Analysis
- max time kernel: 166s
- max time network: 50s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 12:02
Behavioral task: behavioral1
Sample: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
Resource: win7-20220812-en
General
- Target: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- Size: 1.5MB
- MD5: 876454cb19e951b6af7055337bfa0ec2
- SHA1: bcf59cd759187283f6929c740bfec43458c215b6
- SHA256: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83
- SHA512: 253ab1bf8524b64d4427a21793137fd0a68fc56a74239590da4bbf7b271c7fbb1aac71616743acf29f55542753dc1a05f31dda5e56d9af4ba49da133265a83d1
- SSDEEP: 24576:6kC9Gv9ZgS1BU6WLPICFFcjD+fUtRYWJVxbQzNCpEFU0HkA6cC7y4NWmXd57vIWg:6PPS1fhrtHoTtvev7QWg
Malware Config
Extracted
- Protocol: ftp
- Host: www12.subdomain.com
- Port: 21
- Username: user1577439
- Password: jetaimeradouane
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Driver\\Audio.exe" (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
Executes dropped EXE 2 IoCs
Processes: FREE.EXE, SERVER.EXE
- PID 2000: FREE.EXE
- PID 880: SERVER.EXE
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe, explorer.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: explorer.exe)
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes: explorer.exe, 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine (process: explorer.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
Loads dropped DLL 4 IoCs
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- PID 668: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe (4 entries)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource: yara_rule
- behavioral1/memory/668-55-0x0000000000400000-0x0000000000592000-memory.dmp: themida
- behavioral1/memory/668-67-0x0000000000400000-0x0000000000592000-memory.dmp: themida
- behavioral1/memory/1756-73-0x0000000000400000-0x0000000000592000-memory.dmp: themida
- behavioral1/memory/668-75-0x0000000000400000-0x0000000000592000-memory.dmp: themida
- behavioral1/memory/1756-76-0x0000000000400000-0x0000000000592000-memory.dmp: themida
- behavioral1/memory/1756-77-0x0000000000400000-0x0000000000592000-memory.dmp: themida
- behavioral1/memory/1756-79-0x0000000000400000-0x0000000000592000-memory.dmp: themida
- behavioral1/memory/1756-80-0x0000000000400000-0x0000000000592000-memory.dmp: themida
- behavioral1/memory/1756-90-0x0000000000400000-0x0000000000592000-memory.dmp: themida
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Windows\\system32\\Driver\\Audio.exe" (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
Drops file in System32 directory 3 IoCs
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- File created: C:\Windows\SysWOW64\Driver\Audio.exe (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
- File opened for modification: C:\Windows\SysWOW64\Driver\Audio.exe (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
- File opened for modification: C:\Windows\SysWOW64\Driver\ (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe, explorer.exe
- PID 668: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- PID 1756: explorer.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- PID 668 set thread context of 1756 (pid: 668, process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe, target process: explorer.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: explorer.exe, 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: explorer.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: explorer.exe)
Enumerates system info in registry 2 TTPs 2 IoCs
Processes: explorer.exe, 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: explorer.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe)
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe, explorer.exe, FREE.EXE
- PID 668: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe
- PID 1756: explorer.exe
- PID 2000: FREE.EXE (2 entries)
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe, explorer.exe
- PID 668 (8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 1756 (explorer.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: SERVER.EXE
- PID 880: SERVER.EXE
Suspicious use of WriteProcessMemory 18 IoCs
Processes: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe, FREE.EXE
- PID 668 wrote to memory of 2000 (pid: 668, process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe, target process: FREE.EXE), 4 entries
- PID 668 wrote to memory of 880 (pid: 668, process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe, target process: SERVER.EXE), 4 entries
- PID 668 wrote to memory of 1756 (pid: 668, process: 8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe, target process: explorer.exe), 6 entries
- PID 2000 wrote to memory of 1324 (pid: 2000, process: FREE.EXE, target process: Explorer.EXE), 4 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe "C:\Users\Admin\AppData\Local\Temp\8e12fdf27e852fb135f9e5627c2c0b5dfa052f9f9e0f8600b6e5ea6e47678b83.exe" 1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FREE.EXE "C:\Users\Admin\AppData\Local\Temp\FREE.EXE" 2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE" 2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe" 2⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FREE.EXE
- Filesize: 56KB
- MD5: 101b079ca4aa9ee593e302455f7e3999
- SHA1: adff4912a805ca61b46abe54adc676ec2a1ed66b
- SHA256: 05d88c500eae9ff3f95cb674dcf2c8b53dc7f2c338440d957157d387b4193da3
- SHA512: 674b49b30db9e5638e8de4f1bcb5e3706a524d2bb9d36ebf05cb136a685b053515397a084a51688328cf1ed39dff58269befa47898905aa22dd880bfa011e103
-
C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
- Filesize: 96KB
- MD5: d5ca7630edf9bfe6d372ecfec16e1256
- SHA1: ab931c2c9e38b6a1d056c0cd3b42302be519d8f8
- SHA256: 47816e5c85713dfa1f92ac2afe6dc2cdf3c995efe28e2330b57148322c024f82
- SHA512: f53262a1d4debd25db7d888cd4fa992282eb01f4e421a30f85919bc69eca20c1806a0043cb77661953c61f305d4156f1b7a20e4d1f58019646a4673ad3d54e76