Analysis
- max time kernel: 150s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-10-2022 15:55
Static task: static1
Behavioral task: behavioral1
- Sample: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
- Resource: win10v2004-20220812-en
General
- Target: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
- Size: 772KB
- MD5: 95f60b5b36d63307d83e3f3de9675a1d
- SHA1: da733991d9618b3a3bb5cc503ba0e860f1e8ea29
- SHA256: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674
- SHA512: de63bb1117043ee0a7fb478c4a2ba3d283d7f3d71f39fdbe357d2aa403f8f4a4e7eafe53595794ef99c35156aedd3854ba2e015b259af573492e90c96e3f34ff
- SSDEEP: 12288:6sFxcCZxPEWJNy93q0DWm9+X6MSUJKzR9wz2U7qdyys2he3gxNMlKglt8RsrtUvy:bHP7gqXpKGNehe3x3r8CU
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-iulhzxi.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-iulhzxi.txt
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion/
Extracted
C:\ProgramData\zlwdkgg.html
http://jssestaew3e7ao3q.onion.cab
http://jssestaew3e7ao3q.tor2web.org
http://jssestaew3e7ao3q.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
- pid 1376: pdfisga.exe
- pid 472: pdfisga.exe
- pid 1000: pdfisga.exe
- pid 276: pdfisga.exe
-
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
- File renamed: C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\WaitExit.RAW.iulhzxi (process: svchost.exe)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation (process: pdfisga.exe)
-
Drops desktop.ini file(s) 1 IoCs
Processes:
- File opened for modification: C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (process: svchost.exe)
-
Drops file in System32 directory 3 IoCs
Processes:
- File created: C:\Windows\SysWOW64\x\system.pif (process: pdfisga.exe)
- File created: C:\Windows\SysWOW64\x\system.pif (process: pdfisga.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: pdfisga.exe)
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-iulhzxi.bmp" (process: Explorer.EXE)
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 1456 set thread context of 1516 (pid 1456, process: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe, target process: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe)
- PID 1376 set thread context of 472 (pid 1376, process: pdfisga.exe, target process: pdfisga.exe)
- PID 1000 set thread context of 276 (pid 1000, process: pdfisga.exe, target process: pdfisga.exe)
-
Drops file in Program Files directory 2 IoCs
Processes:
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-iulhzxi.txt (process: svchost.exe)
- File created: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-iulhzxi.bmp (process: svchost.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- pid 1280: vssadmin.exe
-
Modifies Internet Explorer settings
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main (process: pdfisga.exe)
-
Modifies data under HKEY_USERS 19 IoCs
Processes:
All entries below were logged for process svchost.exe.
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\NukeOnDelete = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"
- Set value (str): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\MaxCapacity = "15140"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640061006500300037006100650034002d0032006100330034002d0031003100650064002d0038003600630036002d003800300036006500360066003600650036003900360033007d0000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
- pid 1456: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
- pid 1516: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
- pid 1376: pdfisga.exe
- pid 472: pdfisga.exe (x21)
- pid 1000: pdfisga.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1360: Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege (pid 472, process: pdfisga.exe)
- Token: SeDebugPrivilege (pid 472, process: pdfisga.exe)
- Token: SeShutdownPrivilege (pid 1360, process: Explorer.EXE)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- pid 276: pdfisga.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
- pid 276: pdfisga.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
- pid 1456: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
- pid 1376: pdfisga.exe
- pid 1000: pdfisga.exe
- pid 276: pdfisga.exe
- pid 276: pdfisga.exe
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes:
Distinct rows, in order of first appearance, with the number of times each is repeated in the report:
- PID 1456 wrote to memory of 1516 (pid 1456, process: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe, target process: f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe) (x8)
- PID 916 wrote to memory of 1376 (pid 916, process: taskeng.exe, target process: pdfisga.exe) (x4)
- PID 1376 wrote to memory of 472 (pid 1376, process: pdfisga.exe, target process: pdfisga.exe) (x8)
- PID 472 wrote to memory of 596 (pid 472, process: pdfisga.exe, target process: svchost.exe) (x1)
- PID 596 wrote to memory of 804 (pid 596, process: svchost.exe, target process: DllHost.exe) (x3)
- PID 472 wrote to memory of 1360 (pid 472, process: pdfisga.exe, target process: Explorer.EXE) (x1)
- PID 472 wrote to memory of 1280 (pid 472, process: pdfisga.exe, target process: vssadmin.exe) (x4)
- PID 472 wrote to memory of 1000 (pid 472, process: pdfisga.exe, target process: pdfisga.exe) (x4)
- PID 1000 wrote to memory of 276 (pid 1000, process: pdfisga.exe, target process: pdfisga.exe) (x8)
- PID 596 wrote to memory of 1988 (pid 596, process: svchost.exe, target process: DllHost.exe) (x3)
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Tree depth: 1
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe"
Tree depth: 2
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
Command line: C:\Users\Admin\AppData\Local\Temp\f9ae18f90c502fc22c826eb8322a907fa6ddd2b38fdc1b10353d123b8910e674.exe
Tree depth: 3
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
Tree depth: 1
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exe
Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Tree depth: 2
-
C:\Windows\system32\DllHost.exe
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Tree depth: 2
-
C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {0CCD9567-6469-45F8-9FE2-4FF8E3C0E452} S-1-5-18:NT AUTHORITY\System:Service:
Tree depth: 1
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Command line: C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Tree depth: 2
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Command line: C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Tree depth: 3
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exe
Command line: vssadmin delete shadows all
Tree depth: 4
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
Tree depth: 4
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Command line: C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Tree depth: 5
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads