Analysis Overview
SHA256
c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105
Threat Level: Known bad
The file c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105 was found to be: Known bad.
Malicious Activity Summary
Redosdru
Gh0st RAT payload
Gh0strat
Redosdru family
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Deletes itself
UPX packed file
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-22 13:58
Signatures
Redosdru family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-22 13:58
Reported
2024-10-22 14:01
Platform
win7-20240903-en
Max time kernel
119s
Max time network
138s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Redosdru
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File created | C:\Program Files\AppPatch\8.77.dll | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File opened for modification | C:\Program Files\AppPatch\8.77.dll | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\92-3b-07-0d-6f-cf | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-3b-07-0d-6f-cf\WpadDecisionTime = 00f510918a24db01 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\WpadDecisionTime = 00f510918a24db01 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\WpadNetworkName = "Network 3" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-3b-07-0d-6f-cf\WpadDecisionReason = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-3b-07-0d-6f-cf | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B} | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\WpadDecision = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E7DB5659-E4C4-4470-8D10-BFD6F829B65B}\WpadDecisionReason = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe
"C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 344
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| HK | 156.241.7.116:7744 | xiazai.caobibibi.com | tcp |
| US | 8.8.8.8:53 | bj.caobibibi.com | udp |
| HK | 154.213.24.14:10087 | bj.caobibibi.com | tcp |
| US | 8.8.8.8:53 | user.qzone.qq.com | udp |
| HK | 43.129.115.16:80 | user.qzone.qq.com | tcp |
| HK | 43.129.115.16:443 | user.qzone.qq.com | tcp |
| US | 8.8.8.8:53 | i.qq.com | udp |
| HK | 43.135.106.65:80 | i.qq.com | tcp |
| HK | 43.135.106.65:443 | i.qq.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| HK | 154.213.24.14:10087 | bj.caobibibi.com | tcp |
| HK | 43.129.115.16:80 | user.qzone.qq.com | tcp |
| HK | 43.129.115.16:443 | user.qzone.qq.com | tcp |
| HK | 43.135.106.65:80 | i.qq.com | tcp |
| HK | 43.135.106.65:443 | i.qq.com | tcp |
Files
C:\Program Files\AppPatch\8.77.dll
| MD5 | 0a74e0bffbce3cc5466796739cfdeb44 |
| SHA1 | c3b50df0a1de18b7053bff1b0293f5512f824055 |
| SHA256 | cdabc33a27b23c2060637193a4cbad94e16d31e6a4df7d67bdc6b63c1d056b30 |
| SHA512 | 9fb4f39d95820f63da2d8767b76f317c512a8db1b86428f04baf4b163d0deaee5c4726c9f66807a3b1c223d575557fabc88e0cde73a4561b304f6edd76b8cc36 |
memory/2444-5-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2444-9-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2444-8-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2444-10-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2312-25-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2312-24-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2312-26-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2312-21-0x0000000010000000-0x000000001034B000-memory.dmp
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
| MD5 | 90d83bbad8110780e90b8f0beab172f9 |
| SHA1 | 0ced0e716b07945787bf78ae6296a5f24bfdbe59 |
| SHA256 | c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105 |
| SHA512 | 92d4a6697644925176852c2b43bf297b16afadc2a993c135b5aa9df3c74a280bfb7cde883c6bf5c8b06202ff55168997dcf89ef2e791a3aeaca3cb09b6ac7707 |
memory/2004-33-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2004-44-0x0000000010000000-0x000000001034B000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Windows\Temp\TarEA35.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 1e481531d370555005513c35d35df417 |
| SHA1 | 38683f3bc01ad479fa10fbd1b921a5a722f6ac42 |
| SHA256 | a92c7b5f0c76e0b8840088ae9c0e9eb611027089e0d4a90be1484b348ec5a409 |
| SHA512 | 6bfe3588d3b3bccca48e9c17bfd028c5c992c66859509aac8347c6eedab0126bdd0813c155b721e097f9cb4dc24ccd8edd42ce41aa564232111e8cca413bbec6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-22 13:58
Reported
2024-10-22 14:01
Platform
win10v2004-20241007-en
Max time kernel
132s
Max time network
131s
Command Line
Signatures
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Redosdru
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_BC1D0671A6396D650996E0E6013A6D37 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_BC1D0671A6396D650996E0E6013A6D37 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_786387CC77858B88BA3234B304062475 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CF14D1855652602540DFCFECD21854DB_8C1AD9434E0E1576771CA7E7EAD43D9E | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File created | C:\Program Files\AppPatch\8.77.dll | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| File opened for modification | C:\Program Files\AppPatch\8.77.dll | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Windows NT\conhostdhfw.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows NT\conhostdhfw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe
"C:\Users\Admin\AppData\Local\Temp\c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
"C:\Program Files (x86)\Windows NT\conhostdhfw.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1688 -ip 1688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 560
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xiazai.caobibibi.com | udp |
| HK | 156.241.7.116:7744 | xiazai.caobibibi.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 116.7.241.156.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bj.caobibibi.com | udp |
| HK | 154.213.24.14:10087 | bj.caobibibi.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | user.qzone.qq.com | udp |
| HK | 43.159.234.61:80 | user.qzone.qq.com | tcp |
| HK | 43.159.234.61:443 | user.qzone.qq.com | tcp |
| US | 8.8.8.8:53 | 61.234.159.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i.qq.com | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| HK | 43.135.106.77:80 | i.qq.com | tcp |
| HK | 43.135.106.77:443 | i.qq.com | tcp |
| US | 8.8.8.8:53 | 77.106.135.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| HK | 154.213.24.14:10087 | bj.caobibibi.com | tcp |
| HK | 43.159.234.61:80 | user.qzone.qq.com | tcp |
| HK | 43.159.234.61:443 | user.qzone.qq.com | tcp |
| HK | 43.135.106.77:80 | i.qq.com | tcp |
| HK | 43.135.106.77:443 | i.qq.com | tcp |
Files
C:\Program Files\AppPatch\8.77.dll
| MD5 | 0a74e0bffbce3cc5466796739cfdeb44 |
| SHA1 | c3b50df0a1de18b7053bff1b0293f5512f824055 |
| SHA256 | cdabc33a27b23c2060637193a4cbad94e16d31e6a4df7d67bdc6b63c1d056b30 |
| SHA512 | 9fb4f39d95820f63da2d8767b76f317c512a8db1b86428f04baf4b163d0deaee5c4726c9f66807a3b1c223d575557fabc88e0cde73a4561b304f6edd76b8cc36 |
memory/2680-5-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2680-8-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2680-9-0x0000000010000000-0x000000001034B000-memory.dmp
C:\Program Files (x86)\Windows NT\conhostdhfw.exe
| MD5 | 90d83bbad8110780e90b8f0beab172f9 |
| SHA1 | 0ced0e716b07945787bf78ae6296a5f24bfdbe59 |
| SHA256 | c28770a88ad997d80ca6f461893cd6f032f614a43c449f21e73df15e8a843105 |
| SHA512 | 92d4a6697644925176852c2b43bf297b16afadc2a993c135b5aa9df3c74a280bfb7cde883c6bf5c8b06202ff55168997dcf89ef2e791a3aeaca3cb09b6ac7707 |
memory/2680-12-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2680-10-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2956-27-0x0000000010000000-0x000000001034B000-memory.dmp
memory/2956-26-0x0000000010000000-0x000000001034B000-memory.dmp
memory/1688-29-0x0000000010000000-0x000000001034B000-memory.dmp
memory/1688-32-0x0000000010000000-0x000000001034B000-memory.dmp
memory/1688-33-0x0000000010000000-0x000000001034B000-memory.dmp
memory/1688-34-0x0000000010000000-0x000000001034B000-memory.dmp
memory/1688-35-0x0000000010000000-0x000000001034B000-memory.dmp
memory/1688-48-0x0000000010000000-0x000000001034B000-memory.dmp