Analysis
-
max time kernel
151s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
07-07-2022 10:51
Static task
static1
Behavioral task
behavioral1
Sample
45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
Resource
win10v2004-20220414-en
General
-
Target
45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
-
Size
396KB
-
MD5
369c33b9e8e9839f9f6299d969d6017f
-
SHA1
dfe0698639787b5554bc8fe6e3851e1800b1f15a
-
SHA256
45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5
-
SHA512
cc4b33a6aa8c83d9b3d696eedd386b39941ed3ccbd5cd73b011d2f21ff6f9f59e586a5956ba60eb728c3a0e4f7e3509d9822b09e01d360f1447c1071764cce25
Malware Config
Extracted
C:\$Recycle.Bin\S-1-5-21-790309383-526510583-3802439154-1000\RECOVERqxlyk.txt
http://h5nuwefkuh134ljngkasdbasfg.corolbugan.com/7EF3D1BA88DEEA2
http://p54dhkus4tlkfashdb6vjetgsdfg.greetingshere.at/7EF3D1BA88DEEA2
http://f4dsbjhb45wfiuqeib4fkqeg.meccaledgy.at/7EF3D1BA88DEEA2
http://k7tlx3ghr3m4n2tu.onion/7EF3D1BA88DEEA2
Signatures
-
suricata: ET MALWARE Alphacrypt/TeslaCrypt Ransomware CnC Beacon
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
pid  process
1492  onvkia.exe
1708  onvkia.exe
-
Deletes itself 1 IoCs
Processes:
pid  process
1760  cmd.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid  process
908  45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
908  45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run  onvkia.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\_agrt = "C:\\Windows\\SYSTEM32\\CMD.EXE /C START C:\\Users\\Admin\\Documents\\onvkia.exe"  onvkia.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description  pid  process  target process
PID 1308 set thread context of 908  1308  45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe  45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 1492 set thread context of 1708  1492  onvkia.exe  onvkia.exe
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid  process
1820  vssadmin.exe
-
Modifies data under HKEY_USERS 1 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\.DEFAULT\Software\trueimg  onvkia.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
1708  onvkia.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1708  onvkia.exe
Token: SeBackupPrivilege  1900  vssvc.exe
Token: SeRestorePrivilege  1900  vssvc.exe
Token: SeAuditPrivilege  1900  vssvc.exe
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
description  pid  process  target process
PID 1308 wrote to memory of 908  1308  45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe  45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe
PID 908 wrote to memory of 1492  908  45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe  onvkia.exe
PID 908 wrote to memory of 1760  908  45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe  cmd.exe
PID 1492 wrote to memory of 1708  1492  onvkia.exe  onvkia.exe
PID 1708 wrote to memory of 1820  1708  onvkia.exe  vssadmin.exe
-
System policy modification 1 TTPs 2 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  onvkia.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  onvkia.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe "C:\Users\Admin\AppData\Local\Temp\45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe" 1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe "C:\Users\Admin\AppData\Local\Temp\45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5.exe" 2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\onvkia.exe C:\Users\Admin\Documents\onvkia.exe 3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\onvkia.exe C:\Users\Admin\Documents\onvkia.exe 4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\vssadmin.exe "C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet 5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\45C912~1.EXE >> NUL 3⤵
- Deletes itself
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\Documents\onvkia.exe
Filesize 396KB
MD5 369c33b9e8e9839f9f6299d969d6017f
SHA1 dfe0698639787b5554bc8fe6e3851e1800b1f15a
SHA256 45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5
SHA512 cc4b33a6aa8c83d9b3d696eedd386b39941ed3ccbd5cd73b011d2f21ff6f9f59e586a5956ba60eb728c3a0e4f7e3509d9822b09e01d360f1447c1071764cce25
-
\Users\Admin\Documents\onvkia.exe
Filesize 396KB
MD5 369c33b9e8e9839f9f6299d969d6017f
SHA1 dfe0698639787b5554bc8fe6e3851e1800b1f15a
SHA256 45c91234b6ad5955140973834c39a8cf2e4e6b7f1b3900a85a4903ba40f82cc5
SHA512 cc4b33a6aa8c83d9b3d696eedd386b39941ed3ccbd5cd73b011d2f21ff6f9f59e586a5956ba60eb728c3a0e4f7e3509d9822b09e01d360f1447c1071764cce25