Analysis Overview
SHA256
ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec
Threat Level: Known bad
The file ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec was found to be: Known bad.
Malicious Activity Summary
RMS
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
autoit_exe
Drops file in Windows directory
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-28 18:14
Signatures
autoit_exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-28 18:14
Reported
2022-01-28 18:29
Platform
win7-en-20211208
Max time kernel
151s
Max time network
158s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe | N/A |
| N/A | N/A | C:\Windows\System86\sysdisk.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation | C:\Windows\System86\sysdisk.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation = "C:\\Windows\\System86\\sysdisk.exe" | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System86\vp8encoder.dll | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
| File created | C:\Windows\System86\vp8decoder.dll | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
| File created | C:\Windows\System86\sysdisk.exe | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System86\sysdisk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System86\sysdisk.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System86\sysdisk.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System86\sysdisk.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
| N/A | N/A | C:\Windows\System86\sysdisk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe
"C:\Users\Admin\AppData\Local\Temp\ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe"
C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe
"C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe"
C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe
"C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe"
C:\Windows\System86\sysdisk.exe
"C:\Windows\System86\sysdisk.exe"
C:\Windows\System86\sysdisk.exe
C:\Windows\System86\sysdisk.exe -second
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | unayt.ru | udp |
| RU | 91.227.18.139:80 | unayt.ru | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-28 18:14
Reported
2022-01-28 18:30
Platform
win10-en-20211208
Max time kernel
164s
Max time network
173s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe | N/A |
| N/A | N/A | C:\Windows\System86\sysdisk.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation | C:\Windows\System86\sysdisk.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation = "C:\\Windows\\System86\\sysdisk.exe" | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System86\vp8decoder.dll | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
| File created | C:\Windows\System86\sysdisk.exe | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
| File created | C:\Windows\System86\vp8encoder.dll | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System86\sysdisk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall" | C:\Windows\System86\sysdisk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System86\sysdisk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System86\sysdisk.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System86\sysdisk.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System86\sysdisk.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe | N/A |
| N/A | N/A | C:\Windows\System86\sysdisk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe
"C:\Users\Admin\AppData\Local\Temp\ced3bf40fca4a8a4d951b58b45613ccab4364076003647d80d6ee9a8779b6eec.exe"
C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe
"C:\Users\Admin\AppData\Roaming\Z41829519\Flooderast.exe"
C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe
"C:\Users\Admin\AppData\Roaming\Z41829519\Flooderaсt.exe"
C:\Windows\System86\sysdisk.exe
"C:\Windows\System86\sysdisk.exe"
C:\Windows\System86\sysdisk.exe
C:\Windows\System86\sysdisk.exe -second
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 8.8.8.8:53 | unayt.ru | udp |
| RU | 91.227.18.139:80 | unayt.ru | tcp |
Files