Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10
submitted: 02-08-2020 15:29
Static task: static1
Behavioral task: behavioral1
Sample: Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Resource: win7v200722
General
Target: Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Size: 4.5MB
MD5: 57afe7c6eae81f93e3e6a085b6bd7961
SHA1: 6af9bb4cb10f0d765cf87b71f5dcfa3c5d7d61f6
SHA256: b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3
SHA512: ebd7a6029b72385d1667fa1013241dfeac19fedf2ccf1303b22105126e5de490f39af4e5a2f3dbaba462b919560fb8a421f3228c49bfb8bc569d9f8c16c40665
Malware Config
Extracted
danabot
192.236.161.25
93.115.21.108
173.234.155.181
2.56.212.137
45.153.240.84
Signatures
-
Danabot x86 payload 5 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL | family_danabot
\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL | family_danabot
\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL | family_danabot
\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL | family_danabot
\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL | family_danabot
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 13 IoCs
Processes:
WScript.exe, rundll32.exe
flow | pid | process
11 | 1832 | WScript.exe
13 | 1832 | WScript.exe
15 | 1832 | WScript.exe
17 | 1832 | WScript.exe
36 | 3384 | rundll32.exe
37 | 3384 | rundll32.exe
38 | 3384 | rundll32.exe
40 | 3384 | rundll32.exe
43 | 3384 | rundll32.exe
44 | 3384 | rundll32.exe
45 | 3384 | rundll32.exe
46 | 3384 | rundll32.exe
47 | 3384 | rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pwxgdnyciegq.exe, mifcripvc.exe, xruvjfdkx.exe
pid | process
2976 | pwxgdnyciegq.exe
1824 | mifcripvc.exe
2784 | xruvjfdkx.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
xruvjfdkx.exe, Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe, pwxgdnyciegq.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | xruvjfdkx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | pwxgdnyciegq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | pwxgdnyciegq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | xruvjfdkx.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe, xruvjfdkx.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Wine | Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key opened | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Wine | xruvjfdkx.exe
-
Loads dropped DLL 4 IoCs
Processes:
regsvr32.exe, rundll32.exe
pid | process
2968 | regsvr32.exe
2968 | regsvr32.exe
3384 | rundll32.exe
3384 | rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
22 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe, xruvjfdkx.exe
pid | process
3612 | Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
2784 | xruvjfdkx.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
pwxgdnyciegq.exe, Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | pwxgdnyciegq.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | pwxgdnyciegq.exe
-
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exe, timeout.exe, timeout.exe
pid | process
1268 | timeout.exe
2172 | timeout.exe
3764 | timeout.exe
-
Modifies registry class 1 IoCs
Processes:
cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000_Classes\Local Settings | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe, xruvjfdkx.exe
pid | process
3612 | Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
3612 | Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe
2784 | xruvjfdkx.exe
2784 | xruvjfdkx.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pwxgdnyciegq.exe
pid | process
2976 | pwxgdnyciegq.exe
2976 | pwxgdnyciegq.exe
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe (depth 1): "C:\Users\Admin\AppData\Local\Temp\Kafan_Sample_b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3.exe"
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 2): "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\opwgvwbuwyal.vbs"
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe (depth 3): "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\opwgvwbuwyal.vbs"
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exe (depth 2): "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe (depth 3): "C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe (depth 4): "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exe (depth 5): timeout 2
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe (depth 2): "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\mifcripvc.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mifcripvc.exe (depth 3): "C:\Users\Admin\AppData\Local\Temp\mifcripvc.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe (depth 4): C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\MIFCRI~1.EXE@1824
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (depth 5): C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL,f0
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe (depth 2): "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe (depth 3): "C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe"
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 4): "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\nbqtslico & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exe (depth 5): timeout 2
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe (depth 4): "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\nbqtslico & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exe (depth 5): timeout 2
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\nbqtslico\46173476.txt
-
C:\ProgramData\nbqtslico\8372422.txt
-
C:\ProgramData\nbqtslico\Files\_INFOR~1.TXT
-
C:\ProgramData\nbqtslico\NL_202~1.ZIP
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C954CE05407CAD0B91F1461CBC854DCE
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C954CE05407CAD0B91F1461CBC854DCE
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\4ljk.tmp
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\CVAFMR~1.ZIP
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\EDTIt.tmp
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\SI3RTP~1.ZIP
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\WUtf.tmp
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\_Files\_INFOR~1.TXT
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\_Files\_SCREE~1.JPE
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\files_\SCREEN~1.JPG
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\files_\SYSTEM~1.TXT
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\jwS0.tmp
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\qhC2c.tmp
-
C:\Users\Admin\AppData\Local\Temp\J07mtSQegJyL\ucQZ.tmp
-
C:\Users\Admin\AppData\Local\Temp\MIFCRI~1.DLL
-
C:\Users\Admin\AppData\Local\Temp\mifcripvc.exe
-
C:\Users\Admin\AppData\Local\Temp\opwgvwbuwyal.vbs
-
C:\Users\Admin\AppData\Local\Temp\pwxgdnyciegq.exe
-
C:\Users\Admin\AppData\Local\Temp\xruvjfdkx.exe