Analysis
-
max time kernel
150s
-
max time network
143s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
-
submitted
26-05-2024 02:58
Static task
static1
Behavioral task
behavioral1
Sample
c9fbaa3919cc10d2a95cc5495e4abb78cfa7f89e8350442916bba1f21bf3a3a1.dll
Resource
win7-20240221-en
General
-
Target
c9fbaa3919cc10d2a95cc5495e4abb78cfa7f89e8350442916bba1f21bf3a3a1.dll
-
Size
157KB
-
MD5
457aa792186d3c64f612cd92be10914a
-
SHA1
ff60592e8963b603f7e71bf306d24831d629edd8
-
SHA256
c9fbaa3919cc10d2a95cc5495e4abb78cfa7f89e8350442916bba1f21bf3a3a1
-
SHA512
62a22c67ff88b7f841c38ef2e1924092017295410e23753476a4aa9329d00c803b6decdf3474d84c6480f0db18aae5bcccdf15bdbd3bf2fbe8d1e351940dbc4f
-
SSDEEP
3072:IMr6N9WfdNAbxBk69VyZhDsHYZ3rDINcQR0n6ecZdGU1QLaLNmYqhPzxm1f:IMqWfdNANG6yEYZ7DVQgsQLPzo1f
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: svchost.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
process: svchost.exe
-
UPX dump on OEP (original entry point) 10 IoCs
Executes dropped EXE 4 IoCs
Processes: rundll32mgr.exe, rundll32mgrmgr.exe, WaterMark.exe, WaterMark.exe
pid | process
2500 | rundll32mgr.exe
2632 | rundll32mgrmgr.exe
1896 | WaterMark.exe
2408 | WaterMark.exe
-
Loads dropped DLL 8 IoCs
Processes: rundll32.exe, rundll32mgr.exe, rundll32mgrmgr.exe
pid | process
2592 | rundll32.exe
2592 | rundll32.exe
2500 | rundll32mgr.exe
2500 | rundll32mgr.exe
2632 | rundll32mgrmgr.exe
2632 | rundll32mgrmgr.exe
2500 | rundll32mgr.exe
2500 | rundll32mgr.exe
-
Drops file in System32 directory 4 IoCs
Processes: rundll32.exe, rundll32mgr.exe, svchost.exe
description | ioc | process
File created | C:\Windows\SysWOW64\rundll32mgr.exe | rundll32.exe
File created | C:\Windows\SysWOW64\rundll32mgrmgr.exe | rundll32mgr.exe
File created | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\dmlconf.dat | svchost.exe
-
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: WaterMark.exe, WaterMark.exe
pid | process
1896 | WaterMark.exe
1896 | WaterMark.exe
2408 | WaterMark.exe
2408 | WaterMark.exe
1896 | WaterMark.exe
2408 | WaterMark.exe
2408 | WaterMark.exe
1896 | WaterMark.exe
2408 | WaterMark.exe
1896 | WaterMark.exe
2408 | WaterMark.exe
1896 | WaterMark.exe
1896 | WaterMark.exe
1896 | WaterMark.exe
2408 | WaterMark.exe
2408 | WaterMark.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: rundll32.exe, WaterMark.exe, WaterMark.exe, svchost.exe, svchost.exe
description | pid | process
Token: SeDebugPrivilege | 2592 | rundll32.exe
Token: SeDebugPrivilege | 1896 | WaterMark.exe
Token: SeDebugPrivilege | 2408 | WaterMark.exe
Token: SeDebugPrivilege | 332 | svchost.exe
Token: SeDebugPrivilege | 1016 | svchost.exe
-
Suspicious use of UnmapMainImage 4 IoCs
Processes: rundll32mgr.exe, rundll32mgrmgr.exe, WaterMark.exe, WaterMark.exe
pid | process
2500 | rundll32mgr.exe
2632 | rundll32mgrmgr.exe
2408 | WaterMark.exe
1896 | WaterMark.exe
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
[depth 1] C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9fbaa3919cc10d2a95cc5495e4abb78cfa7f89e8350442916bba1f21bf3a3a1.dll,#1
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\SysWOW64\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9fbaa3919cc10d2a95cc5495e4abb78cfa7f89e8350442916bba1f21bf3a3a1.dll,#1
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\SysWOW64\rundll32mgr.exe
Command line: C:\Windows\SysWOW64\rundll32mgr.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\SysWOW64\rundll32mgrmgr.exe
Command line: C:\Windows\SysWOW64\rundll32mgrmgr.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Program Files (x86)\Microsoft\WaterMark.exe
Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
[depth 6] C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\system32\svchost.exe
-
[depth 6] C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Program Files (x86)\Microsoft\WaterMark.exe
Command line: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
-
[depth 5] C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\system32\svchost.exe
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads