Analysis
- max time kernel: 151s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 12:39
Static task: static1

Behavioral task: behavioral1
- Sample: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
- Resource: win10v20210410
General
- Target: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe
- Size: 788KB
- MD5: 40ce00566109565d499b53a150716303
- SHA1: c2decc8da4ea7f18236f7581130515bb378c21da
- SHA256: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21
- SHA512: 8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c
Malware Config
Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-tfpixtg.txt:
- http://tmc2ybfqzgkaeilm.onion.cab
- http://tmc2ybfqzgkaeilm.tor2web.org
- http://tmc2ybfqzgkaeilm.onion/
Extracted from C:\ProgramData\kwivvrl.html:
- http://tmc2ybfqzgkaeilm.onion.cab
- http://tmc2ybfqzgkaeilm.tor2web.org
- http://tmc2ybfqzgkaeilm.onion
Signatures
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (4 IoCs)
  Processes: pwqidta.exe (PID 2728), pwqidta.exe (PID 3748), pwqidta.exe (PID 2728), pwqidta.exe (PID 2256)
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  File renamed: C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\InitializeExit.CRW.tfpixtg (svchost.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation (pwqidta.exe)
- Drops desktop.ini file(s) (1 IoC)
  File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (svchost.exe)
- Drops file in System32 directory (8 IoCs)
  File created: C:\Windows\SysWOW64\x\system.pif (pwqidta.exe)
  File created: C:\Windows\SysWOW64\x\system.pif (pwqidta.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (pwqidta.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (pwqidta.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (pwqidta.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (pwqidta.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (pwqidta.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini (pwqidta.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-tfpixtg.bmp" (Explorer.EXE)
- Suspicious use of SetThreadContext (3 IoCs)
  PID 3736 set thread context of PID 1468 (bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe -> bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe)
  PID 2728 set thread context of PID 3748 (pwqidta.exe -> pwqidta.exe)
  PID 2728 set thread context of PID 2256 (pwqidta.exe -> pwqidta.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (PID 2756)
- Modifies Internet Explorer settings (4 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (pwqidta.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU (pwqidta.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" (pwqidta.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (pwqidta.exe)
- Modifies data under HKEY_USERS (25 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\pwqidta\Recent File List (pwqidta.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000} (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume (svchost.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320036003600640031006300610034002d0030003000300030002d0030003000300030002d0030003000300030002d003500300030003600300030003000300030003000300030007d0000000000 (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software (svchost.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\pwqidta (pwqidta.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (svchost.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" (svchost.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\MaxCapacity = "15150" (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications (pwqidta.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\NukeOnDelete = "0" (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Local AppWizard-Generated Applications\pwqidta\Settings (pwqidta.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (svchost.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID (svchost.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" (svchost.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" (svchost.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: PID 3736 bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe (2 events), PID 1468 bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe (2 events), PID 2728 pwqidta.exe (2 events), PID 3748 pwqidta.exe (8 events), PID 2728 pwqidta.exe (2 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE (PID 3052)
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Token: SeDebugPrivilege, PID 3748 pwqidta.exe (2 events)
  Token: SeShutdownPrivilege, PID 3052 Explorer.EXE (9 events)
  Token: SeCreatePagefilePrivilege, PID 3052 Explorer.EXE (9 events)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: pwqidta.exe (PID 2256)
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes: pwqidta.exe (PID 2256)
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes: PID 3736 bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe (1 event), PID 2728 pwqidta.exe (2 events), PID 2256 pwqidta.exe (2 events)
- Suspicious use of WriteProcessMemory (29 IoCs)
  PID 3736 bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe wrote to memory of PID 1468 bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe (7 events)
  PID 2728 pwqidta.exe wrote to memory of PID 3748 pwqidta.exe (7 events)
  PID 3748 pwqidta.exe wrote to memory of PID 716 svchost.exe (1 event)
  PID 3748 pwqidta.exe wrote to memory of PID 3052 Explorer.EXE (1 event)
  PID 3748 pwqidta.exe wrote to memory of PID 2756 vssadmin.exe (3 events)
  PID 3748 pwqidta.exe wrote to memory of PID 2728 pwqidta.exe (3 events)
  PID 2728 pwqidta.exe wrote to memory of PID 2256 pwqidta.exe (7 events)
Processes
(PIDs are taken from the IoC tables above; the report's process tree itself lists only image, command line and depth.)
- C:\Windows\Explorer.EXE (PID 3052)
  Command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe (PID 3736)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe (PID 1468)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21.sample.exe"
      - Suspicious behavior: EnumeratesProcesses
- c:\windows\system32\svchost.exe (PID 716)
  Command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Modifies data under HKEY_USERS
- C:\Users\Admin\AppData\Local\Temp\pwqidta.exe (PID 2728)
  Command line: C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pwqidta.exe (PID 3748)
    Command line: C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\vssadmin.exe (PID 2756)
      Command line: vssadmin delete shadows all
      - Interacts with shadow copies
    - C:\Users\Admin\AppData\Local\Temp\pwqidta.exe (PID 2728; the IoC tables record this same PID number for the first pwqidta.exe instance above)
      Command line: "C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\pwqidta.exe (PID 2256)
        Command line: "C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in System32 directory
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
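The signatures and the process tree above are the detection surface of this run: a vssadmin shadow-copy deletion, the Geo\Nation lookup, a ransom-note wallpaper written through the registry, a per-victim extension (tfpixtg, the same seven-character token that appears in the note name !Decrypt-All-Files-tfpixtg.txt) appended to renamed user files, and same-image SetThreadContext on a freshly spawned child (3736 -> 1468, 2728 -> 3748, 2728 -> 2256), which is the process-hollowing pattern; the three hollowed children all report a mapping at 0x42CD47 in the memory dumps below. The Python below is an added example and is not the sandbox's rule code or any part of this report: it encodes those checks as rules over Sysmon-style events and pulls the .onion/tor2web gateways out of a ransom note. The Event field names are assumptions made for the example; every event and the note text are constructed here from values the report logs, plus two extra renames and two benign events invented to show the rename threshold and the negative cases.

```python
"""Rule checks for the behaviours this report flags, run over constructed events.

Added example, not part of the report or of the sandbox's own rule set. The
Event field names are Sysmon-style assumptions; every event and the note text
are constructed from values that appear in the report above.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str  # process_create | registry_set | registry_query | file_rename | set_thread_context
    image: str  # acting process image path
    pid: int
    cmdline: str = ""  # process_create
    key: str = ""  # registry_set / registry_query
    value: str = ""  # registry_set data
    src: str = ""  # file_rename: old path
    dst: str = ""  # file_rename: new path
    target_image: str = ""  # set_thread_context: process whose thread was redirected
    target_pid: int = 0


def base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# vssadmin is what this sample ran; the wmic form is the other common route to the same result.
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
# 16-char (v2) or 56-char (v3) onion host, bare or behind an onion.* / tor2web gateway.
ONION_URL = re.compile(r"https?://([a-z2-7]{16}|[a-z2-7]{56})\.(onion(?:\.[a-z]{2,})?|tor2web\.[a-z]{2,})\b/?", re.I)
RANSOM_NOTE_NAME = re.compile(r"decrypt|restore|recover|how.?to|readme", re.I)


def detect(events: list[Event]) -> dict[str, list[str]]:
    """Return {signature name: [evidence]} for every rule that fires."""
    hits: dict[str, list[str]] = defaultdict(list)
    appended_ext = Counter()  # new final extension -> number of renamed user files carrying it
    for e in events:
        if e.kind == "process_create" and SHADOW_DELETE.search(e.cmdline):
            hits["Deletes shadow copies"].append(f"pid {e.pid}: {e.cmdline}")
        elif e.kind == "registry_query" and e.key.lower().endswith(r"control panel\international\geo\nation"):
            hits["Checks computer location settings"].append(f"{base(e.image)} pid {e.pid}")
        elif e.kind == "registry_set" and e.key.lower().endswith(r"control panel\desktop\wallpaper"):
            # Wallpaper pointed at a file in a user profile whose name reads like a ransom note.
            if "\\users\\" in e.value.lower() and RANSOM_NOTE_NAME.search(base(e.value)):
                hits["Sets desktop wallpaper using registry"].append(f"{base(e.image)} -> {e.value}")
        elif e.kind == "file_rename" and "\\users\\" in e.dst.lower():
            name = base(e.dst)
            if name.count(".") >= 2:  # original.ext.NEWEXT, as in InitializeExit.CRW.tfpixtg
                appended_ext[name.rsplit(".", 1)[-1]] += 1
        elif e.kind == "set_thread_context" and e.pid != e.target_pid and base(e.image) == base(e.target_image):
            # A process redirecting a thread in a fresh copy of itself: the hollowing pattern in this run.
            hits["Suspicious use of SetThreadContext"].append(f"{base(e.image)} pid {e.pid} -> pid {e.target_pid}")
    for ext, n in appended_ext.items():
        if n >= 3:  # threshold is a tuning choice; a single rename is not evidence
            hits["Modifies extensions of user files"].append(f".{ext} appended to {n} files")
    return dict(hits)


def extract_onion_config(note_text: str) -> dict[str, list[str]]:
    """Hidden-service names and full URLs from a dropped ransom note."""
    matches = list(ONION_URL.finditer(note_text))
    return {"services": sorted({m.group(1).lower() for m in matches}), "urls": [m.group(0) for m in matches]}


TMP = r"C:\Users\Admin\AppData\Local\Temp"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000"
# Constructed events. PIDs, paths and registry keys are those the report logs; the Report/budget
# renames and the two benign events at the end are invented for the example.
SAMPLE_EVENTS = [
    Event("set_thread_context", TMP + r"\pwqidta.exe", 2728, target_image=TMP + r"\pwqidta.exe", target_pid=3748),
    Event("process_create", r"C:\Windows\SysWOW64\vssadmin.exe", 2756, cmdline="vssadmin delete shadows all"),
    Event("registry_query", TMP + r"\pwqidta.exe", 2256, key=USER_HIVE + r"\Control Panel\International\Geo\Nation"),
    Event("registry_set", r"C:\Windows\Explorer.EXE", 3052, key=USER_HIVE + r"\Control Panel\Desktop\Wallpaper",
          value=r"C:\Users\Admin\Documents\!Decrypt-All-Files-tfpixtg.bmp"),
    Event("file_rename", r"c:\windows\system32\svchost.exe", 716, src=r"C:\Windows\Temp\laaaaaaa.tmp",
          dst=r"C:\Users\Admin\Pictures\InitializeExit.CRW.tfpixtg"),
    Event("file_rename", r"c:\windows\system32\svchost.exe", 716, src=r"C:\Windows\Temp\laaaaaaa.tmp",
          dst=r"C:\Users\Admin\Documents\Report.docx.tfpixtg"),
    Event("file_rename", r"c:\windows\system32\svchost.exe", 716, src=r"C:\Windows\Temp\laaaaaaa.tmp",
          dst=r"C:\Users\Admin\Desktop\budget.xlsx.tfpixtg"),
    Event("file_rename", r"C:\Program Files\Browser\browser.exe", 4100, src=r"C:\Users\Admin\Downloads\setup.exe.part",
          dst=r"C:\Users\Admin\Downloads\setup.exe"),
    Event("registry_set", r"C:\Windows\Explorer.EXE", 3052, key=USER_HIVE + r"\Control Panel\Desktop\Wallpaper",
          value=r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"),
]
# Constructed note text carrying the three gateway URLs the report extracted from the dropped notes.
NOTE = """Your files have been encrypted. To get the key open one of these links:
http://tmc2ybfqzgkaeilm.onion.cab
http://tmc2ybfqzgkaeilm.tor2web.org
If neither works, install Tor Browser and open http://tmc2ybfqzgkaeilm.onion/
"""

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS), extract_onion_config(NOTE))
```

Run as-is, it reports all five signatures for the constructed events and leaves the two benign events unflagged; the rename rule only fires once three user files carry the same appended extension, which is the trade-off that keeps a single renamed temp file from paging anyone. The note parser returns the one hidden-service name (tmc2ybfqzgkaeilm) behind the three gateway forms, which is the value worth pivoting on, since the same service is reachable through any number of onion.* or tor2web domains.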
Downloads
- C:\ProgramData\USOPrivate\hmvkwmb (captured four times with different contents)
  Capture 1:
    MD5: e39708d8e9ba5a7c81058ed879c45d2a
    SHA1: cf63a01f0e19a91a842234edcc41309d03780c10
    SHA256: f1f435c67a184a9a78130a2b507369a20df8d0732b8a5d2e0ec3dc9ad16aa36f
    SHA512: 396fac9c9f14365f96656f40abd08c8be1fbbc82cef75f604cd33857a1da26f41aa89cd121a3d03281da2d34c7e04fe4ee51bd2b8b6653f032d2e7ed95d15c4b
  Capture 2:
    MD5: e62ad7367e301415d6b1c65bad0361c6
    SHA1: 0c94f6196ad539eb94a3fd201c2d3f81ffc6e9d3
    SHA256: 4d34a2ac717d00af89b67afb4302c3db0c30d20c7a52dc446314844d8e80403f
    SHA512: 7c71eda1e0ae3968376a5067e85758dfbb3368ff6181a0567d804f40747224997bc6b515395ff90861d59164bd33c95e60dc183482e6b26ea70c85439cf726d8
  Capture 3:
    MD5: 15ffa8de86e4d30e439620eb28651040
    SHA1: f34466b3e30d96732683a01c5a79e4c15c18d363
    SHA256: aaeea164d833760f281fdcbc17a08992839a43dca5e9204aa828dad85f69e814
    SHA512: 07314214bbdfe34a97285840dc39b36f545036fcb8692cd2ef62e593b37f4785c3f6af312889214f2d79f044ef15dabeaa788bb7392c4ddd95d5ebc737744f91
  Capture 4:
    MD5: cfe49bf12375964d251ad351c18e6b65
    SHA1: e4214de06093281b16176dac906926bc82d7d1ab
    SHA256: 5e162b2a3d1f1d1204e1b8e0c2cf0380234adf18f6abae492e4bb126e7e30902
    SHA512: 42b78d1ba4bd42c9681ea71bb123630aec9b4c9ee26e877f107af8c208ba21a9798c9b3d5b3dcb828e82da51dc9aef1e36d0728df2c3e640ba37a1f149daad18
- C:\ProgramData\kwivvrl.html
  MD5: a572ca991c9a594a12566b75b330aa37
  SHA1: 8393edaa135eda8a8a859fb6e8b2b4de633407ec
  SHA256: ba7e2b30dbcffe791d2668e4141c747b66fed219ac2222bab7142ddb5b51a40a
  SHA512: 84278935e8df9a35e38cc182e6540799076e42cfe10fa1da3857134ca25145ac128603a928f069da47aaa4513a5e317aef3479ea9811b49d3f2dbda78fe4456b
- C:\Users\Admin\AppData\Local\Temp\pwqidta.exe (same hashes as the submitted sample; the dropped file is a copy of it)
  MD5: 40ce00566109565d499b53a150716303
  SHA1: c2decc8da4ea7f18236f7581130515bb378c21da
  SHA256: bb639437f50637545c4b0e963295b72a9bfd43bb7a9545d5e496123172845d21
  SHA512: 8d9c13aa0b5f44cff62e7e676df7b524420330008f69697c2e9b287084fa243e0ef47b9696814e4dafdc27e113aa792a82b0bb4e376bad7b90cb967396ed8b1c
- memory/716-127: 0x0000000006AE0000-0x0000000006B57000 (476KB)
- memory/1468-114: 0x0000000000400000-0x0000000004429000 (64.2MB)
- memory/1468-121: 0x0000000000400000-0x00000000004A4400 (657KB)
- memory/1468-118: 0x00000000048C0000-0x0000000004B0B000 (2.3MB)
- memory/1468-117: 0x00000000046A0000-0x00000000048BA000 (2.1MB)
- memory/1468-116: mapping at 0x000000000042CD47
- memory/2256-142: 0x0000000004950000-0x0000000004B9B000 (2.3MB)
- memory/2256-139: mapping at 0x000000000042CD47
- memory/2728-138: 0x0000000000620000-0x0000000000625000 (20KB)
- memory/2728-135: mapping at 0x0000000000000000
- memory/2756-133: mapping at 0x0000000000000000
- memory/3736-115: 0x00000000004D0000-0x000000000061A000 (1.3MB)
- memory/3748-123: mapping at 0x000000000042CD47
- memory/3748-126: 0x0000000004880000-0x0000000004ACB000 (2.3MB)