Analysis
max time kernel: 230s
max time network: 235s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 22:11
Static task: static1
Behavioral task: behavioral1
Sample: dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe
Resource: win7-20220812-en
General
Target: dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe
Size: 257KB
MD5: a911bfbc1a3e58c90af3068277d897bd
SHA1: 230a72563a253e262a64d7bbc2ef9f64c317f35b
SHA256: dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
SHA512: 0783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049
SSDEEP: 6144:qha6zCh4avYHQA2R2rdhifyMSGL0Cv9CV+b3rT:qMhHmQAKMi0Y0CVm+bbT
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 10 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\AppLaunch.exe:*:Enabled:Windows Messanger" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Serial.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Serial.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Executes dropped EXE 3 IoCs
Processes: explorer.exe, wab32.exe, DirectDB.exe
pid | process
3924 | explorer.exe
3868 | wab32.exe
3988 | DirectDB.exe
Processes:
resource | yara_rule
behavioral2/memory/1584-141-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/1584-143-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/1584-145-0x0000000000400000-0x000000000047B000-memory.dmp | upx
behavioral2/memory/1584-144-0x0000000000400000-0x000000000047B000-memory.dmp | upx
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe, explorer.exe, wab32.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | explorer.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | wab32.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: wab32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wab32.exe" | wab32.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: explorer.exe, DirectDB.exe
description | pid | process | target process
PID 3924 set thread context of 1584 | 3924 | explorer.exe | AppLaunch.exe
PID 3988 set thread context of 3472 | 3988 | DirectDB.exe | AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 4 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
pid | process
3908 | reg.exe
4816 | reg.exe
4456 | reg.exe
4872 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: explorer.exe, wab32.exe, DirectDB.exe
pid | process
3924 | explorer.exe
3868 | wab32.exe
3988 | DirectDB.exe
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes: dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe, explorer.exe, wab32.exe, AppLaunch.exe, DirectDB.exe
description | pid | process
Token: SeDebugPrivilege | 4804 | dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe
Token: SeDebugPrivilege | 3924 | explorer.exe
Token: SeDebugPrivilege | 3868 | wab32.exe
Token: 1 | 1584 | AppLaunch.exe
Token: SeCreateTokenPrivilege | 1584 | AppLaunch.exe
Token: SeAssignPrimaryTokenPrivilege | 1584 | AppLaunch.exe
Token: SeLockMemoryPrivilege | 1584 | AppLaunch.exe
Token: SeIncreaseQuotaPrivilege | 1584 | AppLaunch.exe
Token: SeMachineAccountPrivilege | 1584 | AppLaunch.exe
Token: SeTcbPrivilege | 1584 | AppLaunch.exe
Token: SeSecurityPrivilege | 1584 | AppLaunch.exe
Token: SeTakeOwnershipPrivilege | 1584 | AppLaunch.exe
Token: SeLoadDriverPrivilege | 1584 | AppLaunch.exe
Token: SeSystemProfilePrivilege | 1584 | AppLaunch.exe
Token: SeSystemtimePrivilege | 1584 | AppLaunch.exe
Token: SeProfSingleProcessPrivilege | 1584 | AppLaunch.exe
Token: SeIncBasePriorityPrivilege | 1584 | AppLaunch.exe
Token: SeCreatePagefilePrivilege | 1584 | AppLaunch.exe
Token: SeCreatePermanentPrivilege | 1584 | AppLaunch.exe
Token: SeBackupPrivilege | 1584 | AppLaunch.exe
Token: SeRestorePrivilege | 1584 | AppLaunch.exe
Token: SeShutdownPrivilege | 1584 | AppLaunch.exe
Token: SeDebugPrivilege | 1584 | AppLaunch.exe
Token: SeAuditPrivilege | 1584 | AppLaunch.exe
Token: SeSystemEnvironmentPrivilege | 1584 | AppLaunch.exe
Token: SeChangeNotifyPrivilege | 1584 | AppLaunch.exe
Token: SeRemoteShutdownPrivilege | 1584 | AppLaunch.exe
Token: SeUndockPrivilege | 1584 | AppLaunch.exe
Token: SeSyncAgentPrivilege | 1584 | AppLaunch.exe
Token: SeEnableDelegationPrivilege | 1584 | AppLaunch.exe
Token: SeManageVolumePrivilege | 1584 | AppLaunch.exe
Token: SeImpersonatePrivilege | 1584 | AppLaunch.exe
Token: SeCreateGlobalPrivilege | 1584 | AppLaunch.exe
Token: 31 | 1584 | AppLaunch.exe
Token: 32 | 1584 | AppLaunch.exe
Token: 33 | 1584 | AppLaunch.exe
Token: 34 | 1584 | AppLaunch.exe
Token: 35 | 1584 | AppLaunch.exe
Token: SeDebugPrivilege | 3988 | DirectDB.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: AppLaunch.exe, AppLaunch.exe
pid | process
1584 | AppLaunch.exe
3472 | AppLaunch.exe
Suspicious use of WriteProcessMemory 49 IoCs
Processes: dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe, explorer.exe, AppLaunch.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, wab32.exe, DirectDB.exe
description | pid | process | target process
PID 4804 wrote to memory of 3924 | 4804 | dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe | explorer.exe
PID 3924 wrote to memory of 1584 | 3924 | explorer.exe | AppLaunch.exe
PID 3924 wrote to memory of 3868 | 3924 | explorer.exe | wab32.exe
PID 1584 wrote to memory of 2092 | 1584 | AppLaunch.exe | cmd.exe
PID 1584 wrote to memory of 4676 | 1584 | AppLaunch.exe | cmd.exe
PID 1584 wrote to memory of 4132 | 1584 | AppLaunch.exe | cmd.exe
PID 1584 wrote to memory of 4112 | 1584 | AppLaunch.exe | cmd.exe
PID 4676 wrote to memory of 4816 | 4676 | cmd.exe | reg.exe
PID 2092 wrote to memory of 4872 | 2092 | cmd.exe | reg.exe
PID 4132 wrote to memory of 4456 | 4132 | cmd.exe | reg.exe
PID 4112 wrote to memory of 3908 | 4112 | cmd.exe | reg.exe
PID 3868 wrote to memory of 3988 | 3868 | wab32.exe | DirectDB.exe
PID 3988 wrote to memory of 3472 | 3988 | DirectDB.exe | AppLaunch.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - Modifies registry key

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - Modifies registry key

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - Modifies registry key

      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Serial.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Serial.exe:*:Enabled:Windows Messanger" /f
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            cmdline: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Serial.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Serial.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - Modifies registry key

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Local\Temp\DirectDB.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\DirectDB.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\DirectDB.exe
Filesize: 257KB
MD5: a911bfbc1a3e58c90af3068277d897bd
SHA1: 230a72563a253e262a64d7bbc2ef9f64c317f35b
SHA256: dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
SHA512: 0783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 102B
MD5: 69104f0c944088ee37ca4cf4cbcc9c00
SHA1: 3f94dc72bfeea22f624c6ecef5d6e2c17258d2b0
SHA256: 7f860d55082a3ff57afc71722dc912844588c505d87b477cded8a1034379d92b
SHA512: 827e5df941257efd902e2f3e82dd7f867c9aca97889590f12284696548957a355c5b97f92a198fff53538a4f310e80070b193de4e031783806738e6334081fbb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
Filesize: 257KB
MD5: a911bfbc1a3e58c90af3068277d897bd
SHA1: 230a72563a253e262a64d7bbc2ef9f64c317f35b
SHA256: dddc03048feb18016f0c6a34795c3b1bfb9a016fa4301f8efa4b4ae0685f52e4
SHA512: 0783d092917a81eb31cff7438b358d1bb066d68e0247c0c2f828e14e1cdedf199f8500da01d36b29a9e00a3dd7fb5680d7728d0766a0a7ba72c7880845a35049

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wab32.exe
Filesize: 9KB
MD5: c9c4b5fd14511b6241a36a3d6437973f
SHA1: 03d39cf5b9ade55b41fdabc25c3140ebfd444c1c
SHA256: c0278b9dfa3d59f2edf3f91279676a8a8453e17dec2abddaa9805199f2217bcf
SHA512: 67e3a9be2072938aef452e7800d8b7991aeda01a843a4be201a4dffeea3d02c366d74d777b534dd02f0bf20c2b0459f1f4fb18e9f6a4525a4eb9b2c258190e14