Analysis
-
max time kernel
39s -
max time network
49s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system -
submitted
22-05-2024 17:30
Behavioral task
behavioral1
Sample
Nurik.exe
Resource
win11-20240426-en
Errors
General
-
Target
Nurik.exe
-
Size
210KB
-
MD5
bb252d8aa4f5834229ea080c11db0b59
-
SHA1
7de57dfc07520a7f3013abc807446e8611914812
-
SHA256
ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c
-
SHA512
0e9aa28aeb33328b7b7140a461b45e4a211cb68326130e174b54dd260d3f44323a3ab86f16571e0b0e55c9597f293b9a5d085e1bb01f4fbe2cdb2b20080e4c5a
-
SSDEEP
3072:tXbHXK681mboHFtHODlewZp0EAVHLqaHSegMc11irm+uhdtNp+5hBu:tXb6Ib2ewwZpTEH+NvlNpoh
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/cVQrB6DR
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource: behavioral1/memory/3324-1-0x0000000000490000-0x00000000004CA000-memory.dmp | yara_rule: family_xworm
resource: C:\Users\Admin\AppData\Roaming\WindowsSecurity | yara_rule: family_xworm
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid 4736: powershell.exe
pid 4760: powershell.exe
pid 4732: powershell.exe
pid 2564: powershell.exe
-
Disables Task Manager via registry modification
-
Drops startup file 2 IoCs
Processes:
description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk | process: Nurik.exe
description: File opened for modification | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk | process: Nurik.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid 3624: WindowsSecurity
pid 5024: dqveec.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSecurity" | process: Nurik.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 1: ip-api.com
-
Modifies WinLogon 2 TTPs 1 IoCs
Processes:
description: Set value (int) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | process: dqveec.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper | process: dqveec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 2 IoCs
Processes:
pid 1560: taskkill.exe
pid 856: taskkill.exe
-
Modifies registry class 4 IoCs
Processes:
description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | process: dqveec.exe
description: Key created | ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | process: dqveec.exe
description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | process: dqveec.exe
description: Key created | ioc: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2994005945-4089876968-1367784197-1000\{6AAE41D7-DAFD-46E2-B4DB-4F8E20EDE2D0} | process: dqveec.exe
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid 3324: Nurik.exe
pid 5024: dqveec.exe
pid 5024: dqveec.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\Nurik.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Nurik.exe"
Process tree depth: 1
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nurik.exe'
Process tree depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nurik.exe'
Process tree depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity'
Process tree depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity'
Process tree depth: 2
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\System32\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Roaming\WindowsSecurity"
Process tree depth: 2
- Creates scheduled task(s)
-
Image: C:\Users\Admin\AppData\Local\Temp\dqveec.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\dqveec.exe"
Process tree depth: 2
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
Process tree depth: 3
- Suspicious use of WriteProcessMemory
-
Image: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im explorer.exe
Process tree depth: 4
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im taskmgr.exe
Process tree depth: 4
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
Command line: wmic useraccount where name='Admin' set FullName='UR NEXT'
Process tree depth: 4
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
Command line: wmic useraccount where name='Admin' rename 'UR NEXT'
Process tree depth: 4
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\SysWOW64\shutdown.exe
Command line: shutdown /f /r /t 0
Process tree depth: 4
-
Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Process tree depth: 1
-
Image: C:\Users\Admin\AppData\Roaming\WindowsSecurity
Command line: C:\Users\Admin\AppData\Roaming\WindowsSecurity
Process tree depth: 1
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Image: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
Process tree depth: 1
-
Image: C:\Windows\system32\LogonUI.exe
Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a2d855 /state1:0x41c64e6d
Process tree depth: 1
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Scheduled Task/Job: 1
Privilege Escalation
Boot or Logon Autostart Execution: 2
Registry Run Keys / Startup Folder: 1
Winlogon Helper DLL: 1
Scheduled Task/Job: 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize: 640KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize: 9KB
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hoo1bral.hpr.ps1
Filesize: 60B
-
C:\Users\Admin\AppData\Local\Temp\dqveec.exe
Filesize: 6.7MB
-
C:\Users\Admin\AppData\Local\Temp\one.rtf
Filesize: 403B
-
C:\Users\Admin\AppData\Local\Temp\rniw.exe
Filesize: 76KB
-
C:\Users\Admin\AppData\Local\Temp\windl.bat
Filesize: 771B
-
C:\Users\Admin\AppData\Roaming\WindowsSecurity
Filesize: 210KB
-
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
Filesize: 396B