Analysis
-
max time kernel
13s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
28-06-2024 13:30
General
-
Target
1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe
-
Size
792KB
-
MD5
1a4e0616d3bb6faaae67c2b9655b3691
-
SHA1
1063f0d26a161d91dec14755a65862be23f4d011
-
SHA256
86584928126b210987919b533525f52937b87a2877130a39d456a37ccb9ee828
-
SHA512
5d76bd1801a66e51d326aabc15e7fb3464590726101e72789917d287b1c5eb1afe48c4be5933f46091f555e5b7f918cb164eabfba77a131af2c92e37e3402c58
-
SSDEEP
12288:FEnnhoUxDJKzPNZeO+2HBtIEMt/4FylEQKvC9ss+jJwdmDHif/uuhbJ2XyiCyai:JQaZx+2jIE0/jGgPghTspJ2kyn
Score
10/10
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 3 TTPs 4 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Executes dropped EXE 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in Program Files directory 11 IoCs
-
Drops file in Windows directory 1 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Program crash 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious behavior: MapViewOfSection 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of UnmapMainImage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca2⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exeC:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exeC:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgrmgr.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- System policy modification
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable6⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:460 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\netsh.exenetsh firewall set opmode disable8⤵
- Modifies Windows Firewall
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"7⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 13123⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ff9be9d4ef8,0x7ff9be9d4f04,0x7ff9be9d4f102⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2440,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=2432 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1852,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2456,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=3660 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:82⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4520 -ip 45201⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exeFilesize
271KB
MD5bbac48fdbc1106de1c61a1e8dd361e39
SHA1bda379d20b9de5806bb338277019ba3bd92908df
SHA25649939a37344dd2276fd7c31ace0b3aa3c37ef492d34117a225b3cbe5ac384c65
SHA512fb6368b11466cbf6eda80637104696d7e40400ccfc6fa054995c48526f541de9c43fbac7ac857508c121b4df050cd0b51180ca36fa66eacdd3150b490fbd589b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5293ea21f7d2b09f447f07d065dd542b9
SHA15d30d1d814dab60840b66cb9ee7dd8ceea05df70
SHA2562203bb67fc1d126a35d05b53e3b9c39acf5a06b6f2d792099460e8caa83f2a32
SHA5127d5ff3768b8ab54f4186a325ac433eb4a1f3dfabb30d641a0a1d6b9f2f24c5dd83cc5d05c13477cab16c5644d39e45ae991d75a1ddb7c79b76e562b4f2eb2898
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD51e89031abfd5cbd14201901260b73b5b
SHA1f5f2f0dee3c18e74607ab86cb7aaae4bc91591fd
SHA25675b884f300cf8c4c8c2fe3a9d5b466f70de6aba50eabf1c4e8a30252170d5915
SHA512b755d6e9025492249dc93a580670e4100ac63c802fc681d89a539830eade30edca6bea8a3173e75e8199d2373d08125f35a9b4c08d1cf5155339e91d6ac09455
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QZRYTBAT\suggestions[1].en-USFilesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Temp\1a4e0616d3bb6faaae67c2b9655b3691_JaffaCakes118mgr.exeFilesize
650KB
MD53a713d8ea4721bffcf9eddf47af0dbe5
SHA1f1ce15d0c816d290885ca9b97b2c7f6f8728647b
SHA25643a70a7c64ebf6dcaca4d415c4ccb19a9fe82fa15077c00c28e73119451772bd
SHA51204e7ea8dc5583c9630ada5758b3f37f602d79a0a0c32d46be07efb35de19b1e04d00f220c655a42b2f79687d64e466ae2c8b0e1f4b8b186b835e1d9e1d59e80f
-
C:\Windows\SYSTEM.INIFilesize
258B
MD505f0ed5f0339d08b92a8835c27701bc1
SHA1de80bf05856e0beed27411981448749d7556b834
SHA2561f994cf7ca8eb601c4dc1c1732afe630f3a9657fe78e73cd711737e6f042249a
SHA5125c6c7e8d0e9f23112457280d43538f064cdf630251e76d544018918c5b7e057b63343f097794d7c0ff9a02d86096115d3b0aff10c89a0734217a56c73fcef860
-
memory/1208-101-0x0000000000A70000-0x0000000000A71000-memory.dmpFilesize
4KB
-
memory/1728-57-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1728-46-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1728-59-0x0000000000401000-0x0000000000416000-memory.dmpFilesize
84KB
-
memory/1728-58-0x0000000000416000-0x0000000000420000-memory.dmpFilesize
40KB
-
memory/2952-164-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2952-107-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/3264-79-0x0000000077D42000-0x0000000077D43000-memory.dmpFilesize
4KB
-
memory/3264-97-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/3264-69-0x0000000000060000-0x0000000000061000-memory.dmpFilesize
4KB
-
memory/3264-45-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/3264-78-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3264-157-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3496-16-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3496-21-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3496-5-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/3496-31-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3496-6-0x0000000003500000-0x0000000004530000-memory.dmpFilesize
16.2MB
-
memory/3496-32-0x0000000000B50000-0x0000000000B51000-memory.dmpFilesize
4KB
-
memory/3496-13-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3496-14-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3496-15-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3496-17-0x0000000003500000-0x0000000004530000-memory.dmpFilesize
16.2MB
-
memory/3496-8-0x0000000003500000-0x0000000004530000-memory.dmpFilesize
16.2MB
-
memory/3496-22-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4360-121-0x0000000000D90000-0x0000000000D91000-memory.dmpFilesize
4KB
-
memory/4360-122-0x0000000000D70000-0x0000000000D71000-memory.dmpFilesize
4KB
-
memory/4368-95-0x0000000000416000-0x0000000000420000-memory.dmpFilesize
40KB
-
memory/4368-77-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/4368-88-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4520-146-0x0000000000400000-0x00000000004E2000-memory.dmpFilesize
904KB
-
memory/4520-23-0x0000000000590000-0x0000000000592000-memory.dmpFilesize
8KB
-
memory/4520-20-0x00000000006C0000-0x00000000006C1000-memory.dmpFilesize
4KB
-
memory/4520-19-0x0000000000590000-0x0000000000592000-memory.dmpFilesize
8KB
-
memory/4520-33-0x0000000000400000-0x00000000004E2000-memory.dmpFilesize
904KB
-
memory/4520-0-0x0000000000400000-0x00000000004E2000-memory.dmpFilesize
904KB
-
memory/4652-92-0x0000000005D60000-0x0000000005D61000-memory.dmpFilesize
4KB
-
memory/4652-106-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4652-99-0x0000000006310000-0x0000000006311000-memory.dmpFilesize
4KB
-
memory/4652-188-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/4652-189-0x00000000032A0000-0x00000000042D0000-memory.dmpFilesize
16.2MB
-
memory/4652-60-0x0000000000400000-0x00000000004B0000-memory.dmpFilesize
704KB
-
memory/4652-73-0x00000000032A0000-0x00000000042D0000-memory.dmpFilesize
16.2MB
-
memory/4652-70-0x00000000032A0000-0x00000000042D0000-memory.dmpFilesize
16.2MB