Analysis
- max time kernel: 159s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 28-11-2022 05:57
Static task
static1
Behavioral task
behavioral1
Sample
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Resource
win10v2004-20220812-en
General
-
Target
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
-
Size
1.2MB
-
MD5
1aad30f76693aa8ec2fd2a9314b02125
-
SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2
-
SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1
-
SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c
-
SSDEEP
24576:ADqBNB/RLKAlkmrTgCQgoB/7nhYfxknKBCXzOvERcd8Gu7q:ADkpRkmvQgo9zS6nMv7+1u
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eaublmn.txt
http://tmc2ybfqzgkaeilm.onion.cab
http://tmc2ybfqzgkaeilm.tor2web.org
http://tmc2ybfqzgkaeilm.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-eaublmn.txt
http://tmc2ybfqzgkaeilm.onion.cab
http://tmc2ybfqzgkaeilm.tor2web.org
http://tmc2ybfqzgkaeilm.onion/
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
1628 | 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
1444 | pcrcyge.exe
1492 | pcrcyge.exe
1568 | pcrcyge.exe
948 | pcrcyge.exe
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExitImport.CRW.eaublmn | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ClearRequest.RAW.eaublmn | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DisableRegister.CRW.eaublmn | svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation | pcrcyge.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1340 | 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-eaublmn.bmp" | Explorer.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1340 set thread context of 1628 | 1340 | 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe | 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 1444 set thread context of 1492 | 1444 | pcrcyge.exe | pcrcyge.exe
PID 1568 set thread context of 948 | 1568 | pcrcyge.exe | pcrcyge.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eaublmn.txt | svchost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eaublmn.bmp | svchost.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1900 | vssadmin.exe
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
Processes:
pid | process
1628 | 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
1492 | pcrcyge.exe (every remaining entry repeats this row)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1492 | pcrcyge.exe
Token: SeDebugPrivilege | 1492 | pcrcyge.exe
Token: SeDebugPrivilege | 1568 | pcrcyge.exe
Token: SeShutdownPrivilege | 1256 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
948 | pcrcyge.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
948 | pcrcyge.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
1256 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
description | pid | process | target process | times listed
PID 1340 wrote to memory of 1628 | 1340 | 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe | 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe | 7
PID 1640 wrote to memory of 1444 | 1640 | taskeng.exe | pcrcyge.exe | 4
PID 1444 wrote to memory of 1492 | 1444 | pcrcyge.exe | pcrcyge.exe | 7
PID 1492 wrote to memory of 600 | 1492 | pcrcyge.exe | svchost.exe | 1
PID 600 wrote to memory of 1740 | 600 | svchost.exe | DllHost.exe | 3
PID 1492 wrote to memory of 1256 | 1492 | pcrcyge.exe | Explorer.EXE | 1
PID 1492 wrote to memory of 1900 | 1492 | pcrcyge.exe | vssadmin.exe | 4
PID 1492 wrote to memory of 1568 | 1492 | pcrcyge.exe | pcrcyge.exe | 4
PID 1568 wrote to memory of 948 | 1568 | pcrcyge.exe | pcrcyge.exe | 7
Processes
-
[level 1] C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
[level 2] C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
command line: "C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
command line: "C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
[level 1] C:\Windows\system32\svchost.exe
command line: C:\Windows\system32\svchost.exe -k DcomLaunch
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Windows\system32\DllHost.exe
command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
-
[level 1] C:\Windows\system32\taskeng.exe
command line: taskeng.exe {15080C1B-E824-4AFB-ABD5-46633D7546BB} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
-
[level 2] C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
command line: C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
[level 3] C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
command line: "C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[level 4] C:\Windows\SysWOW64\vssadmin.exe
command line: vssadmin delete shadows all
- Interacts with shadow copies
-
[level 4] C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
command line: "C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[level 5] C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
command line: "C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads