Analysis
-
max time kernel
231s -
max time network
309s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system -
submitted
28-11-2022 15:00
Static task
static1
Behavioral task
behavioral1
Sample
2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
Resource
win10v2004-20220901-en
General
-
Target
2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
-
Size
544KB
-
MD5
e038a0d251bb672af6506aeb420f2388
-
SHA1
0f085d0385eb58fe0126cef171e3bfcfb2fd25bf
-
SHA256
2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35
-
SHA512
05ba101950b87331bf0646346202e507a7eaab19c8b4f8982ba43798366669a397149e32e3d5776f6b52d04e89f9df6af0ad3bfd299fb9e967941a5de98f170a
-
SSDEEP
12288:9R1cL/pzrkTj+3B6P0M4e5iVs3kkG6FD:X1ctzrk41pe5i0kkG6
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: winfirewall.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Windows\\SysWOW64\\Windows Firewall\\winfirewall.exe\"" | winfirewall.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: winfirewall.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winfirewall.exe
-
Executes dropped EXE 2 IoCs
Processes: winfirewall.exe, winfirewall.exe
pid | process
1588 | winfirewall.exe
1644 | winfirewall.exe
-
Sets file execution options in registry 2 TTPs 64 IoCs
Processes:
winfirewall.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winfirewall.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe\Debugger = "nqij.exe" 
winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winfirewall.exe\DisableExceptionChainValidation winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image 
File Execution Options\avgui.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "nqij.exe" winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe winfirewall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe\Debugger = "nqij.exe" winfirewall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe winfirewall.exe -
Loads dropped DLL 1 IoCs
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
pid | process
592 | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
-
Drops file in System32 directory 3 IoCs
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
File opened for modification | C:\Windows\SysWOW64\Windows Firewall\ | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
File created | C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe, winfirewall.exe
description | pid | process | target process
PID 432 set thread context of 592 | 432 | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
PID 1588 set thread context of 1644 | 1588 | winfirewall.exe | winfirewall.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exewinfirewall.exewinfirewall.exepid process 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 1588 winfirewall.exe 1588 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe 1644 winfirewall.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: winfirewall.exe
pid | process
1644 | winfirewall.exe
-
Suspicious behavior: RenamesItself 1 IoCs
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
pid | process
592 | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe, winfirewall.exe, winfirewall.exe
description | pid | process
Token: SeDebugPrivilege | 432 | 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe
Token: SeDebugPrivilege | 1588 | winfirewall.exe
Token: SeDebugPrivilege | 1644 | winfirewall.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: winfirewall.exe
pid | process
1644 | winfirewall.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exewinfirewall.exedescription pid process target process PID 432 wrote to memory of 592 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe PID 432 wrote to memory of 592 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe PID 432 wrote to memory of 592 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe PID 432 wrote to memory of 592 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe PID 432 wrote to memory of 592 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe PID 432 wrote to memory of 592 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe PID 432 wrote to memory of 592 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe PID 432 wrote to memory of 592 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe PID 432 wrote to memory of 592 432 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe PID 592 wrote to memory of 1588 592 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe winfirewall.exe PID 592 wrote to memory of 1588 592 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe winfirewall.exe PID 592 
wrote to memory of 1588 592 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe winfirewall.exe PID 592 wrote to memory of 1588 592 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe winfirewall.exe PID 1588 wrote to memory of 1644 1588 winfirewall.exe winfirewall.exe PID 1588 wrote to memory of 1644 1588 winfirewall.exe winfirewall.exe PID 1588 wrote to memory of 1644 1588 winfirewall.exe winfirewall.exe PID 1588 wrote to memory of 1644 1588 winfirewall.exe winfirewall.exe PID 1588 wrote to memory of 1644 1588 winfirewall.exe winfirewall.exe PID 1588 wrote to memory of 1644 1588 winfirewall.exe winfirewall.exe PID 1588 wrote to memory of 1644 1588 winfirewall.exe winfirewall.exe PID 1588 wrote to memory of 1644 1588 winfirewall.exe winfirewall.exe PID 1588 wrote to memory of 1644 1588 winfirewall.exe winfirewall.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe"C:\Users\Admin\AppData\Local\Temp\2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe"C:\Users\Admin\AppData\Local\Temp\2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe"C:\Windows\system32\Windows Firewall\winfirewall.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe"C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\Windows Firewall\winfirewall.exe
Filesize 544KB
MD5 e038a0d251bb672af6506aeb420f2388
SHA1 0f085d0385eb58fe0126cef171e3bfcfb2fd25bf
SHA256 2fa935884bbdef3afe3c59ba894b93a087fea7c56af02ab0c831a6f581031f35
SHA512 05ba101950b87331bf0646346202e507a7eaab19c8b4f8982ba43798366669a397149e32e3d5776f6b52d04e89f9df6af0ad3bfd299fb9e967941a5de98f170a