Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted: 01-07-2024 10:03

Static task: static1
Behavioral task: behavioral1
Sample: 1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll
Resource: win7-20240220-en
General
Target: 1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll
Size: 885KB
MD5: 1adf0d560866732a66a6c227fa3765a0
SHA1: 64f91d3f02b829e6e6844391937886a7f5c5a5f1
SHA256: 2474d389b05dd2d08b201de73548d3acd8fbf0e2df76259be3e0264b34b23a38
SHA512: 35082be2e70baf12b4f903a3459eb3ed457b2dfa3b2b0a17e108e9244b689bc8e66b5460bbac54639522c895190fde637c00b02e53c54ef2a08349b713eb168f
SSDEEP: 24576:qL5/rmRsmDWDPNuFhPvYrpLYHSfcoopooLY9Nu0P+Fhp1:QK5hPILYHSfeY9nWFhz
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: svchost.exe
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"
process: svchost.exe

Executes dropped EXE 2 IoCs
Processes: rundll32mgr.exe, WaterMark.exe
pid   process
2784  rundll32mgr.exe
2644  WaterMark.exe

Loads dropped DLL 4 IoCs
Processes: rundll32.exe, rundll32mgr.exe
pid   process
2280  rundll32.exe
2280  rundll32.exe
2784  rundll32mgr.exe
2784  rundll32mgr.exe
Processes:
resource                                                                   yara_rule
behavioral1/memory/2784-18-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/2784-17-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/2784-19-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/2784-16-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/2784-15-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/2784-14-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/2784-23-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/2784-32-0x0000000000280000-0x00000000002A7000-memory.dmp   upx
behavioral1/memory/2644-45-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/2644-44-0x0000000000400000-0x0000000000421000-memory.dmp   upx
behavioral1/memory/2644-577-0x0000000000400000-0x0000000000421000-memory.dmp  upx
behavioral1/memory/2644-580-0x0000000000400000-0x0000000000421000-memory.dmp  upx
Drops file in System32 directory 3 IoCs
Processes: rundll32.exe, svchost.exe
description                  ioc                                  process
File created                 C:\Windows\SysWOW64\rundll32mgr.exe  rundll32.exe
File created                 C:\Windows\SysWOW64\dmlconf.dat      svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat      svchost.exe
Drops file in Program Files directory 64 IoCs
Suspicious behavior: EnumeratesProcesses 37 IoCs
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: WaterMark.exe, svchost.exe, rundll32.exe
description              pid   process
Token: SeDebugPrivilege  2644  WaterMark.exe
Token: SeDebugPrivilege  1768  svchost.exe
Token: SeDebugPrivilege  2280  rundll32.exe
Token: SeDebugPrivilege  2644  WaterMark.exe
Suspicious use of UnmapMainImage 2 IoCs
Processes: rundll32mgr.exe, WaterMark.exe
pid   process
2784  rundll32mgr.exe
2644  WaterMark.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Windows\System32\smss.exe
    cmd: \SystemRoot\System32\smss.exe
[1] C:\Windows\system32\csrss.exe
    cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
[1] C:\Windows\system32\wininit.exe
    cmd: wininit.exe
  [2] C:\Windows\system32\services.exe
      cmd: C:\Windows\system32\services.exe
    [3] C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
      [4] C:\Windows\system32\DllHost.exe
          cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      [4] C:\Windows\system32\wbem\wmiprvse.exe
          cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    [3] C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k RPCSS
    [3] C:\Windows\System32\svchost.exe
        cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    [3] C:\Windows\System32\svchost.exe
        cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      [4] C:\Windows\system32\Dwm.exe
          cmd: "C:\Windows\system32\Dwm.exe"
    [3] C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k netsvcs
      [4] C:\Windows\system32\wbem\WMIADAP.EXE
          cmd: wmiadap.exe /F /T /R
    [3] C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k LocalService
    [3] C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k NetworkService
    [3] C:\Windows\System32\spoolsv.exe
        cmd: C:\Windows\System32\spoolsv.exe
    [3] C:\Windows\system32\taskhost.exe
        cmd: "taskhost.exe"
    [3] C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    [3] C:\Windows\system32\svchost.exe
        cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    [3] C:\Windows\system32\sppsvc.exe
        cmd: C:\Windows\system32\sppsvc.exe
  [2] C:\Windows\system32\lsass.exe
      cmd: C:\Windows\system32\lsass.exe
  [2] C:\Windows\system32\lsm.exe
      cmd: C:\Windows\system32\lsm.exe
[1] C:\Windows\system32\csrss.exe
    cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
[1] C:\Windows\system32\winlogon.exe
    cmd: winlogon.exe
[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
  [2] C:\Windows\system32\rundll32.exe
      cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll,#1
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1adf0d560866732a66a6c227fa3765a0_JaffaCakes118.dll,#1
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\rundll32mgr.exe
          cmd: C:\Windows\SysWOW64\rundll32mgr.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of UnmapMainImage
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files (x86)\Microsoft\WaterMark.exe
            cmd: "C:\Program Files (x86)\Microsoft\WaterMark.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of UnmapMainImage
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\svchost.exe
              cmd: C:\Windows\system32\svchost.exe
              - Modifies WinLogon for persistence
              - Drops file in System32 directory
              - Drops file in Program Files directory
          [6] C:\Windows\SysWOW64\svchost.exe
              cmd: C:\Windows\system32\svchost.exe
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize: 244KB
MD5: a79762f16437ff199ff468c586b963d0
SHA1: 7b1dfaa6f55884cce9a7489479ec2ecaa2377a04
SHA256: 68e0e533009243d951a9840250429c8e44d104eeb1379da912101b54e7889c44
SHA512: a640f30fbfc9ebf49537fc4f97040e8717141c393440e4d29bc28b1cca657911170b3b41d9ed1df06101c5278c9b90cbcf533ecca92b30cef14e0ea4d816d780

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize: 240KB
MD5: 2e6a47cf41d41572cedbf06c7ea468b9
SHA1: b44b90822391b0cfd6a646c4f55a79857a2d5e94
SHA256: 0c6a8e9ec5d5077fd81f60f5026f4e36174d6a4a0ee3cb65e37263db17fbb0ae
SHA512: 0dea18305fbbb734a95e41caf844e9f3207d43472e257c68b56b197fd085c6a495eafe0d8ef18864879b98332eeb68ca73cd19761f8b7070124ce13366aa4e2f

\Windows\SysWOW64\rundll32mgr.exe
Filesize: 115KB
MD5: 50a0e1f79e2c4a873576fde02f8bb90b
SHA1: 11596d44af32a1ae6d74435b3c070b6a47e8ac78
SHA256: 58134ebb29f8d9f7bc6cfb1319a1f50054e138ede45f111feb081ff15e11b655
SHA512: f7627b15264ef3122bbf1217f81ac1ca077a811225d8d1b850d78272ffd2ef5b828be6015866207952c76e81dbd21648e4998c5d3680b55ff1874b8acb70f3c3