Analysis
-
max time kernel
152s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system -
submitted
27-11-2022 23:51
Static task
static1
Behavioral task
behavioral1
Sample
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
Resource
win10v2004-20220901-en
General
-
Target
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
-
Size
181KB
-
MD5
388c279f454dc300cd9c809c6a933f86
-
SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77
-
SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded
-
SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511
-
SSDEEP
3072:sfKigMo5+zbn0vSXWS1qh2BNqF728MDEbpmPu4:zv5+f0amkBa72ND04
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pipalmn.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-pipalmn.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\ProgramData\nydzthc.html
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
952 | pcrcyge.exe
700 | pcrcyge.EXE
1280 | pcrcyge.EXE
1736 | pcrcyge.EXE
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ResolveUnblock.CRW.pipalmn | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DisconnectSkip.CRW.pipalmn | svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation | pcrcyge.EXE
-
Loads dropped DLL 9 IoCs
Processes:
pid | process
1188 | WerFault.exe
268 | WerFault.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | pcrcyge.EXE
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-pipalmn.bmp" | Explorer.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1996 set thread context of 2024 | 1996 | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 952 set thread context of 700 | 952 | pcrcyge.exe | pcrcyge.EXE
PID 1280 set thread context of 1736 | 1280 | pcrcyge.EXE | pcrcyge.EXE
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pipalmn.txt | svchost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-pipalmn.bmp | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
1756 | 1996 | WerFault.exe | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
1188 | 952 | WerFault.exe | pcrcyge.exe
268 | 1280 | WerFault.exe | pcrcyge.EXE
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1704 | vssadmin.exe
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | pcrcyge.EXE
-
Modifies data under HKEY_USERS 20 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963} | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140" | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
pid | process
2024 | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
700 | pcrcyge.EXE
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 700 | pcrcyge.EXE
Token: SeShutdownPrivilege | 1284 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1736 | pcrcyge.EXE
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
1736 | pcrcyge.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
1996 | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
952 | pcrcyge.exe
1280 | pcrcyge.EXE
1736 | pcrcyge.EXE
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
1284 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes:
description | pid | process | target process
PID 1996 wrote to memory of 2024 | 1996 | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 1996 wrote to memory of 1756 | 1996 | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe | WerFault.exe
PID 1768 wrote to memory of 952 | 1768 | taskeng.exe | pcrcyge.exe
PID 952 wrote to memory of 700 | 952 | pcrcyge.exe | pcrcyge.EXE
PID 952 wrote to memory of 1188 | 952 | pcrcyge.exe | WerFault.exe
PID 700 wrote to memory of 600 | 700 | pcrcyge.EXE | svchost.exe
PID 600 wrote to memory of 1764 | 600 | svchost.exe | DllHost.exe
PID 700 wrote to memory of 1284 | 700 | pcrcyge.EXE | Explorer.EXE
PID 700 wrote to memory of 1704 | 700 | pcrcyge.EXE | vssadmin.exe
PID 700 wrote to memory of 1280 | 700 | pcrcyge.EXE | pcrcyge.EXE
PID 1280 wrote to memory of 1736 | 1280 | pcrcyge.EXE | pcrcyge.EXE
PID 1280 wrote to memory of 268 | 1280 | pcrcyge.EXE | WerFault.exe
PID 600 wrote to memory of 1048 | 600 | svchost.exe | DllHost.exe
Processes
-
C:\Windows\Explorer.EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
  "C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE"
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 228
    - Program crash
C:\Windows\system32\svchost.exe -k DcomLaunch
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\taskeng.exe (command line: taskeng.exe {1B50EDA9-BC0B-4BD1-9BD4-BAC5EA014372} S-1-5-18:NT AUTHORITY\System:Service:)
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\pcrcyge.EXE"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\vssadmin.exe (command line: vssadmin delete shadows all)
      - Interacts with shadow copies
      "C:\Users\Admin\AppData\Local\Temp\pcrcyge.EXE" -u
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        "C:\Users\Admin\AppData\Local\Temp\pcrcyge.EXE"
        - Executes dropped EXE
        - Checks computer location settings
        - Drops file in System32 directory
        - Modifies Internet Explorer settings
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 228
        - Loads dropped DLL
        - Program crash
    C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 204
    - Loads dropped DLL
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads