Resubmissions
20-03-2023 20:10 | 230320-yx3gcafc24 | 10
20-03-2023 10:43 | 230320-msm1bafa5t | 10
20-03-2023 10:23 | 230320-me3hvach68 | 10
18-03-2023 10:19 | 230318-mcwyaaea3z | 10
Analysis
- max time kernel: 144s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 18-03-2023 10:19
Behavioral task
behavioral1
Sample
quak.exe
Resource
win7-20230220-en
General
- Target: quak.exe
- Size: 216KB
- MD5: 58e1c32eeb0130da19625e55ee48cf1e
- SHA1: 00ae1c5066f67e5e71285de99bea8d8b67085743
- SHA256: f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790
- SHA512: 31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2
- SSDEEP: 3072:4FCXMfyhFPZ8H7kJiIceKozOMeNJwOUJCfUfWcxQvAKChQztvWZZOtyFb8e:lXPFP6HWriMeN2rJCyWVDhM55
Malware Config
Extracted
qakbot
324.142
spx143
1592482956
Signatures
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Processes:
reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl = "0" | reg.exe
-
Executes dropped EXE 4 IoCs
Processes:
gdtneusw.exe, gdtneusw.exe, gdtneusw.exe, gdtneusw.exe
pid | process
1244 | gdtneusw.exe
516 | gdtneusw.exe
1964 | gdtneusw.exe
656 | gdtneusw.exe
-
Loads dropped DLL 3 IoCs
Processes:
quak.exe, quak.exe
pid | process
1764 | quak.exe
1764 | quak.exe
392 | quak.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 3 IoCs
Processes:
quak.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | quak.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | quak.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | quak.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
quak.exe, quak.exe, gdtneusw.exe, gdtneusw.exe, explorer.exe, explorer.exe, mobsync.exe, quak.exe, mobsync.exe, iexplore.exe, gdtneusw.exe, iexplore.exe, gdtneusw.exe
pid | process
1764 | quak.exe
1760 | quak.exe
1760 | quak.exe
1244 | gdtneusw.exe
516 | gdtneusw.exe
516 | gdtneusw.exe
1812 | explorer.exe
996 | explorer.exe
1620 | mobsync.exe
392 | quak.exe
788 | mobsync.exe
1932 | iexplore.exe
1964 | gdtneusw.exe
1956 | iexplore.exe
1244 | gdtneusw.exe
656 | gdtneusw.exe
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
gdtneusw.exe
pid | process
1244 | gdtneusw.exe
1244 | gdtneusw.exe
1244 | gdtneusw.exe
1244 | gdtneusw.exe
1244 | gdtneusw.exe
1244 | gdtneusw.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
quak.exe, gdtneusw.exe, taskeng.exe, quak.exe
description | pid | process | target process
PID 1764 wrote to memory of 1760 | 1764 | quak.exe | quak.exe
PID 1764 wrote to memory of 1760 | 1764 | quak.exe | quak.exe
PID 1764 wrote to memory of 1760 | 1764 | quak.exe | quak.exe
PID 1764 wrote to memory of 1760 | 1764 | quak.exe | quak.exe
PID 1764 wrote to memory of 1244 | 1764 | quak.exe | gdtneusw.exe
PID 1764 wrote to memory of 1244 | 1764 | quak.exe | gdtneusw.exe
PID 1764 wrote to memory of 1244 | 1764 | quak.exe | gdtneusw.exe
PID 1764 wrote to memory of 1244 | 1764 | quak.exe | gdtneusw.exe
PID 1764 wrote to memory of 1628 | 1764 | quak.exe | schtasks.exe
PID 1764 wrote to memory of 1628 | 1764 | quak.exe | schtasks.exe
PID 1764 wrote to memory of 1628 | 1764 | quak.exe | schtasks.exe
PID 1764 wrote to memory of 1628 | 1764 | quak.exe | schtasks.exe
PID 1244 wrote to memory of 516 | 1244 | gdtneusw.exe | gdtneusw.exe
PID 1244 wrote to memory of 516 | 1244 | gdtneusw.exe | gdtneusw.exe
PID 1244 wrote to memory of 516 | 1244 | gdtneusw.exe | gdtneusw.exe
PID 1244 wrote to memory of 516 | 1244 | gdtneusw.exe | gdtneusw.exe
PID 1244 wrote to memory of 1812 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 1812 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 1812 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 1812 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 1812 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 996 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 996 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 996 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 996 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 996 | 1244 | gdtneusw.exe | explorer.exe
PID 1244 wrote to memory of 1620 | 1244 | gdtneusw.exe | mobsync.exe
PID 1244 wrote to memory of 1620 | 1244 | gdtneusw.exe | mobsync.exe
PID 1244 wrote to memory of 1620 | 1244 | gdtneusw.exe | mobsync.exe
PID 1244 wrote to memory of 1620 | 1244 | gdtneusw.exe | mobsync.exe
PID 1244 wrote to memory of 1620 | 1244 | gdtneusw.exe | mobsync.exe
PID 304 wrote to memory of 392 | 304 | taskeng.exe | quak.exe
PID 304 wrote to memory of 392 | 304 | taskeng.exe | quak.exe
PID 304 wrote to memory of 392 | 304 | taskeng.exe | quak.exe
PID 304 wrote to memory of 392 | 304 | taskeng.exe | quak.exe
PID 1244 wrote to memory of 788 | 1244 | gdtneusw.exe | mobsync.exe
PID 1244 wrote to memory of 788 | 1244 | gdtneusw.exe | mobsync.exe
PID 1244 wrote to memory of 788 | 1244 | gdtneusw.exe | mobsync.exe
PID 1244 wrote to memory of 788 | 1244 | gdtneusw.exe | mobsync.exe
PID 1244 wrote to memory of 788 | 1244 | gdtneusw.exe | mobsync.exe
PID 1244 wrote to memory of 1932 | 1244 | gdtneusw.exe | iexplore.exe
PID 1244 wrote to memory of 1932 | 1244 | gdtneusw.exe | iexplore.exe
PID 1244 wrote to memory of 1932 | 1244 | gdtneusw.exe | iexplore.exe
PID 1244 wrote to memory of 1932 | 1244 | gdtneusw.exe | iexplore.exe
PID 1244 wrote to memory of 1932 | 1244 | gdtneusw.exe | iexplore.exe
PID 392 wrote to memory of 2040 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 2040 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 2040 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 2040 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1732 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1732 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1732 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1732 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 540 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 540 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 540 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 540 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1688 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1688 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1688 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1688 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1500 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1500 | 392 | quak.exe | reg.exe
PID 392 wrote to memory of 1500 | 392 | quak.exe | reg.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\quak.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\quak.exe"
  [Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory]
  - C:\Users\Admin\AppData\Local\Temp\quak.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\quak.exe /C
    [Suspicious behavior: EnumeratesProcesses]
  - C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
    cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
    [Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory]
    - C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe /C
      [Executes dropped EXE; Suspicious behavior: EnumeratesProcesses]
    - C:\Windows\SysWOW64\explorer.exe
      cmd: C:\Windows\SysWOW64\explorer.exe
      [Suspicious behavior: EnumeratesProcesses]
    - C:\Windows\SysWOW64\explorer.exe
      cmd: C:\Windows\SysWOW64\explorer.exe
      [Suspicious behavior: EnumeratesProcesses]
    - C:\Windows\SysWOW64\mobsync.exe
      cmd: C:\Windows\SysWOW64\mobsync.exe
      [Suspicious behavior: EnumeratesProcesses]
    - C:\Windows\SysWOW64\mobsync.exe
      cmd: C:\Windows\SysWOW64\mobsync.exe
      [Suspicious behavior: EnumeratesProcesses]
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      cmd: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      [Suspicious behavior: EnumeratesProcesses]
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      cmd: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      [Suspicious behavior: EnumeratesProcesses]
  - C:\Windows\SysWOW64\schtasks.exe
    cmd: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn kcphrjzvc /tr "\"C:\Users\Admin\AppData\Local\Temp\quak.exe\" /I kcphrjzvc" /SC ONCE /Z /ST 11:22 /ET 11:34
    [Creates scheduled task(s)]
- C:\Windows\system32\taskeng.exe
  cmd: taskeng.exe {9E60D40D-3C41-4C4D-9723-DCF9CE88560A} S-1-5-18:NT AUTHORITY\System:Service:
  [Suspicious use of WriteProcessMemory]
  - C:\Users\Admin\AppData\Local\Temp\quak.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\quak.exe /I kcphrjzvc
    [Loads dropped DLL; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory]
    - C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
    - C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
    - C:\Windows\system32\reg.exe
      cmd: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl" /d "0"
      [Windows security bypass]
    - C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
      cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
      [Executes dropped EXE; Suspicious behavior: EnumeratesProcesses]
      - C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
        cmd: C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe /C
        [Executes dropped EXE; Suspicious behavior: EnumeratesProcesses]
    - C:\Windows\System32\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\quak.exe"
      - C:\Windows\system32\PING.EXE
        cmd: ping.exe -n 6 127.0.0.1
        [Runs ping.exe]
    - C:\Windows\system32\schtasks.exe
      cmd: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN kcphrjzvc
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Tesegqxhnyl\gdtneusw.exe
  Filesize: 216KB
  MD5: 58e1c32eeb0130da19625e55ee48cf1e
  SHA1: 00ae1c5066f67e5e71285de99bea8d8b67085743
  SHA256: f5ff6dbf5206cc2db098b41f5af14303f6dc43e36c5ec02604a50d5cfecf4790
  SHA512: 31ea3186c3c7b77f815e1bc060add4a6c7b3abddf98c5a615a5779472ea46eeacfe256286f8dd741deb29d1d43889f05854462ba621f0f5065cd1e36b61478f2
- memory/788-72-0x0000000000080000-0x00000000000BA000-memory.dmp (Filesize: 232KB)
- memory/788-73-0x0000000000120000-0x0000000000153000-memory.dmp (Filesize: 204KB)
- memory/996-69-0x00000000001C0000-0x00000000001F3000-memory.dmp (Filesize: 204KB)
- memory/996-68-0x00000000000F0000-0x000000000012A000-memory.dmp (Filesize: 232KB)
- memory/1244-77-0x00000000025D0000-0x0000000002603000-memory.dmp (Filesize: 204KB)
- memory/1620-70-0x0000000000100000-0x000000000013A000-memory.dmp (Filesize: 232KB)
- memory/1620-71-0x0000000000440000-0x0000000000473000-memory.dmp (Filesize: 204KB)
- memory/1812-67-0x0000000000190000-0x00000000001C3000-memory.dmp (Filesize: 204KB)
- memory/1812-66-0x0000000000080000-0x00000000000BA000-memory.dmp (Filesize: 232KB)