Analysis
max time kernel: 150s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2022 06:47

Static task: static1

Behavioral task: behavioral1
Sample: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
Resource: win10v2004-20220812-en
General
Target: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
Size: 1.0MB
MD5: d23c1057bfe4f1aaaf5a5a5bc37bd061
SHA1: 741a668f93266819a91a8876c74126e97f3ed1cd
SHA256: f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319
SHA512: 31bbf7e147dd25001b035bc68649f235488debea5adc3d54a25b3c0047b3f45b070fd4cb81d6919c972ca6747389973c07c3c94cc8bbe2304fa61c6ef35b4c5c
SSDEEP: 24576:85PDHbsqZzwSRH3lPjCPH9MedZurmTR/zQu:81bsqZTH3lPjCFMa4mlzQu
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-zyjgzxi.txt
http://onja764ig6vah2jo.onion.cab
http://onja764ig6vah2jo.tor2web.org
http://onja764ig6vah2jo.onion/
Extracted
C:\Users\Admin\Documents\Decrypt-All-Files-zyjgzxi.txt
http://onja764ig6vah2jo.onion.cab
http://onja764ig6vah2jo.tor2web.org
http://onja764ig6vah2jo.onion/
Extracted
C:\ProgramData\zlwdkgg.html
http://onja764ig6vah2jo.onion.cab
http://onja764ig6vah2jo.tor2web.org
http://onja764ig6vah2jo.onion
Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE 4 IoCs
Processes:
pid | process
1504 | pdfisga.exe
1816 | pdfisga.exe
920 | pdfisga.exe
1160 | pdfisga.exe

Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UnlockUnblock.RAW.zyjgzxi | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SyncBackup.CRW.zyjgzxi | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\NewRestore.RAW.zyjgzxi | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ResolveEdit.CRW.zyjgzxi | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\InstallClose.RAW.zyjgzxi | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PopRepair.RAW.zyjgzxi | svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | pdfisga.exe

Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe

Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | pdfisga.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\Decrypt-All-Files-zyjgzxi.bmp" | Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 620 set thread context of 1312 | 620 | f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe | f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
PID 1504 set thread context of 1816 | 1504 | pdfisga.exe | pdfisga.exe
PID 920 set thread context of 1160 | 920 | pdfisga.exe | pdfisga.exe

Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-zyjgzxi.bmp | svchost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\Decrypt-All-Files-zyjgzxi.txt | svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
960 | vssadmin.exe

Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | pdfisga.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | pdfisga.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | pdfisga.exe

Modifies data under HKEY_USERS 19 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963} | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640061006500300037006100650034002d0032006100330034002d0031003100650064002d0038003600630036002d003800300036006500360066003600650036003900360033007d0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\MaxCapacity = "15140" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\NukeOnDelete = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process | occurrences
1312 | f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe | 1
1816 | pdfisga.exe | 14

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1192 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1816 | pdfisga.exe
Token: SeDebugPrivilege | 1816 | pdfisga.exe
Token: SeShutdownPrivilege | 1192 | Explorer.EXE
Token: SeShutdownPrivilege | 1192 | Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1160 | pdfisga.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
1160 | pdfisga.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1160 | pdfisga.exe
1160 | pdfisga.exe

Suspicious use of WriteProcessMemory 44 IoCs
Processes:
description | pid | process | target process | occurrences
PID 620 wrote to memory of 1312 | 620 | f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe | f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe | 8
PID 1628 wrote to memory of 1504 | 1628 | taskeng.exe | pdfisga.exe | 4
PID 1504 wrote to memory of 1816 | 1504 | pdfisga.exe | pdfisga.exe | 8
PID 1816 wrote to memory of 592 | 1816 | pdfisga.exe | svchost.exe | 1
PID 592 wrote to memory of 1144 | 592 | svchost.exe | DllHost.exe | 3
PID 1816 wrote to memory of 1192 | 1816 | pdfisga.exe | Explorer.EXE | 1
PID 1816 wrote to memory of 960 | 1816 | pdfisga.exe | vssadmin.exe | 4
PID 1816 wrote to memory of 920 | 1816 | pdfisga.exe | pdfisga.exe | 4
PID 920 wrote to memory of 1160 | 920 | pdfisga.exe | pdfisga.exe | 8
PID 592 wrote to memory of 1568 | 592 | svchost.exe | DllHost.exe | 3

Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1192
    - Sets desktop wallpaper using registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe"
      PID: 620
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\f9889210ed894d5da3930689339cc617fb73555d0668542665fd3b0a3a83f319.exe"
        PID: 1312
        - Suspicious behavior: EnumeratesProcesses
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
    PID: 592
    - Modifies extensions of user files
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\DllHost.exe
      Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
      PID: 1144
  [2] C:\Windows\system32\DllHost.exe
      Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      PID: 1568
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {2E49704A-2A00-4DD8-888C-0589D7E14CF2} S-1-5-18:NT AUTHORITY\System:Service:
    PID: 1628
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
      PID: 1504
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
        PID: 1816
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: vssadmin delete shadows all
          PID: 960
          - Interacts with shadow copies
      [4] C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
          PID: 920
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
            PID: 1160
            - Executes dropped EXE
            - Checks computer location settings
            - Drops file in System32 directory
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of SetWindowsHookEx
Downloads