Analysis
- max time kernel: 85s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-06-2022 15:19
Static task
static1
Behavioral task
behavioral1
Sample
30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Resource
win7-20220414-en
General
- Target: 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
- Size: 124KB
- MD5: 4aaf75b56c518b82039bef2396941bdc
- SHA1: fd53de3ac5b4cf593de2e9edad450efb145f20ac
- SHA256: 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d
- SHA512: 3f708f09192d3279d0ca13fd7b4b1f70061bbf6973291f2b11d33c01621c38937c92b0b2f4834438db370be1d3d9e98e48feff76cab5e26af7460b7edac73fdb
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: rwnlws.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" rwnlws.exe
-
Processes: rwnlws.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rwnlws.exe
-
Processes: 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe, rwnlws.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rwnlws.exe
-
Executes dropped EXE 1 IoCs
Processes: rwnlws.exe
pid process
2232 rwnlws.exe
-
Processes:
resource yara_rule
behavioral2/memory/4740-131-0x0000000002260000-0x00000000032EE000-memory.dmp upx
behavioral2/memory/4740-135-0x0000000002260000-0x00000000032EE000-memory.dmp upx
behavioral2/memory/2232-134-0x0000000000EF0000-0x0000000001F7E000-memory.dmp upx
behavioral2/memory/2232-139-0x0000000000EF0000-0x0000000001F7E000-memory.dmp upx
behavioral2/memory/4740-140-0x0000000002260000-0x00000000032EE000-memory.dmp upx
-
Loads dropped DLL 1 IoCs
Processes: rwnlws.exe
pid process
2232 rwnlws.exe
-
Processes: 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe, rwnlws.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" rwnlws.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" rwnlws.exe
-
Processes: rwnlws.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rwnlws.exe
-
Drops file in System32 directory 3 IoCs
Processes: 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe, rwnlws.exe
description ioc process
File created C:\Windows\SysWOW64\rwnlws.exe 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
File opened for modification C:\Windows\SysWOW64\rwnlws.exe 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
File created C:\Windows\SysWOW64\gei33.dll rwnlws.exe
-
Drops file in Windows directory 1 IoCs
Processes: rwnlws.exe
description ioc process
File opened for modification C:\Windows\SYSTEM.INI rwnlws.exe
-
Modifies data under HKEY_USERS 27 IoCs
Processes:
rwnlws.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425 rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1465470298 = "0" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-50721799 = "0" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_3 = "4244248541" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_3 = "4244245497" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1364026700 = "35" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_1 = "1414748499" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_2 = "1359675385" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_2 = "2829496998" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_1 = "2139237134" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_2 = "2829494469" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_0 = "17001001" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_2 = "2846218383" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_3 = "2577324613" rwnlws.exe Key created \REGISTRY\USER\.DEFAULT\Software\Aoqcbk rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S4_0 = "0" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_0 = "9832" rwnlws.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1313304901 = "4B0C1ACCFEF76671CC19B2472947B89ADBC1B3E1DD905C5AB2843C3A84EDCF6F17A4547E0E9250886096036CFAC3A46EE12558210578AE55D6C0F02593FED47E0CC870C0A0F906762622E4855C635CC4EF7D18DBDAC4B2A8E728A18980F31AA51B9984A39616D681334370FCD3CA6786870A5E9E662CFE328DB70D6B0182B0BE" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S1_0 = "3299283285" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S2_1 = "1414745114" 
rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_3 = "4260979152" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = "0" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1414748499 = "155" rwnlws.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-101443598 = "0700687474703A2F2F6A7374686F6D65732E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F61646979616D616E6C696369676B6F66746563696D2E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F616B6F72646B6574727A796E2E7567752E706C2F6C6F676F2E67696600687474703A2F2F616B6361696E736161742E636F6D2F696D672F6C6F676F2E67696600687474703A2F2F616B646172692E636F6D2F696D616765732F6C6F676F2E67696600687474703A2F2F616C736861727170617065722E6E65742F6C6F676F2E67696600687474703A2F2F61706164616E617075622E636F6D2F6C6F676F2E676966" rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\S3_1 = "1431319418" rwnlws.exe Key created \REGISTRY\USER\.DEFAULT\Software rwnlws.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1516192097 = "256" rwnlws.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: rwnlws.exe
pid process
2232 rwnlws.exe
2232 rwnlws.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
pid process
4740 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes: rwnlws.exe
description pid process
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
Token: SeDebugPrivilege 2232 rwnlws.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: rwnlws.exe
description pid process target process
PID 2232 wrote to memory of 788 2232 rwnlws.exe fontdrvhost.exe
PID 2232 wrote to memory of 792 2232 rwnlws.exe fontdrvhost.exe
PID 2232 wrote to memory of 1004 2232 rwnlws.exe dwm.exe
PID 2232 wrote to memory of 2416 2232 rwnlws.exe sihost.exe
PID 2232 wrote to memory of 2444 2232 rwnlws.exe svchost.exe
PID 2232 wrote to memory of 2600 2232 rwnlws.exe taskhostw.exe
PID 2232 wrote to memory of 2576 2232 rwnlws.exe Explorer.EXE
PID 2232 wrote to memory of 3032 2232 rwnlws.exe svchost.exe
PID 2232 wrote to memory of 3268 2232 rwnlws.exe DllHost.exe
PID 2232 wrote to memory of 3364 2232 rwnlws.exe StartMenuExperienceHost.exe
PID 2232 wrote to memory of 3428 2232 rwnlws.exe RuntimeBroker.exe
PID 2232 wrote to memory of 3512 2232 rwnlws.exe SearchApp.exe
PID 2232 wrote to memory of 3672 2232 rwnlws.exe RuntimeBroker.exe
PID 2232 wrote to memory of 3568 2232 rwnlws.exe RuntimeBroker.exe
PID 2232 wrote to memory of 3976 2232 rwnlws.exe RuntimeBroker.exe
PID 2232 wrote to memory of 2476 2232 rwnlws.exe backgroundTaskHost.exe
PID 2232 wrote to memory of 4740 2232 rwnlws.exe 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe
-
System policy modification 1 TTPs 1 IoCs
Processes: rwnlws.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" rwnlws.exe
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe"C:\Users\Admin\AppData\Local\Temp\30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d.exe"2⤵
- Windows security bypass
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\SysWOW64\rwnlws.exeC:\Windows\SysWOW64\rwnlws.exe1⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\gei33.dll
Filesize 134KB
MD5 0126196eb29bba67faa5f3e2fbff6cf7
SHA1 e6ccbfd4e2fab4a80855c641844ea45145278146
SHA256 8bc50d8964d5ac502128a8e800162d96e1a7f76a6594d4672478d24a8fedfb89
SHA512 c4e25c82948c6719458a8b239063e34f5e5843a05ff654a27f345194ed16d821e97d5df0ba2200db51261edb3c70d860588af5ebb23d626fb581603c19af01bd
-
C:\Windows\SysWOW64\rwnlws.exe
Filesize 124KB
MD5 4aaf75b56c518b82039bef2396941bdc
SHA1 fd53de3ac5b4cf593de2e9edad450efb145f20ac
SHA256 30509b309eab2e55e4ca7c62f3f129eb82fa428aa7891d2ddfb6a7ba852fe78d
SHA512 3f708f09192d3279d0ca13fd7b4b1f70061bbf6973291f2b11d33c01621c38937c92b0b2f4834438db370be1d3d9e98e48feff76cab5e26af7460b7edac73fdb
-
memory/2232-134-0x0000000000EF0000-0x0000000001F7E000-memory.dmp
Filesize 16.6MB
-
memory/2232-136-0x0000000000400000-0x0000000000423000-memory.dmp
Filesize 140KB
-
memory/2232-139-0x0000000000EF0000-0x0000000001F7E000-memory.dmp
Filesize 16.6MB
-
memory/2232-141-0x0000000000400000-0x0000000000423000-memory.dmp
Filesize 140KB
-
memory/4740-130-0x0000000000400000-0x0000000000423000-memory.dmp
Filesize 140KB
-
memory/4740-131-0x0000000002260000-0x00000000032EE000-memory.dmp
Filesize 16.6MB
-
memory/4740-135-0x0000000002260000-0x00000000032EE000-memory.dmp
Filesize 16.6MB
-
memory/4740-138-0x0000000000400000-0x0000000000423000-memory.dmp
Filesize 140KB
-
memory/4740-140-0x0000000002260000-0x00000000032EE000-memory.dmp
Filesize 16.6MB