Analysis
- max time kernel: 150s
- max time network: 35s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:39
Static task: static1
Behavioral task: behavioral1
- Sample: d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
- Resource: win10v20210408
General
- Target: d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
- Size: 682KB
- MD5: 45ec8fc71ee99d25db903a68ca7f5ec3
- SHA1: d460fc45d2355d352e60c1e95b0156f69487372e
- SHA256: d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab
- SHA512: 85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ouygjrd.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-ouygjrd.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\ProgramData\ummcbbc.html
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
exusltb.exe, exusltb.exe, exusltb.exe, exusltb.exe
pid | process
1200 | exusltb.exe
880 | exusltb.exe
1092 | exusltb.exe
1992 | exusltb.exe
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
svchost.exe
description | ioc | process
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UnblockSuspend.RAW.ouygjrd | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ReceiveCompare.CRW.ouygjrd | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UnpublishSync.RAW.ouygjrd | svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
exusltb.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation | exusltb.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
svchost.exe
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
-
Drops file in System32 directory 1 IoCs
Processes:
exusltb.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | exusltb.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
Explorer.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-ouygjrd.bmp" | Explorer.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe, exusltb.exe, exusltb.exe
description | pid | process | target process
PID 916 set thread context of 1968 | 916 | d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe | d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
PID 1200 set thread context of 880 | 1200 | exusltb.exe | exusltb.exe
PID 1092 set thread context of 1992 | 1092 | exusltb.exe | exusltb.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
svchost.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ouygjrd.txt | svchost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ouygjrd.bmp | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe
pid | process
544 | vssadmin.exe
-
Processes:
exusltb.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | exusltb.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | exusltb.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | exusltb.exe
-
Modifies data under HKEY_USERS 19 IoCs
Processes:
svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963} | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe, exusltb.exe
pid | process
1968 | d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
880 | exusltb.exe
880 | exusltb.exe
880 | exusltb.exe
880 | exusltb.exe
880 | exusltb.exe
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
exusltb.exe, Explorer.EXE, AUDIODG.EXE
description | pid | process
Token: SeDebugPrivilege | 880 | exusltb.exe
Token: SeDebugPrivilege | 880 | exusltb.exe
Token: SeShutdownPrivilege | 1208 | Explorer.EXE
Token: SeShutdownPrivilege | 1208 | Explorer.EXE
Token: SeShutdownPrivilege | 1208 | Explorer.EXE
Token: SeShutdownPrivilege | 1208 | Explorer.EXE
Token: SeShutdownPrivilege | 1208 | Explorer.EXE
Token: SeShutdownPrivilege | 1208 | Explorer.EXE
Token: 33 | 1256 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1256 | AUDIODG.EXE
Token: 33 | 1256 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1256 | AUDIODG.EXE
-
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
exusltb.exe, Explorer.EXE
pid | process
1992 | exusltb.exe
1208 | Explorer.EXE
1208 | Explorer.EXE
1208 | Explorer.EXE
1208 | Explorer.EXE
1208 | Explorer.EXE
1208 | Explorer.EXE
-
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
exusltb.exe, Explorer.EXE
pid | process
1992 | exusltb.exe
1208 | Explorer.EXE
1208 | Explorer.EXE
1208 | Explorer.EXE
1208 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe, exusltb.exe, exusltb.exe, exusltb.exe
pid | process
916 | d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
1200 | exusltb.exe
1092 | exusltb.exe
1992 | exusltb.exe
1992 | exusltb.exe
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe, taskeng.exe, exusltb.exe, exusltb.exe, svchost.exe, exusltb.exe
description | pid | process | target process | times listed
PID 916 wrote to memory of 1968 | 916 | d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe | d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe | 7
PID 1736 wrote to memory of 1200 | 1736 | taskeng.exe | exusltb.exe | 4
PID 1200 wrote to memory of 880 | 1200 | exusltb.exe | exusltb.exe | 7
PID 880 wrote to memory of 580 | 880 | exusltb.exe | svchost.exe | 1
PID 580 wrote to memory of 1832 | 580 | svchost.exe | DllHost.exe | 3
PID 880 wrote to memory of 1208 | 880 | exusltb.exe | Explorer.EXE | 1
PID 880 wrote to memory of 544 | 880 | exusltb.exe | vssadmin.exe | 4
PID 880 wrote to memory of 1092 | 880 | exusltb.exe | exusltb.exe | 4
PID 1092 wrote to memory of 1992 | 1092 | exusltb.exe | exusltb.exe | 7
PID 580 wrote to memory of 908 | 580 | svchost.exe | DllHost.exe | 3
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    [2] C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe"
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe"
            - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\DllHost.exe
        Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    [2] C:\Windows\system32\DllHost.exe
        Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {22159274-32D0-4A17-A3DC-C027D2527EA7} S-1-5-18:NT AUTHORITY\System:Service:
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\exusltb.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\exusltb.exe
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\exusltb.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\exusltb.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\vssadmin.exe
                Command line: vssadmin delete shadows all
                - Interacts with shadow copies
            [4] C:\Users\Admin\AppData\Local\Temp\exusltb.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\exusltb.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\exusltb.exe"
                    - Executes dropped EXE
                    - Checks computer location settings
                    - Drops file in System32 directory
                    - Modifies Internet Explorer settings
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x228
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Mozilla\grnkdai
-
C:\ProgramData\ummcbbc.html
-
C:\Users\Admin\AppData\Local\Temp\exusltb.exe