasks.exe
PID 2388 wrote to memory of 1368 | 2388 | cmd.exe | attrib.exe
PID 2388 wrote to memory of 1052 | 2388 | cmd.exe | attrib.exe
PID 2388 wrote to memory of 3120 | 2388 | cmd.exe | cmd.exe
PID 2388 wrote to memory of 3856 | 2388 | cmd.exe | cacls.exe
-
Views/modifies file attributes 1 TTPs 6 IoCs
Processes:
pid | process
848 | attrib.exe
2220 | attrib.exe
1368 | attrib.exe
1052 | attrib.exe
1052 | attrib.exe
2360 | attrib.exe
Processes
Each entry below reads: tree depth | image path | command line.
-
depth 1 | C:\Users\Admin\AppData\Local\Temp\64.exe | "C:\Users\Admin\AppData\Local\Temp\64.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
depth 2 | C:\Windows\Help\dxdiag.exe | "C:\Windows\Help\dxdiag.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
depth 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\any.bat" "
- Suspicious use of WriteProcessMemory
-
depth 3 | C:\Windows\Fonts\Ms\svchost.exe | svchost install MSSQLD "C:\Windows\Fonts\Ms\cm.bat"
- Executes dropped EXE
-
depth 3 | C:\Windows\Fonts\Ms\svchost.exe | svchost install "MSSQLD" C:\Windows\Fonts\Ms\cm.bat
- Executes dropped EXE
-
depth 3 | C:\Windows\SysWOW64\sc.exe | sc config "MSSQLD" start= AUTO
-
depth 3 | C:\Windows\Fonts\Ms\svchost.exe | svchost start "MSSQLD"
- Executes dropped EXE
-
depth 3 | C:\Windows\SysWOW64\net.exe | net start "MSSQLD"
- Suspicious use of WriteProcessMemory
-
depth 4 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start "MSSQLD"
-
depth 3 | C:\Windows\SysWOW64\net.exe | net stop "MicrosoftMsql"
- Suspicious use of WriteProcessMemory
-
depth 4 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "MicrosoftMsql"
-
depth 3 | C:\Windows\Fonts\Ms\svchost.exe | svchost stop "MicrosoftMsql"
- Executes dropped EXE
-
depth 3 | C:\Windows\Fonts\Ms\svchost.exe | svchost remove "MicrosoftMsql" confirm
- Executes dropped EXE
-
depth 3 | C:\Windows\SysWOW64\sc.exe | sc delete "MicrosoftMsql"
-
depth 3 | C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 3
- Runs ping.exe
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\schtasks.exe | schtasks /create /TN "At8" /TR "C:\Windows\Fonts\Ms\neibu.bat" /SC daily /ST 10:40:00 /RU SYSTEM
- Creates scheduled task(s)
-
depth 3 | C:\Windows\SysWOW64\attrib.exe | attrib -h -s -r C:\windows\tasks\At*.job
- Views/modifies file attributes
-
depth 3 | C:\Windows\SysWOW64\attrib.exe | attrib -h -s -r C:\Windows\System32\Tasks\At*
- Views/modifies file attributes
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\windows\tasks\At6.job /c /e /t /g system:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\windows\tasks\At6.job /c /e /t /g everyone:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\Tasks\At6 /c /e /t /g system:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\Tasks\At* /c /e /t /g everyone:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\windows\tasks\At6.job /c /e /t /g system:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\windows\tasks\At6.job /c /e /t /g everyone:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\Tasks\At6 /c /e /t /g system:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\Tasks\At6 /c /e /t /g everyone:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\Tasks /c /e /t /g system:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\Tasks /c /e /t /g everyone:F
-
depth 3 | C:\Windows\SysWOW64\net.exe | net start schedule
-
depth 4 | C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 start schedule
-
depth 3 | C:\Windows\SysWOW64\sc.exe | sc start schedule
-
depth 3 | C:\Windows\Fonts\Ms\svchost.exe | svchost start schedule
- Executes dropped EXE
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\schtasks.exe | schtasks /create /TN "At8" /TR "C:\Windows\Fonts\Ms\neibu.bat" /SC daily /ST 10:40:00 /RU SYSTEM
- Creates scheduled task(s)
-
depth 3 | C:\Windows\SysWOW64\attrib.exe | attrib -r C:\windows\tasks\At*.job
- Views/modifies file attributes
-
depth 3 | C:\Windows\SysWOW64\attrib.exe | attrib -r C:\Windows\System32\Tasks\At*
- Views/modifies file attributes
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\windows\tasks\At8.job /c /e /t /g system:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\windows\tasks\At8.job /c /e /t /g everyone:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\Tasks\At8 /c /e /t /g system:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\System32\Tasks\At8 /c /e /t /g everyone:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\Fonts\Msql\*.* /c /e /t /g everyone:F
-
depth 3 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y"
-
depth 3 | C:\Windows\SysWOW64\cacls.exe | cacls C:\Windows\Fonts\Msql\*.* /c /e /t /g system:F
-
depth 3 | C:\Windows\SysWOW64\attrib.exe | attrib -h -s -r C:\Windows\Fonts\Msql\*.*
- Views/modifies file attributes
-
depth 3 | C:\Windows\SysWOW64\attrib.exe | attrib -h -s -r C:\Windows\Fonts\Msql
- Views/modifies file attributes
-
depth 3 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im ss.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 32.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im c32.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im c64.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im 64.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im service.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im ll.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im ql.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 3 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im taskmgr.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
depth 1 | C:\Windows\svchost.exe | C:\Windows\svchost.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
depth 1 | C:\Windows\Fonts\Ms\svchost.exe | C:\Windows\Fonts\Ms\svchost.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
depth 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "
-
depth 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "
-
depth 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "
-
depth 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "
-
depth 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "
-
depth 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "
-
depth 2 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\Ms\cm.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads