Resubmissions
19-11-2020 14:39 201119-59epbrqadx 10
19-11-2020 14:22 201119-ff99dc42e6 10
19-11-2020 14:16 201119-298y5e8ncj 9
Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-11-2020 14:22
Static task
static1
Behavioral task
behavioral1
Sample
f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
Resource
win10v20201028
General
-
Target
f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
-
Size
1.8MB
-
MD5
10d7151b9ee53b8da8ee6f85001ffb20
-
SHA1
76d33ef58ea7b012342d975d871db64840da9675
-
SHA256
f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093
-
SHA512
1c6d2d7f509b462b5d48db61817ee42a7204d10141c59394eb190d0dba733b831a6344bb85197dfac358939379e640c9f38732d376e28f92e187806ca574d10f
Malware Config
Extracted
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
insupport@messagesafe.io
14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP
https://bitcoin.org/en/buy
https://buy.bitcoin.com
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
description ioc process
File created C:\Users\Admin\Pictures\UpdateGrant.crw.REDROMAN f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created C:\Users\Admin\Pictures\MergeFormat.raw.REDROMAN f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
-
Drops startup file 2 IoCs
Processes: f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe, 7zG.exe
description ioc process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.7z.tmp 7zG.exe
-
Modifies service 2 TTPs 5 IoCs
Processes: vssvc.exe
description ioc process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer vssvc.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe
pid process
1488 vssadmin.exe
2524 vssadmin.exe
-
Modifies registry class 2 IoCs
Processes: rundll32.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes: NOTEPAD.EXE
pid process
2644 NOTEPAD.EXE
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: powershell.exe, powershell.exe
pid process
1380 powershell.exe
1472 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes: powershell.exe, powershell.exe, vssvc.exe, 7zG.exe
description pid process
Token: SeDebugPrivilege 1380 powershell.exe
Token: SeDebugPrivilege 1472 powershell.exe
Token: SeBackupPrivilege 2356 vssvc.exe
Token: SeRestorePrivilege 2356 vssvc.exe
Token: SeAuditPrivilege 2356 vssvc.exe
Token: SeRestorePrivilege 1876 7zG.exe
Token: 35 1876 7zG.exe
Token: SeSecurityPrivilege 1876 7zG.exe
Token: SeSecurityPrivilege 1876 7zG.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe, 7zG.exe
pid process
2788 iexplore.exe
1876 7zG.exe
-
Suspicious use of SetWindowsHookEx 10 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid process
2788 iexplore.exe (2 entries)
2852 IEXPLORE.EXE (8 entries)
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f0fbd0654d4bf299c08f1f83e7b6c3a1f332b49c24b3cf0b9b87757b8c13f093.bin.sample.exe"
Depth: 1
- Modifies extensions of user files
- Drops startup file
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" -WindowStyle Hidden get-wmiobject win32_computersystem | "fl model"
Depth: 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell" Start-Process C:\ProgramData\amdkey.bat -Verb runas
Depth: 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\amdkey.bat"
Depth: 3
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\vssadmin.exe
Command line: vssadmin.exe Delete Shadows /All /Quiet
Depth: 4
- Interacts with shadow copies
-
Image: C:\Windows\system32\vssadmin.exe
Command line: vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=320MB
Depth: 4
- Interacts with shadow copies
-
Image: C:\Windows\system32\net.exe
Command line: net user /add RedROMAN p4zzaub71h
Depth: 4
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 user /add RedROMAN p4zzaub71h
Depth: 5
-
Image: C:\Windows\system32\net.exe
Command line: net localgroup administrators RedROMAN /add
Depth: 4
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\net1.exe
Command line: C:\Windows\system32\net1 localgroup administrators RedROMAN /add
Depth: 5
-
Image: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Depth: 1
- Modifies service
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\TraceRename.ex_.REDROMAN
Depth: 1
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\TraceRename.ex_.REDROMAN
Depth: 2
- Opens file in notepad (likely ransom note)
-
Image: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
Depth: 1
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
Depth: 2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
Image: C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap21596:184:7zEvent14446 -ad -saa -- "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS"
Depth: 1
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\amdkey.bat
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPENTHIS.html
-
C:\Users\Admin\Desktop\TraceRename.ex_.REDROMAN
-
\??\PIPE\samr