ctblocker | 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
Size

181KB
MD5

388c279f454dc300cd9c809c6a933f86
SHA1

a14c3dd8068a893da6e4d66f7d2f02528685da77
SHA256

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded
SHA512

8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511
SSDEEP

3072:sfKigMo5+zbn0vSXWS1qh2BNqF728MDEbpmPu4:zv5+f0amkBa72ND04

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-wxsqcsi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. OEPDF5O-4LJNDHV-6GUPU4R-D5ETOCR-EY4VZD6-KDN2ONA-5K47JTT-A6EM2CS T2GHLAM-GOADOZA-3WKNTE7-EJFU4II-SK2LKR4-JMWDLP6-Z6K54DP-R3KIS2C VJFFHVI-4KEXGPM-6HELCS2-6IOL4EH-C45I4QB-NIO65LK-7QDKCR7-ZNNEIUJ Follow the instructions on the server.

URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion/

Extracted

Path

C:\ProgramData\yrnkowk.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://pf5dahldauhrjxfd.onion.cab or http://pf5dahldauhrjxfd.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://pf5dahldauhrjxfd.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://pf5dahldauhrjxfd.onion.cab

http://pf5dahldauhrjxfd.tor2web.org

http://pf5dahldauhrjxfd.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Executes dropped EXE 4 IoCs

Processes:

dajjvan.exedajjvan.EXEdajjvan.EXEdajjvan.EXE

pid process

376 dajjvan.exe
2368 dajjvan.EXE
3964 dajjvan.EXE
4612 dajjvan.EXE

pid	process
376	dajjvan.exe
2368	dajjvan.EXE
3964	dajjvan.EXE
4612	dajjvan.EXE

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\RequestProtect.CRW.wxsqcsi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UseAdd.CRW.wxsqcsi	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

dajjvan.EXE

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation dajjvan.EXE
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	dajjvan.EXE

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 5 IoCs

Processes:

dajjvan.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	dajjvan.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	dajjvan.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	dajjvan.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	dajjvan.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini	dajjvan.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-wxsqcsi.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exedajjvan.exedajjvan.EXE

description	pid	process	target process
PID 4928 set thread context of 1344	4928	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 376 set thread context of 2368	376	dajjvan.exe	dajjvan.EXE
PID 3964 set thread context of 4612	3964	dajjvan.EXE	dajjvan.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1684	4928	WerFault.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
5108	376	WerFault.exe	dajjvan.exe
2116	3964	WerFault.exe	dajjvan.EXE

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

dajjvan.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\GPU	dajjvan.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	dajjvan.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	dajjvan.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	dajjvan.EXE

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\MaxCapacity = "15140"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320033003300390065003000340035002d0030003000300030002d0030003000300030002d0030003000300030002d006400300031003200300030003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{2339e045-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXEdajjvan.EXE

pid	process
1344	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
1344	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
2368	dajjvan.EXE
2368	dajjvan.EXE
2368	dajjvan.EXE
2368	dajjvan.EXE
2368	dajjvan.EXE
2368	dajjvan.EXE
2368	dajjvan.EXE
2368	dajjvan.EXE
2368	dajjvan.EXE
2368	dajjvan.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

dajjvan.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2368	dajjvan.EXE
Token: SeDebugPrivilege	2368	dajjvan.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE
Token: SeShutdownPrivilege	2948	Explorer.EXE
Token: SeCreatePagefilePrivilege	2948	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

dajjvan.EXE

pid process

4612 dajjvan.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

dajjvan.EXE

pid process

4612 dajjvan.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exedajjvan.exedajjvan.EXEdajjvan.EXE

pid process

4928 01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
376 dajjvan.exe
3964 dajjvan.EXE
4612 dajjvan.EXE
4612 dajjvan.EXE

pid	process
4612	dajjvan.EXE

pid	process
4612	dajjvan.EXE

pid	process
4928	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
376	dajjvan.exe
3964	dajjvan.EXE
4612	dajjvan.EXE
4612	dajjvan.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exedajjvan.exedajjvan.EXEsvchost.exedajjvan.EXE

description	pid	process	target process
PID 4928 wrote to memory of 1344	4928	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 4928 wrote to memory of 1344	4928	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 4928 wrote to memory of 1344	4928	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 4928 wrote to memory of 1344	4928	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 4928 wrote to memory of 1344	4928	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 4928 wrote to memory of 1344	4928	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe	01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
PID 376 wrote to memory of 2368	376	dajjvan.exe	dajjvan.EXE
PID 376 wrote to memory of 2368	376	dajjvan.exe	dajjvan.EXE
PID 376 wrote to memory of 2368	376	dajjvan.exe	dajjvan.EXE
PID 376 wrote to memory of 2368	376	dajjvan.exe	dajjvan.EXE
PID 376 wrote to memory of 2368	376	dajjvan.exe	dajjvan.EXE
PID 376 wrote to memory of 2368	376	dajjvan.exe	dajjvan.EXE
PID 2368 wrote to memory of 764	2368	dajjvan.EXE	svchost.exe
PID 764 wrote to memory of 3392	764	svchost.exe	mousocoreworker.exe
PID 764 wrote to memory of 3392	764	svchost.exe	mousocoreworker.exe
PID 764 wrote to memory of 2308	764	svchost.exe	DllHost.exe
PID 764 wrote to memory of 2308	764	svchost.exe	DllHost.exe
PID 2368 wrote to memory of 2948	2368	dajjvan.EXE	Explorer.EXE
PID 2368 wrote to memory of 3964	2368	dajjvan.EXE	dajjvan.EXE
PID 2368 wrote to memory of 3964	2368	dajjvan.EXE	dajjvan.EXE
PID 2368 wrote to memory of 3964	2368	dajjvan.EXE	dajjvan.EXE
PID 3964 wrote to memory of 4612	3964	dajjvan.EXE	dajjvan.EXE
PID 3964 wrote to memory of 4612	3964	dajjvan.EXE	dajjvan.EXE
PID 3964 wrote to memory of 4612	3964	dajjvan.EXE	dajjvan.EXE
PID 3964 wrote to memory of 4612	3964	dajjvan.EXE	dajjvan.EXE
PID 3964 wrote to memory of 4612	3964	dajjvan.EXE	dajjvan.EXE
PID 3964 wrote to memory of 4612	3964	dajjvan.EXE	dajjvan.EXE

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:3392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:2308

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe
"C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE
"C:\Users\Admin\AppData\Local\Temp\01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded.EXE"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 540
3⤵
- Program crash
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4928 -ip 4928
1⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:376

C:\Users\Admin\AppData\Local\Temp\dajjvan.EXE
"C:\Users\Admin\AppData\Local\Temp\dajjvan.EXE"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\dajjvan.EXE
"C:\Users\Admin\AppData\Local\Temp\dajjvan.EXE" -u
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\dajjvan.EXE
"C:\Users\Admin\AppData\Local\Temp\dajjvan.EXE"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 440
4⤵
- Program crash
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 516
2⤵
- Program crash
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 376 -ip 376
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3964 -ip 3964
1⤵
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevices\akatxdg
Filesize
654B

MD5
7b0e96fd3d00722c57ebbf79d5adcc93

SHA1
82f05afbec9bdcf27c4dd684dd85e09a8cea83d6

SHA256
1a9cc5bcd51c457e202b99149d1dbb033ec4b5701b12e1748bc6a7526b1d5343

SHA512
030ca177d913ce36e4eec1e0394da8e56b53a3096cda960374162acbbb9a93a0534f0ab2ae11e60d5accabd632d4571f353443eff71b11c1a76eec0e853ae2cc

Download Submit
C:\ProgramData\WindowsHolographicDevices\akatxdg
Filesize
654B

MD5
7b0e96fd3d00722c57ebbf79d5adcc93

SHA1
82f05afbec9bdcf27c4dd684dd85e09a8cea83d6

SHA256
1a9cc5bcd51c457e202b99149d1dbb033ec4b5701b12e1748bc6a7526b1d5343

SHA512
030ca177d913ce36e4eec1e0394da8e56b53a3096cda960374162acbbb9a93a0534f0ab2ae11e60d5accabd632d4571f353443eff71b11c1a76eec0e853ae2cc

Download Submit
C:\ProgramData\WindowsHolographicDevices\akatxdg
Filesize
654B

MD5
5eecbf6e4e7b03a4fe0aa1ae17a1c740

SHA1
269324fcee0b40453832185764c626b9ef9a7fcb

SHA256
bf96c4576ad8d572c1d9178628f52c419f7216102bc1bca2abaa3932ebf34a61

SHA512
d25781ef026855c3d3b9871643715103c7099ee6370aa6c4d87a9eb74911611188ef1e80caecb56b1f719b7602ced98adea4c21b1a616e6d10332e2249c8a76f

Download Submit
C:\ProgramData\WindowsHolographicDevices\akatxdg
Filesize
654B

MD5
713d0e1b8374a0adc9dc6680041ff6bc

SHA1
c8469c5a3cd23b89031e1c00f94233d1c90b09eb

SHA256
43bf5072140debf41a660da53bbeba92fd7b6733986e888456f7e1d23dd708cd

SHA512
36aa3f3df591cc8a101c6962c2e3b35ca25ee58704a7a6204745716b0bda23dfff24a165c73e4a375ec99489f0f4620c8367d646c6f7847923436dc3d5b259c1

Download Submit
C:\ProgramData\WindowsHolographicDevices\akatxdg
Filesize
654B

MD5
a430a4811cc6e365ef720f972f1f6c8d

SHA1
02608eaa1f1f4b060d90f075e6f4ffded8573056

SHA256
da7ba51d192c2cf4409b5614bcc22d42c67714226e15ddeaf5ec53df227c0edf

SHA512
261f66290f885a3f8bc894573717fc1a85322e5e4597d584c8131c93179eb7c279b65b10b5ab15de51b82a7d37ef3716b25cecbab5491bdc6142bcb82231bfd1

Download Submit
C:\ProgramData\yrnkowk.html
Filesize
226KB

MD5
e41fcc0194a2847d023ffa393c3348ad

SHA1
4dd9b68d635927957c2bf3ebcab9dddd5f0e2737

SHA256
941b3b473b4473b174b042fcd978d136cd95e97f37c65cc1b1b8ad0704d79331

SHA512
df2f81ae384d74215af9d3799865dccdfeba1028f23b1b09e854353e8b45909488d96faa3e28d23d42bbbf448f391e26e84501f45a0ffc089987651a9fddbb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajjvan.exe
Filesize
181KB

MD5
388c279f454dc300cd9c809c6a933f86

SHA1
a14c3dd8068a893da6e4d66f7d2f02528685da77

SHA256
01384b94c25808ed1f6b8d91b184e1adab539ebd8f2c63b2347992820bd42ded

SHA512
8d9e69e64ba9cebd413a6c4e7e3bc347054926f241623c4ce6609fac085062e794d2cf98545216c79ec24b672059042337e416baa8aef97594adbfa1abe5c511

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.JPG.wxsqcsi
Filesize
36KB

MD5
66e7f224de1307a81a245c61365f06c1

SHA1
620ab28bedf4a46c613cb3611d469b5b017ce2a6

SHA256
b8e24a256a10821dd5cbdf1dd5fdf8bd92f0e737914fbe5f393c1e26cdeed491

SHA512
654afb19d876af02bba80e79548b1fe2bf54ed68bd4af23e9b98ecab4c602ceda6f63ddc9ca870341fcc131f60e46f7c1649dcf1f55085b72616ad104b6fa0cb

Download Submit
memory/764-150-0x000000000DFA0000-0x000000000E017000-memory.dmp

Filesize
476KB

Download
memory/1344-135-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1344-138-0x0000000000400000-0x0000000000426E00-memory.dmp

Filesize
155KB

Download
memory/1344-139-0x0000000000710000-0x0000000000843000-memory.dmp

Filesize
1.2MB

Download
memory/1344-137-0x0000000000500000-0x0000000000602000-memory.dmp

Filesize
1.0MB

Download
memory/1344-134-0x0000000000000000-mapping.dmp

Download
memory/2308-155-0x0000000000000000-mapping.dmp

Download
memory/2368-149-0x0000000000860000-0x0000000000993000-memory.dmp

Filesize
1.2MB

Download
memory/2368-144-0x0000000000000000-mapping.dmp

Download
memory/3392-153-0x0000000000000000-mapping.dmp

Download
memory/3964-160-0x0000000000000000-mapping.dmp

Download
memory/3964-162-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/4612-164-0x0000000000000000-mapping.dmp

Download
memory/4612-169-0x00000000007E0000-0x0000000000913000-memory.dmp

Filesize
1.2MB

Download
memory/4928-132-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download