Analysis
-
max time kernel
1194s -
max time network
1208s -
platform
windows11_x64 -
resource
win11 -
submitted
11-11-2021 17:10
Static task
static1
Behavioral task
behavioral1
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-ja-20211014
Behavioral task
behavioral2
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-en-20211104
Behavioral task
behavioral3
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win7-de-20211104
Behavioral task
behavioral4
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win11
Behavioral task
behavioral5
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-ja-20211014
Behavioral task
behavioral6
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-en-20211014
Behavioral task
behavioral7
Sample
78556a2fc01c40f64f11c76ef26ec3ff.exe
Resource
win10-de-20211104
General
-
Target
78556a2fc01c40f64f11c76ef26ec3ff.exe
-
Size
4.9MB
-
MD5
78556a2fc01c40f64f11c76ef26ec3ff
-
SHA1
b66a7117d0e22dc0421337e20612ea08f1b2c9e3
-
SHA256
7d3192cad53f934173187f91d8555065d69e09b4f127275a1d47f9f1f9405c5c
-
SHA512
c001603616e7539612e75707664c5356f3fc16a2e6e9033a77f0d4f3cf2854a71310f194e8d9f41207f41c1b60bd7b8fcd49797ba3cfc96a2d406bc55ab104d3
Malware Config
Signatures
-
StrongPity
StrongPity is a spyware developed by PROMETHIUM APT group mainly used in government sponsored attacks.
-
StrongPity Spyware 3 IoCs
Processes:
resource yara_rule C:\Windows\SysWOW64\winpickr.exe family_strongpity C:\Windows\SysWOW64\winpickr.exe family_strongpity C:\Windows\SysWOW64\winpickr.exe family_strongpity -
Executes dropped EXE 4 IoCs
Processes:
npp.8.1.7.Installer.x64.exewinpickr.exewinpickr.exentuis32.exepid process 1012 npp.8.1.7.Installer.x64.exe 476 winpickr.exe 1876 winpickr.exe 1524 ntuis32.exe -
Sets service image path in registry 2 TTPs
-
Loads dropped DLL 4 IoCs
Processes:
npp.8.1.7.Installer.x64.exepid process 1012 npp.8.1.7.Installer.x64.exe 1012 npp.8.1.7.Installer.x64.exe 1012 npp.8.1.7.Installer.x64.exe 1012 npp.8.1.7.Installer.x64.exe -
Drops file in System32 directory 1 IoCs
Processes:
78556a2fc01c40f64f11c76ef26ec3ff.exedescription ioc process File created C:\Windows\SysWOW64\winpickr.exe 78556a2fc01c40f64f11c76ef26ec3ff.exe -
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
winpickr.exesvchost.exeWaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs winpickr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
winpickr.exepid process 1876 winpickr.exe 1876 winpickr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exesvchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 2400 svchost.exe Token: SeCreatePagefilePrivilege 2400 svchost.exe Token: SeShutdownPrivilege 2400 svchost.exe Token: SeCreatePagefilePrivilege 2400 svchost.exe Token: SeShutdownPrivilege 2400 svchost.exe Token: SeCreatePagefilePrivilege 2400 svchost.exe Token: SeShutdownPrivilege 2324 svchost.exe Token: SeCreatePagefilePrivilege 2324 svchost.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe Token: SeSecurityPrivilege 3992 TiWorker.exe Token: SeBackupPrivilege 3992 TiWorker.exe Token: SeRestorePrivilege 3992 TiWorker.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
78556a2fc01c40f64f11c76ef26ec3ff.exewinpickr.exesvchost.exedescription pid process target process PID 780 wrote to memory of 1012 780 78556a2fc01c40f64f11c76ef26ec3ff.exe npp.8.1.7.Installer.x64.exe PID 780 wrote to memory of 1012 780 78556a2fc01c40f64f11c76ef26ec3ff.exe npp.8.1.7.Installer.x64.exe PID 780 wrote to memory of 1012 780 78556a2fc01c40f64f11c76ef26ec3ff.exe npp.8.1.7.Installer.x64.exe PID 780 wrote to memory of 476 780 78556a2fc01c40f64f11c76ef26ec3ff.exe winpickr.exe PID 780 wrote to memory of 476 780 78556a2fc01c40f64f11c76ef26ec3ff.exe winpickr.exe PID 780 wrote to memory of 476 780 78556a2fc01c40f64f11c76ef26ec3ff.exe winpickr.exe PID 1876 wrote to memory of 1524 1876 winpickr.exe ntuis32.exe PID 1876 wrote to memory of 1524 1876 winpickr.exe ntuis32.exe PID 1876 wrote to memory of 1524 1876 winpickr.exe ntuis32.exe PID 2324 wrote to memory of 2216 2324 svchost.exe MoUsoCoreWorker.exe PID 2324 wrote to memory of 2216 2324 svchost.exe MoUsoCoreWorker.exe PID 2324 wrote to memory of 3260 2324 svchost.exe MoUsoCoreWorker.exe PID 2324 wrote to memory of 3260 2324 svchost.exe MoUsoCoreWorker.exe PID 2324 wrote to memory of 3312 2324 svchost.exe MoUsoCoreWorker.exe PID 2324 wrote to memory of 3312 2324 svchost.exe MoUsoCoreWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"C:\Users\Admin\AppData\Local\Temp\78556a2fc01c40f64f11c76ef26ec3ff.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\system32\\winpickr.exe update2⤵
- Executes dropped EXE
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e9c9949297a9b53d28d70458f37a614e 3/aaMElYZ0uRt/xCEjQ3LQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\winpickr.exeC:\Windows\SysWOW64\winpickr.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"C:\ProgramData\Microsoft\WindowsData\ntuis32.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e9c9949297a9b53d28d70458f37a614e 3/aaMElYZ0uRt/xCEjQ3LQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe e9c9949297a9b53d28d70458f37a614e 3/aaMElYZ0uRt/xCEjQ3LQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\WindowsData\ntuis32.exeMD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
C:\ProgramData\Microsoft\WindowsData\ntuis32.exeMD5
6b0279da0e09514269437f0c7bda9c69
SHA1edf15ad1973450b00762037877974394d27130b9
SHA256ed2eae7c0a6cd81d108d71289a49e4a187078a9a6af8400c6a3253d802a7ac95
SHA5125556d0693f7151a4efba9652da0fdc129c29ae5372521152660f4529735fabdb5443895e4eb6540bae1155ead3609c7091dfae5fe3e4715ee6194103fa795787
-
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exeMD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
C:\Users\Admin\AppData\Local\Temp\npp.8.1.7.Installer.x64.exeMD5
0392a100a1e09ae747e45382deceef4d
SHA1053d176f7d6f5af15291805338b59d3891ba58dc
SHA25618107fa059cf457b0b351b683e08e01a3b029ba277f5ca4583a4e3322df21622
SHA512ee069bfc3306ab893757253cc7d1eabc2a7cfc3bb4f1df37656972b0287a3dabcd62c1c441d135266240c6d5d2e45c267fce5044bab915f6e2703c286cdef905
-
C:\Users\Admin\AppData\Local\Temp\nsbE5A9.tmp\InstallOptions.dllMD5
05bf02da51e717f79f6b5cbea7bc0710
SHA107471a64ef4dba9dc19ce68ae6cce683af7df86d
SHA256ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5
SHA512c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6
-
C:\Users\Admin\AppData\Local\Temp\nsbE5A9.tmp\InstallOptions.dllMD5
05bf02da51e717f79f6b5cbea7bc0710
SHA107471a64ef4dba9dc19ce68ae6cce683af7df86d
SHA256ca092ba7f275b0c9000098cdd1a9876fe8dc050fcb40a0e8a1ab8335236e9dc5
SHA512c09e475babd5eb675cdf903b2b754b8b68450a731cb520f3dcbf9abe0ed03d19256f009429977d3a51decb3a2a938be0b28dbafeb407409fa85e54da6dbaaad6
-
C:\Users\Admin\AppData\Local\Temp\nsbE5A9.tmp\LangDLL.dllMD5
ab1db56369412fe8476fefffd11e4cc0
SHA1daad036a83b2ee2fa86d840a34a341100552e723
SHA2566f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b
SHA5128d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d
-
C:\Users\Admin\AppData\Local\Temp\nsbE5A9.tmp\System.dllMD5
0d7ad4f45dc6f5aa87f606d0331c6901
SHA148df0911f0484cbe2a8cdd5362140b63c41ee457
SHA2563eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
C:\Windows\SysWOW64\winpickr.exeMD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
C:\Windows\SysWOW64\winpickr.exeMD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
C:\Windows\SysWOW64\winpickr.exeMD5
c66279129816fd2986495f5fcfec8625
SHA144bd7a588f94595b09f41553905dfc0f4e2b564e
SHA2561380160229604c7d499372dd8192024451291d8bf54e87f19c9e2077b1f165c6
SHA5123dbd69e166391f8d9cd4dd1cdfd80c165f44279eef3785c0062b3ad14b0e19e2899c24a3817f179788225569b5bf3d776575ae8f9eeb09ab9d88f82b2dbf2d04
-
memory/476-148-0x0000000000000000-mapping.dmp
-
memory/1012-146-0x0000000000000000-mapping.dmp
-
memory/1524-157-0x0000000000000000-mapping.dmp
-
memory/2216-160-0x0000000000000000-mapping.dmp
-
memory/2400-156-0x000001CC94070000-0x000001CC94074000-memory.dmpFilesize
16KB
-
memory/2400-154-0x000001CC91920000-0x000001CC91930000-memory.dmpFilesize
64KB
-
memory/2400-155-0x000001CC919A0000-0x000001CC919B0000-memory.dmpFilesize
64KB
-
memory/2400-165-0x000001CC94090000-0x000001CC94094000-memory.dmpFilesize
16KB
-
memory/2400-166-0x000001CC93FB0000-0x000001CC93FB1000-memory.dmpFilesize
4KB
-
memory/2400-168-0x000001CC93F70000-0x000001CC93F71000-memory.dmpFilesize
4KB
-
memory/3260-164-0x0000000000000000-mapping.dmp
-
memory/3312-169-0x0000000000000000-mapping.dmp