Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 03-05-2021 15:07
Behavioral task: behavioral1
- Sample: c8f1fdd8_by_Libranalysis.exe
- Resource: win7v20210410
General
- Target: c8f1fdd8_by_Libranalysis.exe
- Size: 673KB
- MD5: c8f1fdd8dd3724f89cef6d9ea9ec85fd
- SHA1: 30d5e006337e17b512ff5ed878cc1beb1664abb0
- SHA256: 7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571
- SHA512: 0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73
Malware Config
Extracted
qakbot
324.141
spx125
1590138228
Signatures
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe | cryptone
-
Executes dropped EXE 4 IoCs
Processes: nalit.exe, nalit.exe, nalit.exe, nalit.exe
pid | process
3144 | nalit.exe
3160 | nalit.exe
1872 | nalit.exe
2488 | nalit.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: c8f1fdd8_by_Libranalysis.exe, nalit.exe, nalit.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | c8f1fdd8_by_Libranalysis.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | nalit.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | nalit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | nalit.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | nalit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | nalit.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | nalit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | c8f1fdd8_by_Libranalysis.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | c8f1fdd8_by_Libranalysis.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | nalit.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | nalit.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | nalit.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | c8f1fdd8_by_Libranalysis.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | c8f1fdd8_by_Libranalysis.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | nalit.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | nalit.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | nalit.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | c8f1fdd8_by_Libranalysis.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 5 IoCs
Processes: c8f1fdd8_by_Libranalysis.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | c8f1fdd8_by_Libranalysis.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | c8f1fdd8_by_Libranalysis.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | c8f1fdd8_by_Libranalysis.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | c8f1fdd8_by_Libranalysis.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | c8f1fdd8_by_Libranalysis.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes: c8f1fdd8_by_Libranalysis.exe, c8f1fdd8_by_Libranalysis.exe, nalit.exe, nalit.exe, explorer.exe, c8f1fdd8_by_Libranalysis.exe, nalit.exe, nalit.exe
pid | process
1456 | c8f1fdd8_by_Libranalysis.exe
1456 | c8f1fdd8_by_Libranalysis.exe
2952 | c8f1fdd8_by_Libranalysis.exe
2952 | c8f1fdd8_by_Libranalysis.exe
2952 | c8f1fdd8_by_Libranalysis.exe
2952 | c8f1fdd8_by_Libranalysis.exe
3144 | nalit.exe
3144 | nalit.exe
3160 | nalit.exe
3160 | nalit.exe
3160 | nalit.exe
3160 | nalit.exe
3940 | explorer.exe
3940 | explorer.exe
3940 | explorer.exe
3940 | explorer.exe
988 | c8f1fdd8_by_Libranalysis.exe
988 | c8f1fdd8_by_Libranalysis.exe
1872 | nalit.exe
1872 | nalit.exe
2488 | nalit.exe
2488 | nalit.exe
2488 | nalit.exe
2488 | nalit.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: nalit.exe
pid | process
3144 | nalit.exe
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes: c8f1fdd8_by_Libranalysis.exe, nalit.exe, c8f1fdd8_by_Libranalysis.exe, cmd.exe, nalit.exe
description | pid | process | target process
PID 1456 wrote to memory of 2952 | 1456 | c8f1fdd8_by_Libranalysis.exe | c8f1fdd8_by_Libranalysis.exe
PID 1456 wrote to memory of 2952 | 1456 | c8f1fdd8_by_Libranalysis.exe | c8f1fdd8_by_Libranalysis.exe
PID 1456 wrote to memory of 2952 | 1456 | c8f1fdd8_by_Libranalysis.exe | c8f1fdd8_by_Libranalysis.exe
PID 1456 wrote to memory of 3144 | 1456 | c8f1fdd8_by_Libranalysis.exe | nalit.exe
PID 1456 wrote to memory of 3144 | 1456 | c8f1fdd8_by_Libranalysis.exe | nalit.exe
PID 1456 wrote to memory of 3144 | 1456 | c8f1fdd8_by_Libranalysis.exe | nalit.exe
PID 1456 wrote to memory of 2052 | 1456 | c8f1fdd8_by_Libranalysis.exe | schtasks.exe
PID 1456 wrote to memory of 2052 | 1456 | c8f1fdd8_by_Libranalysis.exe | schtasks.exe
PID 1456 wrote to memory of 2052 | 1456 | c8f1fdd8_by_Libranalysis.exe | schtasks.exe
PID 3144 wrote to memory of 3160 | 3144 | nalit.exe | nalit.exe
PID 3144 wrote to memory of 3160 | 3144 | nalit.exe | nalit.exe
PID 3144 wrote to memory of 3160 | 3144 | nalit.exe | nalit.exe
PID 3144 wrote to memory of 3940 | 3144 | nalit.exe | explorer.exe
PID 3144 wrote to memory of 3940 | 3144 | nalit.exe | explorer.exe
PID 3144 wrote to memory of 3940 | 3144 | nalit.exe | explorer.exe
PID 3144 wrote to memory of 3940 | 3144 | nalit.exe | explorer.exe
PID 988 wrote to memory of 3524 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 3524 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 920 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 920 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 2452 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 2452 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 2912 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 2912 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 1508 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 1508 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 508 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 508 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 2252 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 2252 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 2112 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 2112 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 1152 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 1152 | 988 | c8f1fdd8_by_Libranalysis.exe | reg.exe
PID 988 wrote to memory of 1872 | 988 | c8f1fdd8_by_Libranalysis.exe | nalit.exe
PID 988 wrote to memory of 1872 | 988 | c8f1fdd8_by_Libranalysis.exe | nalit.exe
PID 988 wrote to memory of 1872 | 988 | c8f1fdd8_by_Libranalysis.exe | nalit.exe
PID 988 wrote to memory of 4080 | 988 | c8f1fdd8_by_Libranalysis.exe | cmd.exe
PID 988 wrote to memory of 4080 | 988 | c8f1fdd8_by_Libranalysis.exe | cmd.exe
PID 988 wrote to memory of 3868 | 988 | c8f1fdd8_by_Libranalysis.exe | schtasks.exe
PID 988 wrote to memory of 3868 | 988 | c8f1fdd8_by_Libranalysis.exe | schtasks.exe
PID 4080 wrote to memory of 2428 | 4080 | cmd.exe | PING.EXE
PID 4080 wrote to memory of 2428 | 4080 | cmd.exe | PING.EXE
PID 1872 wrote to memory of 2488 | 1872 | nalit.exe | nalit.exe
PID 1872 wrote to memory of 2488 | 1872 | nalit.exe | nalit.exe
PID 1872 wrote to memory of 2488 | 1872 | nalit.exe | nalit.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe (depth 2)
C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe /C
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe (depth 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe (depth 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe /C
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\explorer.exe (depth 3)
C:\Windows\SysWOW64\explorer.exe
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe (depth 2)
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn hyvxrbmn /tr "\"C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe\" /I hyvxrbmn" /SC ONCE /Z /ST 17:06 /ET 17:18
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe (depth 1)
C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe /I hyvxrbmn
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe (depth 2)
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
-
C:\Windows\system32\reg.exe (depth 2)
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
-
C:\Windows\system32\reg.exe (depth 2)
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
-
C:\Windows\system32\reg.exe (depth 2)
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
-
C:\Windows\system32\reg.exe (depth 2)
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
-
C:\Windows\system32\reg.exe (depth 2)
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
-
C:\Windows\system32\reg.exe (depth 2)
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
-
C:\Windows\system32\reg.exe (depth 2)
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
-
C:\Windows\system32\reg.exe (depth 2)
C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq" /d "0"
-
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe (depth 2)
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe (depth 3)
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe /C
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe (depth 2)
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\c8f1fdd8_by_Libranalysis.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXE (depth 3)
ping.exe -n 6 127.0.0.1
- Runs ping.exe
-
C:\Windows\system32\schtasks.exe (depth 2)
"C:\Windows\system32\schtasks.exe" /DELETE /F /TN hyvxrbmn
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.dat
MD5: 50e946a0120e5a0cdf48574e8fa3cf26
SHA1: 660f9d36e2dde3defd141997626274552be915e1
SHA256: aba81573d4b41944b928db355617fe9505cac473b05257a9f26b87cbd3bf2b3c
SHA512: ec2c481ca009c20c68d913a3c876c867ac1efced18c7af53c5accbfa3c2d8f18dc875a8e7b67c473c7b9792cc2f82e2ede49c2176285cfba58f91ea7373913c9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Tvbfsedq\nalit.exe
MD5: c8f1fdd8dd3724f89cef6d9ea9ec85fd
SHA1: 30d5e006337e17b512ff5ed878cc1beb1664abb0
SHA256: 7ceaaa2ae96ba6400a09c96ae63a472a6b54535833a8eb5a9bba1afa7645c571
SHA512: 0dce8b7705707318f8c227e9a9fcf363884b20374c05f233217042f1272ca0921ea637ca435de56f618463cf00cd234cc006de47ac62112047425add28ea1a73