Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10-06-2024 23:54
Behavioral task
behavioral1
Sample
7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
Resource
win10v2004-20240426-en
General
-
Target
7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
-
Size
2.5MB
-
MD5
b3853be45e0b9a932cfbd7e560a8480d
-
SHA1
e34f75fc6b7f6f8978e814d123fadc6ea01b38cc
-
SHA256
7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082
-
SHA512
f476081140204c578f18bb4fb22c490bb8e4518d9b7f23523dd7a08f31e9b8e904f28d12f0ddabe20209453a4b0c563a17853c416a580617492ec0f60ab080d1
-
SSDEEP
49152:hxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxc:hxx9NUFkQx753uWuCyyxc
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
Detects executables packed with Themida 16 IoCs
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes: spoolsv.exe, svchost.exe, spoolsv.exe, 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe, 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Executes dropped EXE 4 IoCs
Processes: explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2088 | explorer.exe
2592 | spoolsv.exe
2700 | svchost.exe
2848 | spoolsv.exe
Loads dropped DLL 4 IoCs
Processes: 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe, explorer.exe, spoolsv.exe, svchost.exe
pid | process
2236 | 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
2088 | explorer.exe
2592 | spoolsv.exe
2700 | svchost.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: svchost.exe, explorer.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Checks whether UAC is enabled
Processes: spoolsv.exe, 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe, explorer.exe, spoolsv.exe, svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Drops file in System32 directory 2 IoCs
Processes: explorer.exe, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes: 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2236 | 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
2088 | explorer.exe
2592 | spoolsv.exe
2700 | svchost.exe
2848 | spoolsv.exe
Drops file in Windows directory 4 IoCs
Processes: spoolsv.exe, explorer.exe, 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
description | ioc | process
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
pid | process
2744 | schtasks.exe
2408 | schtasks.exe
596 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: explorer.exe, svchost.exe
pid | process
2088 | explorer.exe
2700 | svchost.exe
Suspicious use of SetWindowsHookEx 10 IoCs
Processes: 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe, explorer.exe, spoolsv.exe, svchost.exe, spoolsv.exe
pid | process
2236 | 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
2236 | 7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
2088 | explorer.exe
2088 | explorer.exe
2592 | spoolsv.exe
2592 | spoolsv.exe
2700 | svchost.exe
2700 | svchost.exe
2848 | spoolsv.exe
2848 | spoolsv.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\7dab476be2380a0836602d2fab4c22ed7a79f2cdb8339b0a5f518dd464915082.exe"
Tree depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
Image: \??\c:\windows\resources\themes\explorer.exe
Command line: c:\windows\resources\themes\explorer.exe
Tree depth: 2
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088
Image: \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe SE
Tree depth: 3
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592
Image: \??\c:\windows\resources\svchost.exe
Command line: c:\windows\resources\svchost.exe
Tree depth: 4
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
Image: \??\c:\windows\resources\spoolsv.exe
Command line: c:\windows\resources\spoolsv.exe PR
Tree depth: 5
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2848
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:56 /f
Tree depth: 5
- Creates scheduled task(s)
PID:2744
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:57 /f
Tree depth: 5
- Creates scheduled task(s)
PID:2408
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:58 /f
Tree depth: 5
- Creates scheduled task(s)
PID:596
Image: C:\Windows\Explorer.exe
Command line: C:\Windows\Explorer.exe
Tree depth: 3
PID:2524
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Hide Artifacts (1)
- Hidden Files and Directories (1)
- Modify Registry (2)
- Virtualization/Sandbox Evasion (1)