Analysis
max time kernel: 176s
max time network: 187s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 13:18
Static task: static1
Behavioral task: behavioral1
Sample: c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe
Resource: win10v2004-20220812-en
General
Target: c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe
Size: 706KB
MD5: 3b1dabb184ddb3d2d6831bfa99e9cf69
SHA1: 65bbe9e8677bd0b8a6f1a01751ce67e87742e6f0
SHA256: c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb
SHA512: 823933be99210b596e2c600fcf3138223e50dd1fb2ddefc392c72ef1cd466eaaf877d8e735d2399fb28b1281ef3c2cf29c6e2d729d486133c470b7a23d12484f
SSDEEP: 12288:2kfclKA/0eQdQFVaxrXgsviCx0t64eeg25CrpmUF4znjZSBei/ZFfdYi:wKeNTnaxrB664eKuUU6jZSgie
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
ModiLoader Second Stage 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2736-157-0x0000000000400000-0x0000000000520000-memory.dmp | modiloader_stage2
behavioral2/memory/4780-171-0x0000000000400000-0x0000000000520000-memory.dmp | modiloader_stage2
Executes dropped EXE 5 IoCs
Processes:
pid | process
792 | Xr.exe
2736 | Xr.exe
3952 | mstwain32.exe
4780 | mstwain32.exe
4896 | XR21~1.EXE
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xr.exe | upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xr.exe | upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xr.exe | upx
behavioral2/memory/792-139-0x0000000000400000-0x0000000000520000-memory.dmp | upx
behavioral2/memory/2736-140-0x0000000000400000-0x0000000000520000-memory.dmp | upx
C:\Windows\mstwain32.exe | upx
C:\Windows\mstwain32.exe | upx
behavioral2/memory/792-152-0x0000000000400000-0x0000000000520000-memory.dmp | upx
C:\Windows\mstwain32.exe | upx
behavioral2/memory/4780-155-0x0000000000400000-0x0000000000520000-memory.dmp | upx
behavioral2/memory/3952-156-0x0000000000400000-0x0000000000520000-memory.dmp | upx
behavioral2/memory/2736-157-0x0000000000400000-0x0000000000520000-memory.dmp | upx
behavioral2/memory/4780-171-0x0000000000400000-0x0000000000520000-memory.dmp | upx
behavioral2/memory/3952-172-0x0000000000400000-0x0000000000520000-memory.dmp | upx
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Xr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | mstwain32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | mstwain32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Xr.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | Xr.exe
Loads dropped DLL 6 IoCs
Processes:
pid | process
4780 | mstwain32.exe
4780 | mstwain32.exe
4780 | mstwain32.exe
4780 | mstwain32.exe
3952 | mstwain32.exe
3952 | mstwain32.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | mstwain32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" | mstwain32.exe
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Xr.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mstwain32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\ntdtcstp.dll | mstwain32.exe
File created | C:\Windows\cmsetac.dll | mstwain32.exe
File created | C:\Windows\mstwain32.exe | Xr.exe
File opened for modification | C:\Windows\mstwain32.exe | Xr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 19 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA} | Xr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" | Xr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ryqhWFrdQo = "Ybuj{jKVbfVNDqJtAi|aXf" | mstwain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\vbcq = "L\\zg|BD{fwcJC@dBUtO" | mstwain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wskaJng = "vMbmoMNaWk`uj[_wIWfm\\gHZT@sOGd" | mstwain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wskaJng = "vMbmoMNaWk`uj[_wIWfm\\WHZT@qNM`" | mstwain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\RuntimeVersion = "v2.0.50727" | Xr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Word, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | Xr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Interop.Word.OLEControlClass" | Xr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rfgpukjy = "oWgykUFrCR{nAF{STJ\\AU\\IB" | mstwain32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32 | Xr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\Assembly = "Microsoft.Office.Interop.Word, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | Xr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wGoyzgE = "pXybbjyzidGwj[_d" | mstwain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\eXJwarwK = "bfej{DaGWoJuEFELlgDkYiTIUMH[bKB" | mstwain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wnrmdi = "C\\" | mstwain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\wnrmdi = "uH" | mstwain32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\Class = "Microsoft.Office.Interop.Word.OLEControlClass" | Xr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\InprocServer32\15.0.0.0 | Xr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\rfgpukjy = "oWgykUFrCR{nAv{STJ\\AUlIB" | mstwain32.exe
NTFS ADS 2 IoCs
Processes:
description | ioc | process
File created | C:\ProgramData\TEMP:C980DA7D | mstwain32.exe
File opened for modification | C:\ProgramData\TEMP:C980DA7D | mstwain32.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description | pid | process
Token: 33 | 2736 | Xr.exe
Token: SeIncBasePriorityPrivilege | 2736 | Xr.exe
Token: 33 | 2736 | Xr.exe
Token: SeIncBasePriorityPrivilege | 2736 | Xr.exe
Token: SeDebugPrivilege | 2736 | Xr.exe
Token: SeBackupPrivilege | 4924 | vssvc.exe
Token: SeRestorePrivilege | 4924 | vssvc.exe
Token: SeAuditPrivilege | 4924 | vssvc.exe
Token: 33 | 4780 | mstwain32.exe
Token: SeIncBasePriorityPrivilege | 4780 | mstwain32.exe
Token: 33 | 4780 | mstwain32.exe
Token: SeIncBasePriorityPrivilege | 4780 | mstwain32.exe
Token: SeDebugPrivilege | 4780 | mstwain32.exe
Token: SeDebugPrivilege | 4780 | mstwain32.exe
Token: SeDebugPrivilege | 3952 | mstwain32.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
4896 | XR21~1.EXE
4780 | mstwain32.exe
4780 | mstwain32.exe
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 3532 wrote to memory of 792 | 3532 | c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe | Xr.exe
PID 3532 wrote to memory of 792 | 3532 | c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe | Xr.exe
PID 3532 wrote to memory of 792 | 3532 | c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe | Xr.exe
PID 792 wrote to memory of 2736 | 792 | Xr.exe | Xr.exe
PID 792 wrote to memory of 2736 | 792 | Xr.exe | Xr.exe
PID 792 wrote to memory of 2736 | 792 | Xr.exe | Xr.exe
PID 792 wrote to memory of 2736 | 792 | Xr.exe | Xr.exe
PID 792 wrote to memory of 2736 | 792 | Xr.exe | Xr.exe
PID 2736 wrote to memory of 3952 | 2736 | Xr.exe | mstwain32.exe
PID 2736 wrote to memory of 3952 | 2736 | Xr.exe | mstwain32.exe
PID 2736 wrote to memory of 3952 | 2736 | Xr.exe | mstwain32.exe
PID 3952 wrote to memory of 4780 | 3952 | mstwain32.exe | mstwain32.exe
PID 3952 wrote to memory of 4780 | 3952 | mstwain32.exe | mstwain32.exe
PID 3952 wrote to memory of 4780 | 3952 | mstwain32.exe | mstwain32.exe
PID 3952 wrote to memory of 4780 | 3952 | mstwain32.exe | mstwain32.exe
PID 3952 wrote to memory of 4780 | 3952 | mstwain32.exe | mstwain32.exe
PID 3532 wrote to memory of 4896 | 3532 | c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe | XR21~1.EXE
PID 3532 wrote to memory of 4896 | 3532 | c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe | XR21~1.EXE
PID 3532 wrote to memory of 4896 | 3532 | c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe | XR21~1.EXE
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe "C:\Users\Admin\AppData\Local\Temp\c88ed9d97d99ef02a63eb6d21840355891f17c1ea487438255ebe7ef5d53ccfb.exe" 1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xr.exe 2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xr.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xr.exe 3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xr.exe" 4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xr.exe" 5⤵
- UAC bypass
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XR21~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\XR21~1.EXE 2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads