Analysis
-
max time kernel
150s
-
max time network
51s
-
platform
windows7_x64
-
resource
win7v20210410
-
submitted
26-07-2021 12:57
Static task
static1
Behavioral task
behavioral1
Sample
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
Resource
win10v20210408
General
-
Target
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
-
Size
731KB
-
MD5
3d9a9103b13744b626e67f5dab6618e7
-
SHA1
9ad16fb6810dd136985c8a78688b81e275ddf979
-
SHA256
1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
-
SHA512
b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-aijhjrd.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-aijhjrd.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\ProgramData\ummcbbc.html
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
1724 | exusltb.exe
1224 | exusltb.exe
1108 | exusltb.exe
1620 | exusltb.exe
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\FormatHide.RAW.aijhjrd | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConvertFromExport.RAW.aijhjrd | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SplitInstall.CRW.aijhjrd | svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation | exusltb.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | exusltb.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-aijhjrd.bmp" | Explorer.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1860 set thread context of 608 | 1860 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1724 set thread context of 1224 | 1724 | exusltb.exe | exusltb.exe
PID 1108 set thread context of 1620 | 1108 | exusltb.exe | exusltb.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-aijhjrd.txt | svchost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-aijhjrd.bmp | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1768 | vssadmin.exe
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | exusltb.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | exusltb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | exusltb.exe
-
Modifies data under HKEY_USERS 19 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963} | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
608 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
1224 | exusltb.exe
1224 | exusltb.exe
1224 | exusltb.exe
1224 | exusltb.exe
1224 | exusltb.exe
1224 | exusltb.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1224 | exusltb.exe
Token: SeDebugPrivilege | 1224 | exusltb.exe
Token: SeShutdownPrivilege | 1380 | Explorer.EXE
Token: SeShutdownPrivilege | 1380 | Explorer.EXE
Token: 33 | 1400 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1400 | AUDIODG.EXE
Token: 33 | 1400 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1400 | AUDIODG.EXE
-
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
pid | process
1620 | exusltb.exe
1380 | Explorer.EXE
1380 | Explorer.EXE
1380 | Explorer.EXE
1380 | Explorer.EXE
1380 | Explorer.EXE
1380 | Explorer.EXE
-
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
pid | process
1620 | exusltb.exe
1380 | Explorer.EXE
1380 | Explorer.EXE
1380 | Explorer.EXE
1380 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
1860 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
1724 | exusltb.exe
1108 | exusltb.exe
1620 | exusltb.exe
1620 | exusltb.exe
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
description | pid | process | target process
PID 1860 wrote to memory of 608 | 1860 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608 | 1860 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608 | 1860 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608 | 1860 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608 | 1860 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608 | 1860 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1860 wrote to memory of 608 | 1860 | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe | 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
PID 1652 wrote to memory of 1724 | 1652 | taskeng.exe | exusltb.exe
PID 1652 wrote to memory of 1724 | 1652 | taskeng.exe | exusltb.exe
PID 1652 wrote to memory of 1724 | 1652 | taskeng.exe | exusltb.exe
PID 1652 wrote to memory of 1724 | 1652 | taskeng.exe | exusltb.exe
PID 1724 wrote to memory of 1224 | 1724 | exusltb.exe | exusltb.exe
PID 1724 wrote to memory of 1224 | 1724 | exusltb.exe | exusltb.exe
PID 1724 wrote to memory of 1224 | 1724 | exusltb.exe | exusltb.exe
PID 1724 wrote to memory of 1224 | 1724 | exusltb.exe | exusltb.exe
PID 1724 wrote to memory of 1224 | 1724 | exusltb.exe | exusltb.exe
PID 1724 wrote to memory of 1224 | 1724 | exusltb.exe | exusltb.exe
PID 1724 wrote to memory of 1224 | 1724 | exusltb.exe | exusltb.exe
PID 1224 wrote to memory of 580 | 1224 | exusltb.exe | svchost.exe
PID 580 wrote to memory of 1060 | 580 | svchost.exe | DllHost.exe
PID 580 wrote to memory of 1060 | 580 | svchost.exe | DllHost.exe
PID 580 wrote to memory of 1060 | 580 | svchost.exe | DllHost.exe
PID 1224 wrote to memory of 1380 | 1224 | exusltb.exe | Explorer.EXE
PID 1224 wrote to memory of 1768 | 1224 | exusltb.exe | vssadmin.exe
PID 1224 wrote to memory of 1768 | 1224 | exusltb.exe | vssadmin.exe
PID 1224 wrote to memory of 1768 | 1224 | exusltb.exe | vssadmin.exe
PID 1224 wrote to memory of 1768 | 1224 | exusltb.exe | vssadmin.exe
PID 1224 wrote to memory of 1108 | 1224 | exusltb.exe | exusltb.exe
PID 1224 wrote to memory of 1108 | 1224 | exusltb.exe | exusltb.exe
PID 1224 wrote to memory of 1108 | 1224 | exusltb.exe | exusltb.exe
PID 1224 wrote to memory of 1108 | 1224 | exusltb.exe | exusltb.exe
PID 1108 wrote to memory of 1620 | 1108 | exusltb.exe | exusltb.exe
PID 1108 wrote to memory of 1620 | 1108 | exusltb.exe | exusltb.exe
PID 1108 wrote to memory of 1620 | 1108 | exusltb.exe | exusltb.exe
PID 1108 wrote to memory of 1620 | 1108 | exusltb.exe | exusltb.exe
PID 1108 wrote to memory of 1620 | 1108 | exusltb.exe | exusltb.exe
PID 1108 wrote to memory of 1620 | 1108 | exusltb.exe | exusltb.exe
PID 1108 wrote to memory of 1620 | 1108 | exusltb.exe | exusltb.exe
PID 580 wrote to memory of 1604 | 580 | svchost.exe | DllHost.exe
PID 580 wrote to memory of 1604 | 580 | svchost.exe | DllHost.exe
PID 580 wrote to memory of 1604 | 580 | svchost.exe | DllHost.exe
Processes
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
-
C:\Windows\system32\taskeng.exe
taskeng.exe {1BE0CBE4-911B-48D1-B680-F34040E03C34} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x26c
1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft Help\grnkdai
-
C:\ProgramData\ummcbbc.html
-
C:\Users\Admin\AppData\Local\Temp\exusltb.exe