Analysis
max time kernel: 151s
max time network: 167s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 03:25

Static task: static1
Behavioral task: behavioral1
  Sample: e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
  Resource: win7-20220812-en

General
Target: e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
Size: 611KB
MD5: 5c898dd2bc147ffad06ac8362d13614c
SHA1: 8f8fc1e81ee69b12a06e256d7f0cdceea54d25dd
SHA256: e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80
SHA512: fcfb8dca28fe47b61f2b201ce160854a3c865aa0f049020a2e741df271772d3e0fd71ebb30fa85d2ad80bc3c0dc0c57183a977f5f4082afc4c240c9d6b06b650
SSDEEP: 12288:LTqSnzWHA+m3S0fapaJehb2qTvxpGrLRRWDyw4tw+Unzyn6PPr:/qSn4mCSJS1v7GPUz4tYun6n
Malware Config
Extracted family: darkcomet
Botnet: Guest16
C2: 127.0.0.1:1604
C2: 192.168.1.7:1604
C2: 87.212.172.69:1604
C2: rattedmyfriend.no-ip.biz:8003
Mutex: DC_MUTEX-E5UH45R
gencode: 61lo22hTYh4s
install: false
offline_keylogger: true
persistence: false

Note on the C2 list: only 87.212.172.69:1604 and the dynamic-DNS name rattedmyfriend.no-ip.biz:8003 are usable as network indicators. 127.0.0.1 is loopback and 192.168.1.7 is an RFC 1918 address, so those two entries only resolve on the operator's own machine or LAN. Guest16 is DarkComet's builder default for this field, so it does not identify a campaign. install=false and persistence=false mean the stub runs from its drop location without installing itself; the firewall exception added for interpals.exe under Signatures is still created even though that file is not dropped in this run.
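The triage a practitioner applies to the extracted config, as an added example (not part of the sandbox report and not Triage code): EXTRACTED_CONFIG is a constructed copy of the fields shown above; the classification labels, the dynamic-DNS suffix list and the helper names are this example's own assumptions.

```python
"""Added example (not part of the sandbox report): triage of the DarkComet
config above. EXTRACTED_CONFIG is a constructed copy of the report's fields;
the classification labels, the dynamic-DNS suffix list and the helper names are
this example's own assumptions, not Triage output."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed from the "Malware Config" section of the report.
EXTRACTED_CONFIG = """\
family darkcomet
botnet Guest16
c2 127.0.0.1:1604
c2 192.168.1.7:1604
c2 87.212.172.69:1604
c2 rattedmyfriend.no-ip.biz:8003
mutex DC_MUTEX-E5UH45R
gencode 61lo22hTYh4s
install false
offline_keylogger true
persistence false
"""

# Dynamic-DNS suffixes common in commodity RAT configs (assumed, not exhaustive).
DYNDNS_SUFFIXES = (".no-ip.biz", ".no-ip.org", ".no-ip.info", ".ddns.net", ".duckdns.org")


@dataclass
class C2:
    host: str
    port: int
    kind: str         # loopback | private | public-ip | dyndns | hostname
    actionable: bool  # worth blocking/hunting outside the operator's own LAN


def classify_c2(endpoint: str) -> C2:
    """Split host:port and decide whether the endpoint is a usable IOC."""
    host, _, port = endpoint.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        kind = "dyndns" if host.lower().endswith(DYNDNS_SUFFIXES) else "hostname"
        return C2(host, int(port), kind, True)
    if ip.is_loopback:
        return C2(host, int(port), "loopback", False)
    if ip.is_private:
        return C2(host, int(port), "private", False)
    return C2(host, int(port), "public-ip", True)


def parse_config(text: str) -> dict:
    """Parse 'key value' lines; repeated c2 keys accumulate into a list."""
    cfg = {"c2": []}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if not key:
            continue
        if key == "c2":
            cfg["c2"].append(classify_c2(value))
        elif value in ("true", "false"):
            cfg[key] = value == "true"
        else:
            cfg[key] = value
    return cfg


def actionable_iocs(cfg: dict) -> list:
    """Network IOCs plus the mutex, which in DarkComet follows DC_MUTEX-<id>."""
    iocs = [("c2", f"{c.host}:{c.port}", c.kind) for c in cfg["c2"] if c.actionable]
    mutex = cfg.get("mutex", "")
    if re.fullmatch(r"DC_MUTEX-[A-Z0-9]+", mutex):
        iocs.append(("mutex", mutex, "darkcomet-mutex-pattern"))
    return iocs


if __name__ == "__main__":
    for ioc in actionable_iocs(parse_config(EXTRACTED_CONFIG)):
        print(*ioc)
```

The loopback check runs before the private check because 127.0.0.0/8 is also reported as private by the ipaddress module; the mutex is kept as a host indicator because DarkComet stubs create it under a fixed DC_MUTEX- prefix, which is cheap to hunt for even when the C2 changes.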
Signatures
Modifies firewall policy service   2 TTPs   8 IoCs
description       ioc                                                                                                                                                                                                                                                           process
Set value (str)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\interpals.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\interpals.exe:*:Enabled:Windows Messanger"   reg.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                                                                                                                                                         reg.exe
Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"                                                                                                                              reg.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile                                                                                                                                                         reg.exe
Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"                                                                                                                              reg.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List                                                                                                                              reg.exe
Set value (str)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\applaunch.exe:*:Enabled:Windows Messanger"   reg.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List                                                                                                                              reg.exe

Reading these rows: the REG ADD commands in the process tree name HKLM\System\CurrentControlSet\..., and the writes land in ControlSet001 because CurrentControlSet is a link to the active control set, so a detection that only matches one spelling will miss the other. DoNotAllowExceptions = 0 switches the Windows 7 firewall exception list back on before the two AuthorizedApplications entries are added; one whitelists the .NET host that carries the injected payload (applaunch.exe), the other a fixed path (interpals.exe) that is never dropped in this run (see Downloads). The display name "Windows Messanger" is the malware's own misspelling, left as recorded, and is a cheap string indicator for both command-line and registry telemetry.
Executes dropped EXE   2 IoCs
pid    process
1632   Not crypted server.exe
1504   TRISTAN SERVER.EXE
UPX packed file (yara rule: upx)   13 IoCs
resource                                                                         yara_rule
behavioral1/memory/1896-61-0x0000000000400000-0x000000000045D000-memory.dmp      upx
behavioral1/memory/1896-63-0x0000000000400000-0x000000000045D000-memory.dmp      upx
behavioral1/memory/1896-64-0x0000000000400000-0x000000000045D000-memory.dmp      upx
behavioral1/memory/1896-67-0x0000000000400000-0x000000000045D000-memory.dmp      upx
behavioral1/memory/1896-70-0x0000000000400000-0x000000000045D000-memory.dmp      upx
behavioral1/memory/1896-71-0x0000000000400000-0x000000000045D000-memory.dmp      upx
behavioral1/memory/1896-72-0x0000000000400000-0x000000000045D000-memory.dmp      upx
\Users\Admin\AppData\Local\Temp\Not crypted server.exe                           upx
\Users\Admin\AppData\Local\Temp\Not crypted server.exe                           upx
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe                         upx
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe                         upx
behavioral1/memory/1632-98-0x0000000000400000-0x000000000055B000-memory.dmp      upx
behavioral1/memory/1632-110-0x0000000000400000-0x000000000055B000-memory.dmp     upx
Loads dropped DLL   4 IoCs
pid    process
780    e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
780    e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe
1632   Not crypted server.exe
1632   Not crypted server.exe
Suspicious use of SetThreadContext   1 IoCs
description                           pid   process                                                                  target process
PID 780 set thread context of 1896    780   e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe   applaunch.exe

The target is the legitimate .NET launcher. Together with the 11 WriteProcessMemory calls from PID 780 into PID 1896 listed below and the repeated 0x0000000000400000-0x000000000045D000 dumps taken from PID 1896, this is the write-then-SetThreadContext pattern of process hollowing: the sample starts applaunch.exe, overwrites its image with the DarkComet stub and redirects the main thread into it. applaunch.exe never loads a .NET assembly here; its command line carries no arguments.
Enumerates physical storage devices   1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That description is the generic text attached to this signature. The sample is a DarkComet RAT, whose remote file browser enumerates drives as a matter of course; nothing else in this report (three dropped files, no encryption or mass write activity) points to ransomware.
Modifies registry key   1 TTPs   4 IoCs
pid    process
1196   reg.exe
1724   reg.exe
468    reg.exe
1928   reg.exe
Suspicious use of AdjustPrivilegeToken   64 IoCs
pid    process                  privileges enabled (in the order recorded)
1896   applaunch.exe            Token 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, Token 31, Token 32, Token 33, Token 34, Token 35 (35 entries)
1632   Not crypted server.exe   SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, Token 33, Token 34, Token 35 (23 entries)
1504   TRISTAN SERVER.EXE       SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege (6 entries; the report caps this list at 64 IoCs, so the remainder for PID 1504 is not shown)

The injected applaunch.exe requests the whole privilege range in LUID order (1 through 35, with names for 2 to 30), which is the "enable every privilege in the token" loop rather than a request for one right it needs; SeDebugPrivilege and SeTcbPrivilege only take effect if the token already holds them, so this is a noisy indicator but not by itself an elevation. Entries shown as "Token N" are LUIDs the sandbox could not map to a name.
Suspicious use of SetWindowsHookEx   5 IoCs
pid    process
1896   applaunch.exe
1896   applaunch.exe
1896   applaunch.exe
1504   TRISTAN SERVER.EXE
1632   Not crypted server.exe

The config has offline_keylogger set, so a keyboard hook in the injected stub is expected; SetWindowsHookEx is also used by ordinary GUI code, which is why the signature is rated suspicious rather than malicious on its own.
Suspicious use of WriteProcessMemory   64 IoCs
source pid   source process                                                           target pid   target process           writes
780          e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe   1896         applaunch.exe            11
780          e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe   940          WScript.exe              4
780          e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe   1632         Not crypted server.exe   4
1896         applaunch.exe                                                            1704         cmd.exe                  7
1896         applaunch.exe                                                            1752         cmd.exe                  7
1896         applaunch.exe                                                            1688         cmd.exe                  7
1896         applaunch.exe                                                            2044         cmd.exe                  7
1704         cmd.exe                                                                  1724         reg.exe                  7
1752         cmd.exe                                                                  1196         reg.exe                  7
1688         cmd.exe                                                                  1928         reg.exe                  3 (list capped at 64 IoCs; the 2044 -> 468 pair is cut off)

Every parent writes into every child it starts, so the uniform counts for the cmd.exe and reg.exe spawns are the baseline that process creation itself produces in this telemetry. The row that matters is 780 -> 1896: more writes than any plain spawn, paired with the SetThreadContext call above.
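Correlating the two API tables above into an injection candidate, as an added example (not part of the sandbox report and not Triage code): WPM_ROWS and STC_ROWS are constructed in the report's own "PID <src> wrote to memory of <dst> ..." wording with the counts the tables give; PROCESS_NAMES and the write-count baseline are this example's assumptions.

```python
"""Added example (not part of the sandbox report): correlate the
WriteProcessMemory and SetThreadContext rows above into injection candidates.
WPM_ROWS/STC_ROWS are constructed in the report's own "PID <src> wrote to
memory of <dst> ..." wording with the counts the tables give; PROCESS_NAMES and
the write-count baseline are this example's assumptions."""
import re
from collections import Counter

SAMPLE = "e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe"
PROCESS_NAMES = {780: SAMPLE, 1896: "applaunch.exe", 940: "WScript.exe",
                 1632: "Not crypted server.exe", 1704: "cmd.exe", 1724: "reg.exe"}

# Constructed subset of the report's rows, repeated as many times as listed.
WPM_ROWS = (
    [f"PID 780 wrote to memory of 1896 780 {SAMPLE} applaunch.exe"] * 11
    + [f"PID 780 wrote to memory of 940 780 {SAMPLE} WScript.exe"] * 4
    + [f"PID 780 wrote to memory of 1632 780 {SAMPLE} Not crypted server.exe"] * 4
    + ["PID 1896 wrote to memory of 1704 1896 applaunch.exe cmd.exe"] * 7
    + ["PID 1704 wrote to memory of 1724 1704 cmd.exe reg.exe"] * 7
)
STC_ROWS = [f"PID 780 set thread context of 1896 780 {SAMPLE} applaunch.exe"]

# Only the PIDs are parsed: process names in these rows may contain spaces
# ("Not crypted server.exe"), so the two name columns cannot be split reliably.
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_pairs(rows, pattern) -> Counter:
    """Count (source pid, target pid) pairs matched by pattern."""
    pairs = Counter()
    for row in rows:
        m = pattern.search(row)
        if m:
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return pairs


def injection_candidates(wpm_rows, stc_rows, baseline_writes=7):
    """Pairs where the parent wrote into the child more often than a plain
    spawn does in this telemetry AND set the child's thread context.
    baseline_writes=7 is the per-pair count every cmd.exe -> reg.exe spawn
    shows in the report (assumption: that is the creation baseline here)."""
    writes = parse_pairs(wpm_rows, WPM_RE)
    contexts = parse_pairs(stc_rows, STC_RE)
    hits = [
        {"src": src, "dst": dst, "writes": n,
         "dst_image": PROCESS_NAMES.get(dst, "?")}
        for (src, dst), n in writes.items()
        if (src, dst) in contexts and n > baseline_writes
    ]
    return sorted(hits, key=lambda h: -h["writes"])


if __name__ == "__main__":
    for hit in injection_candidates(WPM_ROWS, STC_ROWS):
        print(hit)
```

The baseline is the important knob: without it every parent in the tree would qualify on the write count alone, and without the SetThreadContext join the four-write spawns of WScript.exe and Not crypted server.exe would still look like injection.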
Processes
C:\Users\Admin\AppData\Local\Temp\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe  (PID 780)
  command line: "C:\Users\Admin\AppData\Local\Temp\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe  (PID 1896)
    command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1704)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (PID 1724)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe  (PID 1752)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\interpals.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\interpals.exe:*:Enabled:Windows Messanger" /f
      C:\Windows\SysWOW64\reg.exe  (PID 1196)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\interpals.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\interpals.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe  (PID 1688)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (PID 1928)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Modifies firewall policy service
        - Modifies registry key
    C:\Windows\SysWOW64\cmd.exe  (PID 2044)
      command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe:*:Enabled:Windows Messanger" /f
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe  (PID 468)
        command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe" /t REG_SZ /d "C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe:*:Enabled:Windows Messanger" /f
        - Modifies firewall policy service
        - Modifies registry key
  C:\Windows\SysWOW64\WScript.exe  (PID 940)
    command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cwKCo.vbs"
  C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe  (PID 1632)
    command line: "C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE  (PID 1504)
      command line: "C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

Indentation is the process depth (the original 1⤵ to 4⤵ markers). PIDs come from the IoC tables above, matched to the tree in creation order; PID 468 is the one reg.exe left unmatched because the WriteProcessMemory list is capped at 64 entries before the 2044 -> 468 pair. Two things worth noting when building detections from this tree: the sample is 32-bit, so its child processes live in C:\Windows\SysWOW64 even when the command line names System32 (the WScript.exe line is WoW64 file system redirection at work, not a spoofed path); and the hollowed applaunch.exe, not the sample, is the parent of the four cmd.exe / reg.exe chains, so a rule that keys on the sample's own process name will miss the firewall tampering. The contents of cwKCo.vbs are not shown in this report; only its hashes are (see Downloads).
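Detection rules for the firewall-policy tampering and the script-host launch in the tree above, run over process-creation events, as an added example (not part of the sandbox report and not Triage code): the events are constructed from the tree's command lines and PIDs; the Sysmon Event ID 1 style field names, the rule names and the benign control event at the end are this example's assumptions.

```python
"""Added example (not part of the sandbox report): detection rules for the
firewall-policy tampering shown in the process tree above, run over
process-creation events constructed from that tree. Field names (pid, ppid,
image, cmdline) follow a Sysmon Event ID 1 style and are an assumption, as are
the rule names and the benign control event at the end."""
import re
from dataclasses import dataclass

# Legacy (Windows XP/7) firewall policy location written by REG ADD in the tree.
FIREWALL_POLICY = re.compile(r"firewallpolicy\\(standard|domain|public)profile")
# Paths a standard user can write to; a firewall exception there is a red flag.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\")
# Value format of AuthorizedApplications\List entries: <path>:*:Enabled:<name>
EXCEPTION_VALUE = re.compile(r'/d\s+"([^"]+):\*:enabled:([^"]*)"')


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


REG_FW = r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
DOTNET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe"

# Constructed from the report's process tree; PIDs as given in its IoC tables.
EVENTS = [
    ProcEvent(780, 1, TMP + r"\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe",
              '"' + TMP + r'\e5b9281e84cb24c27be96d45f93c01af954cc898fde9cd6450605f9e7ae77d80.exe"'),
    ProcEvent(1896, 780, DOTNET, DOTNET),
    ProcEvent(1704, 1896, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c REG ADD ' + REG_FW + ' /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    ProcEvent(1724, 1704, r"C:\Windows\SysWOW64\reg.exe",
              'REG ADD ' + REG_FW + ' /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f'),
    ProcEvent(1196, 1752, r"C:\Windows\SysWOW64\reg.exe",
              'REG ADD ' + REG_FW + r'\AuthorizedApplications\List /v "' + TMP + r'\interpals.exe" /t REG_SZ /d "'
              + TMP + r'\interpals.exe:*:Enabled:Windows Messanger" /f'),
    ProcEvent(468, 2044, r"C:\Windows\SysWOW64\reg.exe",
              'REG ADD ' + REG_FW + r'\AuthorizedApplications\List /v "' + DOTNET + '" /t REG_SZ /d "'
              + DOTNET + ':*:Enabled:Windows Messanger" /f'),
    ProcEvent(940, 780, r"C:\Windows\SysWOW64\WScript.exe",
              '"C:\\Windows\\System32\\WScript.exe" "' + TMP + r'\cwKCo.vbs"'),
    # Benign control (constructed): an installer registering its own exception.
    ProcEvent(3000, 2999, r"C:\Windows\System32\reg.exe",
              'REG ADD ' + REG_FW + r'\AuthorizedApplications\List /v "C:\Program Files\Vendor\app.exe"'
              r' /t REG_SZ /d "C:\Program Files\Vendor\app.exe:*:Enabled:Vendor App" /f'),
]


def firewall_policy_findings(ev: ProcEvent) -> list:
    """Return the rule names that fire for one reg.exe event (empty if none)."""
    cmd = ev.cmdline.lower()
    if not (ev.image.lower().endswith("\\reg.exe") and "reg add" in cmd
            and FIREWALL_POLICY.search(cmd)):
        return []
    out = []
    # DoNotAllowExceptions=0 turns the exception list back on before using it.
    if "donotallowexceptions" in cmd and re.search(r'/d\s+"?0"?\s', cmd):
        out.append("firewall-exceptions-enabled")
    m = EXCEPTION_VALUE.search(cmd)
    if m:
        path = m.group(1)
        if USER_WRITABLE.match(path):
            out.append("firewall-exception-user-writable-path")
        if path.endswith("\\applaunch.exe"):
            out.append("firewall-exception-for-dotnet-host")
    return out


def script_host_from_temp(ev: ProcEvent) -> bool:
    """WScript/CScript started on a script file in a user temp directory (heuristic)."""
    image = ev.image.lower()
    cmd = ev.cmdline.lower().rstrip('"')
    return (image.endswith(("\\wscript.exe", "\\cscript.exe"))
            and "\\appdata\\local\\temp\\" in cmd
            and cmd.endswith((".vbs", ".vbe", ".js", ".jse", ".wsf")))


def evaluate(events: list) -> dict:
    """Map pid -> list of findings, omitting pids with none."""
    result = {}
    for ev in events:
        findings = list(firewall_policy_findings(ev))
        if script_host_from_temp(ev):
            findings.append("script-host-from-temp")
        if findings:
            result[ev.pid] = findings
    return result


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, ", ".join(names))
```

The rules key on the reg.exe events rather than on the cmd /c wrappers, so the same logic works whether the tampering is scripted through cmd.exe or done directly; the exception-path rules match the value string of the form path:*:Enabled:name, which is what the report's IoCs show being written, and the Program Files control event shows a legitimate exception passing through without a finding.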
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Not crypted server.exe  (also recorded as \Users\Admin\AppData\Local\Temp\Not crypted server.exe)
  Filesize: 419KB
  MD5: 108c042c7a7d40744942dad445481774
  SHA1: 4a03259aa4599c027f12da0d3379216496ef0655
  SHA256: ee31c8618d31624797b5a6c29e4ee9ffd466239c05bb966cb6ed597ae04a47bb
  SHA512: c63950e78aed06bc175aff38a12d692ab2cdf6409d17fa08a6f8c5b3b1036d14d1f04c4bf6625d9bdca31dda725e6743f4e1c509d10202822a981a2edae39a5f

C:\Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE  (also recorded as \Users\Admin\AppData\Local\Temp\TRISTAN SERVER.EXE)
  Filesize: 658KB
  MD5: 90050eb20b33f4f0155a98008aee0bf7
  SHA1: 3047729097f0979e87b1403333c384ae4e5c645c
  SHA256: b10d168ed95926c7da49dc2937e40886d7c2dddd347312f0ec9be2ca8b146f60
  SHA512: 80c7c98b0cd26e405c38ede33426fb47ffe2dd01d810a79860fce7b646d330c179f4a45386070a6fc374e10c23a056b607f39bc64a615cb87a94112cd2a53efe

C:\Users\Admin\AppData\Local\Temp\cwKCo.vbs
  Filesize: 394B
  MD5: f52500f8ed2a5563b54286f1127195a4
  SHA1: ce3615fffedcad20d348e7a501f68f61c8da186b
  SHA256: 1e4f06a679a3fac8a4b667bad3a4b3a728cc611f2db9988e85ca6f9acded8104
  SHA512: e94ee1d6c6d00c873f8f73b4b7acb1b3e95a3278f08851465d32ce560bb29cc158b0e861b57045fb14c25e1d273c3426f976edf3398153517e586b9ea3d8d9ab
Memory dumps
dump                                                                  size
memory/468-97-0x0000000000000000-mapping.dmp
memory/780-56-0x0000000000520000-0x000000000052C000-memory.dmp        48KB
memory/780-57-0x0000000004F55000-0x0000000004F66000-memory.dmp        68KB
memory/780-55-0x0000000076121000-0x0000000076123000-memory.dmp        8KB
memory/780-54-0x0000000000230000-0x00000000002D2000-memory.dmp        648KB
memory/780-59-0x00000000002F0000-0x00000000002FA000-memory.dmp        40KB
memory/780-58-0x00000000002E0000-0x00000000002EE000-memory.dmp        56KB
memory/940-76-0x0000000000000000-mapping.dmp
memory/1196-95-0x0000000000000000-mapping.dmp
memory/1504-105-0x0000000000000000-mapping.dmp
memory/1632-79-0x0000000000000000-mapping.dmp
memory/1632-110-0x0000000000400000-0x000000000055B000-memory.dmp      1.4MB
memory/1632-98-0x0000000000400000-0x000000000055B000-memory.dmp       1.4MB
memory/1688-86-0x0000000000000000-mapping.dmp
memory/1704-82-0x0000000000000000-mapping.dmp
memory/1724-94-0x0000000000000000-mapping.dmp
memory/1752-84-0x0000000000000000-mapping.dmp
memory/1896-64-0x0000000000400000-0x000000000045D000-memory.dmp       372KB
memory/1896-93-0x0000000000440000-0x000000000045C000-memory.dmp       112KB
memory/1896-72-0x0000000000400000-0x000000000045D000-memory.dmp       372KB
memory/1896-71-0x0000000000400000-0x000000000045D000-memory.dmp       372KB
memory/1896-70-0x0000000000400000-0x000000000045D000-memory.dmp       372KB
memory/1896-67-0x0000000000400000-0x000000000045D000-memory.dmp       372KB
memory/1896-65-0x000000000045BC90-mapping.dmp
memory/1896-63-0x0000000000400000-0x000000000045D000-memory.dmp       372KB
memory/1896-61-0x0000000000400000-0x000000000045D000-memory.dmp       372KB
memory/1896-109-0x0000000000440000-0x000000000045C000-memory.dmp      112KB
memory/1896-60-0x0000000000400000-0x000000000045D000-memory.dmp       372KB
memory/1928-96-0x0000000000000000-mapping.dmp
memory/2044-87-0x0000000000000000-mapping.dmp

For analysis, the dumps to pull are the 372KB 0x0000000000400000-0x000000000045D000 snapshots of PID 1896: that region is the image written into applaunch.exe by the sample, the upx yara rule matched on it, and the mapping recorded at 0x000000000045BC90 lies inside it. The 1.4MB 0x0000000000400000-0x000000000055B000 dumps of PID 1632 are the Not crypted server.exe image, which the same rule also flagged on disk.