Analysis
-
max time kernel
150s
-
max time network
49s
-
platform
windows7_x64
-
resource
win7-20220901-en
-
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
-
submitted
28-11-2022 17:23
Static task
static1
Behavioral task
behavioral1
Sample
d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe
Resource
win10v2004-20221111-en
General
-
Target
d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe
-
Size
954KB
-
MD5
856cefc0c0bbe54ac88d71135c3437df
-
SHA1
a3175ff2386fb6a266743fba99e72549b5281d62
-
SHA256
d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79
-
SHA512
17d369d2ca266b72abbabb41405699f09934525175e230d7fa4342efa6242e0642a9b23f60c23934aa33e63cd7e31715356ce948ccabd3510274da028e99eb65
-
SSDEEP
24576:pWt9iMnSn9wESmhYJBg3CztbeNr5X4GOL8:Ut9iMnSn9wE8JqYtaNr5XsY
Malware Config
Extracted
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-abrgzxi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\Users\Admin\Documents\!Decrypt-All-Files-abrgzxi.txt
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion/
Extracted
C:\ProgramData\zlwdkgg.html
http://pf5dahldauhrjxfd.onion.cab
http://pf5dahldauhrjxfd.tor2web.org
http://pf5dahldauhrjxfd.onion
Signatures
-
CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
2020 | pdfisga.exe
1464 | pdfisga.EXe
1184 | pdfisga.EXe
2032 | pdfisga.EXe
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ReadClose.CRW.abrgzxi | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DismountOpen.RAW.abrgzxi | svchost.exe
File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GrantLimit.RAW.abrgzxi | svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | pdfisga.EXe
-
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | pdfisga.EXe
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-abrgzxi.bmp" | Explorer.EXE
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1048 set thread context of 948 | 1048 | d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe | d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.EXe
PID 2020 set thread context of 1464 | 2020 | pdfisga.exe | pdfisga.EXe
PID 1184 set thread context of 2032 | 1184 | pdfisga.EXe | pdfisga.EXe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-abrgzxi.txt | svchost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-abrgzxi.bmp | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1924 | vssadmin.exe
-
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | pdfisga.EXe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | pdfisga.EXe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | pdfisga.EXe
-
Modifies data under HKEY_USERS 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1464 | pdfisga.EXe
Token: SeDebugPrivilege | 1464 | pdfisga.EXe
Token: SeShutdownPrivilege | 1400 | Explorer.EXE
Token: SeShutdownPrivilege | 1400 | Explorer.EXE
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
2032 | pdfisga.EXe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid | process
2032 | pdfisga.EXe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
1048 | d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe
2020 | pdfisga.exe
1184 | pdfisga.EXe
2032 | pdfisga.EXe
2032 | pdfisga.EXe
-
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid | process
1400 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
Tree depth: 1
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.exe"
Tree depth: 2
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.EXe
Command line: "C:\Users\Admin\AppData\Local\Temp/d6f34c4fb40c7f7cf66efbf0eb1bfd3a55089f65181d4d0c2de3c183f7527c79.EXe"
Tree depth: 3
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
Tree depth: 1
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\DllHost.exe
Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Tree depth: 2
-
C:\Windows\system32\DllHost.exe
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Tree depth: 2
-
C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {6BA5B8A4-ED58-4357-8B16-308408FF3003} S-1-5-18:NT AUTHORITY\System:Service:
Tree depth: 1
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Command line: C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
Tree depth: 2
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.EXe
Command line: "C:\Users\Admin\AppData\Local\Temp/pdfisga.EXe"
Tree depth: 3
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exe
Command line: vssadmin delete shadows all
Tree depth: 4
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.EXe
Command line: "C:\Users\Admin\AppData\Local\Temp\pdfisga.EXe" -u
Tree depth: 4
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pdfisga.EXe
Command line: "C:\Users\Admin\AppData\Local\Temp/pdfisga.EXe"
Tree depth: 5
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads