Analysis
- max time kernel: 150s
- max time network: 64s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:39
Static task: static1
Behavioral task: behavioral1
  Sample: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
  Resource: win10v20210410
General
- Target: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
- Size: 788KB
- MD5: 40ce00566109565d499b53a150716303
- SHA1: c2decc8da4ea7f18236f7581130515bb378c21da
- SHA256: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21
- SHA512: 8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c
Malware Config
- Extracted from C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-qgsajrd.txt
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion/
- Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-qgsajrd.txt
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion/
- Extracted from C:\ProgramData\ummcbbc.html
  http://tmc2ybfqzgkaeilm.onion.cab
  http://tmc2ybfqzgkaeilm.tor2web.org
  http://tmc2ybfqzgkaeilm.onion
Signatures
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
    612   exusltb.exe
    1700  exusltb.exe
    788   exusltb.exe
    1688  exusltb.exe
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes (description, ioc, process):
    File renamed  C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GrantUndo.RAW.qgsajrd  (svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation  (exusltb.exe)
- Drops desktop.ini file(s) (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\$RECYCLE.BIN\S-1-5-18\desktop.ini  (svchost.exe)
- Drops file in System32 directory (3 IoCs)
  Processes (description, ioc, process):
    File created  C:\Windows\SysWOW64\x\system.pif  (exusltb.exe)
    File created  C:\Windows\SysWOW64\x\system.pif  (exusltb.exe)
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (exusltb.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-qgsajrd.bmp"  (Explorer.EXE)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, process -> target process):
    PID 1668 set thread context of 1516  (bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe -> bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe)
    PID 612 set thread context of 1700  (exusltb.exe -> exusltb.exe)
    PID 788 set thread context of 1688  (exusltb.exe -> exusltb.exe)
- Drops file in Program Files directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-qgsajrd.txt  (svchost.exe)
    File created  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-qgsajrd.bmp  (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process):
    1232  vssadmin.exe
- Modifies Internet Explorer settings (3 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main  (exusltb.exe)
    Key created  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  (exusltb.exe)
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  (exusltb.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\exusltb\Recent File List  (exusltb.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket  (svchost.exe)
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140"  (svchost.exe)
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion  (svchost.exe)
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"  (svchost.exe)
    Set value (str)  \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications  (exusltb.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\exusltb  (exusltb.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Local AppWizard-Generated Applications\exusltb\Settings  (exusltb.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID  (svchost.exe)
    Set value (str)  \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}  (svchost.exe)
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"  (svchost.exe)
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"  (svchost.exe)
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0"  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\Software  (svchost.exe)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon  (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid, process):
    1668  bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
    1516  bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
    612   exusltb.exe
    1700  exusltb.exe  (5 times)
    788   exusltb.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1700  exusltb.exe  (2 times)
    Token: SeShutdownPrivilege  1292  Explorer.EXE  (2 times)
    Token: 33  1980  AUDIODG.EXE  (2 times)
    Token: SeIncBasePriorityPrivilege  1980  AUDIODG.EXE  (2 times)
- Suspicious use of FindShellTrayWindow (7 IoCs)
  Processes (pid, process):
    1688  exusltb.exe
    1292  Explorer.EXE  (6 times)
- Suspicious use of SendNotifyMessage (5 IoCs)
  Processes (pid, process):
    1688  exusltb.exe
    1292  Explorer.EXE  (4 times)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes (pid, process):
    1668  bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
    612   exusltb.exe
    788   exusltb.exe
    1688  exusltb.exe  (2 times)
- Suspicious use of WriteProcessMemory (47 IoCs)
  Processes (description, process -> target process):
    PID 1668 wrote to memory of 1516  (bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe -> bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe)  (9 times)
    PID 1796 wrote to memory of 612  (taskeng.exe -> exusltb.exe)  (4 times)
    PID 612 wrote to memory of 1700  (exusltb.exe -> exusltb.exe)  (9 times)
    PID 1700 wrote to memory of 584  (exusltb.exe -> svchost.exe)
    PID 584 wrote to memory of 620  (svchost.exe -> DllHost.exe)  (3 times)
    PID 1700 wrote to memory of 1292  (exusltb.exe -> Explorer.EXE)
    PID 1700 wrote to memory of 1232  (exusltb.exe -> vssadmin.exe)  (4 times)
    PID 1700 wrote to memory of 788  (exusltb.exe -> exusltb.exe)  (4 times)
    PID 788 wrote to memory of 1688  (exusltb.exe -> exusltb.exe)  (9 times)
    PID 584 wrote to memory of 1724  (svchost.exe -> DllHost.exe)  (3 times)
Processes (the bracketed number is the depth in the process tree; indented entries are children of the entry above)
[1] C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe"
        - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\DllHost.exe
        Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    [2] C:\Windows\system32\DllHost.exe
        Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {857F759E-7448-460E-9BBC-FA7BA45A59CA} S-1-5-18:NT AUTHORITY\System:Service:
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\exusltb.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\exusltb.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\exusltb.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\exusltb.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\vssadmin.exe
                Command line: vssadmin delete shadows all
                - Interacts with shadow copies
            [4] C:\Users\Admin\AppData\Local\Temp\exusltb.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
                - Executes dropped EXE
                - Drops file in System32 directory
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\exusltb.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
                    - Executes dropped EXE
                    - Checks computer location settings
                    - Drops file in System32 directory
                    - Modifies Internet Explorer settings
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x240
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\grnkdai
  MD5: 38b2a008cf7af5973b89ab3e9d55ea36
  SHA1: 062a0e84885acb98deb6af39266b395cbb42985c
  SHA256: 3ba3ef8700f9cdecd9d2e1dffdaa400c9f458f5335ff0e24507f3310236d71b3
  SHA512: fa10b2ff9f9ac45fda2652bcd2bca05c3b1d03a51ec8872d82d0fdba42a3ec2a3e120d55d0f344b7e92a35cd04c2a11673c31fd347f7d77a0afd5883fb00ab15
- C:\ProgramData\Microsoft\grnkdai
  MD5: 6ddf8bbc2cb97d93ff4c14c8e0c38405
  SHA1: 8de44461242eef1423ab98d6c2ffc612fdda2b1e
  SHA256: 629cb859a347ce415e8dee86eb195b2f59fc09cb42c38b889d920368f1ebea22
  SHA512: 9fce8f0c4c84347cad9c623a53e778d34d138d7806181e93a5076f3f82a356059d047a8f340a8f06f10f3963429022a4103abcc6aafbcfe7a6e4987e6f1369ba
- C:\ProgramData\Microsoft\grnkdai
  MD5: 8fa346c7847f012452d34a36bdefdb54
  SHA1: 17b7ed238f7c918b7768f2ed5519045427576094
  SHA256: fbe6a805bedd788835eeac2f9fe9bc2abb3c5b5959298f13ddc8df3f3e4b5117
  SHA512: adb4329b545e05e076101d499205ebbd0482583c643530f7376b0c4b3b137cf1fc862810b5837f1e8f0ca33a961bd7ca95f0c2f72a9999f6eb100ec282a1113b
- C:\ProgramData\ummcbbc.html
  MD5: e214a0677050a52d9731d61b8880286c
  SHA1: 33aa2cbd165ae282658d9c6a03fc91f338510f63
  SHA256: a47755786a13906684e906e072258f510f0d19571fb82af64075a7f183cf70f6
  SHA512: 1747eb5d8eec482ac398328c32b5e5cb54cb03ca3c6765ef60281486500aead3d1242e4f1039b15586c95a7f9a025e06cfc80c9ea8debdf1037233ecea1bc2e3
- C:\Users\Admin\AppData\Local\Temp\exusltb.exe
  MD5: 40ce00566109565d499b53a150716303
  SHA1: c2decc8da4ea7f18236f7581130515bb378c21da
  SHA256: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21
  SHA512: 8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c
- memory/584-78-0x0000000000270000-0x00000000002E7000-memory.dmp  (476KB)
- memory/584-82-0x000007FEFC301000-0x000007FEFC303000-memory.dmp  (8KB)
- memory/612-69-0x0000000000000000-mapping.dmp
- memory/620-81-0x0000000000000000-mapping.dmp
- memory/788-87-0x0000000000000000-mapping.dmp
- memory/1232-86-0x0000000000000000-mapping.dmp
- memory/1516-65-0x0000000000400000-0x00000000004A4400-memory.dmp  (657KB)
- memory/1516-67-0x00000000047D0000-0x0000000004A1B000-memory.dmp  (2.3MB)
- memory/1516-61-0x0000000000400000-0x0000000004429000-memory.dmp  (64.2MB)
- memory/1516-63-0x00000000045B0000-0x00000000047CA000-memory.dmp  (2.1MB)
- memory/1516-62-0x000000000042CD47-mapping.dmp
- memory/1668-64-0x0000000000360000-0x0000000000365000-memory.dmp  (20KB)
- memory/1668-60-0x00000000767B1000-0x00000000767B3000-memory.dmp  (8KB)
- memory/1688-91-0x000000000042CD47-mapping.dmp
- memory/1688-95-0x0000000004A70000-0x0000000004CBB000-memory.dmp  (2.3MB)
- memory/1688-97-0x0000000000240000-0x0000000000241000-memory.dmp  (4KB)
- memory/1700-73-0x000000000042CD47-mapping.dmp
- memory/1700-77-0x0000000004B70000-0x0000000004DBB000-memory.dmp  (2.3MB)
- memory/1724-98-0x0000000000000000-mapping.dmp