Resubmissions

  • 17-01-2021 18:22
    210117-p2y29rzwds (10)
  • 05-01-2021 05:07
    210105-svmjjn3wwa (10)

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-01-2021 05:07

General

  • Target

    AnyDesk.exe

  • Size

    262KB

  • MD5

    53e7b9e873404afdd22cdeba41b4e1c9

  • SHA1

    18b1a19f826e9d48d5776f6e3c279547f3ff517d

  • SHA256

    c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec

  • SHA512

    ccc0af85ea847c45d11e213030e6b3224503c22fe70519049095b1d84cbf61e50c72ab370a03e456338127b52d462826248a6413706ab900afac16adf1deb9dd

Malware Config

Extracted

  • Path
    C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
  • Family
    makop
  • Ransom Note
    ::: Greetings ::: Little FAQ:
    .1. Q: Whats Happen? A: Your files have been encrypted and now have the "moloch" extension. The file structure was not damaged, we did everything possible so that this could not happen.
    .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins.
    .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
    .4. Q: How to contact with you? A: You can write us to our mailbox: moloch_helpdesk@tutanota.com or moloch_helpdesk@protonmail.ch
    .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
    .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
    :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
  • Emails
    moloch_helpdesk@tutanota.com
    moloch_helpdesk@protonmail.ch

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 17742 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 16 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 5 IoCs
  • Modifies registry class 30 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 95 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
      2⤵
      • Modifies extensions of user files
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n948
        3⤵
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
          "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n948
          4⤵
            PID:2544
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4088
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:1188
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:2148
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:584
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s seclogon
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2220
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1768
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:756
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2580 -s 2560
        1⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:184
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4076
      • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
        "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
        1⤵
        • Modifies Control Panel
        • Suspicious use of SetWindowsHookEx
        PID:2352
      • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
        1⤵
        • Enumerates system info in registry
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:204

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Command-Line Interface (T1059): 1
  • Persistence
    Registry Run Keys / Startup Folder (T1060): 2
  • Defense Evasion
    File Deletion (T1107): 3
    Modify Registry (T1112): 3
    Install Root Certificate (T1130): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 3
    Peripheral Device Discovery (T1120): 2
    System Information Discovery (T1082): 3
  • Collection
    Data from Local System (T1005): 1
  • Command and Control
    Web Service (T1102): 1
  • Impact
    Inhibit System Recovery (T1490): 3

Downloads
