Analysis
- max time kernel: 150s
- max time network: 174s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-06-2021 17:05

Static task: static1
Behavioral task: behavioral1
- Sample: unknownfamily.exe
- Resource: win7v20210410
General
- Target: unknownfamily.exe
- Size: 2.8MB
- MD5: 3299ebb7b213d7ab79f7fef2296b06d2
- SHA1: 71efb0ca7eac2410291a6405977aa81bb72394f1
- SHA256: 783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d
- SHA512: 5f5f1e3d45a83cac12f7590a628c1a4f8cbcb84deb4e5c86566778164761c738fefab11a003fee4372121b7545fb26ec7ec2fede0c3ba34470523fdc03ecb996
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Drops file in Drivers directory 3 IoCs
Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\system32\drivers\is-JM92O.tmp | gbpcefwr64.tmp |
| File created | C:\Windows\system32\drivers\is-I4R3N.tmp | gbpcefwr64.tmp |
| File opened for modification | C:\Windows\system32\drivers\wsddpp.sys | core.exe |

-
Executes dropped EXE 36 IoCs
Processes:

| pid | process |
| --- | --- |
| 1096 | vcredist.exe |
| 1792 | vcredist_64.exe |
| 292 | gbpcefwr64.exe |
| 1980 | gbpcefwr64.tmp |
| 948 | get_version.exe |
| 1620 | _setup64.tmp |
| 1988 | impersonate.exe |
| 828 | openssl.exe |
| 880 | openssl.exe |
| 928 | openssl.exe |
| 1548 | openssl.exe |
| 948 | openssl.exe |
| 872 | wsffcmgr.exe |
| 1632 | certutil.exe |
| 1140 | certutil.exe |
| 880 | certutil.exe |
| 1656 | certutil.exe |
| 1604 | corefixer.exe |
| 980 | wsffcmgr.exe |
| 1244 | certutil.exe |
| 1376 | certutil.exe |
| 1132 | wsffcmgr.exe |
| 2016 | certutil.exe |
| 1900 | certutil.exe |
| 1336 | certutil.exe |
| 1820 | certutil.exe |
| 1792 | core.exe |
| 1092 | core.exe |
| 792 | impersonate.exe |
| 572 | core.exe |
| 2036 | core.exe |
| 976 | wsffcmgr.exe |
| 568 | certutil.exe |
| 1396 | certutil.exe |
| 1792 | wsffcmgr.exe |
| 1784 | certutil.exe |

-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | core.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | core.exe |

-
Loads dropped DLL 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | gbpcefwr64.tmp |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Diebold - Warsaw = "C:\\Program Files\\Diebold\\Warsaw\\core.exe" | gbpcefwr64.tmp |

-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | unknownfamily.exe |

-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | core.exe |

-
Drops file in System32 directory 4 IoCs
Processes:

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | unknownfamily.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | unknownfamily.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | unknownfamily.exe |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | unknownfamily.exe |

-
Drops file in Program Files directory 59 IoCs
-
Drops file in Windows directory 1 IoCs
Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Windows\Fonts\is-21G79.tmp | gbpcefwr64.tmp |

-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:

| pid | process |
| --- | --- |
| 920 | tasklist.exe |
| 1632 | tasklist.exe |

-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\ | core.exe |

-
Modifies data under HKEY_USERS 64 IoCs
-
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | unknownfamily.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob | unknownfamily.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | unknownfamily.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob | unknownfamily.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C545A4A8F6654C9BE2156C22CF2EEEFC25ADED65 | core.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C545A4A8F6654C9BE2156C22CF2EEEFC25ADED65\Blob | core.exe |

-
NTFS ADS 1 IoCs
Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Program Files\Diebold\Warsaw:oyhagmu138iahnc | core.exe |

-
Suspicious behavior: EnumeratesProcesses 36 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:

| pid | process |
| --- | --- |
| 1092 | core.exe |
| 464 | |

-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:

| description | pid | process |
| --- | --- | --- |
| Token: SeTcbPrivilege | 1988 | impersonate.exe |
| Token: SeIncreaseQuotaPrivilege | 1988 | impersonate.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1988 | impersonate.exe |
| Token: SeRestorePrivilege | 872 | wsffcmgr.exe |
| Token: SeRestorePrivilege | 980 | wsffcmgr.exe |
| Token: SeRestorePrivilege | 1132 | wsffcmgr.exe |
| Token: SeDebugPrivilege | 1792 | core.exe |
| Token: SeTakeOwnershipPrivilege | 1792 | core.exe |
| Token: SeDebugPrivilege | 1092 | core.exe |
| Token: SeTakeOwnershipPrivilege | 1092 | core.exe |
| Token: SeTcbPrivilege | 792 | impersonate.exe |
| Token: SeIncreaseQuotaPrivilege | 792 | impersonate.exe |
| Token: SeAssignPrimaryTokenPrivilege | 792 | impersonate.exe |
| Token: SeLoadDriverPrivilege | 1092 | core.exe |
| Token: SeRestorePrivilege | 976 | wsffcmgr.exe |
| Token: SeDebugPrivilege | 920 | tasklist.exe |
| Token: SeDebugPrivilege | 1632 | tasklist.exe |
| Token: SeRestorePrivilege | 1792 | wsffcmgr.exe |

-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:

| pid | process |
| --- | --- |
| 1980 | gbpcefwr64.tmp |

-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\unknownfamily.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\unknownfamily.exe"
Depth: 1
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
Image: C:\Users\Admin\AppData\Local\Temp\unknownfamily.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\unknownfamily.exe" service_service
Depth: 1
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
Image: C:\ProgramData\Temp\vcredist.exe
Command line: C:\ProgramData\Temp\vcredist.exe /verysilent
Depth: 2
- Executes dropped EXE
-
Image: C:\ProgramData\Temp\vcredist_64.exe
Command line: C:\ProgramData\Temp\vcredist_64.exe /verysilent
Depth: 2
- Executes dropped EXE
-
Image: C:\ProgramData\Temp\gbpcefwr64.exe
Command line: C:\ProgramData\Temp\gbpcefwr64.exe /verysilent /sp- /norestart /suppressmsgboxes /restartexitcode=3010 /nocancel
Depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\TEMP\is-4QGSV.tmp\gbpcefwr64.tmp
Command line: "C:\Windows\TEMP\is-4QGSV.tmp\gbpcefwr64.tmp" /SL5="$30076,16836934,56832,C:\ProgramData\Temp\gbpcefwr64.exe" /verysilent /sp- /norestart /suppressmsgboxes /restartexitcode=3010 /nocancel
Depth: 3
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\TEMP\is-E65FC.tmp\get_version.exe
Command line: "C:\Windows\TEMP\is-E65FC.tmp\get_version.exe" "C:\Program Files\Diebold\Warsaw\features.dat" "C:\Windows\TEMP\is-E65FC.tmp\version.txt"
Depth: 4
- Executes dropped EXE
-
Image: C:\Windows\TEMP\is-E65FC.tmp\_isetup\_setup64.tmp
Command line: helper 105 0x294
Depth: 4
- Executes dropped EXE
-
Image: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "C:\Program Files\Diebold\Warsaw\wslbmid.dll", GetMigrateCache
Depth: 4
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "C:\Program Files\Diebold\Warsaw\wslbmid.dll", GetMigrateCache
Depth: 5
- Loads dropped DLL
-
Image: C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "C:\Program Files\Diebold\Warsaw\wslbmid.dll", GetMigrateCache
Depth: 4
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Program Files\Diebold\Warsaw\wslbmid.dll", GetMigrateCache5⤵
- Loads dropped DLL
-
C:\Windows\TEMP\is-E65FC.tmp\impersonate.exe"C:\Windows\TEMP\is-E65FC.tmp\impersonate.exe" wait "C:\Windows\system32\rundll32.exe" "\"C:\Program Files\Diebold\Warsaw\wslbmid.dll\"", GetMigrateCache4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe "C:\Program Files\Diebold\Warsaw\wslbmid.dll", GetMigrateCache5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe "C:\Program Files\Diebold\Warsaw\wslbmid.dll", GetMigrateCache6⤵
- Loads dropped DLL
-
C:\Windows\TEMP\is-E65FC.tmp\openssl.exe"C:\Windows\TEMP\is-E65FC.tmp\openssl.exe" genrsa -des3 -passout pass:00371-177-0000061-85598 -out C:\Windows\TEMP\is-E65FC.tmp\root_ca.key 40964⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\TEMP\is-E65FC.tmp\openssl.exe"C:\Windows\TEMP\is-E65FC.tmp\openssl.exe" req -new -sha256 -x509 -days 3650 -key C:\Windows\TEMP\is-E65FC.tmp\root_ca.key -passin pass:00371-177-0000061-85598 -out C:\Windows\TEMP\is-E65FC.tmp\root_ca.cer -config C:\Windows\TEMP\is-E65FC.tmp\openssl.conf -subj "/CN=Warsaw Personal CA"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\TEMP\is-E65FC.tmp\openssl.exe"C:\Windows\TEMP\is-E65FC.tmp\openssl.exe" genrsa -des3 -passout pass:00371-177-0000061-85598 -out C:\Windows\TEMP\is-E65FC.tmp\localhost.key 40964⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\TEMP\is-E65FC.tmp\openssl.exe"C:\Windows\TEMP\is-E65FC.tmp\openssl.exe" req -new -key C:\Windows\TEMP\is-E65FC.tmp\localhost.key -passin pass:00371-177-0000061-85598 -out C:\Windows\TEMP\is-E65FC.tmp\localhost.csr -config C:\Windows\TEMP\is-E65FC.tmp\openssl.conf -subj "/CN=127.0.0.1"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\TEMP\is-E65FC.tmp\openssl.exe"C:\Windows\TEMP\is-E65FC.tmp\openssl.exe" x509 -sha256 -req -days 3650 -in C:\Windows\TEMP\is-E65FC.tmp\localhost.csr -CA C:\Windows\TEMP\is-E65FC.tmp\root_ca.cer -CAkey C:\Windows\TEMP\is-E65FC.tmp\root_ca.key -passin pass:00371-177-0000061-85598 -set_serial 1 -out C:\Windows\TEMP\is-E65FC.tmp\localhost.crt4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "copy /y "C:\Windows\TEMP\is-E65FC.tmp\root_ca.cer" "C:\Program Files\Diebold\Warsaw\root_ca.cer""4⤵
- Drops file in Program Files directory
-
C:\Windows\system32\certutil.exe"C:\Windows\system32\certutil.exe" -addstore root "C:\Program Files\Diebold\Warsaw\root_ca.cer"4⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Diebold\Warsaw\wsffcmgr.exe"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --cn="Warsaw Personal CA" --a="ui"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\warsaw_872\certutil.exe"C:\Windows\TEMP\warsaw_872\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.default-release" -n "Warsaw Personal CA"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\TEMP\warsaw_872\certutil.exe"C:\Windows\TEMP\warsaw_872\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.Admin" -n "Warsaw Personal CA"5⤵
- Executes dropped EXE
-
C:\Windows\TEMP\warsaw_872\certutil.exe"C:\Windows\TEMP\warsaw_872\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.default-release" -n "Warsaw Personal CA" -t "TCu,Cu,Tuw" -i "C:\Windows\TEMP\root_ca.cer"5⤵
- Executes dropped EXE
-
C:\Windows\TEMP\warsaw_872\certutil.exe"C:\Windows\TEMP\warsaw_872\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.Admin" -n "Warsaw Personal CA" -t "TCu,Cu,Tuw" -i "C:\Windows\TEMP\root_ca.cer"5⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "del /F /Q "C:\Program Files\Diebold\Warsaw\root_ca.cer""4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "copy /y /b "C:\Windows\TEMP\is-E65FC.tmp\localhost.crt"+"C:\Windows\TEMP\is-E65FC.tmp\localhost.key" "C:\Program Files\Diebold\Warsaw\ws.dat""4⤵
- Drops file in Program Files directory
-
C:\Windows\TEMP\is-E65FC.tmp\corefixer.exe"C:\Windows\TEMP\is-E65FC.tmp\corefixer.exe"4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Diebold\Warsaw\wsffcmgr.exe"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --cn="Warsaw Personal CA" --a="u"5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\warsaw_980\certutil.exe"C:\Windows\TEMP\warsaw_980\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.default-release" -n "Warsaw Personal CA"6⤵
- Executes dropped EXE
-
C:\Windows\TEMP\warsaw_980\certutil.exe"C:\Windows\TEMP\warsaw_980\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.Admin" -n "Warsaw Personal CA"6⤵
- Executes dropped EXE
-
C:\Program Files\Diebold\Warsaw\wsffcmgr.exe"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --c="C:\Windows\TEMP\root_ca.cer" --cn="Warsaw Personal CA" --a="ui"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\warsaw_1132\certutil.exe"C:\Windows\TEMP\warsaw_1132\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.default-release" -n "Warsaw Personal CA"6⤵
- Executes dropped EXE
-
C:\Windows\TEMP\warsaw_1132\certutil.exe"C:\Windows\TEMP\warsaw_1132\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.Admin" -n "Warsaw Personal CA"6⤵
- Executes dropped EXE
-
C:\Windows\TEMP\warsaw_1132\certutil.exe"C:\Windows\TEMP\warsaw_1132\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.default-release" -n "Warsaw Personal CA" -t "TCu,Cu,Tuw" -i "C:\Windows\TEMP\root_ca.cer"6⤵
- Executes dropped EXE
-
C:\Windows\TEMP\warsaw_1132\certutil.exe"C:\Windows\TEMP\warsaw_1132\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.Admin" -n "Warsaw Personal CA" -t "TCu,Cu,Tuw" -i "C:\Windows\TEMP\root_ca.cer"6⤵
- Executes dropped EXE
-
C:\Program Files\Diebold\Warsaw\core.exe"C:\Program Files\Diebold\Warsaw\core.exe" --install-service4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\is-E65FC.tmp\impersonate.exe"C:\Windows\TEMP\is-E65FC.tmp\impersonate.exe" "C:\Program Files\Diebold\Warsaw\core.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Diebold\Warsaw\core.exe"C:\Program Files\Diebold\Warsaw\core.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Diebold\Warsaw\core.exe"C:\Program Files\Diebold\Warsaw\core.exe"4⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exe"sc.exe" start "Warsaw Technology"4⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c C:\Windows\TEMP\is-E65FC.tmp\check_core.bat4⤵
-
C:\Windows\system32\cmd.execmd /c tasklist /?5⤵
-
C:\Windows\system32\tasklist.exetasklist /?6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tasklist.exetasklist /FI "imagename eq core.exe"5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\find.exefind /C "core.exe"5⤵
-
C:\Program Files\Diebold\Warsaw\core.exe"C:\Program Files\Diebold\Warsaw\core.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Diebold\Warsaw\wsffcmgr.exe"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --cn="Warsaw Personal CA" --a="c"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\warsaw_976\certutil.exe"C:\Windows\TEMP\warsaw_976\certutil.exe" -O -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.default-release" -n "Warsaw Personal CA"3⤵
- Executes dropped EXE
-
C:\Windows\TEMP\warsaw_976\certutil.exe"C:\Windows\TEMP\warsaw_976\certutil.exe" -O -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.Admin" -n "Warsaw Personal CA"3⤵
- Executes dropped EXE
-
C:\Program Files\Diebold\Warsaw\wsffcmgr.exe"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --cn="Warsaw Personal CA" --a="e" --c="C:\Windows\TEMP\tmp.cr"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\warsaw_1792\certutil.exe"C:\Windows\TEMP\warsaw_1792\certutil.exe" -L -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tubambty.default-release" -n "Warsaw Personal CA" -a3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
476KB
-
memory/1376-173-0x0000000000000000-mapping.dmp
-
memory/1384-160-0x00000000FF601000-0x00000000FF603000-memory.dmpFilesize
8KB
-
memory/1384-159-0x0000000000000000-mapping.dmp
-
memory/1396-219-0x0000000000000000-mapping.dmp
-
memory/1496-158-0x0000000000000000-mapping.dmp
-
memory/1548-156-0x0000000000000000-mapping.dmp
-
memory/1604-169-0x0000000000000000-mapping.dmp
-
memory/1612-167-0x0000000000000000-mapping.dmp
-
memory/1620-96-0x000007FEFB991000-0x000007FEFB993000-memory.dmpFilesize
8KB
-
memory/1620-94-0x0000000000000000-mapping.dmp
-
memory/1632-163-0x0000000000000000-mapping.dmp
-
memory/1632-217-0x0000000000000000-mapping.dmp
-
memory/1636-218-0x0000000000000000-mapping.dmp
-
memory/1644-133-0x0000000000000000-mapping.dmp
-
memory/1656-166-0x0000000000000000-mapping.dmp
-
memory/1696-185-0x0000000000000000-mapping.dmp
-
memory/1784-222-0x0000000000000000-mapping.dmp
-
memory/1792-221-0x000000013F6E0000-0x000000013F769000-memory.dmpFilesize
548KB
-
memory/1792-220-0x0000000000000000-mapping.dmp
-
memory/1792-71-0x0000000000BB0000-0x0000000000DC7000-memory.dmpFilesize
2.1MB
-
memory/1792-69-0x0000000000000000-mapping.dmp
-
memory/1792-180-0x0000000000000000-mapping.dmp
-
memory/1792-181-0x000000013FF90000-0x0000000140097000-memory.dmpFilesize
1.0MB
-
memory/1820-179-0x0000000000000000-mapping.dmp
-
memory/1900-177-0x0000000000000000-mapping.dmp
-
memory/1916-215-0x0000000000000000-mapping.dmp
-
memory/1980-80-0x0000000000000000-mapping.dmp
-
memory/1980-92-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1988-131-0x0000000000000000-mapping.dmp
-
memory/1996-168-0x0000000000000000-mapping.dmp
-
memory/2016-176-0x0000000000000000-mapping.dmp
-
memory/2036-187-0x0000000000000000-mapping.dmp
-
memory/2036-201-0x000007FEF5080000-0x000007FEF50C8000-memory.dmpFilesize
288KB
-
memory/2036-195-0x000007FEF5220000-0x000007FEF568D000-memory.dmpFilesize
4.4MB
-
memory/2036-189-0x000000013FF90000-0x0000000140097000-memory.dmpFilesize
1.0MB
-
memory/2036-139-0x0000000000000000-mapping.dmp
-
memory/2036-204-0x000007FEF4E10000-0x000007FEF4ECA000-memory.dmpFilesize
744KB
-
memory/2036-146-0x000007FEF5E60000-0x000007FEF5ED7000-memory.dmpFilesize
476KB
-
memory/2036-203-0x000007FEF4F50000-0x000007FEF4FAC000-memory.dmpFilesize
368KB
-
memory/2036-191-0x000007FEF57C0000-0x000007FEF5891000-memory.dmpFilesize
836KB
-
memory/2036-199-0x000007FEF5160000-0x000007FEF51AE000-memory.dmpFilesize
312KB
-
memory/2036-197-0x000007FEF62B0000-0x000007FEF62DF000-memory.dmpFilesize
188KB