Analysis
- max time kernel: 151s
- max time network: 188s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2022 17:28
Static task: static1
Behavioral task: behavioral1
Sample: 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
Resource: win7-20220812-en
General
- Target: 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
- Size: 4.7MB
- MD5: fb69931a9d6a62ef32fc98b6131103cc
- SHA1: 376f89c2b2ef1a8870845e0bd0b21ea80803365b
- SHA256: 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c
- SHA512: a2add386060428908a93af759610095f90bc136242248a63a54846f0253e8ee1eea491d6e7b25a13714f1eb8509620913e167da61b30b9e05592275624497851
- SSDEEP: 98304:un4FkxwWUGoRgnQxFa4fdyqMTRd43GJb03+5cJsCzc:u4FkbUGoRZxF/yFMWJ0/zc
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/1912-100-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/1912-102-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/1912-116-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/960-130-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/1060-140-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/1060-180-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 41 IoCs
-
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | Jkcde.exe
-
Executes dropped EXE 36 IoCs
Processes:
pid | process
1616 | »¥ÁªÐÒéÈ¡guid.exe
1904 | dwm.exe
908 | _��Э����GUID.exe
1260 | svchost.exe
1172 | csrss.exe
472 | wininit.exe
1912 | csrss.exe
796 | winlogon.exe
960 | Jkcde.exe
1768 | winlogon.exe
1060 | Jkcde.exe
1020 | zgtdcg.exe
1280 | svchost.exe
772 | zgtdcg.exe
1000 | winlogon.exe
1980 | svchost.exe
1628 | svchost.exe
1132 | svchost.exe
1388 | svchost.exe
1072 | svchost.exe
1356 | svchost.exe
1292 | svchost.exe
1172 | svchost.exe
1100 | svchost.exe
1728 | svchost.exe
1980 | svchost.exe
1088 | svchost.exe
1324 | svchost.exe
1988 | svchost.exe
1124 | svchost.exe
1968 | svchost.exe
1592 | svchost.exe
1980 | svchost.exe
1392 | svchost.exe
1932 | svchost.exe
1736 | svchost.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | Jkcde.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1912-96-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/1912-100-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/1912-102-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/1912-116-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/960-130-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/1060-140-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/1060-180-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
-
Loads dropped DLL 17 IoCs
Processes:
pid | process
1936 | 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
1936 | 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
1936 | 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
1616 | »¥ÁªÐÒéÈ¡guid.exe
1616 | »¥ÁªÐÒéÈ¡guid.exe
1616 | »¥ÁªÐÒéÈ¡guid.exe
1616 | »¥ÁªÐÒéÈ¡guid.exe
1904 | dwm.exe
1904 | dwm.exe
1936 | 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
1904 | dwm.exe
1936 | 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
1904 | dwm.exe
1172 | csrss.exe
1172 | csrss.exe
1172 | csrss.exe
960 | Jkcde.exe
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\H: | Jkcde.exe
File opened (read-only) | \??\X: | Jkcde.exe
File opened (read-only) | \??\Z: | winlogon.exe
File opened (read-only) | \??\F: | Jkcde.exe
File opened (read-only) | \??\P: | Jkcde.exe
File opened (read-only) | \??\W: | Jkcde.exe
File opened (read-only) | \??\F: | winlogon.exe
File opened (read-only) | \??\J: | winlogon.exe
File opened (read-only) | \??\K: | winlogon.exe
File opened (read-only) | \??\M: | winlogon.exe
File opened (read-only) | \??\Y: | winlogon.exe
File opened (read-only) | \??\I: | Jkcde.exe
File opened (read-only) | \??\E: | Jkcde.exe
File opened (read-only) | \??\T: | Jkcde.exe
File opened (read-only) | \??\U: | winlogon.exe
File opened (read-only) | \??\B: | Jkcde.exe
File opened (read-only) | \??\O: | winlogon.exe
File opened (read-only) | \??\M: | Jkcde.exe
File opened (read-only) | \??\J: | Jkcde.exe
File opened (read-only) | \??\O: | Jkcde.exe
File opened (read-only) | \??\S: | Jkcde.exe
File opened (read-only) | \??\S: | winlogon.exe
File opened (read-only) | \??\T: | winlogon.exe
File opened (read-only) | \??\G: | Jkcde.exe
File opened (read-only) | \??\Q: | Jkcde.exe
File opened (read-only) | \??\R: | Jkcde.exe
File opened (read-only) | \??\V: | Jkcde.exe
File opened (read-only) | \??\L: | winlogon.exe
File opened (read-only) | \??\Q: | winlogon.exe
File opened (read-only) | \??\L: | Jkcde.exe
File opened (read-only) | \??\Z: | Jkcde.exe
File opened (read-only) | \??\B: | winlogon.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\K: | Jkcde.exe
File opened (read-only) | \??\U: | Jkcde.exe
File opened (read-only) | \??\Y: | Jkcde.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\N: | winlogon.exe
File opened (read-only) | \??\P: | winlogon.exe
File opened (read-only) | \??\R: | winlogon.exe
File opened (read-only) | \??\N: | Jkcde.exe
File opened (read-only) | \??\W: | winlogon.exe
File opened (read-only) | \??\X: | winlogon.exe
File opened (read-only) | \??\V: | winlogon.exe
-
Creates a Windows Service
-
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Jkcde.exe | csrss.exe
File created | C:\Windows\SysWOW64\Jkcde.exe | csrss.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Imsmic\winlogon.exe | winlogon.exe
File opened for modification | C:\Program Files (x86)\Microsoft Imsmic\winlogon.exe | winlogon.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\svchost.exe | wininit.exe
File opened for modification | C:\WINDOWS\svchost.exe | wininit.exe
File created | C:\Windows\zgtdcg.exe | svchost.exe
File opened for modification | C:\Windows\zgtdcg.exe | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
Processes:
pid | pid_target | process | target process
976 | 1280 | WerFault.exe | svchost.exe
1324 | 1628 | WerFault.exe | svchost.exe
1728 | 1388 | WerFault.exe | svchost.exe
1500 | 1356 | WerFault.exe | svchost.exe
1600 | 1172 | WerFault.exe | svchost.exe
1568 | 1728 | WerFault.exe | svchost.exe
1184 | 1088 | WerFault.exe | svchost.exe
1700 | 1988 | WerFault.exe | svchost.exe
1072 | 1968 | WerFault.exe | svchost.exe
1324 | 1980 | WerFault.exe | svchost.exe
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wininit.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wininit.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | zgtdcg.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | zgtdcg.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Jkcde.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Jkcde.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winlogon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | winlogon.exe
-
Modifies data under HKEY_USERS 6 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | zgtdcg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | zgtdcg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | zgtdcg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | zgtdcg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | zgtdcg.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | zgtdcg.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
472 | wininit.exe
772 | zgtdcg.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
1060 | Jkcde.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1912 | csrss.exe
Token: SeLoadDriverPrivilege | 1060 | Jkcde.exe
Token: 33 | 1060 | Jkcde.exe
Token: SeIncBasePriorityPrivilege | 1060 | Jkcde.exe
Token: 33 | 1060 | Jkcde.exe
Token: SeIncBasePriorityPrivilege | 1060 | Jkcde.exe
-
Suspicious use of SetWindowsHookEx 28 IoCs
Processes:
pid | process
908 | _������GUID.exe
908 | _������GUID.exe
1260 | svchost.exe
472 | wininit.exe
1020 | zgtdcg.exe
772 | zgtdcg.exe
1280 | svchost.exe
1980 | svchost.exe
1628 | svchost.exe
1132 | svchost.exe
1388 | svchost.exe
1072 | svchost.exe
1356 | svchost.exe
1292 | svchost.exe
1172 | svchost.exe
1100 | svchost.exe
1728 | svchost.exe
1980 | svchost.exe
1088 | svchost.exe
1324 | svchost.exe
1988 | svchost.exe
1124 | svchost.exe
1968 | svchost.exe
1592 | svchost.exe
1980 | svchost.exe
1392 | svchost.exe
1932 | svchost.exe
1736 | svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1936 wrote to memory of 1616 | 1936 | 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe | »¥ÁªÐÒéÈ¡guid.exe
PID 1616 wrote to memory of 1904 | 1616 | »¥ÁªÐÒéÈ¡guid.exe | dwm.exe
PID 1616 wrote to memory of 908 | 1616 | »¥ÁªÐÒéÈ¡guid.exe | _��Э����GUID.exe
PID 1904 wrote to memory of 1260 | 1904 | dwm.exe | svchost.exe
PID 1936 wrote to memory of 1172 | 1936 | 22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe | csrss.exe
PID 1904 wrote to memory of 472 | 1904 | dwm.exe | wininit.exe
PID 1172 wrote to memory of 1912 | 1172 | csrss.exe | csrss.exe
PID 1172 wrote to memory of 796 | 1172 | csrss.exe | winlogon.exe
PID 1912 wrote to memory of 684 | 1912 | csrss.exe | cmd.exe
PID 960 wrote to memory of 1060 | 960 | Jkcde.exe | Jkcde.exe
PID 684 wrote to memory of 1700 | 684 | cmd.exe | PING.EXE
PID 1020 wrote to memory of 772 | 1020 | zgtdcg.exe | zgtdcg.exe
PID 1768 wrote to memory of 1000 | 1768 | winlogon.exe | winlogon.exe
PID 1280 wrote to memory of 1980 | 1280 | svchost.exe | svchost.exe
PID 1280 wrote to memory of 976 | 1280 | svchost.exe | WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22f84677d65048e4a814f2a1ac73f20b2c30ae1f4b3b37281450ce8565a7826c.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\»¥ÁªÐÒéÈ¡guid.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\»¥ÁªÐÒéÈ¡guid.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\dwm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dwm.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
      C:\Users\Admin\AppData\Local\Temp\wininit.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
        - Executes dropped EXE
        - Drops file in Windows directory
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\_��Э����GUID.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_��Э����GUID.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\csrss.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\csrss.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\csrss.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\csrss.exe > nul
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 2 127.0.0.1
          - Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\winlogon.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\winlogon.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Checks processor information in registry
-
C:\Windows\SysWOW64\Jkcde.exe
  Command line: C:\Windows\SysWOW64\Jkcde.exe -auto
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Jkcde.exe
    Command line: C:\Windows\SysWOW64\Jkcde.exe -acsi
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets service image path in registry
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft Imsmic\winlogon.exe
  Command line: "C:\Program Files (x86)\Microsoft Imsmic\winlogon.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Imsmic\winlogon.exe
    Command line: "C:\Program Files (x86)\Microsoft Imsmic\winlogon.exe" Win7
    - Executes dropped EXE
-
C:\Windows\zgtdcg.exe
  Command line: C:\Windows\zgtdcg.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\zgtdcg.exe
    Command line: C:\Windows\zgtdcg.exe Win7
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 284
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 284
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 300
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 284
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 280
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 384
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 296
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 280
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 296
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 296
    - Program crash
-
C:\WINDOWS\svchost.exe
  Command line: C:\WINDOWS\svchost.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\WINDOWS\svchost.exe
    Command line: C:\WINDOWS\svchost.exe Win7
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\svchost.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
C:\Windows\zgtdcg.exeFilesize
548KB
MD578137186996510b23a00697ab414b665
SHA1ad6710983038601b1daf54518a118ffff97a4e2c
SHA256c7b2995263d51ca44629938128d95eea3b99fbcb49b709ce0e0b5a37bf992058
SHA51299e67daa3c627a5dd0f90b27bcf572951e4b3bcc21302935e664f045d6e3f0b2bfcec56c8316bd39a1851545d5882f726a3ac9bbc9a4fbf98973abeb8089d048
-
C:\Windows\zgtdcg.exeFilesize
548KB
MD578137186996510b23a00697ab414b665
SHA1ad6710983038601b1daf54518a118ffff97a4e2c
SHA256c7b2995263d51ca44629938128d95eea3b99fbcb49b709ce0e0b5a37bf992058
SHA51299e67daa3c627a5dd0f90b27bcf572951e4b3bcc21302935e664f045d6e3f0b2bfcec56c8316bd39a1851545d5882f726a3ac9bbc9a4fbf98973abeb8089d048
-
C:\Windows\zgtdcg.exeFilesize
548KB
MD578137186996510b23a00697ab414b665
SHA1ad6710983038601b1daf54518a118ffff97a4e2c
SHA256c7b2995263d51ca44629938128d95eea3b99fbcb49b709ce0e0b5a37bf992058
SHA51299e67daa3c627a5dd0f90b27bcf572951e4b3bcc21302935e664f045d6e3f0b2bfcec56c8316bd39a1851545d5882f726a3ac9bbc9a4fbf98973abeb8089d048
-
\Users\Admin\AppData\Local\Temp\_������GUID.exeFilesize
2.7MB
MD55a70186f12dc3bae680bdd637cc8b219
SHA1f26d97a79ae181088687b8e6e4ea6d523dc37596
SHA25607ab9b63cf0a2d020d39f2fc894299315363cd3500b7224ce4a15e63ba336aac
SHA5120ca65d88a2c93de7defb6dbd8de86ff7ecf922579cc708f57d0bd2f711a7e0deeb41224b0c8a0b6c645cbcee4802699cceda232a2863d07d36187fa320c8a6eb
-
\Users\Admin\AppData\Local\Temp\_������GUID.exeFilesize
2.7MB
MD55a70186f12dc3bae680bdd637cc8b219
SHA1f26d97a79ae181088687b8e6e4ea6d523dc37596
SHA25607ab9b63cf0a2d020d39f2fc894299315363cd3500b7224ce4a15e63ba336aac
SHA5120ca65d88a2c93de7defb6dbd8de86ff7ecf922579cc708f57d0bd2f711a7e0deeb41224b0c8a0b6c645cbcee4802699cceda232a2863d07d36187fa320c8a6eb
-
\Users\Admin\AppData\Local\Temp\csrss.exeFilesize
493KB
MD56e43fe2e24e96f78d4c22249128f7c9b
SHA19da7fe7e1674600975518797406069141ebbd6b8
SHA25617aa842e6a2e2497e52cd08c2493b1157d2bc850909ecc60e6478e6665047e04
SHA5121e74b3440867883b4c1ef8480b184614d01b8f425bc3c624b6edd2d052f225bbc15ebcfbe081ccb23637a1412706f5ea7e1567535c53ff6e6d71f5c79326b7c4
-
\Users\Admin\AppData\Local\Temp\dwm.exeFilesize
943KB
MD5065fa2244dc34f5acdfc1051bfee419f
SHA1ef7f27a78a855f494ac36c05f4c77e7b51e0f0d1
SHA2564267f2927c21c277e4d3d6ca0d8481893d9633466c603d630d8aec9f275d5423
SHA512d8347609c4a10c821f01a3ea5a03e07477c6ee7aaa9293682eba8216808ba508a3693c2615273f3e8803801082994bf2ca2b646aa0f72806ea83581adb985eeb
-
\Users\Admin\AppData\Local\Temp\dwm.exeFilesize
943KB
MD5065fa2244dc34f5acdfc1051bfee419f
SHA1ef7f27a78a855f494ac36c05f4c77e7b51e0f0d1
SHA2564267f2927c21c277e4d3d6ca0d8481893d9633466c603d630d8aec9f275d5423
SHA512d8347609c4a10c821f01a3ea5a03e07477c6ee7aaa9293682eba8216808ba508a3693c2615273f3e8803801082994bf2ca2b646aa0f72806ea83581adb985eeb
-
\Users\Admin\AppData\Local\Temp\nsj85A7.tmp\System.dllFilesize
11KB
MD500a0194c20ee912257df53bfe258ee4a
SHA1d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA5123b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667
-
\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
548KB
MD578137186996510b23a00697ab414b665
SHA1ad6710983038601b1daf54518a118ffff97a4e2c
SHA256c7b2995263d51ca44629938128d95eea3b99fbcb49b709ce0e0b5a37bf992058
SHA51299e67daa3c627a5dd0f90b27bcf572951e4b3bcc21302935e664f045d6e3f0b2bfcec56c8316bd39a1851545d5882f726a3ac9bbc9a4fbf98973abeb8089d048
-
\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
548KB
MD578137186996510b23a00697ab414b665
SHA1ad6710983038601b1daf54518a118ffff97a4e2c
SHA256c7b2995263d51ca44629938128d95eea3b99fbcb49b709ce0e0b5a37bf992058
SHA51299e67daa3c627a5dd0f90b27bcf572951e4b3bcc21302935e664f045d6e3f0b2bfcec56c8316bd39a1851545d5882f726a3ac9bbc9a4fbf98973abeb8089d048
-
\Users\Admin\AppData\Local\Temp\wininit.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
\Users\Admin\AppData\Local\Temp\wininit.exeFilesize
712KB
MD5a2799ead3ab061f503fc61b0c25c5a1e
SHA1779d783f529c04759af889e64f6282198d36feba
SHA25648e88feed86b81ebcdba90a9be422ee32f49a25dbf4fdd89b80fed784d9bc459
SHA512b9f3d841709b2738c84e9e652d78279b50e98a0d4232fe4d8d22e22a00c4a3ec6c3bce959fedfcf7f9904c2d0530d63ca15dc4a2f6d80dd064bed42a41024837
-
\Users\Admin\AppData\Local\Temp\winlogon.exeFilesize
552KB
MD5681c08b1d7cbc778ab6b10f0ebb8b56d
SHA13c471975ce8fa42d4d9c4ab31eff56f3226e6ddc
SHA256239091aa1da51a8461579ee93c4e3bb904ef8b36bcdaf0359e7ffd0aae38b273
SHA512a06cee0ce9d35f1304780d7004a1dfb714e6e9e399cae26573bbfc0d421deb44bd6b889a2c524070603b57c8b0e3ad20fb776215ac1d269777a95d3b29b44673
-
\Users\Admin\AppData\Local\Temp\winlogon.exeFilesize
552KB
MD5681c08b1d7cbc778ab6b10f0ebb8b56d
SHA13c471975ce8fa42d4d9c4ab31eff56f3226e6ddc
SHA256239091aa1da51a8461579ee93c4e3bb904ef8b36bcdaf0359e7ffd0aae38b273
SHA512a06cee0ce9d35f1304780d7004a1dfb714e6e9e399cae26573bbfc0d421deb44bd6b889a2c524070603b57c8b0e3ad20fb776215ac1d269777a95d3b29b44673
-
\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\csrss.exeFilesize
609KB
MD5ff64d99b1ce683431a98af3c9a01c146
SHA12ccc728a6a4f293e5c744ee67293f03493ef50b9
SHA256b3f275b1985c82b9059522c91506af08524dad359f17e80b7fa621819da3ba70
SHA5123e7db53dc632ab79ac97ae4855a44ef1275830054abc19269f4e1da2021af13587e5582fed595c2fe7b582651c163aabd978ca1e4d6eee4fe4dc23797a587f96
-
\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\csrss.exeFilesize
609KB
MD5ff64d99b1ce683431a98af3c9a01c146
SHA12ccc728a6a4f293e5c744ee67293f03493ef50b9
SHA256b3f275b1985c82b9059522c91506af08524dad359f17e80b7fa621819da3ba70
SHA5123e7db53dc632ab79ac97ae4855a44ef1275830054abc19269f4e1da2021af13587e5582fed595c2fe7b582651c163aabd978ca1e4d6eee4fe4dc23797a587f96
-
\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\»¥ÁªÐÒéÈ¡guid.exeFilesize
2.5MB
MD5360d04bba9afd0bac662d2d2cd9546c5
SHA1f7663900accb6ab3e9ecbbf4615e86a052d5b1cc
SHA256c3b3fb8205a448486664d6336075c4dfdf4836b159e7532c63d92c2d4f0d07c2
SHA512b8e196f5809a796f7243d1c0b607fc768b8aa311db099ab80f69bc6fad549d54519ba937efb84978cd5d7f139ab30291fe56589e896362b5a7a3babd39133716
-
\Users\Admin\AppData\Local\Temp\·¢Ë͸øÄ¿±êµÄÎļþ¼Ð\»¥ÁªÐÒéÈ¡guid.exeFilesize
2.5MB
MD5360d04bba9afd0bac662d2d2cd9546c5
SHA1f7663900accb6ab3e9ecbbf4615e86a052d5b1cc
SHA256c3b3fb8205a448486664d6336075c4dfdf4836b159e7532c63d92c2d4f0d07c2
SHA512b8e196f5809a796f7243d1c0b607fc768b8aa311db099ab80f69bc6fad549d54519ba937efb84978cd5d7f139ab30291fe56589e896362b5a7a3babd39133716
-
\Windows\SysWOW64\Jkcde.exeFilesize
493KB
MD56e43fe2e24e96f78d4c22249128f7c9b
SHA19da7fe7e1674600975518797406069141ebbd6b8
SHA25617aa842e6a2e2497e52cd08c2493b1157d2bc850909ecc60e6478e6665047e04
SHA5121e74b3440867883b4c1ef8480b184614d01b8f425bc3c624b6edd2d052f225bbc15ebcfbe081ccb23637a1412706f5ea7e1567535c53ff6e6d71f5c79326b7c4
-