Analysis
max time kernel: 127s
max time network: 121s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 15:50
Static task: static1
Behavioral task: behavioral1
Sample: 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
Resource: win10-en-20211014
General
Target: 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
Size: 782KB
MD5: f8965a89dea0bc5a9eb9473e15203c4b
SHA1: 4c64c26c74c0fac039a0974a95ab5e48f8e8d4e3
SHA256: 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d
SHA512: 79dd477be26046d4eba9039fa148fdaeba85100bd3d78e0af8db95571672964603c187864b2f11fcf366abc61263bd87117bfed2b943d4d2c632330b6023e1c3
Malware Config
Extracted
djvu
http://rlrz.org/fhsgtsspen6
Signatures
-
Detected Djvu ransomware 6 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| behavioral1/memory/1512-116-0x0000000000424141-mapping.dmp | family_djvu |
| behavioral1/memory/1512-115-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral1/memory/1328-118-0x0000000004D40000-0x0000000004E5B000-memory.dmp | family_djvu |
| behavioral1/memory/1512-119-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
| behavioral1/memory/2964-124-0x0000000000424141-mapping.dmp | family_djvu |
| behavioral1/memory/2964-125-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu |
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
| pid | process |
| --- | --- |
| 1308 | build3.exe |
| 404 | build3.exe |
| 4012 | mstsca.exe |
| 1560 | mstsca.exe |
| 2096 | mstsca.exe |
| 2216 | mstsca.exe |
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\633ab587-c642-451d-8b22-0d410722ec77\\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe\" --AutoStart"
process: 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
| flow | ioc |
| --- | --- |
| 11 | api.2ip.ua |
| 12 | api.2ip.ua |
| 22 | api.2ip.ua |
-
Suspicious use of SetThreadContext 5 IoCs
Processes:
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 1328 set thread context of 1512 | 1328 | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe |
| PID 2232 set thread context of 2964 | 2232 | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe |
| PID 1308 set thread context of 404 | 1308 | build3.exe | build3.exe |
| PID 4012 set thread context of 1560 | 4012 | mstsca.exe | mstsca.exe |
| PID 2096 set thread context of 2216 | 2096 | mstsca.exe | mstsca.exe |
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
| pid | process |
| --- | --- |
| 3632 | schtasks.exe |
| 1712 | schtasks.exe |
-
Modifies system certificate store
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe |
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
| pid | process |
| --- | --- |
| 1512 | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe |
| 1512 | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe |
| 2964 | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe |
| 2964 | 9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe |
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe"
    Signatures: Adds Run key to start application; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls "C:\Users\Admin\AppData\Local\633ab587-c642-451d-8b22-0d410722ec77" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      Signatures: Modifies file permissions
    - C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe" --Admin IsNotAutoStart IsNotTask
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe" --Admin IsNotAutoStart IsNotTask
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe
          Command line: "C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe"
          Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe
            Command line: "C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe"
            Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\schtasks.exe
              Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
              Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    Signatures: Executes dropped EXE
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
-
C:\Users\Admin\AppData\Local\633ab587-c642-451d-8b22-0d410722ec77\9f6afa09d7d82aa7527a2dc83c0819b37192a8513879979d01c79f5741b0092d.exe
-
C:\Users\Admin\AppData\Local\c82fbb1c-9e61-437e-898b-0bbe64dea29c\build3.exe
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe