Analysis
- max time kernel: 48s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-03-2023 23:34
Static task: static1
Behavioral task: behavioral1
  Sample: Activation.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Activation.exe
  Resource: win10v2004-20230220-en
General
- Target: Activation.exe
- Size: 703KB
- MD5: 8c1d40db6464fd098716a317486db961
- SHA1: 4b4d82e0a91f11e1348488b9e9edd43697d9db67
- SHA256: 7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5
- SHA512: 16c868e227c4928dfcc116ba6e9d93c22418936cad625cd48645abb96229d31ee1329105097d2e7f36f6382e214dfd54e1eb92842bcc45edd978f64da6c4c6dd
- SSDEEP: 6144:5UPAUV624Zk+nC+f8Z7DgMvVXYNlV8F/2/6utZeiXhOy8oMmkCOutH5BysohXWwm:5mV620nN8ZoAutZeiXhOBuOaBToo4ZY
Malware Config
Signatures
- Possible privilege escalation attempt (3 IoCs)
  Processes:
    pid    process
    1780   icacls.exe
    828    icacls.exe
    1920   takeown.exe
- Modifies file permissions (1 TTPs, 3 IoCs)
  Processes:
    pid    process
    1920   takeown.exe
    1780   icacls.exe
    828    icacls.exe
- Drops file in Windows directory (3 IoCs)
  Processes:
    description    ioc                               process
    File created   C:\Windows\IME\permissions.bat    Activation.exe
    File created   C:\Windows\IME\reset.bat          Activation.exe
    File created   C:\Windows\IME\activator.bat      Activation.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid    process
    1224   timeout.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid    process
    512    powershell.exe
    1648   powershell.exe
    1392   powershell.exe
    1924   powershell.exe
    1736   powershell.exe
    1224   powershell.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes:
    description                        pid    process
    Token: SeTakeOwnershipPrivilege    1920   takeown.exe
    Token: SeDebugPrivilege            512    powershell.exe
    Token: SeDebugPrivilege            1648   powershell.exe
    Token: SeDebugPrivilege            1392   powershell.exe
    Token: SeDebugPrivilege            1924   powershell.exe
    Token: SeDebugPrivilege            1736   powershell.exe
    Token: SeSecurityPrivilege         1736   powershell.exe
    Token: SeDebugPrivilege            1224   powershell.exe
    Token: SeSecurityPrivilege         1224   powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Activation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Activation.exe"
  Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c title Windows Activation Fix
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c color 0b
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo.
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo.
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo.
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo.
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo.
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo.
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo.
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c pause
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo Starting...
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\takeown.exe
      Command line: takeown /F C:\Windows\System32\sppsvc.exe
      Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32 /grant administrators:F /T
      Signatures: Possible privilege escalation attempt; Modifies file permissions
    - C:\Windows\system32\icacls.exe
      Command line: icacls C:\Windows\System32\spp /grant administrators:F /T
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c echo Applying permissions...
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
    - C:\Windows\system32\net.exe
      Command line: net stop sppsvc
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 stop sppsvc
    - C:\Windows\system32\net.exe
      Command line: net start sppsvc
      - C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 start sppsvc
    - C:\Windows\system32\cscript.exe
      Command line: cscript.exe C:\Windows\System32\slmgr.vbs /rilc
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c %windir%\IME\activator.bat
    - C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" //B /ipk TX9XD-98N7V-6WMQ6-BX7FG-H8Q99
    - C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" //B /skms kms8.msguides.com
    - C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\system32\slmgr.vbs" //B /ato
    - C:\Windows\system32\timeout.exe
      Command line: timeout /T 3 /NOBREAK
      Signatures: Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads