Analysis
-
max time kernel
147s -
max time network
133s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
01-12-2021 18:08
Static task
static1
Behavioral task
behavioral1
Sample
m2.dat.exe
Resource
win7-en-20211014
General
-
Target
m2.dat.exe
-
Size
3.4MB
-
MD5
fcfc0feed527d188d6b2ed3445758511
-
SHA1
b4198d332b59b303e2dc5df717f2cf408b308f28
-
SHA256
28e5812c8bff42c348a5f25a5f3d871c5b3bbda882da1009db4d25dc974bef0c
-
SHA512
af053c75e89e18573161dcd1fcabc3b08998874c5e810bc15bb2a0e5ab0254d06b4ec6defc545fc9dff4fcb94529eb9ea7610ad63233e5d6e191b232c502d3c5
Malware Config
Signatures
-
XMRig Miner Payload 8 IoCs
Processes:
resource yara_rule C:\Windows\debug\m\winlogon.exe xmrig C:\Windows\debug\m\winlogon.exe xmrig C:\Windows\debug\m\winlogon.exe xmrig C:\Windows\debug\m\winlogon.exe xmrig C:\Windows\debug\m\winlogon.exe xmrig C:\Windows\debug\m\winlogon.exe xmrig C:\Windows\debug\m\winlogon.exe xmrig C:\Windows\debug\m\winlogon.exe xmrig -
Executes dropped EXE 18 IoCs
Processes:
lsass.exe1sass.exelsass.exe1sass.execsrss.execsrss.exewinlogon.execsrss.exewinlogon.exewinlogon.execsrss.exewinlogon.execsrss.exewinlogon.execsrss.exewinlogon.execsrss.exewinlogon.exepid process 4260 lsass.exe 4420 1sass.exe 4376 lsass.exe 4548 1sass.exe 432 csrss.exe 876 csrss.exe 1272 winlogon.exe 1652 csrss.exe 1884 winlogon.exe 3436 winlogon.exe 304 csrss.exe 4908 winlogon.exe 5024 csrss.exe 4672 winlogon.exe 4940 csrss.exe 2908 winlogon.exe 2640 csrss.exe 4696 winlogon.exe -
Modifies Windows Firewall 1 TTPs
-
Drops file in Windows directory 24 IoCs
Processes:
m2.dat.exeattrib.exeattrib.exeattrib.exedescription ioc process File created C:\Windows\debug\m\server2.reg m2.dat.exe File created C:\Windows\debug\m\n.vbs m2.dat.exe File opened for modification C:\Windows\debug\m\n.vbs m2.dat.exe File opened for modification C:\Windows\debug\m\csrss.exe m2.dat.exe File created C:\Windows\debug\__tmp_rar_sfx_access_check_259384109 m2.dat.exe File created C:\Windows\debug\m\config.json m2.dat.exe File opened for modification C:\Windows\debug\m\server.reg m2.dat.exe File opened for modification C:\Windows\debug\m\winlogon.exe m2.dat.exe File opened for modification C:\Windows\debug\m\config.json attrib.exe File opened for modification C:\Windows\debug\m\server2.reg m2.dat.exe File opened for modification C:\Windows\debug\m\lsass.exe m2.dat.exe File created C:\Windows\debug\m\winlogon.exe m2.dat.exe File opened for modification C:\Windows\debug\m\lsass.exe attrib.exe File opened for modification C:\Windows\debug\m\config.json m2.dat.exe File created C:\Windows\debug\m\WinRing0x64.sys m2.dat.exe File created C:\Windows\debug\m\lsass.exe m2.dat.exe File created C:\Windows\debug\m\c1.bat m2.dat.exe File opened for modification C:\Windows\debug\m\c1.bat m2.dat.exe File created C:\Windows\debug\m\csrss.exe m2.dat.exe File opened for modification C:\Windows\debug\m attrib.exe File opened for modification C:\Windows\debug\m\winlogon.exe attrib.exe File opened for modification C:\Windows\debug\m m2.dat.exe File created C:\Windows\debug\m\server.reg m2.dat.exe File opened for modification C:\Windows\debug\m\WinRing0x64.sys m2.dat.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
m2.dat.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\Local Settings m2.dat.exe -
Runs .reg file with regedit 2 IoCs
Processes:
regedit.exeregedit.exepid process 4208 regedit.exe 4516 regedit.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
1sass.exelsass.exepid process 4548 1sass.exe 4548 1sass.exe 4548 1sass.exe 4548 1sass.exe 4376 lsass.exe 4376 lsass.exe 4548 1sass.exe 4548 1sass.exe 4376 lsass.exe 4376 lsass.exe 4376 lsass.exe 4376 lsass.exe 4548 1sass.exe 4548 1sass.exe 4376 lsass.exe 4376 lsass.exe 4548 1sass.exe 4548 1sass.exe 4376 lsass.exe 4376 lsass.exe 4548 1sass.exe 4548 1sass.exe 4376 lsass.exe 4376 lsass.exe 4548 1sass.exe 4548 1sass.exe 4376 lsass.exe 4376 lsass.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
m2.dat.exeWScript.execmd.exe1sass.exelsass.exedescription pid process target process PID 3560 wrote to memory of 3908 3560 m2.dat.exe WScript.exe PID 3560 wrote to memory of 3908 3560 m2.dat.exe WScript.exe PID 3560 wrote to memory of 3908 3560 m2.dat.exe WScript.exe PID 3908 wrote to memory of 4052 3908 WScript.exe cmd.exe PID 3908 wrote to memory of 4052 3908 WScript.exe cmd.exe PID 3908 wrote to memory of 4052 3908 WScript.exe cmd.exe PID 4052 wrote to memory of 4260 4052 cmd.exe lsass.exe PID 4052 wrote to memory of 4260 4052 cmd.exe lsass.exe PID 4052 wrote to memory of 4208 4052 cmd.exe regedit.exe PID 4052 wrote to memory of 4208 4052 cmd.exe regedit.exe PID 4052 wrote to memory of 4208 4052 cmd.exe regedit.exe PID 4052 wrote to memory of 4420 4052 cmd.exe 1sass.exe PID 4052 wrote to memory of 4420 4052 cmd.exe 1sass.exe PID 4052 wrote to memory of 4516 4052 cmd.exe regedit.exe PID 4052 wrote to memory of 4516 4052 cmd.exe regedit.exe PID 4052 wrote to memory of 4516 4052 cmd.exe regedit.exe PID 4052 wrote to memory of 4392 4052 cmd.exe sc.exe PID 4052 wrote to memory of 4392 4052 cmd.exe sc.exe PID 4052 wrote to memory of 4392 4052 cmd.exe sc.exe PID 4052 wrote to memory of 4360 4052 cmd.exe sc.exe PID 4052 wrote to memory of 4360 4052 cmd.exe sc.exe PID 4052 wrote to memory of 4360 4052 cmd.exe sc.exe PID 4052 wrote to memory of 3740 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 3740 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 3740 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 4076 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 4076 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 4076 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 4000 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 4000 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 4000 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 4160 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 4160 4052 cmd.exe attrib.exe PID 4052 wrote to memory of 4160 4052 cmd.exe attrib.exe PID 4548 wrote to memory of 432 4548 1sass.exe csrss.exe PID 4548 wrote to memory of 432 4548 1sass.exe csrss.exe PID 4052 wrote to memory of 592 4052 cmd.exe netsh.exe PID 4052 wrote to memory of 592 4052 cmd.exe netsh.exe PID 4052 wrote to memory of 592 4052 cmd.exe netsh.exe PID 4548 wrote to memory of 876 4548 1sass.exe csrss.exe PID 4548 wrote to memory of 876 4548 1sass.exe csrss.exe PID 4376 wrote to memory of 1272 4376 lsass.exe winlogon.exe PID 4376 wrote to memory of 1272 4376 lsass.exe winlogon.exe PID 4548 wrote to memory of 1652 4548 1sass.exe csrss.exe PID 4548 wrote to memory of 1652 4548 1sass.exe csrss.exe PID 4376 wrote to memory of 1884 4376 lsass.exe winlogon.exe PID 4376 wrote to memory of 1884 4376 lsass.exe winlogon.exe PID 4376 wrote to memory of 3436 4376 lsass.exe winlogon.exe PID 4376 wrote to memory of 3436 4376 lsass.exe winlogon.exe PID 4548 wrote to memory of 304 4548 1sass.exe csrss.exe PID 4548 wrote to memory of 304 4548 1sass.exe csrss.exe PID 4376 wrote to memory of 4908 4376 lsass.exe winlogon.exe PID 4376 wrote to memory of 4908 4376 lsass.exe winlogon.exe PID 4548 wrote to memory of 5024 4548 1sass.exe csrss.exe PID 4548 wrote to memory of 5024 4548 1sass.exe csrss.exe PID 4376 wrote to memory of 4672 4376 lsass.exe winlogon.exe PID 4376 wrote to memory of 4672 4376 lsass.exe winlogon.exe PID 4548 wrote to memory of 4940 4548 1sass.exe csrss.exe PID 4548 wrote to memory of 4940 4548 1sass.exe csrss.exe PID 4376 wrote to memory of 2908 4376 lsass.exe winlogon.exe PID 4376 wrote to memory of 2908 4376 lsass.exe winlogon.exe PID 4548 wrote to memory of 2640 4548 1sass.exe csrss.exe PID 4548 wrote to memory of 2640 4548 1sass.exe csrss.exe PID 4376 wrote to memory of 4696 4376 lsass.exe winlogon.exe -
Views/modifies file attributes 1 TTPs 4 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exepid process 3740 attrib.exe 4076 attrib.exe 4000 attrib.exe 4160 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\m2.dat.exe"C:\Users\Admin\AppData\Local\Temp\m2.dat.exe"1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\debug\m\n.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\debug\m\c1.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\debug\m\lsass.exelsass.exe install "Windows Updata" winlogon.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\regedit.exeC:\Windows\regedit /s server.reg4⤵
- Runs .reg file with regedit
-
C:\PerfLogs\Admin\1sass.exeC:\PerfLogs\Admin\1sass.exe install "Windows Management" C:\PerfLogs\Admin\csrss.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\regedit.exeC:\Windows\regedit /s server2.reg4⤵
- Runs .reg file with regedit
-
C:\Windows\SysWOW64\sc.exesc start "Windows Updata"4⤵
-
C:\Windows\SysWOW64\sc.exesc start "Windows Management"4⤵
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\debug\m +h +a4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\debug\m\*.json +h +a +s +r4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib C:\Windows\debug\m\*.exe +h +a +s +r4⤵
- Drops file in Windows directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib C:\PerfLogs\Admin\*.exe +h +a +s +r4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="tcp all" dir=in protocol=tcp localport=0-65535 action=allow4⤵
-
C:\Windows\debug\m\lsass.exeC:\Windows\debug\m\lsass.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\debug\m\winlogon.exe"winlogon.exe"2⤵
- Executes dropped EXE
-
C:\Windows\debug\m\winlogon.exe"winlogon.exe"2⤵
- Executes dropped EXE
-
C:\Windows\debug\m\winlogon.exe"winlogon.exe"2⤵
- Executes dropped EXE
-
C:\Windows\debug\m\winlogon.exe"winlogon.exe"2⤵
- Executes dropped EXE
-
C:\Windows\debug\m\winlogon.exe"winlogon.exe"2⤵
- Executes dropped EXE
-
C:\Windows\debug\m\winlogon.exe"winlogon.exe"2⤵
- Executes dropped EXE
-
C:\Windows\debug\m\winlogon.exe"winlogon.exe"2⤵
- Executes dropped EXE
-
C:\PerfLogs\Admin\1sass.exeC:\PerfLogs\Admin\1sass.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\PerfLogs\Admin\csrss.exe"C:\PerfLogs\Admin\csrss.exe"2⤵
- Executes dropped EXE
-
C:\PerfLogs\Admin\csrss.exe"C:\PerfLogs\Admin\csrss.exe"2⤵
- Executes dropped EXE
-
C:\PerfLogs\Admin\csrss.exe"C:\PerfLogs\Admin\csrss.exe"2⤵
- Executes dropped EXE
-
C:\PerfLogs\Admin\csrss.exe"C:\PerfLogs\Admin\csrss.exe"2⤵
- Executes dropped EXE
-
C:\PerfLogs\Admin\csrss.exe"C:\PerfLogs\Admin\csrss.exe"2⤵
- Executes dropped EXE
-
C:\PerfLogs\Admin\csrss.exe"C:\PerfLogs\Admin\csrss.exe"2⤵
- Executes dropped EXE
-
C:\PerfLogs\Admin\csrss.exe"C:\PerfLogs\Admin\csrss.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\PerfLogs\Admin\1sass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\PerfLogs\Admin\1sass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\PerfLogs\Admin\1sass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\PerfLogs\Admin\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\Windows\debug\m\c1.batMD5
9a412e42384f31ad8c61cbd32076603c
SHA17a1caef46f6c7549ab17d98f1328fff4673cacb2
SHA2560ab85d2da0f7a9b644d4b7a964a7b1728d1f9eb716b9abe2f1d9c611d7ee4617
SHA5121d9d179db2a8901539f3a7fe6a91d58422cdb6a28dbf53e758e8745881a45304b0037227b9a4d1c04928d14b0014a1bb1c2e6eb53dfa43111eba6bf32da949c6
-
C:\Windows\debug\m\config.jsonMD5
c3b273d977023f0309fa7225c73911ed
SHA1b667780303d60c649a77e8c2fed970779d8a53cf
SHA2563896eedd2bceeca958779c63c3150744c9e2d0160553b4d8a652323fe2b3b5df
SHA51238e8e637c58e59577a5e05e05fb6818ccba96b8db2cfda9e8221e1a0665429a321dc3efe603aa37afed7165267060382b213136076ebe3b4c536c8f060f026ea
-
C:\Windows\debug\m\csrss.exeMD5
62e98ca6b2bf484e6fbbc537fd49167a
SHA1b8fbfaaeadb02dde6461132bf63a9faa4a89987e
SHA256cbc85816ce4d841628d343113b3ae6843402062835a9da85da1064f58e840517
SHA512684cd2a043b71b288a515a8df26e4f374afcec9de9cdb6d80068e24f6eeea7adf9c141e6df172ec4cb2a09edbf3da2a9e0120ff8a086800c52f5c7cc998799d8
-
C:\Windows\debug\m\lsass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\Windows\debug\m\lsass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\Windows\debug\m\lsass.exeMD5
beceae2fdc4f7729a93e94ac2ccd78cc
SHA147c112c23c7bdf2af24a20bd512f91ff6af76bc6
SHA256f689ee9af94b00e9e3f0bb072b34caaf207f32dcb4f5782fc9ca351df9a06c97
SHA512073f5ae0d4ffedb5edb3b92b8e19bea2c482a3ad7ab02ed71955d3e55aa44a297307fe4334d28c6f7683cb02d40b4313e560c9049507b16a8c5d6ee0a0f0071f
-
C:\Windows\debug\m\n.vbsMD5
c4258287aa2aa93135e6d1462b1cd58f
SHA116bdfae57a969931d2b7321dd48ec39dfbe8be14
SHA256cf8417cdc951eed2c10d424b312a0fbf222321e785e655548d9b054a2d87c273
SHA51238c701c8f50d35dd8319755d65e74849150bc3402afe2994a0eea9209ffde193ca6301ff28ad4e8b5ddb4cdd916f9a0e7ef4ef7e4e9c8b82ae28a2a3e76d75ba
-
C:\Windows\debug\m\server.regMD5
7c2301b0fa96dac6f800704acca36342
SHA1d5733429c9acee4e452bae53499fa67309beb855
SHA256f9f8291c7d3f5397e249aa6ec402ebc45d47cf455b25588970382048aa67b985
SHA512f754c1b848ff6eef49d60096c3a79a9120ddde80d812be2b6b751745cd008c3f2ffd0c82de23852a9153258d43ef8de7e1e30f4598a557ff7809ae476a75922f
-
C:\Windows\debug\m\server2.regMD5
41678ca725e5e2964ccfebde111d243a
SHA1451890c89b9268a321831ae0ca17cf128c973c2a
SHA2561b74416ba48010dad0467ce77f8d1044e75be2dd003a18cdad0d6f2112e3b565
SHA512b916c1321f4073da734c31bd6a50f1abb95592a4782977f09d73b986b867a3599f348bfbd3641d204a1882f4e3e84be7eb7254d5e4049e45279088172ab8ddad
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
C:\Windows\debug\m\winlogon.exeMD5
14404f2edef3c43d318fa8cab21b0ea6
SHA14f86639fd543555ba4604e0acb28c8631fe9c300
SHA25665127ac2b7fcda847872fa2314d4ef34620efc6d585551cebf2d4886d657c736
SHA512fccd70f3b3162a7f5f1d48fe0066ae0126bfbec92d51eb8b767db2d43ea919e9de9aa292013fc311503c2f567d1884143e08420048321ac0447771c3ad368624
-
memory/304-157-0x0000000000000000-mapping.dmp
-
memory/432-144-0x0000000000000000-mapping.dmp
-
memory/592-146-0x0000000000000000-mapping.dmp
-
memory/876-147-0x0000000000000000-mapping.dmp
-
memory/1272-149-0x0000000000000000-mapping.dmp
-
memory/1652-151-0x0000000000000000-mapping.dmp
-
memory/1884-153-0x0000000000000000-mapping.dmp
-
memory/2640-169-0x0000000000000000-mapping.dmp
-
memory/2908-167-0x0000000000000000-mapping.dmp
-
memory/3436-155-0x0000000000000000-mapping.dmp
-
memory/3740-137-0x0000000000000000-mapping.dmp
-
memory/3908-118-0x0000000000000000-mapping.dmp
-
memory/4000-140-0x0000000000000000-mapping.dmp
-
memory/4052-121-0x0000000000000000-mapping.dmp
-
memory/4076-138-0x0000000000000000-mapping.dmp
-
memory/4160-142-0x0000000000000000-mapping.dmp
-
memory/4208-125-0x0000000000000000-mapping.dmp
-
memory/4260-122-0x0000000000000000-mapping.dmp
-
memory/4360-135-0x0000000000000000-mapping.dmp
-
memory/4392-133-0x0000000000000000-mapping.dmp
-
memory/4420-128-0x0000000000000000-mapping.dmp
-
memory/4516-131-0x0000000000000000-mapping.dmp
-
memory/4672-163-0x0000000000000000-mapping.dmp
-
memory/4696-171-0x0000000000000000-mapping.dmp
-
memory/4908-159-0x0000000000000000-mapping.dmp
-
memory/4940-165-0x0000000000000000-mapping.dmp
-
memory/5024-161-0x0000000000000000-mapping.dmp