Analysis

- max time kernel: 153s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 10:30

Static task: static1
Behavioral task: behavioral1
- Sample: a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653.exe
- Resource: win7-20220812-en
General

- Target: a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653.exe
- Size: 340KB
- MD5: 4d37950dd556f098d14a099869d35ad4
- SHA1: f530628df64f620967a0960c687b10bf18579c94
- SHA256: a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
- SHA512: f0cae45d1a318b0299a6e893f471792862d5faa8bd27635cb743a89e9a3fd1d362d50a5f213ce6c528c342530a0cb593221b74783451c270828f1ff0500a2814
- SSDEEP: 6144:NJXQh6uTjQ4rVmh3k4cSbgzsdrVRRetrEpsKHAK3g3UHYTvLRUQSOObAIASgrtHv:2CAIn0eth0Bpi60uKd6N
Malware Config

Extracted: cybergate v1.07.5
- remote: ir0kz.zapto.org:1213
- 0G7MT5Q26I65Q0
- enable_keylogger: false
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: wincfg
- install_file: newudp.exe
- install_flag: false
- keylogger_enable_ftp: false
- message_box_caption: Remote Administration anywhere in the world.
- message_box_title: CyberGate
- password: cybergate
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: audiodgi.exe
- Key created: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"

Executes dropped EXE (8 IoCs)
Processes (pid, process):
- 3156 svchost.exe
- 4480 svchost.exe
- 2224 audiodgi.exe
- 316 wmpmetwk.exe
- 208 wmpmetwk.exe
- 1948 svchost.exe
- 3780 svchost.exe
- 1044 svchost.exe

Yara rule match in memory (resource, yara_rule):
- behavioral2/memory/4480-142-0x0000000000400000-0x0000000000457000-memory.dmp upx
- behavioral2/memory/4480-146-0x0000000000400000-0x0000000000457000-memory.dmp upx
- behavioral2/memory/4480-147-0x0000000000400000-0x0000000000457000-memory.dmp upx
- behavioral2/memory/4480-148-0x0000000000400000-0x0000000000457000-memory.dmp upx
- behavioral2/memory/4480-165-0x0000000010410000-0x0000000010475000-memory.dmp upx
- behavioral2/memory/1948-168-0x0000000010410000-0x0000000010475000-memory.dmp upx
- behavioral2/memory/1948-170-0x0000000010410000-0x0000000010475000-memory.dmp upx
- behavioral2/memory/1948-185-0x0000000010410000-0x0000000010475000-memory.dmp upx

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, by each of:
- a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653.exe
- svchost.exe
- audiodgi.exe
- svchost.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Process: audiodgi.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\audiodgi.exe"

Suspicious use of SetThreadContext (3 IoCs)
- PID 3156 (svchost.exe) set thread context of 4480 (svchost.exe)
- PID 316 (wmpmetwk.exe) set thread context of 208 (wmpmetwk.exe)
- PID 3780 (svchost.exe) set thread context of 1044 (svchost.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
- PID 2460 WerFault.exe, target PID 1044 svchost.exe

Modifies registry class (1 IoCs)
Process: svchost.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Repeated events from the following processes (pid, process):
- 3156 svchost.exe
- 2224 audiodgi.exe
- 316 wmpmetwk.exe
- 3780 svchost.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
- Token: SeDebugPrivilege, PID 5060 a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653.exe
- Token: SeDebugPrivilege, PID 3156 svchost.exe
- Token: SeDebugPrivilege, PID 2224 audiodgi.exe
- Token: SeDebugPrivilege, PID 316 wmpmetwk.exe
- Token: SeBackupPrivilege, PID 1948 svchost.exe
- Token: SeRestorePrivilege, PID 1948 svchost.exe
- Token: SeDebugPrivilege, PID 1948 svchost.exe
- Token: SeDebugPrivilege, PID 1948 svchost.exe
- Token: SeDebugPrivilege, PID 3780 svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Repeated events collapsed; source PID (process) wrote to memory of target PID (process):
- 5060 (a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653.exe) wrote to 3156 (svchost.exe)
- 3156 (svchost.exe) wrote to 4480 (svchost.exe)
- 3156 (svchost.exe) wrote to 2224 (audiodgi.exe)
- 2224 (audiodgi.exe) wrote to 316 (wmpmetwk.exe)
- 316 (wmpmetwk.exe) wrote to 208 (wmpmetwk.exe)
- 4480 (svchost.exe) wrote to 1948 (svchost.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653.exe"
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 3)
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 5)
        Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

          C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 6)
          Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
          - Executes dropped EXE

            C:\Windows\SysWOW64\WerFault.exe (depth 7)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 560
            - Program crash

    C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe (depth 5)
        Command line: C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe
        - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1044 -ip 1044
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\Admin2.txt
- Filesize: 224KB
- MD5: b93cc7af92080bea62bc2df6973ff190
- SHA1: 08a473d1de8b2df1235c0fc1d1fb9f96d9236a46
- SHA256: 1e3d6f9f91ba95e7cc6d1edc995d395899e5629f2a678382f6cde2d4b97fd165
- SHA512: 9e809d756192f0902c8ed2066cd6ac8746cde6f135497c2757a8ed58227395673092b4c619deca6aa8241c204c237749c0e7fa7aaecda4517e40fa0d8d02f4c8

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
- Filesize: 105B
- MD5: b47a08e54bdb31b6379086523cfb268d
- SHA1: 6a0fd9c0cd1ad93586bbd970e620b9acb07e10fa
- SHA256: b5f9da68cf86318a878b27edad6c1449cae1a1eb068dd64956310778de488a8c
- SHA512: 0519ec2e20975adc027d3345a4cca7e0617e54cf076cafbe49c67536233d93062d2b29c01f564b8d4a0ea2684f3c50455ca133415f39eb07cf1703466d60f0b1

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
- Filesize: 56B
- MD5: 3ef045d517db664d7f64d66b65eb2ef4
- SHA1: 1e54c90ab24a161c307ca74e7bfbab23ca4795a2
- SHA256: 9ae5ccde3335d02f3b0a5795652cb7e706121f9a8bc1a721e2d6ffb1847a5a7b
- SHA512: ec6b0f85cda02de19eff6094506c093395f6d45e521b2a3985f348ac71414c51b42464723dc7ab95e95c7e8f17fc4199435614cedfeca22630c23868d2377990

C:\Users\Admin\AppData\Local\Temp\System\audiodgi.exe
- Filesize: 7KB
- MD5: 2e18e07194565987ef816f36c4a2134e
- SHA1: 5278b14dc0704abd700264bb9f8610caf5d007eb
- SHA256: 44c927820ec11111ab620bfa75b71986b9e675770a782e3c740040d484e5dbd7
- SHA512: 7160e14ec359e738e77afed6341890a8084605543e7deb8720457825ff013b907e7233cc890a8c63614b4d481bc73fb72cf15378d8f3534dfb9c8064fed6f930

C:\Users\Admin\AppData\Local\Temp\System\wmpmetwk.exe (same hashes as the submitted sample)
- Filesize: 340KB
- MD5: 4d37950dd556f098d14a099869d35ad4
- SHA1: f530628df64f620967a0960c687b10bf18579c94
- SHA256: a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
- SHA512: f0cae45d1a318b0299a6e893f471792862d5faa8bd27635cb743a89e9a3fd1d362d50a5f213ce6c528c342530a0cb593221b74783451c270828f1ff0500a2814

C:\Users\Admin\AppData\Local\Temp\svchost.exe (same hashes as the submitted sample)
- Filesize: 340KB
- MD5: 4d37950dd556f098d14a099869d35ad4
- SHA1: f530628df64f620967a0960c687b10bf18579c94
- SHA256: a1c65a67003ea2e944a484633a52061028e85c7c5dae4f33509250d8b2b0e653
- SHA512: f0cae45d1a318b0299a6e893f471792862d5faa8bd27635cb743a89e9a3fd1d362d50a5f213ce6c528c342530a0cb593221b74783451c270828f1ff0500a2814