Analysis Overview
SHA256
3f3c8a2b9d1298a72c337887bfe68d66aeecdb9c3ca72dc7f9550f702c31f03f
Threat Level: Likely malicious
The file e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
ASPack v2.12-2.42
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Writes to the Master Boot Record (MBR)
Enumerates connected drives
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs ping.exe
Analysis: static1
Detonation Overview
Reported: 2024-05-16 15:07
Signatures
ASPack v2.12-2.42
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-16 15:07
Reported: 2024-05-16 15:09
Platform: win7-20240508-en
Max time kernel: 129s
Max time network: 139s
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
ASPack v2.12-2.42
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\ettmtcigc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\ettmtcigc.exe | N/A |
| N/A | N/A | C:\wiseman.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wiseman = "C:\\wiseman.exe" | C:\wiseman.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\skkmkldhn\\rvkmwvg.dll\",GetWindowClass" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\ettmtcigc.exe | N/A |
| N/A | N/A | C:\wiseman.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\ettmtcigc.exe "C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\ettmtcigc.exe
c:\ettmtcigc.exe "C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\skkmkldhn\rvkmwvg.dll",GetWindowClass c:\ettmtcigc.exe
C:\wiseman.exe
"C:\wiseman.exe"
Network
| Country | Destination | Domain | Proto |
| US | 107.163.241.229:6520 | N/A | tcp |
| US | 107.163.241.233:12354 | N/A | tcp |
| US | 107.163.241.233:12354 | N/A | tcp |
| US | 8.8.8.8:53 | api.wisemansupport.com | udp |
| KR | 3.35.144.12:80 | api.wisemansupport.com | tcp |
| US | 107.163.241.233:12354 | N/A | tcp |
| US | 107.163.241.233:12354 | N/A | tcp |
| US | 107.163.241.229:6520 | N/A | tcp |
| US | 107.163.241.229:6520 | N/A | tcp |
| US | 107.163.241.229:6520 | N/A | tcp |
| US | 107.163.241.229:6520 | N/A | tcp |
Files
\??\c:\ettmtcigc.exe
\??\c:\skkmkldhn\rvkmwvg.dll
C:\wiseman.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-16 15:07
Reported: 2024-05-16 15:09
Platform: win10v2004-20240508-en
Max time kernel: 140s
Max time network: 145s
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\ldydc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\ldydc.exe | N/A |
| N/A | N/A | C:\wiseman.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wiseman = "C:\\wiseman.exe" | C:\wiseman.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\phvbv\\hcthct.dll\",GetWindowClass" | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\w: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\x: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\y: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\o: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\r: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\i: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\j: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\k: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\m: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\n: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\e: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\h: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\u: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\v: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\b: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\g: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\p: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\q: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\s: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\t: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\z: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\a: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| File opened (read-only) | \??\l: | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | \??\c:\windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe | N/A |
| N/A | N/A | \??\c:\ldydc.exe | N/A |
| N/A | N/A | C:\wiseman.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1 -n 2&c:\ldydc.exe "C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 2
\??\c:\ldydc.exe
c:\ldydc.exe "C:\Users\Admin\AppData\Local\Temp\e27b28d9b047458a493ffda01bebeef0_NeikiAnalytics.exe"
\??\c:\windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.exe "c:\phvbv\hcthct.dll",GetWindowClass c:\ldydc.exe
C:\wiseman.exe
"C:\wiseman.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| NL | 23.62.61.163:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.61.62.23.in-addr.arpa | udp |
| US | 107.163.241.229:6520 | N/A | tcp |
| US | 107.163.241.233:12354 | N/A | tcp |
| US | 107.163.241.233:12354 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.wisemansupport.com | udp |
| KR | 3.35.144.12:80 | api.wisemansupport.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 107.163.241.233:12354 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 107.163.241.229:6520 | N/A | tcp |
| US | 107.163.241.229:6520 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 107.163.241.229:6520 | N/A | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 107.163.241.229:6520 | N/A | tcp |
Files
\??\c:\ldydc.exe
\??\c:\phvbv\hcthct.dll
C:\wiseman.exe