Analysis
- max time kernel: 167s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 08-02-2022 03:01

Static task: static1
Behavioral task: behavioral1 (sample PO_Invoices_pdf.exe, resource win7-en-20211208)
Behavioral task: behavioral2 (sample PO_Invoices_pdf.exe, resource win10v2004-en-20220113)
General
- Target: PO_Invoices_pdf.exe
- Size: 1.6MB
- MD5: 59d7d8d5dd3e0055e7c0dcc75897f569
- SHA1: b249b28d088d54e971e2d9d8b2688440f8e6d513
- SHA256: ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
- SHA512: 79ebc2a128d018eb7e71b254fdd2fa72deae18081f1732619046e1db9d1aee92f7529521c005a5f861275afcbda3a39fd304cd5e1a49df848675460c5cf8f30d
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Matiex Main Payload (5 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp | family_matiex
  behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp | family_matiex
  C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe | family_matiex
  C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe | family_matiex
  behavioral2/memory/1688-375-0x0000000000500000-0x0000000000576000-memory.dmp | family_matiex

- AgentTesla Payload (7 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp | family_agenttesla
  behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp | family_agenttesla
  C:\Users\Admin\AppData\Local\Temp\origigoods40.exe | family_agenttesla
  C:\Users\Admin\AppData\Local\Temp\origigoods40.exe | family_agenttesla
  behavioral2/memory/4760-371-0x0000000000E30000-0x0000000000E6C000-memory.dmp | family_agenttesla
  C:\Users\Admin\AppData\Local\Temp\origigoods20.exe | family_agenttesla
  C:\Users\Admin\AppData\Local\Temp\origigoods20.exe | family_agenttesla

- Beds Protector Packer (1 IoC)
  Detects Beds Protector packer used to load .NET malware.
  Processes (resource | yara_rule):
  behavioral2/memory/1320-130-0x00000000007D0000-0x000000000096A000-memory.dmp | beds_protector

- NirSoft MailPassView (4 IoCs)
  Password recovery tool for various email clients
  Processes (resource | yara_rule):
  behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp | MailPassView
  behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp | MailPassView
  C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe | MailPassView
  C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe | MailPassView

- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  Processes (resource | yara_rule):
  behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp | WebBrowserPassView
  behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp | WebBrowserPassView
  C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe | WebBrowserPassView
  C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe | WebBrowserPassView

- Nirsoft (4 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp | Nirsoft
  behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp | Nirsoft
  C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe | Nirsoft
  C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe | Nirsoft

- Executes dropped EXE (4 IoCs)
  Processes (pid | process):
  4708 | hawkgoods.exe
  4760 | origigoods40.exe
  1688 | Matiexgoods.exe
  2948 | origigoods20.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | RegAsm.exe

- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Powershell.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe | Powershell.exe

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Matiexgoods.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Matiexgoods.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Matiexgoods.exe

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
  38 | checkip.dyndns.org
  43 | freegeoip.app
  44 | freegeoip.app
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 1320 set thread context of 4332 | 1320 | PO_Invoices_pdf.exe | RegAsm.exe

- Drops file in Windows directory (8 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
  File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (1 IoC)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid | process | occurrences):
  1320 | PO_Invoices_pdf.exe | 6
  1372 | Powershell.exe | 2
  4760 | origigoods40.exe | 2
  1688 | Matiexgoods.exe | 1

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid | process):
  1688 | Matiexgoods.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (token | pid | process | occurrences):
  SeDebugPrivilege | 1320 | PO_Invoices_pdf.exe | 1
  SeDebugPrivilege | 1372 | Powershell.exe | 1
  SeDebugPrivilege | 4760 | origigoods40.exe | 1
  SeDebugPrivilege | 1688 | Matiexgoods.exe | 1
  SeShutdownPrivilege | 3708 | svchost.exe | 3
  SeCreatePagefilePrivilege | 3708 | svchost.exe | 3
  SeSecurityPrivilege | 1900 | TiWorker.exe | 18
  SeRestorePrivilege | 1900 | TiWorker.exe | 18
  SeBackupPrivilege | 1900 | TiWorker.exe | 18
  (The svchost.exe entries alternate between SeShutdownPrivilege and SeCreatePagefilePrivilege; the TiWorker.exe entries cycle through SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege.)

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
  4332 | RegAsm.exe
  1688 | Matiexgoods.exe

- Suspicious use of WriteProcessMemory (44 IoCs)
  Processes (description | pid | process | target process | occurrences):
  PID 1320 wrote to memory of 1372 | 1320 | PO_Invoices_pdf.exe | Powershell.exe | 3
  PID 1320 wrote to memory of 956 | 1320 | PO_Invoices_pdf.exe | RegAsm.exe | 3
  PID 1320 wrote to memory of 3876 | 1320 | PO_Invoices_pdf.exe | RegAsm.exe | 3
  PID 1320 wrote to memory of 2456 | 1320 | PO_Invoices_pdf.exe | RegAsm.exe | 3
  PID 1320 wrote to memory of 4332 | 1320 | PO_Invoices_pdf.exe | RegAsm.exe | 7
  PID 4332 wrote to memory of 4708 | 4332 | RegAsm.exe | hawkgoods.exe | 3
  PID 4708 wrote to memory of 2244 | 4708 | hawkgoods.exe | fondue.exe | 3
  PID 4332 wrote to memory of 4760 | 4332 | RegAsm.exe | origigoods40.exe | 3
  PID 4332 wrote to memory of 1688 | 4332 | RegAsm.exe | Matiexgoods.exe | 3
  PID 4332 wrote to memory of 2948 | 4332 | RegAsm.exe | origigoods20.exe | 3
  PID 2948 wrote to memory of 2316 | 2948 | origigoods20.exe | fondue.exe | 3
  PID 2244 wrote to memory of 2884 | 2244 | fondue.exe | FonDUE.EXE | 2
  PID 2316 wrote to memory of 3404 | 2316 | fondue.exe | FonDUE.EXE | 2
  PID 1688 wrote to memory of 1192 | 1688 | Matiexgoods.exe | netsh.exe | 3
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Matiexgoods.exe

- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Matiexgoods.exe
Processes
(Process tree. The number in brackets is the depth of the process in the tree; each entry gives the image path, the command line, and the signatures triggered by that process.)

[1] C:\Users\Admin\AppData\Local\Temp\PO_Invoices_pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO_Invoices_pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        Command line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\PO_Invoices_pdf.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
        - Drops startup file
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Checks computer location settings
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe" 0
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\fondue.exe
                Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\FonDUE.EXE
                    Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

        [3] C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\origigoods40.exe" 0
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe" 0
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - outlook_office_path
            - outlook_win_path

            [4] C:\Windows\SysWOW64\netsh.exe
                Command line: "netsh" wlan show profile

        [3] C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\origigoods20.exe" 0
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\fondue.exe
                Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\FonDUE.EXE
                    Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    - Modifies data under HKEY_USERS

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
    Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
  MD5: 80c61b903400b534858d047dd0919f0e
  SHA1: d0ab5400b74392308140642c75f0897e16a88d60
  SHA256: 25ade9899c000a27570b527cffc938ec9626978219ec8a086082b113cbe4f492
  SHA512: b3216f0e4e95c7f50bccba5fdcca2ad622a42379383be855546fa1e0bac41a6beea8226f8634ad5e0d8596169e0443494018bbe70b7052f094402aecaa038bce
- C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
  MD5: ffdb58533d5d1362e896e96fb6f02a95
  SHA1: d6e4a3ca253bfc372a9a3180b5887c716ed285c6
  SHA256: b3d02fd5c69293db419ac03cdf6396bd5e7765682fb3b2390454d9a52ba2ca88
  SHA512: 3ae6e49d3d728531201453a0bc27436b1a4305c8ef938b2cbb5e34ee45bb9a9a88cf2a41b08e4914fda9a96bbaa48bd999a2d2f1dffcd39761bb1f3620ca725f
- C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
  MD5: 61dc57c6575e1f3f2ae14c1b332ad2fb
  SHA1: f52f34623048e5fd720e97a72eedfd32358cd3a9
  SHA256: 1c7757ee223f2480fbc478ae2ecaf82e1d3c17f2e4d47581d3972416166c54ab
  SHA512: 81a7db927f53660d3a04a161d5c18aab17d676bcc7ae0738ab786d9bee82b91016e54e6f70428aec4087961744be89b1511f9e07d8dabbe5c2a9d836722395a1
- C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
  MD5: ae36f0d16230b9f41ffecbd3c5b1d660
  SHA1: 88afc2923d1eefb70bad3c0cd9304949954377ef
  SHA256: cfad1e486666ff3fb042ba0e9967634de1065f1bbd505c61b3295e55705a2a50
  SHA512: 1e98aee7dc693822113dcde1446a5bed1c564b76eef39f39f3a5d98d7d2099cf69ac92717a3297afc7082203929f1e9437f21cb6bc690974a0ef6d6cf6e4393c
Memory dumps (resource, Filesize):
- memory/1320-134-0x0000000005420000-0x0000000005432000-memory.dmp (72KB)
- memory/1320-214-0x0000000005380000-0x0000000005924000-memory.dmp (5.6MB)
- memory/1320-291-0x0000000009260000-0x00000000092FC000-memory.dmp (624KB)
- memory/1320-130-0x00000000007D0000-0x000000000096A000-memory.dmp (1.6MB)
- memory/1320-136-0x0000000005730000-0x000000000573A000-memory.dmp (40KB)
- memory/1320-135-0x0000000005380000-0x0000000005924000-memory.dmp (5.6MB)
- memory/1320-133-0x0000000005380000-0x0000000005412000-memory.dmp (584KB)
- memory/1320-132-0x0000000005930000-0x0000000005ED4000-memory.dmp (5.6MB)
- memory/1320-131-0x0000000074F90000-0x0000000075740000-memory.dmp (7.7MB)
- memory/1372-357-0x0000000004D30000-0x0000000004D31000-memory.dmp (4KB)
- memory/1372-361-0x0000000005C50000-0x0000000005CB6000-memory.dmp (408KB)
- memory/1372-362-0x0000000005D30000-0x0000000005D96000-memory.dmp (408KB)
- memory/1372-360-0x0000000005B20000-0x0000000005B42000-memory.dmp (136KB)
- memory/1372-366-0x0000000006300000-0x000000000631E000-memory.dmp (120KB)
- memory/1372-359-0x00000000053F0000-0x0000000005A18000-memory.dmp (6.2MB)
- memory/1372-358-0x0000000004D32000-0x0000000004D33000-memory.dmp (4KB)
- memory/1372-356-0x0000000074F90000-0x0000000075740000-memory.dmp (7.7MB)
- memory/1372-381-0x00000000074F0000-0x0000000007586000-memory.dmp (600KB)
- memory/1372-354-0x0000000004D80000-0x0000000004DB6000-memory.dmp (216KB)
- memory/1372-382-0x0000000006810000-0x000000000682A000-memory.dmp (104KB)
- memory/1372-383-0x0000000006860000-0x0000000006882000-memory.dmp (136KB)
- memory/1688-375-0x0000000000500000-0x0000000000576000-memory.dmp (472KB)
- memory/1688-379-0x0000000074F90000-0x0000000075740000-memory.dmp (7.7MB)
- memory/1688-380-0x0000000002900000-0x000000000299C000-memory.dmp (624KB)
- memory/1688-391-0x0000000006C50000-0x0000000006E12000-memory.dmp (1.8MB)
- memory/1688-393-0x0000000002900000-0x000000000299C000-memory.dmp (624KB)
- memory/2044-138-0x000002051DAD0000-0x000002051DAE0000-memory.dmp (64KB)
- memory/2044-137-0x000002051DA70000-0x000002051DA80000-memory.dmp (64KB)
- memory/3708-392-0x000001E71F510000-0x000001E71F514000-memory.dmp (16KB)
- memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp (1.4MB)
- memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp (1.4MB)
- memory/4760-372-0x0000000074F90000-0x0000000075740000-memory.dmp (7.7MB)
- memory/4760-371-0x0000000000E30000-0x0000000000E6C000-memory.dmp (240KB)
- memory/4760-378-0x00000000055F0000-0x0000000005B94000-memory.dmp (5.6MB)