Analysis

max time kernel: 157s
max time network: 122s
platform: windows10_x64
resource: win10v20210408
submitted: 26-07-2021 12:39
Static task: static1
Behavioral task: behavioral1
  Sample: d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
  Resource: win10v20210408
General

Target: d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
Size: 682KB
MD5: 45ec8fc71ee99d25db903a68ca7f5ec3
SHA1: d460fc45d2355d352e60c1e95b0156f69487372e
SHA256: d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab
SHA512: 85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e
Malware Config

Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-oidgvle.txt (the text ransom note):
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion/
Extracted from C:\ProgramData\siyrcpf.html (the HTML ransom note):
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion

All three URLs point at the same Tor hidden service. The .onion.cab and .tor2web.org names are Tor2Web gateways, which let the victim reach the hidden service from an ordinary browser without installing Tor; for blocking and hunting, the hidden-service name jssestaew3e7ao3q is the stable indicator, the gateway domains are interchangeable.
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
  pid   process
  776   gvpesyf.exe
  4032  gvpesyf.exe
  2240  gvpesyf.exe
  2136  gvpesyf.exe
The dropped C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe has the same MD5, SHA1 and SHA256 as the submitted sample (see Downloads): the sample copies itself to %TEMP% under a random name and re-executes from there, so the four PIDs above are all the same binary.
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  description   ioc                                                                                        process
  File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ApproveWait.CRW.oidgvle           svchost.exe
  File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\LockHide.CRW.oidgvle              svchost.exe
  File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SplitRead.RAW.oidgvle             svchost.exe
  File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ImportSubmit.CRW.oidgvle          svchost.exe
Each encrypted file is first written to a single staging file, C:\Windows\Temp\laaaaaaa.tmp, and then renamed into the victim's folder under the original name with .oidgvle appended; the original extension (.CRW, .RAW) is kept in front of it. The renames are attributed to svchost.exe rather than to the sample, which is consistent with gvpesyf.exe (PID 4032) writing into the memory of svchost.exe (PID 696) in the WriteProcessMemory table below: the encryption runs from injected code.
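The write-then-rename pattern above (one reused staging file, an unknown suffix appended after a real extension, many files in the user profile) is what a detection should key on rather than the .oidgvle string itself, which changes per victim. The following is an added example, not part of the sandbox report: it parses rename events in the same shape as the table, clusters them by appended extension and reports clusters that look like mass encryption. The sample events are constructed (the four rows above plus one invented benign rename), and the threshold of three files is an assumption.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: the four rename rows from the report plus one benign
# rename (an installer finishing a download) that must not be flagged.
SAMPLE_RENAMES = [
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ApproveWait.CRW.oidgvle svchost.exe",
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\LockHide.CRW.oidgvle svchost.exe",
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SplitRead.RAW.oidgvle svchost.exe",
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ImportSubmit.CRW.oidgvle svchost.exe",
    r"File renamed C:\Users\Admin\AppData\Local\Temp\setup.part => C:\Users\Admin\Downloads\setup.exe setup.exe",
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+?) (?P<proc>\S+)$")
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def parse_rename(line: str):
    """Split one 'File renamed SRC => DST PROCESS' event, or return None."""
    m = RENAME_RE.match(line.strip())
    return (m["src"], m["dst"], m["proc"]) if m else None


def appended_extension(path: str):
    """Suffix appended after an existing extension ('ApproveWait.CRW.oidgvle'
    -> '.oidgvle'); None when the file has a single suffix like 'setup.exe'."""
    suffixes = PureWindowsPath(path).suffixes
    return suffixes[-1].lower() if len(suffixes) >= 2 else None


def find_mass_renames(events, threshold: int = 3):
    """Cluster renames of user-profile files by appended extension and report
    clusters of at least `threshold` distinct files. A cluster whose distinct
    destinations outnumber its distinct sources means one staging file was
    reused, i.e. the write-then-rename pattern seen in the report."""
    clusters = defaultdict(lambda: {"files": set(), "sources": set(), "processes": set()})
    for line in events:
        parsed = parse_rename(line)
        if parsed is None:
            continue
        src, dst, proc = parsed
        ext = appended_extension(dst)
        if ext is None or not USER_PROFILE_RE.match(dst):
            continue  # no appended extension, or not a user file
        c = clusters[ext]
        c["files"].add(dst.lower())
        c["sources"].add(src.lower())
        c["processes"].add(proc)
    hits = []
    for ext, c in clusters.items():
        if len(c["files"]) >= threshold:
            hits.append({
                "extension": ext,
                "files": len(c["files"]),
                "staging_reused": len(c["sources"]) < len(c["files"]),
                "processes": sorted(c["processes"]),
            })
    return sorted(hits, key=lambda h: -h["files"])


if __name__ == "__main__":
    for hit in find_mass_renames(SAMPLE_RENAMES):
        print(hit)
```

On the report's rows this yields one cluster: extension .oidgvle, four files, staging file reused, process svchost.exe. Files that legitimately carry two suffixes (report.final.docx) produce one-off clusters below the threshold; the signal is the count per extension and the reused staging source, and the reporting process should be recorded but not trusted, since here it is a system service that was injected into.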
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation   gvpesyf.exe
The query comes from the last-stage copy of gvpesyf.exe (PID 2136 in the process tree).
Drops desktop.ini file(s) 1 IoCs
Processes:
  description                   ioc                                   process
  File opened for modification  C:\$RECYCLE.BIN\S-1-5-18\desktop.ini  svchost.exe
S-1-5-18 is the LocalSystem SID: the file operations run inside svchost.exe as SYSTEM, so the shell initialises a Recycle Bin for that account (the matching BitBucket keys appear under HKEY_USERS\.DEFAULT below).
Drops file in System32 directory 6 IoCs
Processes:
  description                   ioc                                                                                                  process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5       gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                 gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5         gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat     gvpesyf.exe
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini         gvpesyf.exe
These are the WinINet cache, cookie and history folders of the SYSTEM profile, seen through the 32-bit (SysWOW64) view; nothing is dropped into System32 proper.
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-oidgvle.bmp"  Explorer.EXE
The wallpaper is the bitmap version of the ransom note, dropped next to the .txt note in Documents. The write is attributed to Explorer.EXE (PID 2708), into which gvpesyf.exe (PID 4032) writes memory (WriteProcessMemory table below); detections for this artefact should key on the value name and the !Decrypt-All-Files- path, not on the writing process.
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                         pid   process                                                                       target process
  PID 568 set thread context of 348   568   d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe   d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe
  PID 776 set thread context of 4032  776   gvpesyf.exe                                                                   gvpesyf.exe
  PID 2240 set thread context of 2136 2240  gvpesyf.exe                                                                   gvpesyf.exe
In every case the parent starts a fresh copy of its own image, writes into it (WriteProcessMemory below) and then replaces the new process's thread context: the process-hollowing sequence, repeated at each stage. The three targets (348, 4032, 2136) are exactly the processes whose mapping dumps in the memory list below all record the same address, 0x42CD47.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid   process
  1148  vssadmin.exe
The command line recorded in the process tree is "vssadmin delete shadows all", launched from C:\Windows\SysWOW64 because the parent gvpesyf.exe (PID 4032) is a 32-bit process and is redirected to the WOW64 copy. Note that the argument is recorded as "all" rather than "/all": detection logic that matches the literal "/all /quiet" string would miss this command line as recorded. The report does not show vssadmin's exit status, so whether the deletion succeeded is not established here; the signature fires on the command line.
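Shadow-copy deletion is the highest-confidence ransomware indicator on this page and the one a SOC can alert on in real time from process-creation telemetry. The following is an added example, not part of the sandbox report: it tokenises command lines so that "delete shadows all", "delete shadows /all /quiet" and "DELETE SHADOWS -all" all match, and raises severity when the parent runs from a user-writable path, as gvpesyf.exe does here. The process records are constructed in Sysmon-event-1 style (the first mirrors PID 1148 from the process tree, the other two are invented), and the rule list beyond vssadmin is an assumption based on other commonly observed techniques.

```python
import re

# Constructed process-creation records in Sysmon event 1 style. The first
# mirrors the vssadmin.exe entry in the process tree; the others are invented
# to show a benign query and a second deletion technique.
SAMPLE_PROCESSES = [
    {"pid": 1148, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmdline": "vssadmin delete shadows all",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe"},
    {"pid": 3300, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 3401, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

# (image basename, tokens that must all be present, label). Assumed rule set.
SHADOW_RULES = [
    ("vssadmin.exe", {"delete", "shadows"}, "vssadmin deletes shadow copies"),
    ("vssadmin.exe", {"resize", "shadowstorage"}, "vssadmin shrinks shadow storage (evicts copies)"),
    ("wmic.exe", {"shadowcopy", "delete"}, "WMIC deletes shadow copies"),
    ("powershell.exe", {"win32_shadowcopy"}, "PowerShell touches Win32_ShadowCopy"),
]

USER_WRITABLE_RE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmd_tokens(cmdline: str):
    """Lower-case tokens with quotes and '/' or '-' switch prefixes stripped,
    so 'delete shadows all' and 'Delete Shadows /All /Quiet' compare equal."""
    return {t.strip('"').lstrip("/-").lower() for t in cmdline.split()}


def detect_shadow_tampering(records):
    """Return one hit per record whose image and tokens satisfy a rule."""
    hits = []
    for rec in records:
        image = basename(rec["image"])
        toks = cmd_tokens(rec["cmdline"])
        for rule_image, required, label in SHADOW_RULES:
            if image == rule_image and required <= toks:
                from_user_path = bool(USER_WRITABLE_RE.search(rec["parent_image"]))
                hits.append({
                    "pid": rec["pid"],
                    "rule": label,
                    "parent": basename(rec["parent_image"]),
                    # a shadow-copy wipe driven by a binary in %TEMP% or
                    # ProgramData is the ransomware case; an admin at cmd.exe
                    # is worth a look but not a page
                    "severity": "high" if from_user_path else "medium",
                    # SysWOW64 image means a 32-bit parent, as in this report
                    "wow64": "\\syswow64\\" in rec["image"].lower(),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in detect_shadow_tampering(SAMPLE_PROCESSES):
        print(hit)
```

On the constructed records, PID 1148 is reported as high severity (parent in %TEMP%, WOW64 vssadmin), the "list shadows" query is ignored, and the WMIC deletion is medium. Token matching rather than substring matching is what keeps the "all" vs "/all" difference from mattering.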
Modifies Internet Explorer settings 4 IoCs
Processes:
  description      ioc                                                                                                                                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\GPU                                                                                                            gvpesyf.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""  gvpesyf.exe
  Key created      \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch                                                                                              gvpesyf.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"                                                                 gvpesyf.exe
(The signature name is taken from the process tree, where it is listed against the last-stage gvpesyf.exe.) These keys are the kind Internet Explorer's own components write when they are loaded into a process, which is likely here given the HTML ransom note; they are side effects rather than deliberate configuration changes, and the AdapterInfo string is a useful reminder that a sample can learn it is under a hypervisor from values the system writes for it.
Modifies data under HKEY_USERS 21 IoCs
Processes: svchost.exe for every row below.
  description       ioc
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
  Key created       \REGISTRY\USER\.DEFAULT\Software
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
  Set value (str)   \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}\NukeOnDelete = "0"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640030003500630066006300340061002d0030003000300030002d0030003000300030002d0030003000300030002d003500300030003600300030003000300030003000300030007d0000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d05cfc4a-0000-0000-0000-500600000000}\MaxCapacity = "15150"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"
{645FF040-5081-101B-9F08-00AA002F954E} is the Recycle Bin shell folder and BitBucket holds its per-volume settings. The two REG_BINARY values are UTF-16LE strings: LastEnum decodes to "0,{d05cfc4a-0000-0000-0000-500600000000}" and LanguageList to "en-US", "en". Together with the MuiCache string "File Operation" and the TileWallpaper/WallpaperStyle values, these read as ordinary shell side effects of the injected code performing file operations and a wallpaper change while running as SYSTEM (hence the .DEFAULT hive), not as persistence or configuration changes made by the malware on purpose.
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
  pid   process                                                                       occurrences
  348   d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe   2
  4032  gvpesyf.exe                                                                   14
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  2708  Explorer.EXE
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes:
  description                       pid   process        occurrences
  Token: SeDebugPrivilege           4032  gvpesyf.exe    2
  Token: SeShutdownPrivilege        2708  Explorer.EXE   9
  Token: SeCreatePagefilePrivilege  2708  Explorer.EXE   9
The alternating SeShutdownPrivilege/SeCreatePagefilePrivilege pair on Explorer.EXE is routine Explorer behaviour and is listed only because the sandbox tracks the process once it has been written into. The meaningful entry is SeDebugPrivilege on gvpesyf.exe (PID 4032), the privilege needed to open a SYSTEM process such as svchost.exe (PID 696) for the memory write recorded under WriteProcessMemory.
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid   process
  2136  gvpesyf.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
  pid   process
  2136  gvpesyf.exe
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
  pid   process                                                                       occurrences
  568   d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe   1
  776   gvpesyf.exe                                                                   1
  2240  gvpesyf.exe                                                                   1
  2136  gvpesyf.exe                                                                   2
Suspicious use of WriteProcessMemory 26 IoCs
Processes (writer -> target, with the number of writes the sandbox recorded for each pair):
  pid   process                                                                       target pid  target process                                                               writes
  568   d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe   348         d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe  6
  776   gvpesyf.exe                                                                   4032        gvpesyf.exe                                                                  6
  4032  gvpesyf.exe                                                                   696         svchost.exe                                                                  1
  4032  gvpesyf.exe                                                                   2708        Explorer.EXE                                                                 1
  4032  gvpesyf.exe                                                                   1148        vssadmin.exe                                                                 3
  4032  gvpesyf.exe                                                                   2240        gvpesyf.exe                                                                  3
  2240  gvpesyf.exe                                                                   2136        gvpesyf.exe                                                                  6
Two different things are mixed in this table. The writes into freshly created copies of the sample's own image (568->348, 776->4032, 2240->2136), each paired with a SetThreadContext entry above, are the hollowing stages; the writes into children the process itself launched (1148 vssadmin.exe, 2240 gvpesyf.exe) are ordinary process-creation set-up. The single writes into svchost.exe (696) and Explorer.EXE (2708), processes gvpesyf.exe did not create, are injection into running system processes, and they explain why the file renames, the HKEY_USERS/Recycle Bin changes and the wallpaper change are attributed to those processes rather than to the sample.
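Separating hollowing stages from injection into running processes, as the note above does by hand, is a correlation over (writer, target) pairs plus the parent relationship. The following is an added example, not part of the sandbox report: it parses event lines in the same shape as the SetThreadContext and WriteProcessMemory tables, groups them per pair and classifies each pair. The event list is constructed from the rows on this page (one line per distinct pair, since the sandbox repeats identical writes) and the child->parent map is taken from the process tree below; both are inputs the reader would normally pull from telemetry rather than type in.

```python
import re
from collections import defaultdict

SAMPLE = "d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe"
DROP = "gvpesyf.exe"

# Constructed from the SetThreadContext and WriteProcessMemory tables above,
# one line per distinct (writer, target) pair.
SAMPLE_EVENTS = [
    f"PID 568 set thread context of 348 568 {SAMPLE} {SAMPLE}",
    f"PID 776 set thread context of 4032 776 {DROP} {DROP}",
    f"PID 2240 set thread context of 2136 2240 {DROP} {DROP}",
    f"PID 568 wrote to memory of 348 568 {SAMPLE} {SAMPLE}",
    f"PID 776 wrote to memory of 4032 776 {DROP} {DROP}",
    f"PID 4032 wrote to memory of 696 4032 {DROP} svchost.exe",
    f"PID 4032 wrote to memory of 2708 4032 {DROP} Explorer.EXE",
    f"PID 4032 wrote to memory of 1148 4032 {DROP} vssadmin.exe",
    f"PID 4032 wrote to memory of 2240 4032 {DROP} {DROP}",
    f"PID 2240 wrote to memory of 2136 2240 {DROP} {DROP}",
]

# child -> parent, read off the process tree in the report
PARENT_OF = {348: 568, 4032: 776, 1148: 4032, 2240: 4032, 2136: 2240}

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"\d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def correlate_injection(lines, parent_of):
    """Group cross-process events by (writer, target) and classify each pair.
    Returns {(writer_pid, target_pid): {"verdict": ..., "target": image}}."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": False, "src_img": "", "dst_img": ""})
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rec = pairs[(int(m["src"]), int(m["dst"]))]
        rec["src_img"], rec["dst_img"] = m["src_img"], m["dst_img"]
        if m["op"].startswith("wrote"):
            rec["writes"] += 1
        else:
            rec["ctx"] = True

    findings = {}
    for (src, dst), rec in pairs.items():
        is_child = parent_of.get(dst) == src
        same_image = rec["src_img"].lower() == rec["dst_img"].lower()
        if rec["ctx"] and rec["writes"]:
            # memory written into a process whose thread context is then
            # replaced: the hollowing sequence (suspended CreateProcess,
            # WriteProcessMemory, SetThreadContext, ResumeThread)
            verdict = "process hollowing" + (" of own image" if same_image else "")
        elif rec["ctx"]:
            verdict = "thread context tampering without write"
        elif not is_child:
            # a write into a process the writer did not create is injection
            verdict = "injection into existing process"
        else:
            # parents legitimately write into children they just created
            verdict = "write into own child (CreateProcess set-up, low)"
        findings[(src, dst)] = {"verdict": verdict, "target": rec["dst_img"]}
    return findings


if __name__ == "__main__":
    for pair, info in sorted(correlate_injection(SAMPLE_EVENTS, PARENT_OF).items()):
        print(pair, info["verdict"], info["target"])
```

Run on the page's events this labels 568->348, 776->4032 and 2240->2136 as hollowing of the sample's own image, 4032->696 (svchost.exe) and 4032->2708 (Explorer.EXE) as injection into existing processes, and the writes into vssadmin.exe and the "-u" child as low-interest process set-up. In live telemetry the parent map comes from process-creation events, and a target that is a protected or SYSTEM process should raise the score further.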
Processes

Indentation gives the tree depth recorded by the sandbox; PIDs are taken from the signature tables above.

c:\windows\system32\svchost.exe  (cmd: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay, PID 696)
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Modifies data under HKEY_USERS
C:\Windows\Explorer.EXE  (cmd: C:\Windows\Explorer.EXE, PID 2708)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe", PID 568)
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab.sample.exe", PID 348)
      - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (cmd: C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe, PID 776)
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe", PID 4032)
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\vssadmin.exe  (cmd: vssadmin delete shadows all, PID 1148)
      - Interacts with shadow copies
    C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe" -u, PID 2240)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe", PID 2136)
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in System32 directory
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\USOPrivate\kqqzngi
  MD5: f64d6f5bbdcabdc8af0ad960331c8bd1
  SHA1: 7bef51d9bb0361b74a97a9fd8721936a40937b38
  SHA256: 0739ac709bcae44cb58c3ffbfa47d2b00c97ffd8c3e0e48f08c922b8da41540e
  SHA512: 4fc410992bf11ba7fb7804953992820e2c529c360a44ee0f28135a9e2a63ed1b4e1c52071c7dc20ef67bb4601aaf36e4de6461b06571d8e08eca5d6221d3349a
C:\ProgramData\USOPrivate\kqqzngi
  MD5: 075e9e231949e713ffd264b95897d457
  SHA1: 2ee8b70d13603fe5f15635d4c8c3393a650be3cf
  SHA256: b760a1e6e2a0c2b6ca33434251e19f20e2e3e6e36e2053468a557b8933363be0
  SHA512: c67b3f79531f70e756700ecd8411d36dd4628d539531cb7ae9cf1dab32ddc0f54d5d6ffadd77998b9fd26df90dbe92147270ca84cbd0f5787170ba7c4e1976e0
C:\ProgramData\USOPrivate\kqqzngi
  MD5: 126c9672848bac8050f8f63b4afbe3c5
  SHA1: 58cdefde08ff84b453eb5a1d42d00370ff8b8dc8
  SHA256: 1678b5c311334253be5678d5986bae53b61f0a061fb4ea3c63a4d9b64e5ecf9f
  SHA512: 6d771799118363a7d4358354db59ca2f3f6f430c342a0d9f54e2d5d65b33586a2d6cbb34ea535e0403a3d890e593ab9bd8fd4043a9ecb7c2b0db61934330ef7d
C:\ProgramData\USOPrivate\kqqzngi
  MD5: 273fa494b1275bde1cbf2ad82b6b8c14
  SHA1: f32c6e8d0f29ab44cf995bc38df9ec1cb3fd4c12
  SHA256: 639b9fb475e945c8f64b09aa97ed45b6c9ddc9992e267a5eaecad9cf0dd2808d
  SHA512: 92c9819cc378766a2cd1c3b3f810ae81244a2224cbc6034f7118ec3d578f5814ad1d523beda16b48eb8d2d0368d59400c4ed89b52be505f55be3f298e23f8a94
(The same path C:\ProgramData\USOPrivate\kqqzngi is captured with four different contents, i.e. it is rewritten during the run; hunt for the path, not for any one of its hashes.)
C:\ProgramData\siyrcpf.html
  MD5: fe807332938c236f20534b90979dd8da
  SHA1: 1fa39d0a08a893a1611993a3cc21197659817b94
  SHA256: 4b3b9ddfb356728896239bd04f7fc13f830b35dc49135c817f7627b6b4e1f2e6
  SHA512: 86b68070e1b7cae03332fa280cd8ae6e70c4894a539e3c3f4d6b487e17cdd49b10bfc7d59eafa99225ced7bbd32d28ca8cbc4807caf9ee5fd381dc87367906c2
C:\Users\Admin\AppData\Local\Temp\gvpesyf.exe  (identical to the submitted sample: same MD5, SHA1, SHA256 and SHA512)
  MD5: 45ec8fc71ee99d25db903a68ca7f5ec3
  SHA1: d460fc45d2355d352e60c1e95b0156f69487372e
  SHA256: d96950d14352749542917183d25c38234c7ab5249062d913ff88516077eadbab
  SHA512: 85cf082b781aad9a6feed6969b2de3bee578fb1e5a3f96ba5d44b37c976e11be7097ed9eb206c4534f1b9e0ceff57ffd6cf00fb7c56144323b50d65c3dde8b5e
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.oidgvle  (the user's cached theme image, encrypted and renamed with the .oidgvle extension)
  MD5: bae7adf938e0d256512bfa1d79da579b
  SHA1: 6e10b81d6fd3360ea617263dd44baadca3e45380
  SHA256: 8141a8486449863312d381d0f4f99ebd7075bae4bb3b0a247f059647f2a7a290
  SHA512: cc8612ae053cfa8cf90b29224d928355f121a16a39d54ed45a7647a6591c0af580189496606f49c09df2a399395d0c636a03b5d04ca69c2a706c961a0ab97fc2
Memory dumps

  dump                                                               filesize
  memory/348-117-0x0000000000400000-0x00000000004A5000-memory.dmp    660KB
  memory/348-121-0x0000000000970000-0x0000000000BBB000-memory.dmp    2.3MB
  memory/348-120-0x0000000000400000-0x00000000004A4400-memory.dmp    657KB
  memory/348-119-0x0000000000750000-0x000000000096A000-memory.dmp    2.1MB
  memory/348-118-0x000000000042CD47-mapping.dmp
  memory/568-114-0x0000000000830000-0x0000000001133000-memory.dmp    9.0MB
  memory/696-131-0x0000000009990000-0x0000000009A07000-memory.dmp    476KB
  memory/1148-139-0x0000000000000000-mapping.dmp
  memory/2136-145-0x000000000042CD47-mapping.dmp
  memory/2240-140-0x0000000000000000-mapping.dmp
  memory/4032-130-0x0000000000A80000-0x0000000000CCB000-memory.dmp   2.3MB
  memory/4032-127-0x000000000042CD47-mapping.dmp

The three hollowed processes (348, 4032, 2136, the SetThreadContext targets) all record the same mapping address 0x42CD47, i.e. offset 0x2CD47 into an image based at 0x400000, consistent with the parent pointing each new thread context at a fixed entry point in the written-in image. The 0x400000-0x4A5000 dump of PID 348 (660KB) is the unpacked image as it sits in the hollowed child and is the dump to start static analysis from; the 476KB region dumped from svchost.exe (PID 696) is consistent with the code gvpesyf.exe wrote into that service.