Analysis
-
max time kernel
546s -
max time network
597s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
04-02-2021 18:23
Static task
static1
General
-
Target
bid,02.21.doc
-
Size
95KB
-
MD5
8d4ca32c865cbc75fb529bc64730c453
-
SHA1
334c4352dbda3759ca503a6118bc2ddb09b6f9d7
-
SHA256
53b9aaed11c3bff95b8baeef19467b11ab6ef362e2f8b550ee531babbddd9e0f
-
SHA512
3bd039c6d748008d76d5095be0130763e74dd68929e1f8878c557e92bff5742731fdfddbb38171b4f6c13ed42e7339ea4bd54c975d6f36015ea6f7b2bfb66f50
Malware Config
Extracted
qakbot
krk01
1611569149
31.5.21.66:995
89.3.198.238:443
202.188.138.162:443
188.24.128.253:443
175.141.219.71:443
151.60.15.183:443
184.189.122.72:443
80.227.5.70:443
140.82.49.12:443
89.211.241.100:995
81.97.154.100:443
77.27.174.49:995
92.154.83.96:2078
42.3.8.54:443
71.187.170.235:443
46.153.36.53:995
71.182.142.63:443
105.186.102.16:443
50.244.112.106:443
78.63.226.32:443
85.132.36.111:2222
68.186.192.69:443
75.136.40.155:443
68.225.60.77:995
144.139.47.206:443
79.129.121.81:995
98.121.187.78:443
75.67.192.125:443
216.201.162.158:443
2.50.2.216:443
75.136.26.147:443
84.72.35.226:443
172.78.30.215:443
105.198.236.99:443
83.110.102.100:443
193.248.221.184:2222
190.85.91.154:443
96.37.113.36:993
83.110.108.181:2222
88.233.91.244:443
95.77.223.148:443
207.246.77.75:2222
86.236.77.68:2222
207.246.77.75:443
45.63.107.192:995
77.211.30.202:995
149.28.99.97:443
207.246.77.75:8443
149.28.98.196:2222
207.246.116.237:995
207.246.116.237:8443
149.28.99.97:995
207.246.77.75:995
207.246.116.237:2222
45.77.115.208:443
45.32.211.207:995
149.28.101.90:8443
149.28.101.90:443
149.28.99.97:2222
172.115.177.204:2222
144.202.38.185:995
207.246.116.237:443
149.28.98.196:443
144.202.38.185:443
149.28.101.90:995
45.32.211.207:2222
45.32.211.207:443
45.32.211.207:8443
149.28.98.196:995
144.202.38.185:2222
45.63.107.192:443
149.28.101.90:2222
45.63.107.192:2222
45.77.115.208:2222
196.151.252.84:443
105.198.236.101:443
82.76.47.211:443
45.77.115.208:995
45.77.115.208:8443
213.60.147.140:443
92.59.35.196:2222
47.22.148.6:443
203.106.195.67:443
202.185.50.15:443
173.70.165.101:995
50.240.77.238:22
86.98.93.124:2078
172.87.157.235:3389
197.45.110.165:995
76.25.142.196:443
106.51.52.111:443
188.25.63.105:443
83.110.12.140:2222
64.121.114.87:443
50.29.166.232:995
217.133.54.140:32100
122.148.156.131:995
173.21.10.71:2222
45.46.53.140:2222
67.6.91.75:443
47.156.65.184:443
76.111.128.194:443
75.118.1.141:443
65.27.228.247:443
71.74.12.34:443
74.68.144.202:443
98.240.24.57:443
47.196.192.184:443
71.14.110.199:443
71.197.126.250:443
24.253.38.139:993
197.161.154.132:443
80.7.129.64:995
47.208.8.187:443
89.137.211.239:995
86.220.60.133:2222
94.53.92.42:443
78.97.207.104:443
106.250.150.98:443
67.8.103.21:443
41.39.134.183:443
2.50.161.6:2222
96.19.117.140:443
199.19.117.131:443
104.37.20.207:995
216.150.207.100:2222
189.222.111.204:443
73.216.60.90:2222
69.123.179.70:443
189.237.7.9:443
89.137.221.232:443
109.12.111.14:443
125.63.101.62:443
2.7.69.217:2222
89.211.247.202:443
201.130.149.43:995
186.155.151.167:443
201.127.37.219:443
151.205.102.42:443
189.210.115.207:443
97.69.160.4:2222
72.240.200.181:2222
72.252.201.69:443
172.87.134.226:995
209.210.187.52:995
209.210.187.52:443
108.46.145.30:443
24.229.150.54:995
186.84.90.232:443
80.11.5.65:2222
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
xml.compid process 1572 xml.com -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 744 regsvr32.exe 3732 regsvr32.exe -
Checks SCSI registry key(s) 3 TTPs 10 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
regsvr32.exeSystemSettings.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 regsvr32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc regsvr32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service regsvr32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 regsvr32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 SystemSettings.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Discovers systems in the same network 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE -
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
netstat.exeipconfig.exepid process 424 netstat.exe 4008 ipconfig.exe -
Modifies Control Panel 1 IoCs
Processes:
SystemSettings.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors SystemSettings.exe -
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 2632 WINWORD.EXE 2632 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
regsvr32.exeexplorer.exepid process 744 regsvr32.exe 744 regsvr32.exe 744 regsvr32.exe 744 regsvr32.exe 3780 explorer.exe 3780 explorer.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
regsvr32.exeexplorer.exepid process 744 regsvr32.exe 3780 explorer.exe -
Suspicious use of AdjustPrivilegeToken 79 IoCs
Processes:
xml.comSystemSettings.exewhoami.exedescription pid process Token: SeIncreaseQuotaPrivilege 1572 xml.com Token: SeSecurityPrivilege 1572 xml.com Token: SeTakeOwnershipPrivilege 1572 xml.com Token: SeLoadDriverPrivilege 1572 xml.com Token: SeSystemProfilePrivilege 1572 xml.com Token: SeSystemtimePrivilege 1572 xml.com Token: SeProfSingleProcessPrivilege 1572 xml.com Token: SeIncBasePriorityPrivilege 1572 xml.com Token: SeCreatePagefilePrivilege 1572 xml.com Token: SeBackupPrivilege 1572 xml.com Token: SeRestorePrivilege 1572 xml.com Token: SeShutdownPrivilege 1572 xml.com Token: SeDebugPrivilege 1572 xml.com Token: SeSystemEnvironmentPrivilege 1572 xml.com Token: SeRemoteShutdownPrivilege 1572 xml.com Token: SeUndockPrivilege 1572 xml.com Token: SeManageVolumePrivilege 1572 xml.com Token: 33 1572 xml.com Token: 34 1572 xml.com Token: 35 1572 xml.com Token: 36 1572 xml.com Token: SeIncreaseQuotaPrivilege 1572 xml.com Token: SeSecurityPrivilege 1572 xml.com Token: SeTakeOwnershipPrivilege 1572 xml.com Token: SeLoadDriverPrivilege 1572 xml.com Token: SeSystemProfilePrivilege 1572 xml.com Token: SeSystemtimePrivilege 1572 xml.com Token: SeProfSingleProcessPrivilege 1572 xml.com Token: SeIncBasePriorityPrivilege 1572 xml.com Token: SeCreatePagefilePrivilege 1572 xml.com Token: SeBackupPrivilege 1572 xml.com Token: SeRestorePrivilege 1572 xml.com Token: SeShutdownPrivilege 1572 xml.com Token: SeDebugPrivilege 1572 xml.com Token: SeSystemEnvironmentPrivilege 1572 xml.com Token: SeRemoteShutdownPrivilege 1572 xml.com Token: SeUndockPrivilege 1572 xml.com Token: SeManageVolumePrivilege 1572 xml.com Token: 33 1572 xml.com Token: 34 1572 xml.com Token: 35 1572 xml.com Token: 36 1572 xml.com Token: SeShutdownPrivilege 1664 SystemSettings.exe Token: SeCreatePagefilePrivilege 1664 SystemSettings.exe Token: SeShutdownPrivilege 1664 SystemSettings.exe Token: SeCreatePagefilePrivilege 1664 SystemSettings.exe Token: SeShutdownPrivilege 1664 SystemSettings.exe Token: SeCreatePagefilePrivilege 1664 SystemSettings.exe Token: SeShutdownPrivilege 1664 SystemSettings.exe Token: SeCreatePagefilePrivilege 1664 SystemSettings.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe Token: SeDebugPrivilege 956 whoami.exe -
Suspicious use of SetWindowsHookEx 18 IoCs
Processes:
WINWORD.EXESystemSettings.exepid process 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 2632 WINWORD.EXE 1664 SystemSettings.exe -
Suspicious use of WriteProcessMemory 60 IoCs
Processes:
WINWORD.EXExml.comregsvr32.exeregsvr32.exeexplorer.exeregsvr32.exenet.exenet.exedescription pid process target process PID 2632 wrote to memory of 1572 2632 WINWORD.EXE xml.com PID 2632 wrote to memory of 1572 2632 WINWORD.EXE xml.com PID 1572 wrote to memory of 3012 1572 xml.com regsvr32.exe PID 1572 wrote to memory of 3012 1572 xml.com regsvr32.exe PID 3012 wrote to memory of 744 3012 regsvr32.exe regsvr32.exe PID 3012 wrote to memory of 744 3012 regsvr32.exe regsvr32.exe PID 3012 wrote to memory of 744 3012 regsvr32.exe regsvr32.exe PID 744 wrote to memory of 3780 744 regsvr32.exe explorer.exe PID 744 wrote to memory of 3780 744 regsvr32.exe explorer.exe PID 744 wrote to memory of 3780 744 regsvr32.exe explorer.exe PID 744 wrote to memory of 3780 744 regsvr32.exe explorer.exe PID 744 wrote to memory of 3780 744 regsvr32.exe explorer.exe PID 3780 wrote to memory of 3632 3780 explorer.exe schtasks.exe PID 3780 wrote to memory of 3632 3780 explorer.exe schtasks.exe PID 3780 wrote to memory of 3632 3780 explorer.exe schtasks.exe PID 3552 wrote to memory of 3732 3552 regsvr32.exe regsvr32.exe PID 3552 wrote to memory of 3732 3552 regsvr32.exe regsvr32.exe PID 3552 wrote to memory of 3732 3552 regsvr32.exe regsvr32.exe PID 3780 wrote to memory of 956 3780 explorer.exe whoami.exe PID 3780 wrote to memory of 956 3780 explorer.exe whoami.exe PID 3780 wrote to memory of 956 3780 explorer.exe whoami.exe PID 3780 wrote to memory of 1776 3780 explorer.exe cmd.exe PID 3780 wrote to memory of 1776 3780 explorer.exe cmd.exe PID 3780 wrote to memory of 1776 3780 explorer.exe cmd.exe PID 3780 wrote to memory of 1096 3780 explorer.exe arp.exe PID 3780 wrote to memory of 1096 3780 explorer.exe arp.exe PID 3780 wrote to memory of 1096 3780 explorer.exe arp.exe PID 3780 wrote to memory of 4008 3780 explorer.exe ipconfig.exe PID 3780 wrote to memory of 4008 3780 explorer.exe ipconfig.exe PID 3780 wrote to memory of 4008 3780 explorer.exe ipconfig.exe PID 3780 wrote to memory of 492 3780 explorer.exe net.exe PID 3780 wrote to memory of 492 3780 explorer.exe net.exe PID 3780 wrote to memory of 492 3780 explorer.exe net.exe PID 3780 wrote to memory of 848 3780 explorer.exe nslookup.exe PID 3780 wrote to memory of 848 3780 explorer.exe nslookup.exe PID 3780 wrote to memory of 848 3780 explorer.exe nslookup.exe PID 3780 wrote to memory of 1264 3780 explorer.exe net.exe PID 3780 wrote to memory of 1264 3780 explorer.exe net.exe PID 3780 wrote to memory of 1264 3780 explorer.exe net.exe PID 1264 wrote to memory of 1388 1264 net.exe net1.exe PID 1264 wrote to memory of 1388 1264 net.exe net1.exe PID 1264 wrote to memory of 1388 1264 net.exe net1.exe PID 3780 wrote to memory of 2964 3780 explorer.exe route.exe PID 3780 wrote to memory of 2964 3780 explorer.exe route.exe PID 3780 wrote to memory of 2964 3780 explorer.exe route.exe PID 3780 wrote to memory of 424 3780 explorer.exe netstat.exe PID 3780 wrote to memory of 424 3780 explorer.exe netstat.exe PID 3780 wrote to memory of 424 3780 explorer.exe netstat.exe PID 3780 wrote to memory of 852 3780 explorer.exe net.exe PID 3780 wrote to memory of 852 3780 explorer.exe net.exe PID 3780 wrote to memory of 852 3780 explorer.exe net.exe PID 852 wrote to memory of 2180 852 net.exe net1.exe PID 852 wrote to memory of 2180 852 net.exe net1.exe PID 852 wrote to memory of 2180 852 net.exe net1.exe PID 3780 wrote to memory of 1984 3780 explorer.exe explorer.exe PID 3780 wrote to memory of 1984 3780 explorer.exe explorer.exe PID 3780 wrote to memory of 1984 3780 explorer.exe explorer.exe PID 3780 wrote to memory of 1984 3780 explorer.exe explorer.exe PID 3780 wrote to memory of 1984 3780 explorer.exe explorer.exe PID 3780 wrote to memory of 1984 3780 explorer.exe explorer.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bid,02.21.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\programdata\xml.com"C:\programdata\xml.com" process list /format : "c:\programdata\i.xsl"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32 c:\programdata\1271.jpg3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exec:\programdata\1271.jpg4⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn rxnrcabmk /tr "regsvr32.exe -s \"c:\programdata\1271.jpg\"" /SC ONCE /Z /ST 19:30 /ET 19:426⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\whoami.exewhoami /all6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c set6⤵
-
C:\Windows\SysWOW64\arp.exearp -a6⤵
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all6⤵
- Gathers network information
-
C:\Windows\SysWOW64\net.exenet view /all6⤵
- Discovers systems in the same network
-
C:\Windows\SysWOW64\nslookup.exenslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP6⤵
-
C:\Windows\SysWOW64\net.exenet share6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 share7⤵
-
C:\Windows\SysWOW64\route.exeroute print6⤵
-
C:\Windows\SysWOW64\netstat.exenetstat -nao6⤵
- Gathers network information
-
C:\Windows\SysWOW64\net.exenet localgroup6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup7⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
-
\??\c:\windows\system32\regsvr32.exeregsvr32.exe -s "c:\programdata\1271.jpg"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s "c:\programdata\1271.jpg"2⤵
- Loads dropped DLL
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Checks SCSI registry key(s)
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\xml.comMD5
4191f61f2449ccc2bc2f2ac6d8898ce7
SHA1d49936fc8a03561214ce4bf9791ca59e94ab8fe9
SHA25674d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
SHA512fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f
-
C:\programdata\xml.comMD5
4191f61f2449ccc2bc2f2ac6d8898ce7
SHA1d49936fc8a03561214ce4bf9791ca59e94ab8fe9
SHA25674d21e1349aab027cd02d15f2428028c028592f265d1830c8dfc407f9bf76173
SHA512fe67059bc374cc2d39dd01c22c2183ca44a8e04050d633f78d4eac415ae4528c378c7504ea3cc4b6923675256ae3af199b3a498243a4ca1a4d0f61f2e086821f
-
\??\c:\programdata\1271.jpgMD5
9ceaf757400b02d2564db76c5ee72100
SHA186e6abdb76e29a64ca6adf1c32b449d4602a93ea
SHA256e2887a017165076e46262e8b40b02b356dcd44509628151c4662dd5704efe145
SHA512c448201e7c43cf47e475e29fc79a003795862fe98c7e0c600efc9bc9498bf256b4db9b05a64e7f3fb55869c17073ef1ac5690a9710a9ff3b0562b3b089edc333
-
\??\c:\programdata\1271.jpgMD5
f59947ac6215cd2494fed1197aef030f
SHA1ebc5b88172ffc9a3c50e5782df253d9c8aee2882
SHA2567699fb4fcd6bbc12757623fc62b42a76fe0b0c89529656aaff9c020795dd0ad3
SHA512f92175a331b7af5b71870bd5cf80d33ac8317480922d4547621e3a970a723acbf25f73453837b0ed53259ee83720af53d89e977fd9d8e170502c2e93c7f1fd0d
-
\??\c:\programdata\i.xslMD5
3bfe49781b0c5ebfce69bf1815076111
SHA112af9552ed24477939ad337973643ec758e62721
SHA2565243d6b20c66df6fb8e02b17b4963a8b33d4b907209fa08bf024becb341628a3
SHA51265a8535574bad660a9b4bc8b1bbcb0e479a40843c51432f8313248064bb6457bd2a9846c5a6fc382090942efb3b6ac9860a67a3876ff40a20923347ab45c0e3c
-
\ProgramData\1271.jpgMD5
9ceaf757400b02d2564db76c5ee72100
SHA186e6abdb76e29a64ca6adf1c32b449d4602a93ea
SHA256e2887a017165076e46262e8b40b02b356dcd44509628151c4662dd5704efe145
SHA512c448201e7c43cf47e475e29fc79a003795862fe98c7e0c600efc9bc9498bf256b4db9b05a64e7f3fb55869c17073ef1ac5690a9710a9ff3b0562b3b089edc333
-
\ProgramData\1271.jpgMD5
f59947ac6215cd2494fed1197aef030f
SHA1ebc5b88172ffc9a3c50e5782df253d9c8aee2882
SHA2567699fb4fcd6bbc12757623fc62b42a76fe0b0c89529656aaff9c020795dd0ad3
SHA512f92175a331b7af5b71870bd5cf80d33ac8317480922d4547621e3a970a723acbf25f73453837b0ed53259ee83720af53d89e977fd9d8e170502c2e93c7f1fd0d
-
memory/424-42-0x0000000000000000-mapping.dmp
-
memory/492-37-0x0000000000000000-mapping.dmp
-
memory/744-24-0x0000000074330000-0x0000000074365000-memory.dmpFilesize
212KB
-
memory/744-14-0x0000000000000000-mapping.dmp
-
memory/744-25-0x00000000010B0000-0x00000000010B1000-memory.dmpFilesize
4KB
-
memory/848-38-0x0000000000000000-mapping.dmp
-
memory/852-43-0x0000000000000000-mapping.dmp
-
memory/956-33-0x0000000000000000-mapping.dmp
-
memory/1096-35-0x0000000000000000-mapping.dmp
-
memory/1264-39-0x0000000000000000-mapping.dmp
-
memory/1388-40-0x0000000000000000-mapping.dmp
-
memory/1572-8-0x0000000000000000-mapping.dmp
-
memory/1776-34-0x0000000000000000-mapping.dmp
-
memory/1984-46-0x0000000003470000-0x00000000034A5000-memory.dmpFilesize
212KB
-
memory/1984-45-0x0000000000000000-mapping.dmp
-
memory/1984-47-0x0000000005050000-0x00000000050C5000-memory.dmpFilesize
468KB
-
memory/2180-44-0x0000000000000000-mapping.dmp
-
memory/2632-21-0x00007FF967810000-0x00007FF967820000-memory.dmpFilesize
64KB
-
memory/2632-4-0x00007FF967810000-0x00007FF967820000-memory.dmpFilesize
64KB
-
memory/2632-7-0x0000022FC3600000-0x0000022FC3604000-memory.dmpFilesize
16KB
-
memory/2632-16-0x00007FF988D40000-0x00007FF98B863000-memory.dmpFilesize
43.1MB
-
memory/2632-6-0x00007FF9870E0000-0x00007FF987717000-memory.dmpFilesize
6.2MB
-
memory/2632-17-0x00007FF988D40000-0x00007FF98B863000-memory.dmpFilesize
43.1MB
-
memory/2632-5-0x00007FF967810000-0x00007FF967820000-memory.dmpFilesize
64KB
-
memory/2632-18-0x00007FF988D40000-0x00007FF98B863000-memory.dmpFilesize
43.1MB
-
memory/2632-2-0x00007FF967810000-0x00007FF967820000-memory.dmpFilesize
64KB
-
memory/2632-22-0x00007FF967810000-0x00007FF967820000-memory.dmpFilesize
64KB
-
memory/2632-19-0x00007FF988D40000-0x00007FF98B863000-memory.dmpFilesize
43.1MB
-
memory/2632-3-0x00007FF967810000-0x00007FF967820000-memory.dmpFilesize
64KB
-
memory/2632-23-0x00007FF967810000-0x00007FF967820000-memory.dmpFilesize
64KB
-
memory/2632-20-0x00007FF967810000-0x00007FF967820000-memory.dmpFilesize
64KB
-
memory/2964-41-0x0000000000000000-mapping.dmp
-
memory/3012-12-0x0000000000000000-mapping.dmp
-
memory/3632-28-0x0000000000000000-mapping.dmp
-
memory/3732-31-0x0000000000000000-mapping.dmp
-
memory/3780-27-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3780-26-0x0000000000000000-mapping.dmp
-
memory/3780-29-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/4008-36-0x0000000000000000-mapping.dmp