Analysis
- max time kernel: 190s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 04:20
Static task
static1
Behavioral task
behavioral1
Sample
RFQ T7-30032020.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
RFQ T7-30032020.exe
Resource
win10v2004-20220414-en
General
-
Target
RFQ T7-30032020.exe
-
Size
697KB
-
MD5
a189817dbab853329eb05c34f1c8e5e5
-
SHA1
68f28e839fc32aa4f2b62d8aaac49c8127b18e0a
-
SHA256
4850ce25c3caf99fc7f558ec6666d08c43d69ed4e1be9a8fd37f289db69561ab
-
SHA512
3a5756d37b4de9f2a6b2ef59a11ab01ffd145791c5a136a882e1a520072cb344b697a84e4520c3a58246fc924f7a0f316ac1bc0c8ba9458ba3e88a1ba6cd8041
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.fipco-sa.com
- Port: 587
- Username: [email protected]
- Password: breakingnews77
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | svchost.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs
-
AgentTesla Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4312-157-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
-
Executes dropped EXE 8 IoCs
Processes: rfq t7-30032020.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, rfq t7-30032020.exe, rfq t7-30032020.exe, svchost.exe, spoolsv.exe
pid | process
3380 | rfq t7-30032020.exe
4144 | icsys.icn.exe
2124 | explorer.exe
2596 | spoolsv.exe
4432 | rfq t7-30032020.exe
4312 | rfq t7-30032020.exe
4996 | svchost.exe
4968 | spoolsv.exe
-
Modifies Installed Components in the registry 2 TTPs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: rfq t7-30032020.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rfq t7-30032020.exe
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rfq t7-30032020.exe
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rfq t7-30032020.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | explorer.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: rfq t7-30032020.exe
description | pid | process | target process
PID 3380 set thread context of 4312 | 3380 | rfq t7-30032020.exe | rfq t7-30032020.exe
-
Drops file in Windows directory 6 IoCs
Processes: icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
File opened for modification | \??\c:\windows\system\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\system\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | spoolsv.exe
File opened for modification | \??\c:\windows\system\explorer.exe | explorer.exe
File opened for modification | \??\c:\windows\system\svchost.exe | svchost.exe
File opened for modification | C:\Windows\system\udsys.exe | explorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: icsys.icn.exe, rfq t7-30032020.exe, rfq t7-30032020.exe, explorer.exe
pid | process
4144 | icsys.icn.exe
3380 | rfq t7-30032020.exe
4312 | rfq t7-30032020.exe
2124 | explorer.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
pid | process
2124 | explorer.exe
4996 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: rfq t7-30032020.exe, rfq t7-30032020.exe
description | pid | process
Token: SeDebugPrivilege | 3380 | rfq t7-30032020.exe
Token: SeDebugPrivilege | 4312 | rfq t7-30032020.exe
-
Suspicious use of SetWindowsHookEx 15 IoCs
Processes: RFQ T7-30032020.exe, icsys.icn.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, rfq t7-30032020.exe
pid | process
4148 | RFQ T7-30032020.exe
4144 | icsys.icn.exe
2124 | explorer.exe
2596 | spoolsv.exe
4996 | svchost.exe
4968 | spoolsv.exe
4312 | rfq t7-30032020.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes: RFQ T7-30032020.exe, icsys.icn.exe, explorer.exe, rfq t7-30032020.exe, spoolsv.exe, svchost.exe, rfq t7-30032020.exe
description | pid | process | target process
PID 4148 wrote to memory of 3380 | 4148 | RFQ T7-30032020.exe | rfq t7-30032020.exe
PID 4148 wrote to memory of 4144 | 4148 | RFQ T7-30032020.exe | icsys.icn.exe
PID 4144 wrote to memory of 2124 | 4144 | icsys.icn.exe | explorer.exe
PID 2124 wrote to memory of 2596 | 2124 | explorer.exe | spoolsv.exe
PID 3380 wrote to memory of 4432 | 3380 | rfq t7-30032020.exe | rfq t7-30032020.exe
PID 3380 wrote to memory of 4312 | 3380 | rfq t7-30032020.exe | rfq t7-30032020.exe
PID 2596 wrote to memory of 4996 | 2596 | spoolsv.exe | svchost.exe
PID 4996 wrote to memory of 4968 | 4996 | svchost.exe | spoolsv.exe
PID 4996 wrote to memory of 2320 | 4996 | svchost.exe | at.exe
PID 4312 wrote to memory of 5116 | 4312 | rfq t7-30032020.exe | netsh.exe
PID 4996 wrote to memory of 2720 | 4996 | svchost.exe | at.exe
-
outlook_office_path 1 IoCs
Processes: rfq t7-30032020.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rfq t7-30032020.exe
-
outlook_win_path 1 IoCs
Processes: rfq t7-30032020.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rfq t7-30032020.exe
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\RFQ T7-30032020.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ T7-30032020.exe"
Depth: 1
PID: 4148
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: \??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe
Command line: "c:\users\admin\appdata\local\temp\rfq t7-30032020.exe "
Depth: 2
PID: 3380
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image: \??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe
Command line: "{path}"
Depth: 3
PID: 4432
- Executes dropped EXE
-
Image: \??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe
Command line: "{path}"
Depth: 3
PID: 4312
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
Image: C:\Windows\SysWOW64\netsh.exe
Command line: "netsh" wlan show profile
Depth: 4
PID: 5116
-
Image: C:\Users\Admin\AppData\Local\icsys.icn.exe
Command line: C:\Users\Admin\AppData\Local\icsys.icn.exe
Depth: 2
PID: 4144
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: \??\c:\windows\system\explorer.exe
Command line: c:\windows\system\explorer.exe
Depth: 3
PID: 2124
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe SE
Depth: 4
PID: 2596
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: \??\c:\windows\system\svchost.exe
Command line: c:\windows\system\svchost.exe
Depth: 5
PID: 4996
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: \??\c:\windows\system\spoolsv.exe
Command line: c:\windows\system\spoolsv.exe PR
Depth: 6
PID: 4968
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
Image: C:\Windows\SysWOW64\at.exe
Command line: at 07:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Depth: 6
PID: 2320
-
Image: C:\Windows\SysWOW64\at.exe
Command line: at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
Depth: 6
PID: 2720
Network
MITRE ATT&CK Enterprise v6
Downloads