Resubmissions
06-12-2022 06:08 | 221206-gv8f5sba24 | 10
06-12-2022 05:49 | 221206-gh9tfaaa63 | 10
06-12-2022 05:35 | 221206-gae9vshe77 | 10
01-12-2022 10:00 | 221201-l1rsssbf9y | 10
Analysis
-
max time kernel
1601s
-
max time network
1610s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
06-12-2022 06:08
Static task
static1
Behavioral task
behavioral1
Sample
43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe
Resource
win7-20220812-en
General
-
Target
43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe
-
Size
811KB
-
MD5
ba9aadaadc270f2311dc84a4c33c3a8e
-
SHA1
ea2bc535baa5f3d9efae8df9a1928f557c72b863
-
SHA256
43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9
-
SHA512
33ec365aa550cd7c7d99055c5d7f434f2e65541ccdde1a4665f74e64050f42cb9fbb3f64ec09793805e0e1792e1dcd9288eb7580fa5fe8a4f21b874c0ed0d6f4
-
SSDEEP
12288:GkTDYsZ1DX/VDJtV7NuswRlClEl7xoDMvu/R9OPgpB0IOJc0:GyDYkMnoSLIMG/CPgT0Bc0
Malware Config
Extracted
formbook
4.1
d0a7
Signatures
-
Formbook payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2004-144-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2004-149-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/3560-159-0x0000000000B00000-0x0000000000B2F000-memory.dmp | formbook
behavioral2/memory/3560-169-0x0000000000B00000-0x0000000000B2F000-memory.dmp | formbook
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: systray.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | systray.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\_ZU4ANCXO8W = "C:\\Program Files (x86)\\Pfnhp5\\nf8xwdz0zhht-6n.exe" | systray.exe
-
Executes dropped EXE 1 IoCs
Processes: nf8xwdz0zhht-6n.exe
pid | process
1300 | nf8xwdz0zhht-6n.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes: 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe, RegSvcs.exe, systray.exe
description | pid | process | target process
PID 1648 set thread context of 2004 | 1648 | 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe | RegSvcs.exe
PID 2004 set thread context of 2152 | 2004 | RegSvcs.exe | Explorer.EXE
PID 3560 set thread context of 2152 | 3560 | systray.exe | Explorer.EXE
-
Drops file in Program Files directory 4 IoCs
Processes: systray.exe, Explorer.EXE
description | ioc | process
File opened for modification | C:\Program Files (x86)\Pfnhp5\nf8xwdz0zhht-6n.exe | systray.exe
File opened for modification | C:\Program Files (x86)\Pfnhp5 | Explorer.EXE
File created | C:\Program Files (x86)\Pfnhp5\nf8xwdz0zhht-6n.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Pfnhp5\nf8xwdz0zhht-6n.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3736 | 2488 | WerFault.exe |
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Processes: systray.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe
-
Modifies registry class 2 IoCs
Processes: Explorer.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe, powershell.exe, RegSvcs.exe, systray.exe
pid | process
1648 | 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe
4044 | powershell.exe
2004 | RegSvcs.exe
3560 | systray.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2152 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: RegSvcs.exe, systray.exe
pid | process
2004 | RegSvcs.exe
3560 | systray.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe, powershell.exe, RegSvcs.exe, systray.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 1648 | 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe
Token: SeDebugPrivilege | 4044 | powershell.exe
Token: SeDebugPrivilege | 2004 | RegSvcs.exe
Token: SeDebugPrivilege | 3560 | systray.exe
Token: SeShutdownPrivilege | 2152 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2152 | Explorer.EXE
-
Suspicious use of UnmapMainImage 1 IoCs
Processes: Explorer.EXE
pid | process
2152 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes: 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe, Explorer.EXE, systray.exe
description | pid | process | target process
PID 1648 wrote to memory of 4044 | 1648 | 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe | powershell.exe
PID 1648 wrote to memory of 3124 | 1648 | 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe | schtasks.exe
PID 1648 wrote to memory of 220 | 1648 | 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe | RegSvcs.exe
PID 1648 wrote to memory of 2004 | 1648 | 43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe | RegSvcs.exe
PID 2152 wrote to memory of 3560 | 2152 | Explorer.EXE | systray.exe
PID 3560 wrote to memory of 4204 | 3560 | systray.exe | cmd.exe
PID 3560 wrote to memory of 2972 | 3560 | systray.exe | cmd.exe
PID 3560 wrote to memory of 1044 | 3560 | systray.exe | Firefox.exe
PID 2152 wrote to memory of 1300 | 2152 | Explorer.EXE | nf8xwdz0zhht-6n.exe
Processes
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43b26b0cc53ea7df2488d70e652d77fbeac5a3e2d9fb3705bcaf6e3f9152b0b9.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZLEBiTF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZLEBiTF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F11.tmp"
    - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\systray.exe
  Command line: "C:\Windows\SysWOW64\systray.exe"
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
    Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    C:\Windows\SysWOW64\cmd.exe
    Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  C:\Program Files (x86)\Pfnhp5\nf8xwdz0zhht-6n.exe
  Command line: "C:\Program Files (x86)\Pfnhp5\nf8xwdz0zhht-6n.exe"
  - Executes dropped EXE
C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -pss -s 460 -p 2488 -ip 2488
C:\Windows\system32\WerFault.exe
Command line: C:\Windows\system32\WerFault.exe -u -p 2488 -s 772
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Pfnhp5\nf8xwdz0zhht-6n.exe
Filesize: 44KB
-
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 40KB
-
C:\Users\Admin\AppData\Local\Temp\tmp8F11.tmp
Filesize: 1KB
-
C:\Users\Admin\AppData\Roaming\-3408PUB\-34logim.jpeg
Filesize: 81KB
-
C:\Users\Admin\AppData\Roaming\-3408PUB\-34logrf.ini
Filesize: 40B
-
C:\Users\Admin\AppData\Roaming\-3408PUB\-34logrg.ini
Filesize: 38B
-
C:\Users\Admin\AppData\Roaming\-3408PUB\-34logri.ini
Filesize: 40B
-
C:\Users\Admin\AppData\Roaming\-3408PUB\-34logrv.ini
Filesize: 872B