Analysis
- max time kernel: 188s
- max time network: 183s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 04:20

Static task: static1

Behavioral task: behavioral1
- Sample: hesaphareketi000,pdf.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: hesaphareketi000,pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: hesaphareketi000,pdf.exe
- Size: 938KB
- MD5: 1d77691991b358cddb9e88b28380b124
- SHA1: e815d27cdf5fde77c3ac60388408bb27304dc75a
- SHA256: a9892834c6f030fd7a292b213a39270e2fc991b6c9287fff73b540dd2b36e290
- SHA512: 6660827d12b5e21f9116ea5cbf48e484e95c3fdc41969a3a9e78677c29c36768f8652656c126007814db8d27d242d7bc748ece8a26f179da24a57036048fdc0b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.slbdc-lk.org
- Port: 587
- Username: [email protected]
- Password: finance2017
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: explorer.exe, svchost.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" (svchost.exe)

Modifies visibility of hidden/system files in Explorer (2 TTPs)
AgentTesla Payload (1 IoCs)
- Resource: behavioral2/memory/2192-182-0x0000000000400000-0x000000000044C000-memory.dmp, YARA rule: family_agenttesla

Executes dropped EXE (8 IoCs)
Processes (PID, process):
- 3336 hesaphareketi000,pdf.exe
- 4772 icsys.icn.exe
- 4908 explorer.exe
- 4528 spoolsv.exe
- 4972 svchost.exe
- 4700 spoolsv.exe
- 2852 app.exe
- 2192 RegAsm.exe

Modifies Installed Components in the registry (2 TTPs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: hesaphareketi000,pdf.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (hesaphareketi000,pdf.exe)

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes: reg.exe, explorer.exe, svchost.exe
- Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\app = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\app.exe" (reg.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (explorer.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (explorer.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" (svchost.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes: app.exe
- PID 2852 (app.exe) set thread context of PID 2192 (RegAsm.exe)

Drops file in Windows directory (6 IoCs)
Processes: svchost.exe, explorer.exe, icsys.icn.exe, spoolsv.exe
- File opened for modification: \??\c:\windows\system\svchost.exe (svchost.exe)
- File opened for modification: C:\Windows\system\udsys.exe (explorer.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (icsys.icn.exe)
- File opened for modification: \??\c:\windows\system\spoolsv.exe (explorer.exe)
- File opened for modification: \??\c:\windows\system\svchost.exe (spoolsv.exe)
- File opened for modification: \??\c:\windows\system\explorer.exe (explorer.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes: WerFault.exe
- PID 4616 WerFault.exe, target PID 2852 (app.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (PID, process; each entry is reported repeatedly in the raw log):
- 4772 icsys.icn.exe
- 4908 explorer.exe
- 4972 svchost.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (PID, process):
- 4908 explorer.exe
- 4972 svchost.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: hesaphareketi000,pdf.exe, app.exe, RegAsm.exe
- Token: SeDebugPrivilege, PID 3336 hesaphareketi000,pdf.exe
- Token: SeDebugPrivilege, PID 2852 app.exe
- Token: SeDebugPrivilege, PID 2192 RegAsm.exe

Suspicious use of SetWindowsHookEx (14 IoCs)
Processes (PID, process; duplicate entries collapsed):
- 4720 hesaphareketi000,pdf.exe
- 4772 icsys.icn.exe
- 4908 explorer.exe
- 4528 spoolsv.exe
- 4972 svchost.exe
- 4700 spoolsv.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Processes: hesaphareketi000,pdf.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, cmd.exe, app.exe
Writes to the memory of another process (source PID/process -> target PID/process; repeated entries collapsed):
- 4720 hesaphareketi000,pdf.exe -> 3336 hesaphareketi000,pdf.exe
- 4720 hesaphareketi000,pdf.exe -> 4772 icsys.icn.exe
- 4772 icsys.icn.exe -> 4908 explorer.exe
- 4908 explorer.exe -> 4528 spoolsv.exe
- 4528 spoolsv.exe -> 4972 svchost.exe
- 4972 svchost.exe -> 4700 spoolsv.exe
- 4972 svchost.exe -> 4796 at.exe
- 3336 hesaphareketi000,pdf.exe -> 4100 cmd.exe
- 4100 cmd.exe -> 4580 reg.exe
- 4972 svchost.exe -> 2280 at.exe
- 3336 hesaphareketi000,pdf.exe -> 2852 app.exe
- 2852 app.exe -> 2192 RegAsm.exe
- 4972 svchost.exe -> 5012 at.exe
Processes
Process tree (the number in brackets is the depth in the tree; each entry gives the image path, the recorded command line, and the signatures the process triggered):

[1] C:\Users\Admin\AppData\Local\Temp\hesaphareketi000,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hesaphareketi000,pdf.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [2] \??\c:\users\admin\appdata\local\temp\hesaphareketi000,pdf.exe
    Command line: c:\users\admin\appdata\local\temp\hesaphareketi000,pdf.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v app /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
      - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v app /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
        - Adds Run key to start application

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1304
        - Program crash

  [2] C:\Users\Admin\AppData\Local\icsys.icn.exe
    Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [3] \??\c:\windows\system\explorer.exe
      Command line: c:\windows\system\explorer.exe
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      [4] \??\c:\windows\system\spoolsv.exe
        Command line: c:\windows\system\spoolsv.exe SE
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [5] \??\c:\windows\system\svchost.exe
          Command line: c:\windows\system\svchost.exe
          - Modifies WinLogon for persistence
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          [6] \??\c:\windows\system\spoolsv.exe
            Command line: c:\windows\system\spoolsv.exe PR
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

          [6] C:\Windows\SysWOW64\at.exe
            Command line: at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

          [6] C:\Windows\SysWOW64\at.exe
            Command line: at 07:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

          [6] C:\Windows\SysWOW64\at.exe
            Command line: at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

[1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2852 -ip 2852
Downloads