Analysis
-
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-11-2022 23:51
Static task: static1
Behavioral task: behavioral1
Sample: 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
Resource: win10v2004-20220901-en
General
-
Target: 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
Size: 181KB
MD5: 388c279f454dc300cd9c809c6a933f86
SHA1: a14c3dd8068a893da6e4d66f7d2f02528685da77
SHA256: 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded
SHA512: 8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511
SSDEEP: 3072:sfKigMo5+zbn0vSXWS1qh2BNqF728MDEbpmPu4:zv5+f0amkBa72ND04
Malware Config
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-wxsqcsi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\ProgramData\yrnkowk.html
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion
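The two extracted configs list the same hidden service three ways: the bare .onion name and two clearnet Tor2web gateway hostnames (onion.cab, tor2web.org). For blocking, that distinction matters: a bare .onion name is resolved inside the Tor client and never reaches the enterprise resolver, while the gateway hostnames are ordinary DNS names that a resolver or proxy can sink. The following is an added example, not part of the sandbox report or the sample's code, that pulls both kinds of indicator out of ransom-note text and canonicalises every gateway form back to the underlying .onion. The note text is a constructed stand-in for the extracted files, and the gateway suffixes beyond the two in this report (onion.to, onion.link, onion.ws) are assumed for illustration.

```python
import re

# Constructed stand-in for the ransom-note text the report extracted its URLs from.
SAMPLE_NOTE = """Your files are encrypted.
Open one of these links in your browser:
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
If the links do not open, install Tor Browser and visit http://pf5dahldauhrjxfd.onion/
"""

# Clearnet Tor2web gateway suffixes. onion.cab and tor2web.org appear in this
# report; the others are assumed for illustration.
GATEWAY_SUFFIXES = {"onion.cab", "tor2web.org", "onion.to", "onion.link", "onion.ws"}

# A hidden-service label is base32 ([a-z2-7]): 56 chars for v3, 16 for v2.
# The lookbehind stops the 16-char branch from matching the tail of a longer label.
HOST_RE = re.compile(r"(?<![a-z0-9-])(?P<addr>[a-z2-7]{56}|[a-z2-7]{16})\.(?P<rest>[a-z0-9.-]+)")


def onion_version(addr):
    """v3 addresses are 56 base32 characters, v2 addresses 16."""
    return 3 if len(addr) == 56 else 2


def extract_onion_indicators(text):
    """Return the hidden services referenced in text, plus the clearnet
    Tor2web gateway hostnames that front them (the DNS-blockable part)."""
    onions, gateways = set(), set()
    for m in HOST_RE.finditer(text.lower()):
        addr, rest = m["addr"], m["rest"].rstrip(".")
        if rest == "onion":
            onions.add(addr + ".onion")
        elif rest in GATEWAY_SUFFIXES:
            onions.add(addr + ".onion")        # a gateway host names the same service
            gateways.add(addr + "." + rest)
    return {"onion_hosts": sorted(onions), "gateway_hosts": sorted(gateways)}


if __name__ == "__main__":
    found = extract_onion_indicators(SAMPLE_NOTE)
    for host in found["onion_hosts"]:
        print("hidden service:", host, "(v%d)" % onion_version(host.split(".")[0]))
    for host in found["gateway_hosts"]:
        print("blockable gateway host:", host)
```

The 16-character address in this report is a v2 onion; v2 services were retired by the Tor network in 2021, so this sample's C2 is unreachable today, but the same extraction applies to the 56-character v3 form.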
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Executes dropped EXE 4 IoCs
Processes (pid, process):
- 376 dajjvan.exe
- 2368 dajjvan.EXE
- 3964 dajjvan.EXE
- 4612 dajjvan.EXE
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, process):
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\RequestProtect.CRW.wxsqcsi (svchost.exe)
- File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UseAdd.CRW.wxsqcsi (svchost.exe)
-
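Both rename rows share the same shape: the content is written to one reused staging file under C:\Windows\Temp and then renamed over the victim path with a fresh extension (.wxsqcsi) appended after the original one (.CRW). That shape, rather than the specific extension, is what a detection should key on, since CTB-Locker derives the extension per victim. The following is an added example, not part of the sandbox report or the sample, that runs that logic over rename events in the report's own row format. The event list is constructed: the first two rows are this report's, the remaining rows are hypothetical (one more encrypted document, a browser download rename and a compound .tar.gz name) to show what must and must not fire.

```python
import re
from collections import defaultdict

# Constructed sample in the report's "File renamed <src> => <dst> <process>" row format.
# Rows 1-2 are from this report; rows 3-5 are hypothetical.
SAMPLE_EVENTS = [
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\RequestProtect.CRW.wxsqcsi svchost.exe",
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UseAdd.CRW.wxsqcsi svchost.exe",
    r"File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Documents\Budget.xlsx.wxsqcsi svchost.exe",
    r"File renamed C:\Users\Admin\Downloads\report.tmp => C:\Users\Admin\Downloads\report.pdf chrome.exe",
    r"File renamed C:\Users\Admin\Downloads\src.tar.gz.part => C:\Users\Admin\Downloads\src.tar.gz firefox.exe",
]

RENAME_RE = re.compile(r"^File renamed (?P<src>.+?) => (?P<dst>.+?) (?P<proc>\S+)$")

# Compound suffixes that legitimately stack two extensions; not ransomware.
BENIGN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}


def appended_extension(path):
    """Return (original_ext, appended_ext) when a file name carries an extra
    extension after a normal one, e.g. 'a.CRW.wxsqcsi' -> ('crw', 'wxsqcsi');
    None for single-extension names and known compound suffixes."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    parts = name.split(".")
    if len(parts) < 3:
        return None
    orig, new = parts[-2].lower(), parts[-1].lower()
    if (orig, new) in BENIGN_COMPOUND:
        return None
    return orig, new


def find_ransom_extensions(events, min_files=2):
    """Group rename events by the appended extension and report every extension
    that lands on at least min_files distinct files. Each hit also records the
    renaming process and whether the source was a staging file under
    Windows\\Temp (the encrypt-to-temp-then-rename pattern seen in this report)."""
    hits = defaultdict(lambda: {"files": [], "processes": set(), "staged_from_temp": False})
    for line in events:
        m = RENAME_RE.match(line)
        if not m:
            continue
        ext = appended_extension(m["dst"])
        if ext is None:
            continue
        rec = hits[ext[1]]
        rec["files"].append(m["dst"])
        rec["processes"].add(m["proc"])
        if "\\windows\\temp\\" in m["src"].lower():
            rec["staged_from_temp"] = True
    return {e: r for e, r in hits.items() if len(r["files"]) >= min_files}


if __name__ == "__main__":
    for ext, rec in find_ransom_extensions(SAMPLE_EVENTS).items():
        print(ext, len(rec["files"]), "files by", sorted(rec["processes"]),
              "staged from temp:", rec["staged_from_temp"])
```

Note that the report attributes the renames to svchost.exe (the DcomLaunch host), not to dajjvan.EXE, so a rule that only watches the dropped binary would miss them; grouping by extension across all processes, as above, does not.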
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (dajjvan.EXE)
-
Drops desktop.ini file(s) 1 IoCs
Processes (description, ioc, process):
- File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini (svchost.exe)
-
Drops file in System32 directory 5 IoCs
Processes (description, ioc, process):
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (dajjvan.EXE)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (dajjvan.EXE)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (dajjvan.EXE)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (dajjvan.EXE)
- File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini (dajjvan.EXE)
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-wxsqcsi.bmp" (Explorer.EXE)
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 4928 (01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe) set thread context of PID 1344 (01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE)
- PID 376 (dajjvan.exe) set thread context of PID 2368 (dajjvan.EXE)
- PID 3964 (dajjvan.EXE) set thread context of PID 4612 (dajjvan.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes (pid, pid_target, process, target process):
- WerFault.exe PID 1684 handled the crash of PID 4928 (01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe)
- WerFault.exe PID 5108 handled the crash of PID 376 (dajjvan.exe)
- WerFault.exe PID 2116 handled the crash of PID 3964 (dajjvan.EXE)
-
Modifies Internet Explorer settings 4 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\GPU (dajjvan.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (dajjvan.EXE)
- Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (dajjvan.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (dajjvan.EXE)
-
Modifies data under HKEY_USERS 20 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\MaxCapacity = "15140" (svchost.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320033003300390065003000340035002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d0000000000 (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" (svchost.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000} (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume (svchost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\NukeOnDelete = "0" (svchost.exe)
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes (pid, process):
- 1344 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE (2 events)
- 2368 dajjvan.EXE (10 events)
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 2368 dajjvan.EXE (2 events)
- Token: SeShutdownPrivilege 2948 Explorer.EXE (4 events)
- Token: SeCreatePagefilePrivilege 2948 Explorer.EXE (4 events)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid, process):
- 4612 dajjvan.EXE
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes (pid, process):
- 4612 dajjvan.EXE
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes (pid, process):
- 4928 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
- 376 dajjvan.exe
- 3964 dajjvan.EXE
- 4612 dajjvan.EXE (2 events)
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes (description, pid, process, target process):
- PID 4928 (01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe) wrote to memory of PID 1344 (01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE) (6 events)
- PID 376 (dajjvan.exe) wrote to memory of PID 2368 (dajjvan.EXE) (6 events)
- PID 2368 (dajjvan.EXE) wrote to memory of PID 764 (svchost.exe)
- PID 764 (svchost.exe) wrote to memory of PID 3392 (mousocoreworker.exe) (2 events)
- PID 764 (svchost.exe) wrote to memory of PID 2308 (DllHost.exe) (2 events)
- PID 2368 (dajjvan.EXE) wrote to memory of PID 2948 (Explorer.EXE)
- PID 2368 (dajjvan.EXE) wrote to memory of PID 3964 (dajjvan.EXE) (3 events)
- PID 3964 (dajjvan.EXE) wrote to memory of PID 4612 (dajjvan.EXE) (6 events)
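Read together, the SetThreadContext and WriteProcessMemory tables show one pattern three times: a process starts a child from the same image, writes into it, then replaces the child's thread context (4928 into 1344, 376 into 2368, 3964 into 4612). That combination is consistent with process hollowing, where the suspended child is overwritten with a different payload before its main thread runs. The writes from dajjvan.EXE (2368) into svchost.exe (764) and Explorer.EXE (2948) are a different thing, cross-process writes into system processes; the report's wallpaper change is attributed to Explorer.EXE, which fits such a write. The following is an added example, not part of the sandbox report or the sample, that applies those rules to rows in the report's own format. The row list is constructed from this report's tables with repeats collapsed and the sha256-named sample abbreviated to 01384b94.exe; the verdict names are assumptions of this example, not sandbox signature names.

```python
import re
from collections import defaultdict

# Constructed from this report's SetThreadContext and WriteProcessMemory rows
# (repeats collapsed, long sample name shortened to 01384b94.exe).
SAMPLE_ROWS = [
    "PID 4928 set thread context of 1344 4928 01384b94.exe 01384b94.EXE",
    "PID 376 set thread context of 2368 376 dajjvan.exe dajjvan.EXE",
    "PID 3964 set thread context of 4612 3964 dajjvan.EXE dajjvan.EXE",
    "PID 4928 wrote to memory of 1344 4928 01384b94.exe 01384b94.EXE",
    "PID 376 wrote to memory of 2368 376 dajjvan.exe dajjvan.EXE",
    "PID 2368 wrote to memory of 764 2368 dajjvan.EXE svchost.exe",
    "PID 764 wrote to memory of 3392 764 svchost.exe mousocoreworker.exe",
    "PID 764 wrote to memory of 2308 764 svchost.exe DllHost.exe",
    "PID 2368 wrote to memory of 2948 2368 dajjvan.EXE Explorer.EXE",
    "PID 2368 wrote to memory of 3964 2368 dajjvan.EXE dajjvan.EXE",
    "PID 3964 wrote to memory of 4612 3964 dajjvan.EXE dajjvan.EXE",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(rows):
    """Collect, per (source pid, target pid), the actions seen and both image names."""
    pairs = defaultdict(lambda: {"actions": set(), "src_img": None, "dst_img": None})
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        rec = pairs[(int(m["src"]), int(m["dst"]))]
        rec["actions"].add("set_context" if m["action"].startswith("set") else "write")
        rec["src_img"], rec["dst_img"] = m["src_img"], m["dst_img"]
    return pairs


def classify(rows):
    """Map (src, dst) -> verdict (names are this example's own):
    'hollowing'           write + thread-context change into a same-image child
    'cross_process_write' a write into a process running a different image
    'write_only'          a write into a same-image child with no context change"""
    verdicts = {}
    for key, rec in parse_rows(rows).items():
        same_image = rec["src_img"].lower() == rec["dst_img"].lower()
        if {"set_context", "write"} <= rec["actions"] and same_image:
            verdicts[key] = "hollowing"
        elif not same_image:
            verdicts[key] = "cross_process_write"
        else:
            verdicts[key] = "write_only"
    return verdicts


def chain_from(rows, root):
    """Follow same-image spawns (hollowing or write_only) from root to recover the
    relaunch chain, e.g. 376 -> 2368 -> 3964 -> 4612 in this report."""
    edges = {}
    for (src, dst), verdict in classify(rows).items():
        if verdict in ("hollowing", "write_only"):
            edges.setdefault(src, []).append(dst)
    chain, seen = [root], {root}
    while chain[-1] in edges:
        nxt = edges[chain[-1]][0]
        if nxt in seen:          # guard against a malformed cyclic log
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


if __name__ == "__main__":
    for (src, dst), verdict in sorted(classify(SAMPLE_ROWS).items()):
        print(f"{src:>5} -> {dst:<5} {verdict}")
    print("relaunch chain from 376:", chain_from(SAMPLE_ROWS, 376))
```

The write-only rows from svchost.exe (the DcomLaunch host) into mousocoreworker.exe and DllHost.exe are why the hollowing verdict requires the thread-context change as well: a COM activation host writing into the servers it starts is normal, and a rule on WriteProcessMemory alone would flag it.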
Processes
-
(indented by parent/child depth; PIDs as recorded in the signature tables above)
C:\Windows\system32\svchost.exe -k DcomLaunch -p (PID 764)
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\mousocoreworker.exe -Embedding (PID 3392)
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} (PID 2308)
C:\Windows\Explorer.EXE (PID 2948)
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe" (PID 4928)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE" (PID 1344)
    - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 540 (PID 1684)
    - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4928 -ip 4928
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe (PID 376)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  "C:\Users\Admin\AppData\Local\Temp\dajjvan.EXE" (PID 2368)
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\dajjvan.EXE" -u (PID 3964)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
      "C:\Users\Admin\AppData\Local\Temp\dajjvan.EXE" (PID 4612)
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in System32 directory
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 440 (PID 2116)
      - Program crash
  C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 516 (PID 5108)
  - Program crash
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 376 -ip 376
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3964 -ip 3964
Downloads
-
C:\ProgramData\WindowsHolographicDevices\akatxdg
Filesize: 654B
MD5: 7b0e96fd3d00722c57ebbf79d5adcc93
SHA1: 82f05afbec9bdcf27c4dd684dd85e09a8cea83d6
SHA256: 1a9cc5bcd51c457e202b99149d1dbb033ec4b5701b12e1748bc6a7526b1d5343
SHA512: 030ca177d913ce36e4eec1e0394da8e56b53a3096cda960374162acbbb9a93a0534f0ab2ae11e60d5accabd632d4571f353443eff71b11c1a76eec0e853ae2cc
-
C:\ProgramData\WindowsHolographicDevices\akatxdg
Filesize: 654B
MD5: 5eecbf6e4e7b03a4fe0aa1ae17a1c740
SHA1: 269324fcee0b40453832185764c626b9ef9a7fcb
SHA256: bf96c4576ad8d572c1d9178628f52c419f7216102bc1bca2abaa3932ebf34a61
SHA512: d25781ef026855c3d3b9871643715103c7099ee6370aa6c4d87a9eb74911611188ef1e80caecb56b1f719b7602ced98adea4c21b1a616e6d10332e2249c8a76f
-
C:\ProgramData\WindowsHolographicDevices\akatxdg
Filesize: 654B
MD5: 713d0e1b8374a0adc9dc6680041ff6bc
SHA1: c8469c5a3cd23b89031e1c00f94233d1c90b09eb
SHA256: 43bf5072140debf41a660da53bbeba92fd7b6733986e888456f7e1d23dd708cd
SHA512: 36aa3f3df591cc8a101c6962c2e3b35ca25ee58704a7a6204745716b0bda23dfff24a165c73e4a375ec99489f0f4620c8367d646c6f7847923436dc3d5b259c1
-
C:\ProgramData\WindowsHolographicDevices\akatxdg
Filesize: 654B
MD5: a430a4811cc6e365ef720f972f1f6c8d
SHA1: 02608eaa1f1f4b060d90f075e6f4ffded8573056
SHA256: da7ba51d192c2cf4409b5614bcc22d42c67714226e15ddeaf5ec53df227c0edf
SHA512: 261f66290f885a3f8bc894573717fc1a85322e5e4597d584c8131c93179eb7c279b65b10b5ab15de51b82a7d37ef3716b25cecbab5491bdc6142bcb82231bfd1
-
C:\ProgramData\yrnkowk.html
Filesize: 226KB
MD5: e41fcc0194a2847d023ffa393c3348ad
SHA1: 4dd9b68d635927957c2bf3ebcab9dddd5f0e2737
SHA256: 941b3b473b4473b174b042fcd978d136cd95e97f37c65cc1b1b8ad0704d79331
SHA512: df2f81ae384d74215af9d3799865dccdfeba1028f23b1b09e854353e8b45909488d96faa3e28d23d42bbbf448f391e26e84501f45a0ffc089987651a9fddbb94
-
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize: 181KB
MD5: 388c279f454dc300cd9c809c6a933f86
SHA1: a14c3dd8068a893da6e4d66f7d2f02528685da77
SHA256: 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded
SHA512: 8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.wxsqcsi
Filesize: 36KB
MD5: 66e7f224de1307a81a245c61365f06c1
SHA1: 620ab28bedf4a46c613cb3611d469b5b017ce2a6
SHA256: b8e24a256a10821dd5cbdf1dd5fdf8bd92f0e737914fbe5f393c1e26cdeed491
SHA512: 654afb19d876af02bba80e79548b1fe2bf54ed68bd4af23e9b98ecab4c602ceda6f63ddc9ca870341fcc131f60e46f7c1649dcf1f55085b72616ad104b6fa0cb
-
memory/764-150-0x000000000DFA0000-0x000000000E017000-memory.dmp
Filesize: 476KB
-
memory/1344-135-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/1344-138-0x0000000000400000-0x0000000000426E00-memory.dmp
Filesize: 155KB
-
memory/1344-139-0x0000000000710000-0x0000000000843000-memory.dmp
Filesize: 1.2MB
-
memory/1344-137-0x0000000000500000-0x0000000000602000-memory.dmp
Filesize: 1.0MB
-
memory/1344-134-0x0000000000000000-mapping.dmp
-
memory/2308-155-0x0000000000000000-mapping.dmp
-
memory/2368-149-0x0000000000860000-0x0000000000993000-memory.dmp
Filesize: 1.2MB
-
memory/2368-144-0x0000000000000000-mapping.dmp
-
memory/3392-153-0x0000000000000000-mapping.dmp
-
memory/3964-160-0x0000000000000000-mapping.dmp
-
memory/3964-162-0x0000000000401000-0x0000000000405000-memory.dmp
Filesize: 16KB
-
memory/4612-164-0x0000000000000000-mapping.dmp
-
memory/4612-169-0x00000000007E0000-0x0000000000913000-memory.dmp
Filesize: 1.2MB
-
memory/4928-132-0x0000000000401000-0x0000000000405000-memory.dmp
Filesize: 16KB