Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 06-05-2021 20:47
Static task: static1
Behavioral task: behavioral1
- Sample: 117E4E3F1B6EDAE6745F82CF072008F1.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 117E4E3F1B6EDAE6745F82CF072008F1.exe
- Resource: win10v20210410
General
- Target: 117E4E3F1B6EDAE6745F82CF072008F1.exe
- Size: 1.0MB
- MD5: 117e4e3f1b6edae6745f82cf072008f1
- SHA1: 62bcde8f6c592a4be16b0d0feeb5fa2df13b0619
- SHA256: 3f3ce1f91c8f439a2c903fa08544b08e21704a53c3ab260d3a0b8d3dea425020
- SHA512: f7e5ee09daf8e52729feb9259457659f0575f6695842611c01e327b8e70d7a10bc9901662fecb28a1c8b35ac57e86bd92f4a93d4fcca203f24502255274223c1
Malware Config
Extracted
redline
9874
nshoreyle.xyz:80
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2104-128-0x0000000000720000-0x000000000073C000-memory.dmp | family_redline
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
Processes:
pid | process
1004 | Sta.exe.com
3952 | Sta.exe.com
2104 | RegAsm.exe
3088 | file.exe
3728 | tib_mounter_monitor.exe
3148 | sihost64.exe
4016 | PULServices.exe
632 | sihost64.exe
412 | PULServices.exe
3680 | sihost64.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\PULServices.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PULServices.exe" | tib_mounter_monitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\PULServices.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PULServices.exe" | PULServices.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\PULServices.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PULServices.exe" | PULServices.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3952 set thread context of 2104 | 3952 | Sta.exe.com | RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
2104 | RegAsm.exe
3728 | tib_mounter_monitor.exe
3728 | tib_mounter_monitor.exe
3728 | tib_mounter_monitor.exe
4016 | PULServices.exe
4016 | PULServices.exe
412 | PULServices.exe
412 | PULServices.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2104 | RegAsm.exe
Token: SeDebugPrivilege | 3728 | tib_mounter_monitor.exe
Token: SeDebugPrivilege | 4016 | PULServices.exe
Token: SeDebugPrivilege | 412 | PULServices.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
description | pid | process | target process
PID 3680 wrote to memory of 2380 | 3680 | 117E4E3F1B6EDAE6745F82CF072008F1.exe | cmd.exe
PID 3680 wrote to memory of 2380 | 3680 | 117E4E3F1B6EDAE6745F82CF072008F1.exe | cmd.exe
PID 3680 wrote to memory of 2380 | 3680 | 117E4E3F1B6EDAE6745F82CF072008F1.exe | cmd.exe
PID 2380 wrote to memory of 1008 | 2380 | cmd.exe | cmd.exe
PID 2380 wrote to memory of 1008 | 2380 | cmd.exe | cmd.exe
PID 2380 wrote to memory of 1008 | 2380 | cmd.exe | cmd.exe
PID 1008 wrote to memory of 3956 | 1008 | cmd.exe | findstr.exe
PID 1008 wrote to memory of 3956 | 1008 | cmd.exe | findstr.exe
PID 1008 wrote to memory of 3956 | 1008 | cmd.exe | findstr.exe
PID 1008 wrote to memory of 1004 | 1008 | cmd.exe | Sta.exe.com
PID 1008 wrote to memory of 1004 | 1008 | cmd.exe | Sta.exe.com
PID 1008 wrote to memory of 1004 | 1008 | cmd.exe | Sta.exe.com
PID 1008 wrote to memory of 3432 | 1008 | cmd.exe | PING.EXE
PID 1008 wrote to memory of 3432 | 1008 | cmd.exe | PING.EXE
PID 1008 wrote to memory of 3432 | 1008 | cmd.exe | PING.EXE
PID 1004 wrote to memory of 3952 | 1004 | Sta.exe.com | Sta.exe.com
PID 1004 wrote to memory of 3952 | 1004 | Sta.exe.com | Sta.exe.com
PID 1004 wrote to memory of 3952 | 1004 | Sta.exe.com | Sta.exe.com
PID 3952 wrote to memory of 2104 | 3952 | Sta.exe.com | RegAsm.exe
PID 3952 wrote to memory of 2104 | 3952 | Sta.exe.com | RegAsm.exe
PID 3952 wrote to memory of 2104 | 3952 | Sta.exe.com | RegAsm.exe
PID 3952 wrote to memory of 2104 | 3952 | Sta.exe.com | RegAsm.exe
PID 3952 wrote to memory of 2104 | 3952 | Sta.exe.com | RegAsm.exe
PID 2104 wrote to memory of 3088 | 2104 | RegAsm.exe | file.exe
PID 2104 wrote to memory of 3088 | 2104 | RegAsm.exe | file.exe
PID 2104 wrote to memory of 3088 | 2104 | RegAsm.exe | file.exe
PID 3088 wrote to memory of 3728 | 3088 | file.exe | tib_mounter_monitor.exe
PID 3088 wrote to memory of 3728 | 3088 | file.exe | tib_mounter_monitor.exe
PID 3728 wrote to memory of 3148 | 3728 | tib_mounter_monitor.exe | sihost64.exe
PID 3728 wrote to memory of 3148 | 3728 | tib_mounter_monitor.exe | sihost64.exe
PID 3728 wrote to memory of 4016 | 3728 | tib_mounter_monitor.exe | PULServices.exe
PID 3728 wrote to memory of 4016 | 3728 | tib_mounter_monitor.exe | PULServices.exe
PID 4016 wrote to memory of 632 | 4016 | PULServices.exe | sihost64.exe
PID 4016 wrote to memory of 632 | 4016 | PULServices.exe | sihost64.exe
PID 632 wrote to memory of 412 | 632 | sihost64.exe | PULServices.exe
PID 632 wrote to memory of 412 | 632 | sihost64.exe | PULServices.exe
PID 412 wrote to memory of 3680 | 412 | PULServices.exe | sihost64.exe
PID 412 wrote to memory of 3680 | 412 | PULServices.exe | sihost64.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\117E4E3F1B6EDAE6745F82CF072008F1.exe [level 1]
    Command line: "C:\Users\Admin\AppData\Local\Temp\117E4E3F1B6EDAE6745F82CF072008F1.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe [level 2]
    Command line: "C:\Windows\System32\cmd.exe" /c OjTdveCmOYGkwPuVcKiZNQpZgITQtdpOakAXUzIiXgaubigrkVRWUyRXrTwOpLxnOSSPfoqweZenbeCixQFpnhThxCU & cmd < Dai.mp4
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe [level 3]
    Command line: cmd
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\findstr.exe [level 4]
    Command line: findstr /V /R "^aUkEmTrtPLftfXTJGsUJbGeamVtEFfQQoaHhAtLwnlFklwqAGOsXaZfLRTyEPmnAVmVWfGoBFTljwRobUEYRXSbprWcHZikZLyfKutlqFQanPeKqKIJkAHDewMTzlACbHlBV$" Lancio.mp4
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com [level 4]
    Command line: Sta.exe.com x
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com [level 5]
    Command line: C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\Sta.exe.com x
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe [level 6]
    Command line: C:\Users\Admin\AppData\Roaming\uBMbjNpPpdpWfAOsohNBAMpthkfYHqrtbkrBZnhbKYuZwEQdhrHrrDSxaIlqnlopjymtvjaKZfRC\RegAsm.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\file.exe [level 7]
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tib_mounter_monitor.exe [level 8]
    Command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\tib_mounter_monitor.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe [level 9]
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\PULServices.exe [level 9]
    Command line: "C:\Users\Admin\AppData\Local\Temp\PULServices.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe [level 10]
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\PULServices.exe [level 11]
    Command line: "C:\Users\Admin\AppData\Local\Temp\PULServices.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe [level 12]
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\PING.EXE [level 4]
    Command line: ping 127.0.0.1 -n 30
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads