5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

Analysis

max time kernel
203s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
Size

377KB
MD5

dd5740ab02491ee1d9a7a1203f37cdd7
SHA1

3cf89c9b5a7ccc00be23e0abbf9626d78c838d43
SHA256

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62
SHA512

2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9
SSDEEP

6144:FKz+Bna2+vRSPFt2XkcXaiV11zGommV1MAP1KY+g6gPeTbUNRsWebimiFRl:F0yadRSNt2XkWai31zGYZb+g6UCbUNRF

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

services.exeservices.exeservices.exe

pid process

3176 services.exe
484 services.exe
2280 services.exe

pid	process
3176	services.exe
484	services.exe
2280	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2280-143-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral2/memory/2280-144-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral2/memory/2280-145-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral2/memory/2280-148-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral2/memory/2280-150-0x0000000001610000-0x0000000001705000-memory.dmp	upx
behavioral2/memory/2280-149-0x0000000001610000-0x0000000001705000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeservices.exeservices.exe5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\services.exe"	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

services.exe

description pid process target process

PID 484 set thread context of 2280 484 services.exe services.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 484 set thread context of 2280	484	services.exe	services.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

services.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	services.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	services.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	services.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	services.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	services.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	services.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exeservices.exeservices.exe

pid	process
5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
484	services.exe
484	services.exe
2280	services.exe
2280	services.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exeservices.exe

pid process

5008 5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2280 services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exesvchost.exeservices.exe

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
"C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Roaming\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Windows\services.exe"
3⤵
- Executes dropped EXE
PID:3176

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:884

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
C:\Users\Admin\AppData\Local\Temp\5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
2⤵
PID:4156

C:\Users\Admin\AppData\Roaming\Windows\services.exe
"C:\Users\Admin\AppData\Roaming\Windows\services.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Roaming\Windows\services.exe
C:\Users\Admin\AppData\Roaming\Windows\services.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TPx6MGVQSjxNF\TPx6MGVQSjxNF.dat
Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TPx6MGVQSjxNF\TPx6MGVQSjxNF.nfo
Filesize
3KB

MD5
35d9c64937aa6ee34dba886e93ec7321

SHA1
3eb12cb1e6564087b1d4c4e4e75dbba1f3341285

SHA256
ce8b9983b00c9b545d45c26cc8f95c70b555a439b8887ba9b6fa2183b0ccc91d

SHA512
8a0da28b99d3aadb1239bb1ba7db7e307c11ba8479a917b779dc0453d1cd688e91dfc17631126c78659a67ebfd490aebb6ddeb0a2cf9e1ec11af8c7362ad5f55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TPx6MGVQSjxNF\TPx6MGVQSjxNF.nfo
Filesize
3KB

MD5
35d9c64937aa6ee34dba886e93ec7321

SHA1
3eb12cb1e6564087b1d4c4e4e75dbba1f3341285

SHA256
ce8b9983b00c9b545d45c26cc8f95c70b555a439b8887ba9b6fa2183b0ccc91d

SHA512
8a0da28b99d3aadb1239bb1ba7db7e307c11ba8479a917b779dc0453d1cd688e91dfc17631126c78659a67ebfd490aebb6ddeb0a2cf9e1ec11af8c7362ad5f55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TPx6MGVQSjxNF\TPx6MGVQSjxNF.nfo
Filesize
3KB

MD5
35d9c64937aa6ee34dba886e93ec7321

SHA1
3eb12cb1e6564087b1d4c4e4e75dbba1f3341285

SHA256
ce8b9983b00c9b545d45c26cc8f95c70b555a439b8887ba9b6fa2183b0ccc91d

SHA512
8a0da28b99d3aadb1239bb1ba7db7e307c11ba8479a917b779dc0453d1cd688e91dfc17631126c78659a67ebfd490aebb6ddeb0a2cf9e1ec11af8c7362ad5f55

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\TPx6MGVQSjxNF\TPx6MGVQSjxNF.svr
Filesize
330KB

MD5
ea2c6fad52ade2fcda8c4d22d1a2e0fe

SHA1
ad732a24b320a78192c1d4de3a0becb303998156

SHA256
8485f454420e4dd1ad128749decb77dd0da078a6351eb7755b46944a6a0364b5

SHA512
57e98dca09b07ee80dc776a9526d29756dc7e8fd10bf7d5f1e44ab8c15a02541c46a4311d14dedc54266506a6cf795c9376e3017d3e77b3e2f56c465978df7fc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\services.exe
Filesize
377KB

MD5
dd5740ab02491ee1d9a7a1203f37cdd7

SHA1
3cf89c9b5a7ccc00be23e0abbf9626d78c838d43

SHA256
5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62

SHA512
2cc04351120d7a042cb09c590eabe04fefabcae993d590c5d665bc5b1ecd3ebe7d408a1ddefa304c3dbd87d56111302db33f4ca0e43df5c18577d8a03119a6d9

Download Submit
memory/484-135-0x0000000000000000-mapping.dmp

Download
memory/2280-142-0x0000000000000000-mapping.dmp

Download
memory/2280-143-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/2280-144-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/2280-145-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/2280-148-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/2280-150-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/2280-149-0x0000000001610000-0x0000000001705000-memory.dmp

Filesize
980KB

Download
memory/2280-153-0x00000000016B2000-0x0000000001704000-memory.dmp

Filesize
328KB

Download
memory/2280-154-0x0000000001611000-0x00000000016B2000-memory.dmp

Filesize
644KB

Download
memory/2280-155-0x00000000016B2000-0x0000000001704000-memory.dmp

Filesize
328KB

Download
memory/3176-136-0x0000000000000000-mapping.dmp

Download
memory/4224-132-0x0000000000000000-mapping.dmp

Download
memory/4224-134-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

description	pid	process	target process
PID 5008 wrote to memory of 4224	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	svchost.exe
PID 5008 wrote to memory of 4224	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	svchost.exe
PID 5008 wrote to memory of 4224	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	svchost.exe
PID 5008 wrote to memory of 4224	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	svchost.exe
PID 5008 wrote to memory of 3952	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3952	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3952	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3480	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3480	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3480	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3692	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3692	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3692	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3540	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3540	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3540	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 2220	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 2220	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 2220	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3900	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3900	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3900	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4768	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4768	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4768	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 2784	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 2784	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 2784	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 2008	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 2008	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 2008	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3592	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3592	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3592	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4724	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4724	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4724	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 884	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 884	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 884	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4288	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4288	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4288	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4344	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4344	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4344	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 932	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 932	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 932	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3740	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3740	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 3740	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4156	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4156	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 4156	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe
PID 5008 wrote to memory of 484	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	services.exe
PID 5008 wrote to memory of 484	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	services.exe
PID 5008 wrote to memory of 484	5008	5f45771a2772d2d388cae5127912022a2f7149e9a5a668aaf1de9bc25987bc62.exe	services.exe
PID 4224 wrote to memory of 3176	4224	svchost.exe	services.exe
PID 4224 wrote to memory of 3176	4224	svchost.exe	services.exe
PID 4224 wrote to memory of 3176	4224	svchost.exe	services.exe
PID 484 wrote to memory of 2280	484	services.exe	services.exe
PID 484 wrote to memory of 2280	484	services.exe	services.exe
PID 484 wrote to memory of 2280	484	services.exe	services.exe