Analysis
-
max time kernel
582s -
max time network
601s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
13-05-2022 13:36
Static task
static1
Behavioral task
behavioral1
Sample
ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm
Resource
win10-20220414-en
Behavioral task
behavioral2
Sample
ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm
Resource
win11-20220223-en
General
-
Target
ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm
-
Size
546KB
-
MD5
ee6c2c0cee1d675d7d54ddd8c55a7d2a
-
SHA1
b52b89e670bd912540608671d05b0c772a6a14b9
-
SHA256
ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad
-
SHA512
76371e407bfb8e3dd0427dbd750efe7c9c79483495dd2ef3bdf160c7c1528caafd05ed4c914dfe76f16632348a59a8ebe6061fd83dec1c9bf4f519bef5d726bb
Malware Config
Extracted
trickbot
1000514
ono76
51.89.163.40:443
89.223.126.186:443
45.67.231.68:443
148.251.185.165:443
194.87.110.144:443
213.32.84.27:443
185.234.72.35:443
45.89.125.148:443
195.123.240.104:443
185.99.2.243:443
5.182.211.223:443
195.123.240.113:443
85.204.116.173:443
5.152.210.188:443
103.36.48.103:449
36.94.33.102:449
36.91.87.227:449
177.190.69.162:449
103.76.169.213:449
179.97.246.23:449
200.24.67.161:449
181.143.186.42:449
190.99.97.42:449
179.127.88.41:449
117.252.214.138:449
117.222.63.145:449
45.224.213.234:449
45.237.241.97:449
125.165.20.104:449
-
autorunName:pwgrab
Signatures
-
Processes:
resource yara_rule behavioral2/memory/4672-145-0x00000000010C0000-0x00000000010F7000-memory.dmp templ_dll behavioral2/memory/4672-149-0x0000000001100000-0x0000000001136000-memory.dmp templ_dll behavioral2/memory/4672-152-0x0000000001080000-0x00000000010B5000-memory.dmp templ_dll -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation WScript.exe -
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exepid process 4672 regsvr32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WINWORD.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A04A0AA8-D2D2-11EC-AC67-46F9D3C81F08} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IENTSS" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\User Preferences iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000a14fb50d3cf48fde9c2e73621e5326f74016651dbd6b3acda1828c3d07865efa000000000e80000000020000200000004cd30f0f769ad5d6bab573b9af95845c9ccfa8ff5f040495a4a0f5cb95d274865000000094252935f5acecb7c4161775e2aca7ac550668b0518a3b39c977742473b2b78333bd842827392b0a346c14acf674180bd177042ca2571a8d32b67f580851908f50a9d83ef9bf10caa8126a39a6dc63bb4000000003093946d9fcddc0a4f3c9004890fd33728d8f083e4368d96b29afb84b5ad0a735f7440b307d272aa7e0e53afb5f986237b3a6e85b149af7cb9bcc2de40d9848 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359221238" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30959327" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30959327" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30959327" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = f982cdb29d50d801 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2020116380" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2149645792" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009ca67aad6973c147a14e4257979b091500000000020000000000106600000001000020000000a4158bf50158ebf38ee79c09b1c317901b3f32552df38bf73998c0e577743ef1000000000e80000000020000200000004bae8707cfe7384706e9dfad282e4302615ec37f5a5991baf49e0de5870802d41000000097b7422509aaa2024854d435e289f0f1400000008c60db7a9ac429e52c023eb23655292a352260e9455e2e4338252ecf53963d879b02b0a5fe0362b57673fe7e35246fc9d818eca1d373b9bad4d46a5c4d1a72ad iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30959327" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2020116380" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2149645792" IEXPLORE.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
WINWORD.EXEpid process 940 WINWORD.EXE 940 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 4240 wermgr.exe Token: SeDebugPrivilege 4240 wermgr.exe Token: SeDebugPrivilege 4240 wermgr.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1692 iexplore.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
WINWORD.EXEiexplore.exeIEXPLORE.EXEpid process 940 WINWORD.EXE 940 WINWORD.EXE 940 WINWORD.EXE 940 WINWORD.EXE 940 WINWORD.EXE 940 WINWORD.EXE 940 WINWORD.EXE 1692 iexplore.exe 1692 iexplore.exe 2308 IEXPLORE.EXE 2308 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
WScript.exeiexplore.exeregsvr32.exeregsvr32.exedescription pid process target process PID 4904 wrote to memory of 2148 4904 WScript.exe cmd.exe PID 4904 wrote to memory of 2148 4904 WScript.exe cmd.exe PID 1692 wrote to memory of 2308 1692 iexplore.exe IEXPLORE.EXE PID 1692 wrote to memory of 2308 1692 iexplore.exe IEXPLORE.EXE PID 1692 wrote to memory of 2308 1692 iexplore.exe IEXPLORE.EXE PID 4904 wrote to memory of 3648 4904 WScript.exe certutil.exe PID 4904 wrote to memory of 3648 4904 WScript.exe certutil.exe PID 4904 wrote to memory of 2320 4904 WScript.exe regsvr32.exe PID 4904 wrote to memory of 2320 4904 WScript.exe regsvr32.exe PID 2320 wrote to memory of 4672 2320 regsvr32.exe regsvr32.exe PID 2320 wrote to memory of 4672 2320 regsvr32.exe regsvr32.exe PID 2320 wrote to memory of 4672 2320 regsvr32.exe regsvr32.exe PID 4672 wrote to memory of 4240 4672 regsvr32.exe wermgr.exe PID 4672 wrote to memory of 4240 4672 regsvr32.exe wermgr.exe PID 4672 wrote to memory of 4240 4672 regsvr32.exe wermgr.exe PID 4672 wrote to memory of 4240 4672 regsvr32.exe wermgr.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ea78baf0919870bb04d001f94905bbb84263f9fd012e81005d6adc3aeb8a73ad.docm" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\openssl.vbe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""2⤵
-
C:\Windows\System32\certutil.exe"C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll2⤵
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exec:\drad\ONKVD.dll3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Drad\ONKVD.dllFilesize
608KB
MD5faf55f62d1967375625d0e402c34ee0a
SHA102c8f9055c69a3386e7dbfd2eafad3beab3779fb
SHA256c2ced0e8bbda1c02a143cefa9f810f5e3131254d65ea39b027ed5db240f5d76e
SHA512227ee6b09e6897a0ea883c70f991e062dea0d80d3fc32e19676aea0c7d8c075269d811bd88c795cfdeca5bb81b7b6f0802db0f52d1931b1e6c2558139f4919ca
-
C:\Drad\ONKVD.dllFilesize
304KB
MD50828f63b9396fead9231cae937694a37
SHA166f370b3a1dcfb9c87a31b35d2c0951a3b1612f8
SHA256fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4
SHA512dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256
-
C:\ProgramData\openssl.vbeFilesize
636KB
MD515810fb5f100a3a2d21e4c2288dc1a88
SHA1834308004280f11a459f764d9e2339c34dc5d7f1
SHA256136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6
SHA512431b31281a4b3d99fe2f9a0900a66b5eb9fc7deeae3394501fbc46ecd8d249415014f524f255a629d1f8ee3776d0b3cc8ff76d07beb7ec9c7c33632196ecaf87
-
\??\c:\drad\ONKVD.dllFilesize
304KB
MD50828f63b9396fead9231cae937694a37
SHA166f370b3a1dcfb9c87a31b35d2c0951a3b1612f8
SHA256fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4
SHA512dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256
-
memory/940-136-0x00007FF8F9230000-0x00007FF8F9240000-memory.dmpFilesize
64KB
-
memory/940-159-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmpFilesize
64KB
-
memory/940-130-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmpFilesize
64KB
-
memory/940-134-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmpFilesize
64KB
-
memory/940-135-0x00007FF8F9230000-0x00007FF8F9240000-memory.dmpFilesize
64KB
-
memory/940-157-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmpFilesize
64KB
-
memory/940-133-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmpFilesize
64KB
-
memory/940-158-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmpFilesize
64KB
-
memory/940-131-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmpFilesize
64KB
-
memory/940-160-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmpFilesize
64KB
-
memory/940-132-0x00007FF8FB2F0000-0x00007FF8FB300000-memory.dmpFilesize
64KB
-
memory/2148-138-0x0000000000000000-mapping.dmp
-
memory/2320-141-0x0000000000000000-mapping.dmp
-
memory/3648-139-0x0000000000000000-mapping.dmp
-
memory/4240-155-0x0000021727F50000-0x0000021727F77000-memory.dmpFilesize
156KB
-
memory/4240-154-0x0000000000000000-mapping.dmp
-
memory/4672-153-0x0000000002AF0000-0x0000000002B31000-memory.dmpFilesize
260KB
-
memory/4672-152-0x0000000001080000-0x00000000010B5000-memory.dmpFilesize
212KB
-
memory/4672-149-0x0000000001100000-0x0000000001136000-memory.dmpFilesize
216KB
-
memory/4672-145-0x00000000010C0000-0x00000000010F7000-memory.dmpFilesize
220KB
-
memory/4672-143-0x0000000000000000-mapping.dmp