Analysis
-
max time kernel
167s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
17-02-2022 07:30
Static task
static1
Behavioral task
behavioral1
Sample
ORDER_96.exe
Resource
win7-en-20211208
General
-
Target
ORDER_96.exe
-
Size
292KB
-
MD5
d279a9125327264ffc89fb5cb4d8e433
-
SHA1
44ec118059baa04d7f812ed30f52b15aa138b181
-
SHA256
e9fe0fe5cd5d59f973f1ea299c3476fbbd9e6a95f44509854286f584a313837c
-
SHA512
eb7d2a41cb461af28f961f4ae903d56bf730f3307e2bab1e91ac7e4b1b7ab6289f00ee2463f8d2477b9ffaba6e2667ff424628cf2dbc92a88716da98cd9c2db2
Malware Config
Extracted
xloader
2.5
uar3
sgadvocats.com
mjscannabus.com
hilldaley.com
ksdollhouse.com
hotgiftboutique.com
purebloodsmeet.com
relaunched.info
cap-glove.com
productcollection.store
fulikyy.xyz
remoteaviationjobs.com
bestcleancrystal.com
virtualorganizationpartner.com
bookgocar.com
hattuafhv.quest
makonigroup.com
officecom-myaccount.com
malgorzata-lac.com
e-learningeducators.com
hygilaur.com
kgv-lachswehr.com
salazarcomunicacion.com
robopython.com
corporateequity.online
complianceservicegroup.com
aperza-ex.com
webflowusa.com
asesoriasfinancieras.xyz
missolivesbranches.com
numiquest.com
criskconsultancy.com
gotemup.com
themaptalk.com
lakebalboahalf.com
cateringfrenchcroissant.com
paddocklakerealestate.com
lojaquerosurprezza.store
courtneywhitearmusic.com
geovannimaquinadevendas.online
pricklypairjazz.com
engagedigi.com
conduitforthespirit.com
anaheimaletrail.com
wholesalemall.store
alertsbecu.com
gestion-kayfra.com
youcanstores.com
qsuo.net
formadv.info
dihesia.xyz
carrreir.com
twenteeminuteswithtee.com
realliferenewal.com
officialprokodsukses.icu
stanfordgrouploscabos.com
maxicashpromir.xyz
zysqshjs.com
trc-clicks.com
chsclbd.com
amdproduce.net
republicoflies.com
beaux-parents.com
lucrativeapp.com
milbombas.com
alexanderplaywear.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3056-135-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/2480-143-0x0000000002F70000-0x0000000002F99000-memory.dmp xloader -
Executes dropped EXE 2 IoCs
Processes:
xzwgzw.exexzwgzw.exepid process 3472 xzwgzw.exe 3056 xzwgzw.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
xzwgzw.exexzwgzw.exesystray.exedescription pid process target process PID 3472 set thread context of 3056 3472 xzwgzw.exe xzwgzw.exe PID 3056 set thread context of 2412 3056 xzwgzw.exe Explorer.EXE PID 2480 set thread context of 2412 2480 systray.exe Explorer.EXE -
Drops file in Windows directory 3 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
MusNotifyIcon.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Modifies data under HKEY_USERS 49 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.347959" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4084" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132897331761912752" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4192" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.186289" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe -
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes:
xzwgzw.exesystray.exepid process 3056 xzwgzw.exe 3056 xzwgzw.exe 3056 xzwgzw.exe 3056 xzwgzw.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe 2480 systray.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2412 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
xzwgzw.exesystray.exepid process 3056 xzwgzw.exe 3056 xzwgzw.exe 3056 xzwgzw.exe 2480 systray.exe 2480 systray.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
xzwgzw.exeExplorer.EXEsystray.exeTiWorker.exedescription pid process Token: SeDebugPrivilege 3056 xzwgzw.exe Token: SeShutdownPrivilege 2412 Explorer.EXE Token: SeCreatePagefilePrivilege 2412 Explorer.EXE Token: SeShutdownPrivilege 2412 Explorer.EXE Token: SeCreatePagefilePrivilege 2412 Explorer.EXE Token: SeShutdownPrivilege 2412 Explorer.EXE Token: SeCreatePagefilePrivilege 2412 Explorer.EXE Token: SeShutdownPrivilege 2412 Explorer.EXE Token: SeCreatePagefilePrivilege 2412 Explorer.EXE Token: SeDebugPrivilege 2480 systray.exe Token: SeShutdownPrivilege 2412 Explorer.EXE Token: SeCreatePagefilePrivilege 2412 Explorer.EXE Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe Token: SeRestorePrivilege 1336 TiWorker.exe Token: SeSecurityPrivilege 1336 TiWorker.exe Token: SeBackupPrivilege 1336 TiWorker.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 2412 Explorer.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
ORDER_96.exexzwgzw.exeExplorer.EXEsystray.exedescription pid process target process PID 2800 wrote to memory of 3472 2800 ORDER_96.exe xzwgzw.exe PID 2800 wrote to memory of 3472 2800 ORDER_96.exe xzwgzw.exe PID 2800 wrote to memory of 3472 2800 ORDER_96.exe xzwgzw.exe PID 3472 wrote to memory of 3056 3472 xzwgzw.exe xzwgzw.exe PID 3472 wrote to memory of 3056 3472 xzwgzw.exe xzwgzw.exe PID 3472 wrote to memory of 3056 3472 xzwgzw.exe xzwgzw.exe PID 3472 wrote to memory of 3056 3472 xzwgzw.exe xzwgzw.exe PID 3472 wrote to memory of 3056 3472 xzwgzw.exe xzwgzw.exe PID 3472 wrote to memory of 3056 3472 xzwgzw.exe xzwgzw.exe PID 2412 wrote to memory of 2480 2412 Explorer.EXE systray.exe PID 2412 wrote to memory of 2480 2412 Explorer.EXE systray.exe PID 2412 wrote to memory of 2480 2412 Explorer.EXE systray.exe PID 2480 wrote to memory of 1360 2480 systray.exe cmd.exe PID 2480 wrote to memory of 1360 2480 systray.exe cmd.exe PID 2480 wrote to memory of 1360 2480 systray.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ORDER_96.exe"C:\Users\Admin\AppData\Local\Temp\ORDER_96.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xzwgzw.exeC:\Users\Admin\AppData\Local\Temp\xzwgzw.exe C:\Users\Admin\AppData\Local\Temp\mxshkert3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\xzwgzw.exeC:\Users\Admin\AppData\Local\Temp\xzwgzw.exe C:\Users\Admin\AppData\Local\Temp\mxshkert4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\xzwgzw.exe"3⤵
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\mxshkertMD5
ecae5b2d514c5d78472341570216ae00
SHA1c227b039d526acee4c8310138820d956543cfd52
SHA256a53679722d3dab88ce636d6efbf4fca91f24ae2e34f6a633dfd107a1c7723f06
SHA512d4f13fe75c874332552a6a57b1a86fafd2c66e002a2c9e242371c595944dce1b9e9699c912ae830248aae0ba5430a4e5e9a10146829be7816dd3b0c889cd17df
-
C:\Users\Admin\AppData\Local\Temp\wmlxw2s6yb6fbgobz89MD5
8ae6f143b01998893484a3eb06aaa969
SHA10d4515474c8c3639b96e67bc090db1d832e4381c
SHA2565cc34c8ae785417bd302ce53e97a54823a5e4797e1e96611a3b0fc46d452fff1
SHA5127016250f2791e4432a00fa8317cff22a6ab75dc0b7786d59528aac6ebac1ee38b7dcd06ba6ed5fd57f6f2107035a1d728a5d085781c7a3dbe6d53f1d3b24e881
-
C:\Users\Admin\AppData\Local\Temp\xzwgzw.exeMD5
74cf59e346807c24e3fef93eacf51f5d
SHA12fbff632cad3892cd1629efd93bafaf9ccb2dd2c
SHA256081c10a061264fada3e087f2e6a1b7215872c540daa00960a5c12ebaa53bbfb8
SHA5125a192fea94ecab5bf59c1fc61e5f8c7f650f3a6912d9f54dbe9abbb0dbc228bd24dd12ddd15d127089881885ea1d04d45ef8f8fe9003a82282c640755fe90a4d
-
C:\Users\Admin\AppData\Local\Temp\xzwgzw.exeMD5
74cf59e346807c24e3fef93eacf51f5d
SHA12fbff632cad3892cd1629efd93bafaf9ccb2dd2c
SHA256081c10a061264fada3e087f2e6a1b7215872c540daa00960a5c12ebaa53bbfb8
SHA5125a192fea94ecab5bf59c1fc61e5f8c7f650f3a6912d9f54dbe9abbb0dbc228bd24dd12ddd15d127089881885ea1d04d45ef8f8fe9003a82282c640755fe90a4d
-
C:\Users\Admin\AppData\Local\Temp\xzwgzw.exeMD5
74cf59e346807c24e3fef93eacf51f5d
SHA12fbff632cad3892cd1629efd93bafaf9ccb2dd2c
SHA256081c10a061264fada3e087f2e6a1b7215872c540daa00960a5c12ebaa53bbfb8
SHA5125a192fea94ecab5bf59c1fc61e5f8c7f650f3a6912d9f54dbe9abbb0dbc228bd24dd12ddd15d127089881885ea1d04d45ef8f8fe9003a82282c640755fe90a4d
-
memory/2412-146-0x0000000008990000-0x0000000008B16000-memory.dmpFilesize
1.5MB
-
memory/2412-141-0x0000000008DA0000-0x0000000008F49000-memory.dmpFilesize
1.7MB
-
memory/2480-142-0x0000000000E60000-0x0000000000E66000-memory.dmpFilesize
24KB
-
memory/2480-145-0x0000000004EE0000-0x0000000004F70000-memory.dmpFilesize
576KB
-
memory/2480-144-0x00000000050B0000-0x00000000053FA000-memory.dmpFilesize
3.3MB
-
memory/2480-143-0x0000000002F70000-0x0000000002F99000-memory.dmpFilesize
164KB
-
memory/3056-139-0x000000000041D000-0x000000000041E000-memory.dmpFilesize
4KB
-
memory/3056-140-0x00000000008E0000-0x00000000008F1000-memory.dmpFilesize
68KB
-
memory/3056-137-0x0000000000970000-0x0000000000CBA000-memory.dmpFilesize
3.3MB
-
memory/3056-135-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/3472-134-0x0000000000470000-0x0000000000472000-memory.dmpFilesize
8KB