Analysis Overview
SHA256
36a4c21f4c6cc8b615bea7141b510fdd5bbae68ee02b262f8215f88f64cf51f6
Threat Level: Known bad
The file CHIKWA..exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
MassLogger Main Payload
MassLogger
Executes dropped EXE
Deletes itself
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-12-01 11:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-12-01 11:59
Reported
2020-12-01 12:01
Platform
win7v20201028
Max time kernel
122s
Max time network
141s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA..exe\"" | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHIKWA..exe | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHIKWA..exe | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.lnk | C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA..exe" | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHIKWA..exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA..exe" | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1080 set thread context of 1756 | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 4.828
C:\Windows\SysWOW64\timeout.exe
timeout 4.828
C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"
C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe'
C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe
"C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | hastebin.com | udp |
| N/A | 172.67.143.180:443 | hastebin.com | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 54.235.182.194:80 | api.ipify.org | tcp |
| N/A | 8.8.8.8:53 | mail.banoto.com | udp |
| N/A | 93.190.219.149:587 | mail.banoto.com | tcp |
| N/A | 8.8.8.8:53 | www.download.windowsupdate.com | udp |
Files
memory/1080-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1080-3-0x0000000000150000-0x0000000000151000-memory.dmp
memory/1324-5-0x0000000000000000-mapping.dmp
memory/1964-6-0x0000000000000000-mapping.dmp
memory/1080-7-0x000000000B2C0000-0x000000000B421000-memory.dmp
memory/1756-8-0x0000000000400000-0x0000000000498000-memory.dmp
memory/1756-9-0x000000000049307E-mapping.dmp
memory/1756-10-0x0000000000400000-0x0000000000498000-memory.dmp
memory/1756-11-0x0000000000400000-0x0000000000498000-memory.dmp
memory/1756-12-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1504-15-0x0000000000000000-mapping.dmp
memory/1540-16-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | ad748b3babf9a4e6d25af4a095e29363 |
| SHA1 | 6ba6f092c32935b8488b5f42e05c309c076bc6b4 |
| SHA256 | 0295f54be5d4e011cff13f4b5665e0f71b55b5e7e792eaedd92cacea4ab2f151 |
| SHA512 | dbe2cf1cba8c4c8a42b4664836398985ae2669662b0769bb2b84b30955cbfe65c71055ad254e3bd2c63b9a4553e3676c96ee5d66dd84b9450945bd11f50df338 |
memory/1756-19-0x0000000005F00000-0x0000000005F8D000-memory.dmp
memory/1540-18-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1504-20-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1540-21-0x0000000000850000-0x0000000000851000-memory.dmp
memory/1540-23-0x0000000004880000-0x0000000004881000-memory.dmp
memory/1504-25-0x0000000002500000-0x0000000002501000-memory.dmp
memory/1504-27-0x0000000005240000-0x0000000005241000-memory.dmp
memory/1504-31-0x0000000006020000-0x0000000006021000-memory.dmp
memory/1504-36-0x0000000006080000-0x0000000006081000-memory.dmp
memory/1504-37-0x0000000006170000-0x0000000006171000-memory.dmp
memory/1504-44-0x0000000006280000-0x0000000006281000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | d65d3290e911e16f3bff8acfdb9a08ad |
| SHA1 | 7a67686e600844b6038baed3bfdcc20aa9be55e8 |
| SHA256 | d2aaf6b752eabd4bdb0d5bbc9e09df734c47810ecc93fe68183973352fd31b07 |
| SHA512 | 50f374a503567b3cfb7c1b557e525c426ce83c7445235cd5f3714ecb684818c0688c105bb58ead4766b23e9eb635d295321cb95a8af74ee316c756ea2a01ed62 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3bf4f350-86fe-486e-8b87-41ab96d0ad9c
| MD5 | b6d38f250ccc9003dd70efd3b778117f |
| SHA1 | d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a |
| SHA256 | 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265 |
| SHA512 | 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_644b5728-e9b5-45ab-9104-7136ec814422
| MD5 | be4d72095faf84233ac17b94744f7084 |
| SHA1 | cc78ce5b9c57573bd214a8f423ee622b00ebb1ec |
| SHA256 | b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc |
| SHA512 | 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_69670b6c-d49a-42a9-993a-10d18807f7c6
| MD5 | 5e3c7184a75d42dda1a83606a45001d8 |
| SHA1 | 94ca15637721d88f30eb4b6220b805c5be0360ed |
| SHA256 | 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59 |
| SHA512 | fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4408bb97-19ee-4815-b02c-5a0939dddad8
| MD5 | df44874327d79bd75e4264cb8dc01811 |
| SHA1 | 1396b06debed65ea93c24998d244edebd3c0209d |
| SHA256 | 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181 |
| SHA512 | 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e9f9468a-8cbd-4472-b808-e8b3772f4134
| MD5 | 02ff38ac870de39782aeee04d7b48231 |
| SHA1 | 0390d39fa216c9b0ecdb38238304e518fb2b5095 |
| SHA256 | fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876 |
| SHA512 | 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6532a425-51ae-4577-837f-c6e09d9fcfcf
| MD5 | 75a8da7754349b38d64c87c938545b1b |
| SHA1 | 5c28c257d51f1c1587e29164cc03ea880c21b417 |
| SHA256 | bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96 |
| SHA512 | 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643 |
memory/1504-52-0x0000000005FE0000-0x0000000005FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe
| MD5 | 068743421644fc2febdf237a80c6bf6b |
| SHA1 | 67ac969d297bd97bb0b42f399d6756c5c345130e |
| SHA256 | 3410749bccbdf8cff03a7b40cf6debe10bb2b16c09be4f94e9b44df93d0ae322 |
| SHA512 | 6f0a97f229d932a1df8e36dbe5d45158972e0ad4df409a0551e9c66ce1b15c60ab9bafbdce01e776c102b70c96998c56b6120e3c9446f051a74d46ca1076edbb |
memory/1648-63-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe
| MD5 | 068743421644fc2febdf237a80c6bf6b |
| SHA1 | 67ac969d297bd97bb0b42f399d6756c5c345130e |
| SHA256 | 3410749bccbdf8cff03a7b40cf6debe10bb2b16c09be4f94e9b44df93d0ae322 |
| SHA512 | 6f0a97f229d932a1df8e36dbe5d45158972e0ad4df409a0551e9c66ce1b15c60ab9bafbdce01e776c102b70c96998c56b6120e3c9446f051a74d46ca1076edbb |
C:\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe
| MD5 | 068743421644fc2febdf237a80c6bf6b |
| SHA1 | 67ac969d297bd97bb0b42f399d6756c5c345130e |
| SHA256 | 3410749bccbdf8cff03a7b40cf6debe10bb2b16c09be4f94e9b44df93d0ae322 |
| SHA512 | 6f0a97f229d932a1df8e36dbe5d45158972e0ad4df409a0551e9c66ce1b15c60ab9bafbdce01e776c102b70c96998c56b6120e3c9446f051a74d46ca1076edbb |
memory/1648-66-0x0000000074CF0000-0x00000000753DE000-memory.dmp
memory/1648-69-0x0000000000E70000-0x0000000000E71000-memory.dmp
memory/1504-74-0x0000000006300000-0x0000000006301000-memory.dmp
memory/1504-75-0x0000000006310000-0x0000000006311000-memory.dmp
\Users\Admin\AppData\Local\Temp\Dqzimr_btc.exe
| MD5 | 068743421644fc2febdf237a80c6bf6b |
| SHA1 | 67ac969d297bd97bb0b42f399d6756c5c345130e |
| SHA256 | 3410749bccbdf8cff03a7b40cf6debe10bb2b16c09be4f94e9b44df93d0ae322 |
| SHA512 | 6f0a97f229d932a1df8e36dbe5d45158972e0ad4df409a0551e9c66ce1b15c60ab9bafbdce01e776c102b70c96998c56b6120e3c9446f051a74d46ca1076edbb |
Analysis: behavioral2
Detonation Overview
Submitted
2020-12-01 11:59
Reported
2020-12-01 12:01
Platform
win10v20201028
Max time kernel
44s
Max time network
111s
Command Line
Signatures
MassLogger
MassLogger Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA..exe\"" | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHIKWA..exe | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHIKWA..exe | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA..exe" | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\CHIKWA..exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CHIKWA..exe" | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2432 set thread context of 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 4.828
C:\Windows\SysWOW64\timeout.exe
timeout 4.828
C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe
"C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\CHIKWA..exe'
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | hastebin.com | udp |
| N/A | 172.67.143.180:443 | hastebin.com | tcp |
Files
memory/2432-2-0x0000000073970000-0x000000007405E000-memory.dmp
memory/2432-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
memory/2432-5-0x00000000057F0000-0x00000000057F1000-memory.dmp
memory/728-6-0x0000000000000000-mapping.dmp
memory/2828-7-0x0000000000000000-mapping.dmp
memory/2432-8-0x000000000BBE0000-0x000000000BD41000-memory.dmp
memory/2432-9-0x000000000C250000-0x000000000C251000-memory.dmp
memory/3132-10-0x0000000000400000-0x0000000000498000-memory.dmp
memory/3132-11-0x000000000049307E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CHIKWA..exe.log
| MD5 | 6fd55a5291d2bcbcf9802b4c14a5bd72 |
| SHA1 | 75f1549c7c7859789ef415fe44e6d2dc61961262 |
| SHA256 | f0e9c058145bc79fbee033413fd0d2abf3d5580c433f078b73c3954349e9a111 |
| SHA512 | 403540882c995d22639f59b11f756248799e71560ed3a34b6a7f6207d4b2369f64af8da3d605ffc25037357c1ff4f4578bd3501cf5d8e86d68a7102565723546 |
memory/3132-13-0x0000000073980000-0x000000007406E000-memory.dmp
memory/3132-16-0x0000000005760000-0x0000000005761000-memory.dmp
memory/3132-18-0x0000000005B00000-0x0000000005B01000-memory.dmp
memory/3896-19-0x0000000000000000-mapping.dmp
memory/3896-20-0x00000000739F0000-0x00000000740DE000-memory.dmp
memory/3896-21-0x0000000004590000-0x0000000004591000-memory.dmp
memory/3896-22-0x0000000007170000-0x0000000007171000-memory.dmp
memory/3896-23-0x0000000007010000-0x0000000007011000-memory.dmp
memory/3896-24-0x00000000070B0000-0x00000000070B1000-memory.dmp
memory/3896-26-0x0000000007A60000-0x0000000007A61000-memory.dmp
memory/3896-27-0x0000000007860000-0x0000000007861000-memory.dmp
memory/3896-28-0x00000000082F0000-0x00000000082F1000-memory.dmp
memory/3896-29-0x00000000080A0000-0x00000000080A1000-memory.dmp
memory/3896-30-0x0000000009820000-0x0000000009821000-memory.dmp
memory/3896-31-0x0000000008DA0000-0x0000000008DA1000-memory.dmp
memory/3896-32-0x00000000091A0000-0x00000000091A1000-memory.dmp
memory/3896-33-0x0000000006C40000-0x0000000006C41000-memory.dmp