Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-10-2022 08:32

General

  • Target

    b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167.exe

  • Size

    1.3MB

  • MD5

    e217e566ac9c3c7085da04e61b395a62

  • SHA1

    e36d7fd910bcd61f8fd49305c4324b632c785684

  • SHA256

    b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167

  • SHA512

    719e8a7b7c22b689967f0a59f88d2f1acafa4d1fd90d916832cb807c4bd2848e7675c1a5c1c919a944bc37c358b06871ddf52420e845cce1d8b8c664fc83ece4

  • SSDEEP

    24576:u3yGjA9zkaFVyspAxXyvpMQ467YOuUJ5/3Jl99iXH5TKaP1xbGTKnuxs0j2:paWkonAxXyvFYOuS53fiXH5TB2TKuy0a

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167.exe
    "C:\Users\Admin\AppData\Local\Temp\b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\is-S26M3.tmp\b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-S26M3.tmp\b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167.tmp" /SL5="$70124,1016083,114176,C:\Users\Admin\AppData\Local\Temp\b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\Desktop\UnRAR.exe" x "C:\Users\Public\Documents\NGLA\bin.rar" "C:\Users\Public\Documents\NGLA\" -inul -y -o+ -pxidu"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Users\Admin\Desktop\UnRAR.exe
          "C:\Users\Admin\Desktop\UnRAR.exe" x "C:\Users\Public\Documents\NGLA\bin.rar" "C:\Users\Public\Documents\NGLA\" -inul -y -o+ -pxidu
          4⤵
          • Executes dropped EXE
          PID:108
      • C:\Users\Public\Documents\NGLA\GG_chrome.exe
        "C:\Users\Public\Documents\NGLA\GG_chrome.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1140
      • C:\Users\Public\Documents\NGLA\NNN_chrome.exe
        "C:\Users\Public\Documents\NGLA\NNN_chrome.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:992
      • C:\Windows\SysWOW64\taskkill.exe
        "C:\Windows\System32\taskkill.exe" /f /IM b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
  • C:\Windows\System32\runas.exe
    "C:\Windows\System32\runas.exe" /trustlevel:0x20000 "cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NGLA /t REG_SZ /d \"C:\Users\Public\Documents\NGLA\svchongl.exe\" /f"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Windows\System32\cmd.exe
      cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NGLA /t REG_SZ /d "C:\Users\Public\Documents\NGLA\svchongl.exe" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\system32\reg.exe
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NGLA /t REG_SZ /d "C:\Users\Public\Documents\NGLA\svchongl.exe" /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:748
  • C:\Windows\System32\runas.exe
    "C:\Windows\System32\runas.exe" /trustlevel:0x20000 "cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NGLA /t REG_SZ /d \"C:\Users\Public\Documents\NGLA\svchongl.exe\" /f"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Windows\System32\cmd.exe
      cmd /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NGLA /t REG_SZ /d "C:\Users\Public\Documents\NGLA\svchongl.exe" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:108
      • C:\Windows\system32\reg.exe
        reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v NGLA /t REG_SZ /d "C:\Users\Public\Documents\NGLA\svchongl.exe" /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1480
  • C:\Windows\System32\runas.exe
    "C:\Windows\System32\runas.exe" /trustlevel:0x20000 "cmd /c copy /b /y \"C:\Users\Public\Documents\NGLA\NNN_chrome.exe\" \"C:\Users\Public\Documents\NGLA\svchongl.exe\""
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\System32\cmd.exe
      cmd /c copy /b /y "C:\Users\Public\Documents\NGLA\NNN_chrome.exe" "C:\Users\Public\Documents\NGLA\svchongl.exe"
      2⤵
      PID:836
  • C:\Windows\System32\runas.exe
    "C:\Windows\System32\runas.exe" /trustlevel:0x20000 "cmd /c copy /b /y \"C:\Users\Public\Documents\NGLA\NNN_chrome.exe\" \"C:\Users\Public\Documents\NGLA\svchongl.exe\""
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\System32\cmd.exe
      cmd /c copy /b /y "C:\Users\Public\Documents\NGLA\NNN_chrome.exe" "C:\Users\Public\Documents\NGLA\svchongl.exe"
      2⤵
      PID:1248

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Users\Admin\AppData\Local\Temp\is-S26M3.tmp\b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167.tmp

        Filesize

        1.1MB

      • C:\Users\Admin\Desktop\UnRAR.exe

        Filesize

        382KB

      • C:\Users\Public\Documents\NGLA\App.dat

        Filesize

        51B

      • C:\Users\Public\Documents\NGLA\DLL_DLL.bin

        Filesize

        15KB

      • C:\Users\Public\Documents\NGLA\GETINFO.dll

        Filesize

        231KB

      • C:\Users\Public\Documents\NGLA\GG_chrome.exe

        Filesize

        252KB

      • C:\Users\Public\Documents\NGLA\MSVCP140.dll

        Filesize

        422KB

      • C:\Users\Public\Documents\NGLA\NNN_chrome.exe

        Filesize

        82KB

      • C:\Users\Public\Documents\NGLA\SYSINV.dll

        Filesize

        38KB

      • C:\Users\Public\Documents\NGLA\VCRUNTIME140.dll

        Filesize

        70KB

      • C:\Users\Public\Documents\NGLA\bin.rar

        Filesize

        714KB

      • C:\Users\Public\Documents\NGLA\hello.tmp

        Filesize

        284KB

      • C:\Users\Public\Documents\NGLA\svchongl.exe

        Filesize

        82KB

      • \Users\Admin\AppData\Local\Temp\is-PT1TT.tmp\_isetup\_shfoldr.dll

        Filesize

        22KB

      • \Users\Admin\AppData\Local\Temp\is-S26M3.tmp\b2918589b94b68032a48fb233a1b5e2d648650a48ef32f3f11d31431213f1167.tmp

        Filesize

        1.1MB

      • \Users\Admin\Desktop\UnRAR.exe

        Filesize

        382KB

      • \Users\Public\Documents\NGLA\GG_chrome.exe

        Filesize

        252KB

      • \Users\Public\Documents\NGLA\Getinfo.dll

        Filesize

        231KB

      • \Users\Public\Documents\NGLA\NNN_chrome.exe

        Filesize

        82KB

      • \Users\Public\Documents\NGLA\Sysinv.dll

        Filesize

        38KB

      • \Users\Public\Documents\NGLA\msvcp140.dll

        Filesize

        422KB

      • \Users\Public\Documents\NGLA\vcruntime140.dll

        Filesize

        70KB
