Analysis
max time kernel: 150s
max time network: 139s
platform: windows10_x64
resource: win10v20210408
submitted: 26-07-2021 12:57
Static task: static1
Behavioral task: behavioral1
  Sample: 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
  Resource: win10v20210408
General
Target: 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
Size: 731KB
MD5: 3d9a9103b13744b626e67f5dab6618e7
SHA1: 9ad16fb6810dd136985c8a78688b81e275ddf979
SHA256: 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
SHA512: b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34
Malware Config
Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-ywrfvle.txt (ransom note):
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion/
Extracted from C:\ProgramData\siyrcpf.html (same payment URLs):
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion
All three point at one hidden service: the .onion.cab and .tor2web.org hosts are clearnet Tor2Web gateways to it, so a victim without Tor can still reach the payment page. Block or alert on the gateway hostnames as well as the .onion name.
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
  pid 3992  gvpesyf.exe
  pid 1996  gvpesyf.exe
  pid 1032  gvpesyf.exe
  pid 1520  gvpesyf.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation  gvpesyf.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
  File opened for modification  C:\$RECYCLE.BIN\S-1-5-18\desktop.ini  svchost.exe
-
Drops file in System32 directory 6 IoCs
Processes:
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini  gvpesyf.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-ywrfvle.bmp"  Explorer.EXE
The write is attributed to Explorer.EXE (pid 3016), which the hollowed gvpesyf.exe (pid 1996) wrote into shortly before; the .bmp sits beside the .txt ransom note and carries the same ywrfvle suffix.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID 3128 set thread context of 2784  (1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe -> 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe)
  PID 3992 set thread context of 1996  (gvpesyf.exe -> gvpesyf.exe)
  PID 1032 set thread context of 1520  (gvpesyf.exe -> gvpesyf.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 2860  vssadmin.exe
-
Modifies Internet Explorer settings 4 IoCs
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\GPU  gvpesyf.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""  gvpesyf.exe
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  gvpesyf.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  gvpesyf.exe
These GPU and WindowsSearch values are the kind Internet Explorer's own rendering components write on first use; here they most likely reflect the dropped siyrcpf.html being shown in an embedded browser control rather than deliberate tampering with browser settings.
-
Modifies data under HKEY_USERS 21 IoCs
Processes: svchost.exe (every key below is under \REGISTRY\USER\.DEFAULT)
  Set value (str)  Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"
  Set value (data)  Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  Key created  Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}
  Key created  Software\Microsoft\Windows\CurrentVersion
  Key created  Software\Microsoft\Windows\CurrentVersion\Explorer
  Set value (str)  Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"
  Set value (str)  Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"
  Key created  Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  Set value (int)  Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}\NukeOnDelete = "0"
  Key created  Software\Microsoft
  Key created  Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
  Set value (str)  Control Panel\Desktop\WallpaperStyle = "0"
  Key created  Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
  Set value (int)  Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}\MaxCapacity = "15150"
  Set value (data)  Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640030003500630066006300340061002d0030003000300030002d0030003000300030002d0030003000300030002d003500300030003600300030003000300030003000300030007d0000000000
  Key created  Software
  Key created  Software\Microsoft\Windows
  Key created  Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
  Key created  Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID
  Set value (str)  Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"
  Set value (str)  Control Panel\Desktop\TileWallpaper = "0"
{645FF040-5081-101B-9F08-00AA002F954E} is the Recycle Bin CLSID and BitBucket holds its per-volume settings, so these are shell bookkeeping entries in the SYSTEM (.DEFAULT) hive, side effects of files being deleted and the wallpaper being changed, not a persistence mechanism. The process to look at is the one that wrote into this svchost (pid 728): gvpesyf.exe pid 1996, per the WriteProcessMemory table.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
  pid 2784  1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe  (2 hits)
  pid 1996  gvpesyf.exe  (14 hits)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 3016  Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  Token: SeDebugPrivilege  1996 gvpesyf.exe  (2 hits)
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  3016 Explorer.EXE  (62 hits, strictly alternating: 31 of each)
Only the SeDebugPrivilege enable by the hollowed gvpesyf.exe is meaningful; it is what a process needs before opening other processes (svchost, Explorer) for WriteProcessMemory. The Explorer.EXE shutdown/pagefile toggling is routinely seen from the shell and is not an indicator on its own.
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid 1520  gvpesyf.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
  pid 1520  gvpesyf.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid 3128  1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe
  pid 3992  gvpesyf.exe
  pid 1032  gvpesyf.exe
  pid 1520  gvpesyf.exe  (2 hits)
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
  PID 3128 wrote to memory of 2784  (1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe -> same image, 6 hits)
  PID 3992 wrote to memory of 1996  (gvpesyf.exe -> gvpesyf.exe, 6 hits)
  PID 1996 wrote to memory of 728   (gvpesyf.exe -> svchost.exe, 1 hit)
  PID 1996 wrote to memory of 3016  (gvpesyf.exe -> Explorer.EXE, 1 hit)
  PID 1996 wrote to memory of 2860  (gvpesyf.exe -> vssadmin.exe, 3 hits)
  PID 1996 wrote to memory of 1032  (gvpesyf.exe -> gvpesyf.exe, 3 hits)
  PID 1032 wrote to memory of 1520  (gvpesyf.exe -> gvpesyf.exe, 6 hits)
Read together with the SetThreadContext table: the three same-image pairs that also get a thread-context reset (3128 -> 2784, 3992 -> 1996, 1032 -> 1520) are hollowed children running the unpacked payload; the 1996 -> 1032 pair has writes but no context reset and is a plain launch of the "-u" stage.
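The three behaviours in this report that a detection engineer would want to catch generically are the same-image hollowing chain (WriteProcessMemory followed by SetThreadContext into a child running the parent's own image, seen three times), the vssadmin shadow-copy deletion, and the Geo\Nation geofence lookup. The following is detection logic for those three, replayed over an event list constructed from the IoC tables above. It is an added example written by the editor, not part of the Triage report and not the sample's code; the Event schema, the rule names and the event list itself are assumptions made for the example, while the PIDs, image names, registry path and command line are taken from the report.

```python
"""Replay three of the report's behaviours as detection rules.

Added example (editor's code, not the Triage report's and not the sample's).
The Event schema and rule names are assumptions; PIDs, images, the registry
path and the vssadmin command line come from the report's IoC tables."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = "1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"
DROPPED = "gvpesyf.exe"


@dataclass(frozen=True)
class Event:
    kind: str            # wrote_to_memory | set_thread_context | create_process | reg_query
    pid: int
    image: str
    target_pid: int = 0
    target_image: str = ""
    detail: str = ""     # command line or registry path, where relevant


# Constructed from the report: one event per distinct IoC (the report counts
# several WriteProcessMemory hits per child; collapsing them changes nothing).
EVENTS: List[Event] = [
    Event("create_process", 3016, "Explorer.EXE", 3128, SAMPLE,
          f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'),
    Event("wrote_to_memory", 3128, SAMPLE, 2784, SAMPLE),
    Event("set_thread_context", 3128, SAMPLE, 2784, SAMPLE),
    Event("wrote_to_memory", 3992, DROPPED, 1996, DROPPED),
    Event("set_thread_context", 3992, DROPPED, 1996, DROPPED),
    Event("wrote_to_memory", 1996, DROPPED, 728, "svchost.exe"),   # write, no context reset
    Event("wrote_to_memory", 1996, DROPPED, 2860, "vssadmin.exe"),
    Event("create_process", 1996, DROPPED, 2860, "vssadmin.exe", "vssadmin delete shadows all"),
    Event("wrote_to_memory", 1996, DROPPED, 1032, DROPPED),        # same image, but a plain launch
    Event("wrote_to_memory", 1032, DROPPED, 1520, DROPPED),
    Event("set_thread_context", 1032, DROPPED, 1520, DROPPED),
    Event("reg_query", 1520, DROPPED,
          detail=r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000"
                 r"\Control Panel\International\Geo\Nation"),
]


def find_self_hollowing(events: List[Event]) -> List[Tuple[int, int, str]]:
    """Parent writes into a child running the SAME image and then resets the
    child's thread context: the RunPE / process-hollowing fingerprint. Either
    call alone is noisy (debuggers, installers); requiring both on a same-image
    child is what keeps the rule quiet."""
    writes = {(e.pid, e.target_pid) for e in events if e.kind == "wrote_to_memory"}
    return [
        (e.pid, e.target_pid, e.image)
        for e in events
        if e.kind == "set_thread_context"
        and (e.pid, e.target_pid) in writes
        and e.image.lower() == e.target_image.lower()
    ]


SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)


def find_shadow_deletion(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Any vssadmin invocation that deletes shadow copies, keyed by the parent
    that launched it: the parent, not vssadmin.exe, is the process to contain."""
    return [(e.pid, e.image, e.detail) for e in events
            if e.kind == "create_process" and SHADOW_DELETE.search(e.detail)]


GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


def find_geofence_lookup(events: List[Event]) -> List[Tuple[int, str]]:
    """Reads of the per-user Geo\\Nation value. Low severity alone (many apps
    read it), but a strong secondary signal next to the two rules above."""
    return [(e.pid, e.image) for e in events
            if e.kind == "reg_query" and GEO_NATION.search(e.detail)]


def run_detections(events: List[Event]) -> Dict[str, list]:
    """Return only the rules that fired, with their hits."""
    hits = {
        "process_hollowing_same_image": find_self_hollowing(events),
        "shadow_copy_deletion": find_shadow_deletion(events),
        "geofence_registry_lookup": find_geofence_lookup(events),
    }
    return {name: h for name, h in hits.items() if h}


if __name__ == "__main__":
    for rule, rule_hits in run_detections(EVENTS).items():
        print(rule)
        for h in rule_hits:
            print("   ", h)
```

Running it reports three hollowing pairs (3128 -> 2784, 3992 -> 1996, 1032 -> 1520), one shadow-copy deletion launched by pid 1996, and one Geo\Nation read by pid 1520. The 1996 -> 1032 write is included as a negative case: the report shows writes into that child but no SetThreadContext, which is what a plain launch of the "-u" stage looks like, and the rule correctly leaves it alone.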
Processes
- c:\windows\system32\svchost.exe  (pid 728)  cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
  - Drops desktop.ini file(s)
  - Modifies data under HKEY_USERS
- C:\Windows\Explorer.EXE  (pid 3016)  cmdline: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe  (pid 3128)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe  (pid 2784, hollowed)  cmdline: "C:\Users\Admin\AppData\Local\Temp\1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f.sample.exe"
      - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (pid 3992)  cmdline: C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (pid 1996, hollowed)  cmdline: "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe  (pid 2860)  cmdline: vssadmin delete shadows all
      - Interacts with shadow copies
    - C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (pid 1032)  cmdline: "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe" -u
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (pid 1520, hollowed)  cmdline: "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in System32 directory
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
PIDs and the "hollowed" markers are taken from the SetThreadContext and WriteProcessMemory tables above. The pattern repeats per generation: the submitted sample hollows a copy of itself (3128 -> 2784), drops gvpesyf.exe (a byte-identical self-copy, see Downloads) which is started as a top-level process, and each gvpesyf.exe launcher hollows its own child in turn. All of the actual work (shadow-copy deletion, writing into svchost and Explorer, the geofence check, the ransom-note display) happens in the hollowed children 1996 and 1520, so those are the processes whose memory dumps are worth unpacking.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft OneDrive\kqqzngi  (version 1; reported twice with these hashes)
MD5: 3caa504aa2f2abf61328e4017f7f6280
SHA1: cab901ddee471e9d3d089e00de1eef55870ab7e0
SHA256: 0fa5c00c0fbfd16671b3ad680d0a574ae030c98463fcb493089a53831b21604d
SHA512: 338732ce07f62c26b688130b6f3a3534c1095ab24b83d69fb980c9733b5df07af02ebf5fccf7f66c52243b8d9c9811d8790766a39d39a61052c46b279f49e4f8
-
C:\ProgramData\Microsoft OneDrive\kqqzngi  (version 2)
MD5: 829ded0faec1c219f9496776041373bd
SHA1: 6243538e0c2f09ce858f89427deded68771e4d8e
SHA256: 86b9e86fe87e443f3fed38c78ad41aef7b29b88afb12518d924c771f7f473208
SHA512: 7136a6dae2b5113a11e3c4eaf3a6e8e682585b0ea0f72d19b634855a7b1b16f55de811568479c433afbbe390a8020bbe50be95c6bb6e5795c8b963900ede78ae
-
C:\ProgramData\Microsoft OneDrive\kqqzngi  (version 3; reported twice with these hashes)
MD5: 1efc2b86eb12118d93a1cbfedab54d36
SHA1: 36be3a0ec8bb3b032e5c855f3c8490526437a08c
SHA256: c9a0f0f6340f513e3ece18e3a6f0256bc8631e6603acfdc90d6d8335a812864f
SHA512: 5c411076c33b0cfb487f70ccd30a04f3b9960fd9f402a0b73d778cd60c93dee99231a69b110b4999699f97386bdbb8edd254b8f77d2a9a41deb5f9c12a7a418d
-
C:\ProgramData\siyrcpf.html
MD5: e41df5bce7e1ac986ec5c92e32cd88bd
SHA1: 1852710c3560eb8d715015d3c173a079218d4826
SHA256: d6028ba7d8d23407aee73b93315f38c92af5db3ecff7a66c12a433dc432c23d6
SHA512: 418983453ab8ca19e2646eaf957fccd44435e20dd87c75b24aac012dbe811b28a9a9520886c2e9937247a3161131094d8b061b86cb11e7f39efce2c12dfe4a72
-
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (reported five times; hashes identical to the submitted sample, i.e. a self-copy)
MD5: 3d9a9103b13744b626e67f5dab6618e7
SHA1: 9ad16fb6810dd136985c8a78688b81e275ddf979
SHA256: 1acaa7aed372080632dd0958c63c0a9ad56f8b4dbdc3c265801321018766b29f
SHA512: b76543636c4b25393e3a896fe9bf48d26dc6d6da72e417a00a63692e54e03d766c2e4e43f9c591b0cd62b7022e76be57ddbf14924e837e41932baa22b5eb9c34
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.ywrfvle  (encrypted file; the appended .ywrfvle extension matches the suffix in the ransom-note filename)
MD5: b5d4b08ac5018764df6d527af428632f
SHA1: d9bbac3a29e7d30411b05f639c833d32e8357758
SHA256: d1daf4233397c1067ebda0f1866d41db5d4941e12d6acd61f0044b39110bdf75
SHA512: d405445a932dcf218617b70f765486de53869e73bb697fba705c65825c5ece2bbfff43ac0e70c62cfc74ef4353f084bed2112fcb4cfe6f8a6fb6c845607f35ba
-
memory/728-130-0x000000000FA10000-0x000000000FA87000-memory.dmp  (476KB)
memory/1032-139-0x0000000000000000-mapping.dmp
memory/1520-144-0x000000000042CD47-mapping.dmp
memory/1520-147-0x0000000000A80000-0x0000000000CCB000-memory.dmp  (2.3MB)
memory/1996-129-0x0000000000980000-0x0000000000BCB000-memory.dmp  (2.3MB)
memory/1996-128-0x0000000000760000-0x000000000097A000-memory.dmp  (2.1MB)
memory/1996-126-0x000000000042CD47-mapping.dmp
memory/2784-116-0x0000000000400000-0x00000000004A5000-memory.dmp  (660KB)
memory/2784-120-0x0000000000910000-0x0000000000B5B000-memory.dmp  (2.3MB)
memory/2784-119-0x0000000000400000-0x00000000004A4400-memory.dmp  (657KB)
memory/2784-117-0x000000000042CD47-mapping.dmp
memory/2860-137-0x0000000000000000-mapping.dmp
The three hollowed children (2784, 1996, 1520) share the same mapped entry address, 0x42CD47, which is consistent with the same unpacked payload being started in each generation. For static analysis, the 0x400000-0x4A5000 dump of pid 2784 (660KB) is the image-base region of the first hollowed child and is the most likely place to recover that payload; the 476KB region in svchost (pid 728) at 0xFA10000 is what pid 1996 wrote into the service process.