Analysis
max time kernel: 196s
max time network: 47s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 13:34
Static task
static1
Behavioral task
behavioral1
Sample
4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
Resource
win10v2004-20220812-en
General
-
Target
4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
-
Size
698KB
-
MD5
438fee4986d75c2fb9a1f9239010f8ca
-
SHA1
c29e54756f10517557349c0bdb573d7847e00429
-
SHA256
4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7
-
SHA512
ea6fd27158a95f167074548200aef75cb0089c47ac9a21a074374bd082f3d44ae4e21baa490cb1869351010b8e11f7815f44c7d4bd89b26e8296aa4dd55d8598
-
SSDEEP
12288:pQyHYh6UeeLrQp0/XoU8bTRsdi9JSZPLGhX9H1QO7l4n2A1muOhsXL:pQ6UeeLkMB8bTRskSjeXh+Ok7OhY
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-mhgskmn.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-mhgskmn.txt
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion/
Extracted
C:\ProgramData\nydzthc.html
http://kph3onblkthy4z37.onion.cab
http://kph3onblkthy4z37.tor2web.org
http://kph3onblkthy4z37.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
1352 | pcrcyge.exe
1172 | pcrcyge.exe
1552 | pcrcyge.exe
2016 | pcrcyge.exe
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\JoinUnregister.RAW.mhgskmn | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\LimitBlock.RAW.mhgskmn | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\FormatEnable.RAW.mhgskmn | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CopyApprove.CRW.mhgskmn | svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation | pcrcyge.exe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | pcrcyge.exe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-mhgskmn.bmp" | Explorer.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1908 set thread context of 1088 | 1908 | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1352 set thread context of 1172 | 1352 | pcrcyge.exe | pcrcyge.exe
PID 1552 set thread context of 2016 | 1552 | pcrcyge.exe | pcrcyge.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-mhgskmn.txt | svchost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-mhgskmn.bmp | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2044 | vssadmin.exe
-
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | pcrcyge.exe
-
Modifies data under HKEY_USERS 20 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963} | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid | process
1088 | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
1172 | pcrcyge.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1172 | pcrcyge.exe
Token: SeDebugPrivilege | 1172 | pcrcyge.exe
Token: SeShutdownPrivilege | 1432 | Explorer.EXE
Token: SeShutdownPrivilege | 1432 | Explorer.EXE
Token: SeShutdownPrivilege | 1432 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2016 | pcrcyge.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
2016 | pcrcyge.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
2016 | pcrcyge.exe
2016 | pcrcyge.exe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
1432 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
description | pid | process | target process
PID 1908 wrote to memory of 1088 | 1908 | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088 | 1908 | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088 | 1908 | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088 | 1908 | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088 | 1908 | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088 | 1908 | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 1908 wrote to memory of 1088 | 1908 | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | 4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe
PID 908 wrote to memory of 1352 | 908 | taskeng.exe | pcrcyge.exe
PID 908 wrote to memory of 1352 | 908 | taskeng.exe | pcrcyge.exe
PID 908 wrote to memory of 1352 | 908 | taskeng.exe | pcrcyge.exe
PID 908 wrote to memory of 1352 | 908 | taskeng.exe | pcrcyge.exe
PID 1352 wrote to memory of 1172 | 1352 | pcrcyge.exe | pcrcyge.exe
PID 1352 wrote to memory of 1172 | 1352 | pcrcyge.exe | pcrcyge.exe
PID 1352 wrote to memory of 1172 | 1352 | pcrcyge.exe | pcrcyge.exe
PID 1352 wrote to memory of 1172 | 1352 | pcrcyge.exe | pcrcyge.exe
PID 1352 wrote to memory of 1172 | 1352 | pcrcyge.exe | pcrcyge.exe
PID 1352 wrote to memory of 1172 | 1352 | pcrcyge.exe | pcrcyge.exe
PID 1352 wrote to memory of 1172 | 1352 | pcrcyge.exe | pcrcyge.exe
PID 1172 wrote to memory of 596 | 1172 | pcrcyge.exe | svchost.exe
PID 596 wrote to memory of 996 | 596 | svchost.exe | DllHost.exe
PID 596 wrote to memory of 996 | 596 | svchost.exe | DllHost.exe
PID 596 wrote to memory of 996 | 596 | svchost.exe | DllHost.exe
PID 1172 wrote to memory of 1432 | 1172 | pcrcyge.exe | Explorer.EXE
PID 1172 wrote to memory of 2044 | 1172 | pcrcyge.exe | vssadmin.exe
PID 1172 wrote to memory of 2044 | 1172 | pcrcyge.exe | vssadmin.exe
PID 1172 wrote to memory of 2044 | 1172 | pcrcyge.exe | vssadmin.exe
PID 1172 wrote to memory of 2044 | 1172 | pcrcyge.exe | vssadmin.exe
PID 1172 wrote to memory of 1552 | 1172 | pcrcyge.exe | pcrcyge.exe
PID 1172 wrote to memory of 1552 | 1172 | pcrcyge.exe | pcrcyge.exe
PID 1172 wrote to memory of 1552 | 1172 | pcrcyge.exe | pcrcyge.exe
PID 1172 wrote to memory of 1552 | 1172 | pcrcyge.exe | pcrcyge.exe
PID 1552 wrote to memory of 2016 | 1552 | pcrcyge.exe | pcrcyge.exe
PID 1552 wrote to memory of 2016 | 1552 | pcrcyge.exe | pcrcyge.exe
PID 1552 wrote to memory of 2016 | 1552 | pcrcyge.exe | pcrcyge.exe
PID 1552 wrote to memory of 2016 | 1552 | pcrcyge.exe | pcrcyge.exe
PID 1552 wrote to memory of 2016 | 1552 | pcrcyge.exe | pcrcyge.exe
PID 1552 wrote to memory of 2016 | 1552 | pcrcyge.exe | pcrcyge.exe
PID 1552 wrote to memory of 2016 | 1552 | pcrcyge.exe | pcrcyge.exe
PID 596 wrote to memory of 624 | 596 | svchost.exe | DllHost.exe
PID 596 wrote to memory of 624 | 596 | svchost.exe | DllHost.exe
PID 596 wrote to memory of 624 | 596 | svchost.exe | DllHost.exe
Processes
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | 1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | "C:\Users\Admin\AppData\Local\Temp\4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe" | 2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe | "C:\Users\Admin\AppData\Local\Temp\4edebdad5db6686b6d2310bac908929c40bb126f0d67bc6251207c397b23e0c7.exe" | 3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch | 1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | 2⤵
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | 2⤵
-
C:\Windows\system32\taskeng.exe | taskeng.exe {18BC3B0D-879D-41B4-9059-326FFE2AEB07} S-1-5-18:NT AUTHORITY\System:Service: | 1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe | C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe | 2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe | "C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" | 3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exe | vssadmin delete shadows all | 4⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe | "C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u | 4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe | "C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" | 5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads