Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 19:05

Static task: static1

Behavioral task: behavioral1
Sample: 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Resource: win10v2004-20240419-en

General
Target: 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Size: 18.3MB
MD5: 90588afa689d1ecdedee6fb57bf5b635
SHA1: 1f49217a42a8f75246c6953749441599d6d97007
SHA256: 4de1f09c88032d3ec4421c72b04e07f43edf853e32808c4292929637c44534ef
SHA512: eb70df8a0134942f4e295a8ecc15845963ae89323c53f1966f3043d1c9536706729495b25ea81541cc062e6ad57e9753ca87d42555002b9477e40917232aacc6
SSDEEP: 393216:9ml9mCKuyLVEvd9LpBXVujtA6UX5K0r+Xh1SgXrnKXzM6Fw:9mzmnuTBBQjtA3XDrCAIT2tFw

Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: SetupHost.Exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation | SetupHost.Exe

Executes dropped EXE (4 IoCs)
Processes: UvwtFdvCzZzzZKl.exe, CTS.exe, SetupHost.Exe, DiagTrackRunner.exe
pid | process
2044 | UvwtFdvCzZzzZKl.exe
1448 | CTS.exe
2676 | SetupHost.Exe
1608 | DiagTrackRunner.exe

Loads dropped DLL (38 IoCs)
Processes: 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe, UvwtFdvCzZzzZKl.exe, SetupHost.Exe, DiagTrackRunner.exe
pid | process
3048 | 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
2044 | UvwtFdvCzZzzZKl.exe
2676 | SetupHost.Exe (repeated)
1608 | DiagTrackRunner.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe, CTS.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe

Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
Processes: SetupHost.Exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | SetupHost.Exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | SetupHost.Exe

Drops file in Windows directory (3 IoCs)
Processes: 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe, CTS.exe, UvwtFdvCzZzzZKl.exe
description | ioc | process
File created | C:\Windows\CTS.exe | 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
File created | C:\Windows\CTS.exe | CTS.exe
File opened for modification | C:\Windows\Logs\MoSetup\BlueBox.log | UvwtFdvCzZzzZKl.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: SetupHost.Exe, DiagTrackRunner.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SetupHost.Exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SetupHost.Exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | DiagTrackRunner.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | DiagTrackRunner.exe

NTFS ADS (1 IoCs)
Processes: SetupHost.Exe
description | ioc | process
File created | C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA | SetupHost.Exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: SetupHost.Exe
pid | process
2676 | SetupHost.Exe (repeated)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes: 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe, CTS.exe, UvwtFdvCzZzzZKl.exe, SetupHost.Exe, DiagTrackRunner.exe
description | pid | process
Token: SeDebugPrivilege | 3048 | 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Token: SeDebugPrivilege | 1448 | CTS.exe
Token: SeBackupPrivilege | 2044 | UvwtFdvCzZzzZKl.exe
Token: SeRestorePrivilege | 2044 | UvwtFdvCzZzzZKl.exe
Token: SeBackupPrivilege | 2044 | UvwtFdvCzZzzZKl.exe
Token: SeRestorePrivilege | 2044 | UvwtFdvCzZzzZKl.exe
Token: SeBackupPrivilege | 2676 | SetupHost.Exe
Token: SeRestorePrivilege | 2676 | SetupHost.Exe
Token: SeBackupPrivilege | 2676 | SetupHost.Exe
Token: SeRestorePrivilege | 2676 | SetupHost.Exe
Token: SeDebugPrivilege | 1608 | DiagTrackRunner.exe (repeated)
Token: SeBackupPrivilege | 2044 | UvwtFdvCzZzzZKl.exe
Token: SeRestorePrivilege | 2044 | UvwtFdvCzZzzZKl.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: UvwtFdvCzZzzZKl.exe, SetupHost.Exe
pid | process
2044 | UvwtFdvCzZzzZKl.exe
2676 | SetupHost.Exe

Suspicious use of WriteProcessMemory (22 IoCs)
Processes: 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe, UvwtFdvCzZzzZKl.exe, SetupHost.Exe
description | pid | process | target process
PID 3048 wrote to memory of 2044 | 3048 | 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe | UvwtFdvCzZzzZKl.exe (repeated)
PID 3048 wrote to memory of 1448 | 3048 | 2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe | CTS.exe (repeated)
PID 2044 wrote to memory of 2676 | 2044 | UvwtFdvCzZzzZKl.exe | SetupHost.Exe (repeated)
PID 2676 wrote to memory of 1608 | 2676 | SetupHost.Exe | DiagTrackRunner.exe (repeated)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe"
PID: 3048
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\UvwtFdvCzZzzZKl.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\UvwtFdvCzZzzZKl.exe
  PID: 2044
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\$Windows.~WS\Sources\SetupHost.Exe
    Command line: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
    PID: 2676
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Checks processor information in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\$Windows.~WS\Sources\DiagTrackRunner.exe
      Command line: C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
      PID: 1608
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\CTS.exe
  Command line: "C:\Windows\CTS.exe"
  PID: 1448
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
Command line: C:\Windows\System32\vdsldr.exe -Embedding
PID: 1596

Network
MITRE ATT&CK Enterprise v15
Downloads
file | Filesize
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll | 14.6MB
C:\$Windows.~WS\Sources\SetupCore.dll | 1.9MB
C:\$Windows.~WS\Sources\SetupPlatform.dll | 6.1MB
C:\$Windows.~WS\Sources\WINDLP.DLL | 1.1MB
C:\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l1-1-0.dll | 45KB
C:\$Windows.~WS\Sources\api-ms-win-downlevel-user32-l1-1-1.dll | 11KB
C:\$Windows.~WS\Sources\diagtrack.dll | 901KB
C:\$Windows.~WS\Sources\setupplatform.cfg | 8KB
C:\$Windows.~WS\Sources\unbcl.dll | 827KB
C:\$Windows.~WS\Sources\wpx.dll | 1.0MB
C:\Windows\CTS.exe | 71KB
\$Windows.~WS\Sources\DiagTrackRunner.exe | 77KB
\$Windows.~WS\Sources\SetupHost.exe | 681KB
\$Windows.~WS\Sources\SetupMgr.dll | 678KB
\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l1-1-1.dll | 19KB
\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l2-1-1.dll | 15KB
\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l4-1-0.dll | 10KB
\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l2-1-0.dll | 16KB
\$Windows.~WS\Sources\api-ms-win-downlevel-ole32-l1-1-1.dll | 14KB
\$Windows.~WS\Sources\api-ms-win-downlevel-shlwapi-l1-1-1.dll | 18KB
\$Windows.~WS\Sources\wdscore.dll | 193KB
\$Windows.~WS\Sources\wdsutil.dll | 232KB
\Users\Admin\AppData\Local\Temp\UvwtFdvCzZzzZKl.exe | 18.2MB
memory/2676-109-0x0000000002690000-0x00000000026D9000-memory.dmp | 292KB
memory/2676-110-0x0000000002690000-0x00000000026D9000-memory.dmp | 292KB