Analysis
- max time kernel: 181s
- max time network: 201s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 08-02-2022 01:08

Static task: static1

Behavioral task: behavioral1
- Sample: Orders.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: Orders.exe
- Resource: win10v2004-en-20220113
General
- Target: Orders.exe
- Size: 1.6MB
- MD5: e85daf3a43f107b213310a53bfd35aa9
- SHA1: 042208c7a232b806c6382e34417f9c8e2a955747
- SHA256: 0b1fbc81d9d9e685307e80d20afe4b01c6538b903b77136b0d1db2486fe8c6e8
- SHA512: 29688e0fe124802b3317355e9836864147e56f6e1d47f702f88ea36df813f0eb388818ead042c4463619e17bd5ec295d4cfc4f0caa2c2dbd90edd22b2277ec7d
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Matiex Main Payload (7 IoCs)
  Processes:
    resource  yara_rule
    behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp  family_matiex
    behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp  family_matiex
    C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe  family_matiex
    C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe  family_matiex
    behavioral2/memory/4124-161-0x0000000000210000-0x0000000000286000-memory.dmp  family_matiex
    behavioral2/memory/3604-162-0x0000000004A20000-0x0000000004FC4000-memory.dmp  family_matiex
    behavioral2/memory/4124-164-0x0000000004B90000-0x0000000005134000-memory.dmp  family_matiex
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description  pid  process  target process
    PID 4684 created 4264  4684  WerFault.exe  Orders.exe
- AgentTesla Payload (7 IoCs)
  Processes:
    resource  yara_rule
    behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp  family_agenttesla
    behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp  family_agenttesla
    C:\Users\Admin\AppData\Local\Temp\origigoods40.exe  family_agenttesla
    C:\Users\Admin\AppData\Local\Temp\origigoods40.exe  family_agenttesla
    behavioral2/memory/3604-157-0x0000000000250000-0x000000000028C000-memory.dmp  family_agenttesla
    C:\Users\Admin\AppData\Local\Temp\origigoods20.exe  family_agenttesla
    C:\Users\Admin\AppData\Local\Temp\origigoods20.exe  family_agenttesla
- Beds Protector Packer (1 IoC)
  Detects the Beds Protector packer used to load .NET malware.
  Processes:
    resource  yara_rule
    behavioral2/memory/4264-131-0x0000000000830000-0x00000000009C4000-memory.dmp  beds_protector
- NirSoft MailPassView (4 IoCs)
  Password recovery tool for various email clients.
  Processes:
    resource  yara_rule
    behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp  MailPassView
    behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp  MailPassView
    C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe  MailPassView
    C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe  MailPassView
- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers.
  Processes:
    resource  yara_rule
    behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp  WebBrowserPassView
    behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp  WebBrowserPassView
    C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe  WebBrowserPassView
    C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe  WebBrowserPassView
- Nirsoft (4 IoCs)
  Processes:
    resource  yara_rule
    behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp  Nirsoft
    behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp  Nirsoft
    C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe  Nirsoft
    C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe  Nirsoft
- Executes dropped EXE (4 IoCs)
  Processes:
    pid  process
    3560  hawkgoods.exe
    3604  origigoods40.exe
    4124  Matiexgoods.exe
    3320  origigoods20.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description  ioc  process
    Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  RegAsm.exe
- Drops startup file (2 IoCs)
  Processes:
    description  ioc  process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe  Powershell.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe  Powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
  Processes:
    description  ioc  process
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Matiexgoods.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  origigoods40.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  origigoods40.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  origigoods40.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Matiexgoods.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Matiexgoods.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    51  freegeoip.app
    52  freegeoip.app
    49  checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description  pid  process  target process
    PID 4264 set thread context of 4836  4264  Orders.exe  RegAsm.exe
- Drops file in Windows directory (8 IoCs)
  Processes:
    description  ioc  process
    File opened for modification  C:\Windows\WindowsUpdate.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm  svchost.exe
    File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log  svchost.exe
    File opened for modification  C:\Windows\Logs\CBS\CBS.log  TiWorker.exe
    File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    pid  pid_target  process  target process
    3080  4264  WerFault.exe  Orders.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description  ioc  process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  WerFault.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
    Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  WerFault.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes:
    description  ioc  process
    Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS  WerFault.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
    pid  process
    2300  Powershell.exe
    4264  Orders.exe
    4264  Orders.exe
    2300  Powershell.exe
    3604  origigoods40.exe
    3604  origigoods40.exe
    4124  Matiexgoods.exe
    3080  WerFault.exe
    3080  WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid  process
    4124  Matiexgoods.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description  pid  process
    Token: SeDebugPrivilege  2300  Powershell.exe
    Token: SeDebugPrivilege  4264  Orders.exe
    Token: SeDebugPrivilege  3604  origigoods40.exe
    Token: SeRestorePrivilege  3080  WerFault.exe
    Token: SeBackupPrivilege  3080  WerFault.exe
    Token: SeDebugPrivilege  4124  Matiexgoods.exe
    Token: SeShutdownPrivilege  4652  svchost.exe
    Token: SeCreatePagefilePrivilege  4652  svchost.exe
    Token: SeShutdownPrivilege  4652  svchost.exe
    Token: SeCreatePagefilePrivilege  4652  svchost.exe
    Token: SeShutdownPrivilege  4652  svchost.exe
    Token: SeCreatePagefilePrivilege  4652  svchost.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
    Token: SeRestorePrivilege  2348  TiWorker.exe
    Token: SeSecurityPrivilege  2348  TiWorker.exe
    Token: SeBackupPrivilege  2348  TiWorker.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid  process
    4836  RegAsm.exe
    4124  Matiexgoods.exe
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes:
    description  pid  process  target process
    PID 4264 wrote to memory of 2300  4264  Orders.exe  Powershell.exe
    PID 4264 wrote to memory of 2300  4264  Orders.exe  Powershell.exe
    PID 4264 wrote to memory of 2300  4264  Orders.exe  Powershell.exe
    PID 4264 wrote to memory of 796  4264  Orders.exe  RegAsm.exe
    PID 4264 wrote to memory of 796  4264  Orders.exe  RegAsm.exe
    PID 4264 wrote to memory of 796  4264  Orders.exe  RegAsm.exe
    PID 4264 wrote to memory of 4836  4264  Orders.exe  RegAsm.exe
    PID 4264 wrote to memory of 4836  4264  Orders.exe  RegAsm.exe
    PID 4264 wrote to memory of 4836  4264  Orders.exe  RegAsm.exe
    PID 4264 wrote to memory of 4836  4264  Orders.exe  RegAsm.exe
    PID 4264 wrote to memory of 4836  4264  Orders.exe  RegAsm.exe
    PID 4264 wrote to memory of 4836  4264  Orders.exe  RegAsm.exe
    PID 4264 wrote to memory of 4836  4264  Orders.exe  RegAsm.exe
    PID 4684 wrote to memory of 4264  4684  WerFault.exe  Orders.exe
    PID 4684 wrote to memory of 4264  4684  WerFault.exe  Orders.exe
    PID 4836 wrote to memory of 3560  4836  RegAsm.exe  hawkgoods.exe
    PID 4836 wrote to memory of 3560  4836  RegAsm.exe  hawkgoods.exe
    PID 4836 wrote to memory of 3560  4836  RegAsm.exe  hawkgoods.exe
    PID 3560 wrote to memory of 3600  3560  hawkgoods.exe  fondue.exe
    PID 3560 wrote to memory of 3600  3560  hawkgoods.exe  fondue.exe
    PID 3560 wrote to memory of 3600  3560  hawkgoods.exe  fondue.exe
    PID 4836 wrote to memory of 3604  4836  RegAsm.exe  origigoods40.exe
    PID 4836 wrote to memory of 3604  4836  RegAsm.exe  origigoods40.exe
    PID 4836 wrote to memory of 3604  4836  RegAsm.exe  origigoods40.exe
    PID 4836 wrote to memory of 4124  4836  RegAsm.exe  Matiexgoods.exe
    PID 4836 wrote to memory of 4124  4836  RegAsm.exe  Matiexgoods.exe
    PID 4836 wrote to memory of 4124  4836  RegAsm.exe  Matiexgoods.exe
    PID 4836 wrote to memory of 3320  4836  RegAsm.exe  origigoods20.exe
    PID 4836 wrote to memory of 3320  4836  RegAsm.exe  origigoods20.exe
    PID 4836 wrote to memory of 3320  4836  RegAsm.exe  origigoods20.exe
    PID 3320 wrote to memory of 3540  3320  origigoods20.exe  fondue.exe
    PID 3320 wrote to memory of 3540  3320  origigoods20.exe  fondue.exe
    PID 3320 wrote to memory of 3540  3320  origigoods20.exe  fondue.exe
    PID 3600 wrote to memory of 1464  3600  fondue.exe  FonDUE.EXE
    PID 3600 wrote to memory of 1464  3600  fondue.exe  FonDUE.EXE
    PID 3540 wrote to memory of 4752  3540  fondue.exe  FonDUE.EXE
    PID 3540 wrote to memory of 4752  3540  fondue.exe  FonDUE.EXE
    PID 4124 wrote to memory of 3388  4124  Matiexgoods.exe  netsh.exe
    PID 4124 wrote to memory of 3388  4124  Matiexgoods.exe  netsh.exe
    PID 4124 wrote to memory of 3388  4124  Matiexgoods.exe  netsh.exe
- outlook_office_path (1 IoC)
  Processes:
    description  ioc  process
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  origigoods40.exe
- outlook_win_path (1 IoC)
  Processes:
    description  ioc  process
    Key opened  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  origigoods40.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Orders.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Orders.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Command line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Orders.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe" 0
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fondue.exe
        Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\FonDUE.EXE
          Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    - C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\origigoods40.exe" 0
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
    - C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe" 0
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe
        Command line: "netsh" wlan show profile
    - C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\origigoods20.exe" 0
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fondue.exe
        Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\FonDUE.EXE
          Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1108
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4264 -ip 4264
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
  MD5: 80c61b903400b534858d047dd0919f0e
  SHA1: d0ab5400b74392308140642c75f0897e16a88d60
  SHA256: 25ade9899c000a27570b527cffc938ec9626978219ec8a086082b113cbe4f492
  SHA512: b3216f0e4e95c7f50bccba5fdcca2ad622a42379383be855546fa1e0bac41a6beea8226f8634ad5e0d8596169e0443494018bbe70b7052f094402aecaa038bce
- C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
  MD5: ffdb58533d5d1362e896e96fb6f02a95
  SHA1: d6e4a3ca253bfc372a9a3180b5887c716ed285c6
  SHA256: b3d02fd5c69293db419ac03cdf6396bd5e7765682fb3b2390454d9a52ba2ca88
  SHA512: 3ae6e49d3d728531201453a0bc27436b1a4305c8ef938b2cbb5e34ee45bb9a9a88cf2a41b08e4914fda9a96bbaa48bd999a2d2f1dffcd39761bb1f3620ca725f
- C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
  MD5: 61dc57c6575e1f3f2ae14c1b332ad2fb
  SHA1: f52f34623048e5fd720e97a72eedfd32358cd3a9
  SHA256: 1c7757ee223f2480fbc478ae2ecaf82e1d3c17f2e4d47581d3972416166c54ab
  SHA512: 81a7db927f53660d3a04a161d5c18aab17d676bcc7ae0738ab786d9bee82b91016e54e6f70428aec4087961744be89b1511f9e07d8dabbe5c2a9d836722395a1
- C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
  MD5: ae36f0d16230b9f41ffecbd3c5b1d660
  SHA1: 88afc2923d1eefb70bad3c0cd9304949954377ef
  SHA256: cfad1e486666ff3fb042ba0e9967634de1065f1bbd505c61b3295e55705a2a50
  SHA512: 1e98aee7dc693822113dcde1446a5bed1c564b76eef39f39f3a5d98d7d2099cf69ac92717a3297afc7082203929f1e9437f21cb6bc690974a0ef6d6cf6e4393c