Analysis
-
max time kernel
1800s -
max time network
1795s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-11-2020 12:01
General
-
Target
System.exe
-
Size
66KB
-
MD5
8d6ab03994b0ce3466873aa7532fe76b
-
SHA1
156aecd4d8e65d205181ad5eace466c8798d3c86
-
SHA256
e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62
-
SHA512
2c1df9fb201b4a750378dfa7029755239167efa51ae4ddc9c5042218a1d01c3bf5557c09faeda4f3f68818082a6f95526d5776d432b5b6774ae2c1c90dc7a84c
Malware Config
Signatures
-
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 29 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 18 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 14 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 51 IoCs
-
Suspicious use of SendNotifyMessage 51 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\System.exe"C:\Users\Admin\AppData\Local\Temp\System.exe"1⤵
- Drops startup file
- Modifies WinLogon
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DefWatch /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccEvtMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SavRoam /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBFCService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBCFMonitorService /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooBackup /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooIT /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop zhudongfangyu /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop stc_raw_agent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VSNAPVSS /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" A:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" B:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" D:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" E:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" F:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" G:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" H:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" I:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" J:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" K:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" L:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" M:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" N:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" O:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" P:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" Q:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" R:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" S:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" T:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" U:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" V:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" W:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" X:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" Y:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" Z:\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\Admin\Desktop\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\Admin\Documents\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\Admin\Pictures\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\icacls.exe"icacls.exe" C:\Users\Admin\* /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HELP_ME_RECOVER_MY_FILES.txtMD5
a9b0f276e953a902c58d3663644b8c61
SHA1f42c6061136fbf8c13c1f493d4af283c6351897a
SHA256d360747728919b8fe9cb37b08a52bde689afc39e68c437c60a6fd6a655c82671
SHA5123dd9af421e87e048ba73e5e2574cbbe3c7007e3baacd2de3bbc01529e9864455f2e9c99c50a1ee1b00f8d0082705bfd4de528907cd4e4d2d2d614dfc63c5c992
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnkMD5
519b868d3480f17ce01bc87dd93fecae
SHA13fef906e8d7db48654f9a8d2bf2bfeb1e89cfd47
SHA25677f765cab861711a19d8947c5ca15e581dd50a385df7d18108da6bba7639bcb9
SHA512867d61ccaa2b59bb703b87d1436d39241197fcdf6dd5e1256105617463f20a001fe5bf58a32756d461fe9827a868ad5058c5c1aa5b65a90d45259bcafcc5e1da
-
C:\Users\Admin\Desktop\BlockWrite.jpeg.cryptedMD5
7ab2abb5ddea18e13a47754df04e3d80
SHA18cb19c522eaa00ec95c10257c9dff4b7ecf3d415
SHA2568992fdf164ce96ca75c208ebafed769ec3f3396e9da93c2101cff9a4ecaa1bea
SHA512cd9f41f108c1a0fb4675dcf1facf2706aed4a7ba82fac7bdd7535b66d3836b16da934bfed683cb757942509d66048e967b26e218c9616909442a9a49fa377ab8
-
C:\Users\Admin\Desktop\DisconnectTrace.mhtml.cryptedMD5
e0087b660a6e52214233ad698ac45819
SHA103b81b463b78096304b7a6400b75e9c0d3e8c223
SHA25615d26297d7c14f4b7cf2850eb3c0623d37fd0d63ac3ed4a79408e4a93b8fc6b4
SHA512cb99373cf29ab8d71a2ef945f4bb94b4756ac7c898c0ce9475cd559d3246b13bde8b70c7dcd58f380c16b4228c04e540bd41b9725a0b6300117b2d7d6b0f2727
-
C:\Users\Admin\Desktop\ExpandSearch.avi.cryptedMD5
fb0f3bd03a0a4077009f20632d7bff6f
SHA1394f7501402a2eb4b2841e6d5f7481d3ccaf37ef
SHA2569ca316325b396dd593469c486837dc1eb1b02939c8f91a910355b27cf716a8e5
SHA5124fde74238faf01710c8bba47c793f1aaa09973023d763a4ee7ef1dff51b827e07e6b301da85c23752a56085018d7adf562ef30b7a96edafafd7d867a9ee8f86f
-
C:\Users\Admin\Desktop\InstallMount.htm.cryptedMD5
787407ff1ae0a872bd3fbbf2767da86e
SHA1cf6acf9b1640e5fb2c585333b0b801d947ac74e4
SHA25651b4031d2874d4e22d5f416ced8e0157ff7f8fdbf9952ebafc88ee987357dd61
SHA5126dc8118e6c8888b270ef797c6f03b9f576619de82662e67614d627610e32353e70a0914e40e0455963b2013a0a28a5f32a84b2b0e1b7d015cd85aeb7d2198edd
-
C:\Users\Admin\Desktop\InvokeSplit.snd.cryptedMD5
e02169e4f2e1b42bfcaa829dd386f787
SHA1ee096598d0b1d6c574c51d177ba0dccabc72152e
SHA256d8309a76397f45d6b100f863c3f55a0f5d264f77840720020e54b9a24caad04d
SHA51241690473077fc4729f34ad7b2d4abde1ad67f8e9c2a067541da95567e6878c4b06d9470a87b1c3783f5b9c06853820b4b1d0654c13f5c7dde0a1d95d634d4988
-
C:\Users\Admin\Desktop\LockClose.7z.cryptedMD5
66e056a9ee54b86c5f5f9f33cafd538d
SHA12d64757d2a9df94742cb1757ecc76121e935fd4c
SHA2562a048c92c5c0631dc74e0e562d804abbd582f95f27bb878994597e93ada6582e
SHA512837b1b7070d22cc28e78db923d0d1fef7dca92697a0fb523a6ea4497d0229b133e95b6c97a6077e11f79b70810ec94d069d7ffc0ab19fb25b0da312416829ae8
-
C:\Users\Admin\Desktop\RepairUnlock.pptx.cryptedMD5
ee526f48c2e7759ece8bc1498f6002d7
SHA19d68dff6adfadfb025e5b30d42654bd574505911
SHA256580ec1b9e27ea45bdf2494b29b7e0ec901a4eab04f93b040dd41528da5e40537
SHA512bb765a2161d79d6c80daead9a22e465875b382c0dbc68926eff128e941e5c8f031fce98d2658d61045067874b4abec61910cddfe18c3a5860e565c6820c775ec
-
C:\Users\Admin\Desktop\RequestLimit.rar.cryptedMD5
f56007e115de8c181bbb898dda9cd034
SHA15fa076403f9a8ee1d9f469d53121c500aec6d23a
SHA256b7f0b4b45aa863f7a6f7415c1c9a5bdb9b3e5ea9bd07300fbc36e48c72c9276b
SHA5120f48eb7b6b4cee90e2efb56ff9232c3e48dae71980a62af46f4d1fef4d791ab1aa88273986a28fafdec00478b89631cbac4d4ce1fe1941f5c6b9f31cad7c1290
-
C:\Users\Admin\Desktop\TraceUnprotect.odt.cryptedMD5
65109974fde98bd2aa594943947457a7
SHA1aace0cd49e46dd653cb6b32660bea37350b0da08
SHA256abc38dd0e2930c6cfdeccf4e3c435ac6ac2c8624b822efc40c2cc8d7da328049
SHA512f0522a720cb174a4b0e4faed47a87ea8503884b321a1f74f1ed1bdc8d499ba394f071b7322e3c058a6c260429bdddf758071da0dc69ae55775177d9e08cba73d
-
C:\Users\Admin\Desktop\UndoConfirm.jpg.cryptedMD5
77671b10eb1904db97741e8de6612f91
SHA1626923f9edf138f5529dd8f47833d8ca8a274c3c
SHA2564895153e822992444beff70988c5a2030f4552cb7f2354e1a35966bbe75f86df
SHA512fd399829fc454311673b02db81987534665f93d48950deb212fd02b87ccd69da1f5e1ab10a884e5a386cf72c40f08160d541cb26aeee29ba9f0a7ea87d44d0e4
-
C:\Users\Admin\Documents\Are.docx.cryptedMD5
4a0b95041508690966c4e4a7dd7b26fb
SHA1bfdcbdb56fb8ddc1e0d9b179b61779cc2b5aa813
SHA256d5e115b9e252e11c957f104692c47a72acd2e31f0f162d0b5c53f25bd2937431
SHA512576c8a83ae4e26e6af64b030c2785bdfc51d38475cb3eacd65bcc585f021d2a68cc6afdddee53c5dd8f58f6d92c19053b6cb2bc1f678032aeccf9cc379c2cac7
-
C:\Users\Admin\Documents\CompareConvert.rtf.cryptedMD5
1f9f42766badc4197622c4340303a9f3
SHA1186c1c8fa087944c878cb259fd07e4d1950cdd66
SHA25649a70a6275a66aa67084567799b18c629982d5c9a9687b03ce247d0aa259da24
SHA512b8ee5187c97f09fe8e1a778943b98ebc17852fa16fa124d1b2268d25c09edbd3fe7c05ce043d83eb97658e0949cf73aa01d7b39f544ce6b57db2c245baf13e39
-
C:\Users\Admin\Documents\DisconnectUpdate.xlsx.cryptedMD5
0016a79f9601e430fe635ada797d1455
SHA13c2ad501a0ebd1e6907533ee2eabb8dd7f04aba3
SHA2564a4c031bc69c4bb420d177ec7e0832f73704002a2ce8edca64801f82a811db65
SHA5127bd3b2eee1f9b80d777803406cc95944b4e89535cdd7b1b5891cd88445d1b531226b000569bd5b6b53f42f41695fd1275feb1d2d13a8c8065d766580ffc569a4
-
C:\Users\Admin\Documents\Files.docx.cryptedMD5
9f9d32f7a96ae543f479c53b7a8a2e50
SHA11089544e42bc9bfc469b8762d277cd09d273e05c
SHA2568a837406b7c8392c22df7c57c0839be7944c59ad91414c0ccd0d015d104e90e6
SHA512d9f2bc2ce819720cba6c6ef074476cdd6f8679582046d4d8dbd1dcc6dbed5931ed46176995532c0ac8b717f0f7126861f70926c7d687bd97b1a446e2e4a7864e
-
C:\Users\Admin\Documents\MoveUse.ppt.cryptedMD5
a4b21440b190caa91ac11b8e3312f24a
SHA10768c90c1819ac4975a40bf303fa7bf372380595
SHA256d60e4ae6b14e79fd15cff60f0484a49ee9b7d32f56f1a3bbbb1283915c532614
SHA512305fddd4171875b2d097fb5fc97671335d6af71198dcb3bb6e1a5efdce9e584fa7196e34c82b64be8ca698c73a4d19ec1f701f80429cbb792114188b9e17c9e6
-
C:\Users\Admin\Documents\Opened.docx.cryptedMD5
6ec19227af796164b731231f04220f60
SHA1be8bd6dc85e02d951c22a2dc92dd0f96d39b5833
SHA2563945527dc572c2481ccc9cb41bec4e86d249e66c6a3d92c76e176084d2940780
SHA512177f4ae714c25daf9d9b7f7970d8d289441bcbf4348f026555449892ec994feb4b0f732556062d4a4b646e75c43a7e8020469b4bad92cc07dcf6ad5702ca6e4a
-
C:\Users\Admin\Documents\Recently.docx.cryptedMD5
6ff78c80a1c369421f29647d005209ed
SHA1704f08f3629d9682673df82bbb16e2cec978cfc3
SHA2564088966aaede8f1860e14fc57d0d7a4d890576f519d20607f1c7c4b943c5bd75
SHA51233631e68ad47cae8cba03b06ffa567dd9dcc1ef1f2a2f1011b6c42d3eb7746411dad338d72c40dda4938adf1c7ba5155e78e8748055d93df323b5f451b31d0b3
-
C:\Users\Admin\Documents\SaveMount.html.cryptedMD5
a96167adb9e11e617712c5232a22d7ed
SHA120c591cf178ad3e4fd9d71362ef0a02bb91d7859
SHA256727cf847466f62f8a9e72bc05cc3b967a9d1f18f1e7b1d6752ce894d67e5adbf
SHA512c3df79c6c3b105c707ba629cd7f4a1c75653f76b85ccd9fb735e38bb7d044694d49da8b6e7c3088d9475f8304c465295befb9e391422d126ebd968d7f7493757
-
C:\Users\Admin\Documents\SplitExit.odt.cryptedMD5
e4a77066adde11bbc970c18e3eca2fd1
SHA1293d0aecbf5ac293876684cb274a58ac646552e7
SHA25605846e05e972f5035d74a65c839d523fe576f6208997e9deccf19cfaf4629259
SHA5120cd32416d23d5fb7e41f17468c75e70dd4f37ec6753eeb652a0292aef66900bc23b5b8198de8aa4a2abb53f260943a83144c1506f15565c0c3270d9d1e05a9c0
-
C:\Users\Admin\Documents\These.docx.cryptedMD5
6bb35e08d08860298126b621b25adc2d
SHA1774dfba8c1d6c0646ce23bc1e596911b643218dd
SHA2565c1b00abb77a79114915068f75ee5e86aef21fe7bf9bba66a1bde04d55338c9d
SHA512a38ac31c938a04f85fe0c2c107cc82d8c8f16d255214642dc56cc9fa6565fdd8c61728cd355f14774de90f4a13d679a95ad4db2caa6f01cf95039188ea1b30df
-
C:\Users\Admin\Music\CheckpointCopy.jpeg.cryptedMD5
3877d7eddf3d92d847ac6b462cad54ba
SHA1b66d29f72a4d28c6cd93b099ca14ea285f788a33
SHA25617261fd8a40ec78f4e99379b9fe7002316964dddcea3855b7b32860fce66ef1a
SHA512fa29a2f4e986689d1be61a224f264380d92047e38476bae684125df0f0f0e9ddfe21ce268ecadbdb90e053ae5adb0384fcc29f6833c3edb106447dfc19fcf889
-
C:\Users\Admin\Music\DismountRegister.dwg.cryptedMD5
cbe6445cc0da649377d5655a424f9167
SHA1c1ae9a4f53d404277680164408242c2b732fafee
SHA2567cdfa68c4c017062d42b52310facf7581afe172cc11a30833d09c2c9f6039bc3
SHA512eafb33addd94d1fb69b60391cfafc1d76d218534addc02ecc620ef9f7127882ef9952e12c9e127b1d220bc4247e567265c903595811ec286732e944b92ad1aaf
-
C:\Users\Admin\Music\RenameImport.jpg.cryptedMD5
59668dcb56b17b0f8363ab2aa2d24ac3
SHA1b9e7d52f26183f7875826773967624a2aeee8aa6
SHA256e82f6cee047a42238258765071b83bf50328344707353933ed9ae9e18b1e5809
SHA5121154900ff520665497dc0a71b08a13b0a2845663919c3a787a75760ae3534ed73f7f4ab07b024b6d91405911ad740a8095b301e8b073cfa0f37e069a7d1a57dc
-
C:\Users\Admin\Music\StepDebug.ods.cryptedMD5
e6b0c7d6f984939e0a467e3fa2a9e543
SHA1eacf8f83071780cc5bd4852e2fbcc148cd60b48c
SHA2565921ec3b9fbee5d88032dff2fa6e6e9779a289907ba3ee54ce747ed83915733a
SHA5124a6983f201bfe4fe74c6bb8435862cde31041e4fa7111414349425bf1210154fe3784373214d14fef0902f4b1b1034f674dae4ad53171ece4f9f09cbd948691d
-
C:\Users\Admin\Music\StopReset.jpeg.cryptedMD5
558ecc42fafb43ba3b91654751f71d23
SHA1a819ff857da1cafe5550a1226acc478f80924f03
SHA256ae904b1d3fe7c9ab655ff5d52fd806a0e25a733303138facf3a8d336be561c96
SHA51203e521b5022b6e9628ffce0a30c30f5e25b92a499ab33447db8464ec8563863a428ad876359dbd9ee97a6ca0143c946b2cf5323896551e668ba3b8a25a5948a1
-
C:\Users\Admin\Music\SuspendGroup.xlsx.cryptedMD5
af251314e7e689d90eea365ffd00f83d
SHA15cd3b17c74254bb0b7c58dbec1e932746e880b9b
SHA2565371c6525cb30229e8828c3cfc1333721706df0df5f6d516cc6bde63de39439a
SHA51287a5d0dcf3d7ddb322b3f6329278b523915c3383a9a32c917ae1d987fc85383a7862081d52622549494b07027ee65e7531c1d182bd5a7b14286e341a9a67ed21
-
C:\Users\Admin\Music\SwitchSuspend.csv.cryptedMD5
8cd34e7fb041f5e873ab436f7dd9e1e4
SHA1d0c0b3ec66daafc791917cad456a38161d91c145
SHA2569804717ac8ef30725602ea693eed5229e1a7b151a8b82c49973b9c1f8ac4281f
SHA512fe3249ded8799f2bd2832317b6876204fe0453cb30be76382f92124fdf2329911234a7cfced50f1327e03589f37c959543e6f7ceaae9cb9ebd52e7e12157355c
-
C:\Users\Admin\Music\WaitAdd.rtf.cryptedMD5
ba693a16c46b513f537708ef558af07a
SHA11586f156f3d4d46063f1ee0791e08e7592416243
SHA2565f16587ffba363e53da92d9461844b21566e11c6f3fb98d549d4762ebe775f2b
SHA512ec2f852090e57464f715a9853644a06c1f9ee111b09666a67a2d22310a69ef388d98f5b84669351fb700f3f0fccba5250f2eda2171bd2734449a6b5e5619cf34
-
C:\Users\Admin\Pictures\DenyGet.png.cryptedMD5
f444d249e71123e2b7f8a1dc5c3a21c2
SHA198b35d5bcb63b174164412ac6ae66b1eb59abc20
SHA256924135e1e0d3152cf5c977b8094aeda36189c29fb99b8ef40de8b19950a200ec
SHA512f9bf5d693bce4c495edb745baa1310f3fb8161a4a0abb5d5d3ff34d8bafee1a6f9f9550ad0af10b0ac17cccd9f06b3b00edb66576c4c642cf1ff068d72825d15
-
C:\Users\Admin\Pictures\RestoreOut.jpeg.cryptedMD5
6ba8915677fe0ed837b3dd0c0ec0e3bb
SHA1538c88ec842e3ba58f75485979046f0b426e5fe5
SHA25628f4df6cfc4a1e148591f586a2bb278cb17e6d39f7d012348816dae89128580c
SHA512b7a4f883d5082acef63091caf76bf1de9909af5872bb29dd64b321c19c3ddd4e906aef25c4fa707fb9c9760b2a0dbb657ba50ad2260d88824465fb3bcb6f456e
-
C:\Users\Admin\Pictures\SplitNew.dwg.cryptedMD5
1e02e77526455bf4c1345d6c2787d5bb
SHA14ec23ad14ba5665cc513c23a6ccfcc29ea3a7e4a
SHA256ad74fa4e63cab4acd09888bff3514a67d48fa140e81d7aefa18e2153ced84885
SHA51232314e715b65cd3defe5b12992d4553a4932ef5d63ba9518ccf44d04b575de992ccb8eaff94ad375303fa46dc9ef08a21ba1830604bcee1c9eb78b11f240389a
-
C:\Users\Admin\Pictures\SyncCheckpoint.raw.cryptedMD5
4372e694d8255619ac7c62150c83dde7
SHA12137977d1c80f994a96750a2507c4e0f8d112bed
SHA2561fd5047bf4f63c736516a623844af557dec73a30f3943bdf4a9ea0496df4bc8d
SHA5121bc32168e01fc573a0f0a11e4423891efc2affb07eb2b3222bc49147cf6bd5521f8fe884237edc23bf88e5d71dda968d014992db468465dea81112775f30ce10
-
C:\Users\Admin\Pictures\SyncComplete.tiff.cryptedMD5
57a1fe1fc5a099dd9829f2c8214f6136
SHA1d857e1693c9e205f333b5d7ecadb2dc746a80d8d
SHA256d3f547191fde86c16a4081025c9b3400b7e3a8f542a884c305eaf0b50fef7850
SHA5121087e491f1bc58e9c269ea4fc77f74bc72b7eb91af2e96a362e14522cd957b995bfd7c1a415fa64102895db37c3970b21e32774980d3f835c659114e89399da0
-
C:\Users\Admin\Pictures\UnregisterUse.tiff.cryptedMD5
280d794fadc9cb5dfcabfba3accfa79a
SHA12824c3f2d3237c9e63af76a9c63cb0997b22622c
SHA2560d10b5b80c4957dbb5c5914d1839545c9fac40f00e81d9218193862378e34060
SHA512fd323535ea85a555762e6c8547bb57ca946ca7e96d1b5dede66ea37e88a87df16e1946d8d561faab08eee810cc8b7b4d5d5a340176940f28ceab8756ceb3a5b2
-
C:\Users\Admin\Pictures\Wallpaper.jpg.cryptedMD5
cb6ef98fa7fe971a5cefea27c78fed87
SHA13a38648702a417bbca53ee6a282104b1655881dc
SHA2567c265defa446ce9fe2298af5e4626aaa87b5efe975da91ebd7a1c860aadb657e
SHA512b7d920aba0e8392fd99cea8611f69786961942b81b394dc5936844ecdd7667491370d4118526c6aeb1c0443ad6b55d25f6889d93272c5416cc6789749d881f32
-
memory/184-9-0x0000000000000000-mapping.dmp
-
memory/196-81-0x0000000000000000-mapping.dmp
-
memory/200-23-0x0000000000000000-mapping.dmp
-
memory/212-64-0x0000000000000000-mapping.dmp
-
memory/268-91-0x0000000000000000-mapping.dmp
-
memory/416-60-0x0000000000000000-mapping.dmp
-
memory/416-6-0x0000000000000000-mapping.dmp
-
memory/496-68-0x0000000000000000-mapping.dmp
-
memory/500-12-0x0000000000000000-mapping.dmp
-
memory/500-87-0x0000000000000000-mapping.dmp
-
memory/508-22-0x0000000000000000-mapping.dmp
-
memory/508-72-0x0000000000000000-mapping.dmp
-
memory/580-1-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/580-0-0x00007FFC354A0000-0x00007FFC35E8C000-memory.dmpFilesize
9.9MB
-
memory/692-32-0x0000000000000000-mapping.dmp
-
memory/732-78-0x0000000000000000-mapping.dmp
-
memory/752-19-0x0000000000000000-mapping.dmp
-
memory/936-39-0x0000000000000000-mapping.dmp
-
memory/936-10-0x0000000000000000-mapping.dmp
-
memory/1020-35-0x0000000000000000-mapping.dmp
-
memory/1160-13-0x0000000000000000-mapping.dmp
-
memory/1180-85-0x0000000000000000-mapping.dmp
-
memory/1180-8-0x0000000000000000-mapping.dmp
-
memory/1352-28-0x0000000000000000-mapping.dmp
-
memory/1444-27-0x0000000000000000-mapping.dmp
-
memory/1484-97-0x0000000000000000-mapping.dmp
-
memory/1524-76-0x0000000000000000-mapping.dmp
-
memory/2008-96-0x0000000000000000-mapping.dmp
-
memory/2008-66-0x0000000000000000-mapping.dmp
-
memory/2060-29-0x0000000000000000-mapping.dmp
-
memory/2064-77-0x0000000000000000-mapping.dmp
-
memory/2124-14-0x0000000000000000-mapping.dmp
-
memory/2204-55-0x0000000000000000-mapping.dmp
-
memory/2236-43-0x0000000000000000-mapping.dmp
-
memory/2316-65-0x0000000000000000-mapping.dmp
-
memory/2316-26-0x0000000000000000-mapping.dmp
-
memory/2336-42-0x0000000000000000-mapping.dmp
-
memory/2344-31-0x0000000000000000-mapping.dmp
-
memory/2344-16-0x0000000000000000-mapping.dmp
-
memory/2400-11-0x0000000000000000-mapping.dmp
-
memory/2744-7-0x0000000000000000-mapping.dmp
-
memory/2944-25-0x0000000000000000-mapping.dmp
-
memory/2948-79-0x0000000000000000-mapping.dmp
-
memory/2952-5-0x0000000000000000-mapping.dmp
-
memory/2956-49-0x0000000000000000-mapping.dmp
-
memory/2960-47-0x0000000000000000-mapping.dmp
-
memory/2960-34-0x0000000000000000-mapping.dmp
-
memory/2996-53-0x0000000000000000-mapping.dmp
-
memory/3008-94-0x0000000000000000-mapping.dmp
-
memory/3028-17-0x0000000000000000-mapping.dmp
-
memory/3104-21-0x0000000000000000-mapping.dmp
-
memory/3188-63-0x0000000000000000-mapping.dmp
-
memory/3188-36-0x0000000000000000-mapping.dmp
-
memory/3188-50-0x0000000000000000-mapping.dmp
-
memory/3204-73-0x0000000000000000-mapping.dmp
-
memory/3204-62-0x0000000000000000-mapping.dmp
-
memory/3244-57-0x0000000000000000-mapping.dmp
-
memory/3288-37-0x0000000000000000-mapping.dmp
-
memory/3292-61-0x0000000000000000-mapping.dmp
-
memory/3336-48-0x0000000000000000-mapping.dmp
-
memory/3380-41-0x0000000000000000-mapping.dmp
-
memory/3500-90-0x0000000000000000-mapping.dmp
-
memory/3504-89-0x0000000000000000-mapping.dmp
-
memory/3520-45-0x0000000000000000-mapping.dmp
-
memory/3548-74-0x0000000000000000-mapping.dmp
-
memory/3584-40-0x0000000000000000-mapping.dmp
-
memory/3584-92-0x0000000000000000-mapping.dmp
-
memory/3612-67-0x0000000000000000-mapping.dmp
-
memory/3620-38-0x0000000000000000-mapping.dmp
-
memory/3620-51-0x0000000000000000-mapping.dmp
-
memory/3680-75-0x0000000000000000-mapping.dmp
-
memory/3684-33-0x0000000000000000-mapping.dmp
-
memory/3692-46-0x0000000000000000-mapping.dmp
-
memory/3692-93-0x0000000000000000-mapping.dmp
-
memory/3716-44-0x0000000000000000-mapping.dmp
-
memory/3748-54-0x0000000000000000-mapping.dmp
-
memory/3792-95-0x0000000000000000-mapping.dmp
-
memory/3812-52-0x0000000000000000-mapping.dmp
-
memory/3844-69-0x0000000000000000-mapping.dmp
-
memory/3860-15-0x0000000000000000-mapping.dmp
-
memory/3864-56-0x0000000000000000-mapping.dmp
-
memory/3868-70-0x0000000000000000-mapping.dmp
-
memory/3868-83-0x0000000000000000-mapping.dmp
-
memory/3924-71-0x0000000000000000-mapping.dmp
-
memory/3924-4-0x0000000000000000-mapping.dmp
-
memory/3928-30-0x0000000000000000-mapping.dmp
-
memory/3936-58-0x0000000000000000-mapping.dmp
-
memory/3944-3-0x0000000000000000-mapping.dmp
-
memory/3956-88-0x0000000000000000-mapping.dmp
-
memory/3988-59-0x0000000000000000-mapping.dmp
-
memory/4000-82-0x0000000000000000-mapping.dmp
-
memory/4004-18-0x0000000000000000-mapping.dmp
-
memory/4016-84-0x0000000000000000-mapping.dmp
-
memory/4032-86-0x0000000000000000-mapping.dmp
-
memory/4052-20-0x0000000000000000-mapping.dmp
-
memory/4056-80-0x0000000000000000-mapping.dmp
-
memory/4056-24-0x0000000000000000-mapping.dmp
-
memory/4112-120-0x0000000000000000-mapping.dmp
-
memory/4140-98-0x0000000000000000-mapping.dmp
-
memory/4156-121-0x0000000000000000-mapping.dmp
-
memory/4184-99-0x0000000000000000-mapping.dmp
-
memory/4212-122-0x0000000000000000-mapping.dmp
-
memory/4232-100-0x0000000000000000-mapping.dmp
-
memory/4272-101-0x0000000000000000-mapping.dmp
-
memory/4316-102-0x0000000000000000-mapping.dmp
-
memory/4360-103-0x0000000000000000-mapping.dmp
-
memory/4368-123-0x0000000000000000-mapping.dmp
-
memory/4400-104-0x0000000000000000-mapping.dmp
-
memory/4440-105-0x0000000000000000-mapping.dmp
-
memory/4484-106-0x0000000000000000-mapping.dmp
-
memory/4528-107-0x0000000000000000-mapping.dmp
-
memory/4604-108-0x0000000000000000-mapping.dmp
-
memory/4648-109-0x0000000000000000-mapping.dmp
-
memory/4664-124-0x0000000000000000-mapping.dmp
-
memory/4692-110-0x0000000000000000-mapping.dmp
-
memory/4736-111-0x0000000000000000-mapping.dmp
-
memory/4752-132-0x0000000000000000-mapping.dmp
-
memory/4776-112-0x0000000000000000-mapping.dmp
-
memory/4820-113-0x0000000000000000-mapping.dmp
-
memory/4864-114-0x0000000000000000-mapping.dmp
-
memory/4908-115-0x0000000000000000-mapping.dmp
-
memory/4952-116-0x0000000000000000-mapping.dmp
-
memory/4996-117-0x0000000000000000-mapping.dmp
-
memory/5036-118-0x0000000000000000-mapping.dmp
-
memory/5076-119-0x0000000000000000-mapping.dmp
