Overview

overview

10

Static

static

1

bacon_2018...in.exe

windows7-x64

10

bacon_2018...in.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 18:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bacon_2018-04-13_22-27.bin.exe

  • Size

    144KB

  • MD5

    8ee82932641f3f527110b0f8ce6b11ce

  • SHA1

    fef4e9bc0d20f52423e02ec0bc6a52ea36af97a5

  • SHA256

    e9bbcfb5d9f42ef0dd75eb435e78d5226087679593893e0c08977694e720cd7a

  • SHA512

    6330e3ef0d523406edaf6a2e4e597a460a59e80efe477e574e6e49455637221505152ebb885be9fdd139831e78636567c11f1d161ce4e39a9e65d094ea65968a

  • SSDEEP

    3072:tjQgjwASUryVehsZnsTQqLSA/thZhUzcB4r50W23HnBB:R9iV3nspZ/t/6KWmH

Score
10/10
dharmapersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail bacon@oddwallps.com Write this ID in the title of your message B59AF26F In case of no answer in 24 hours write us to theese e-mails: pepsi666@protonmail.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

bacon@oddwallps.com

pepsi666@protonmail.com

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of FindShellTrayWindow 61 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of SetWindowsHookAW 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\bacon_2018-04-13_22-27.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\bacon_2018-04-13_22-27.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookAW
    • Suspicious use of WriteProcessMemory
    PID:4524
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4104
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:1532
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:3756
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:6032
        • C:\Windows\system32\mode.com
          mode con cp select=1251
          3⤵
            PID:3852
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            3⤵
            • Interacts with shadow copies
            PID:5208
        • C:\Windows\System32\mshta.exe
          "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          2⤵
            PID:5516
          • C:\Windows\System32\mshta.exe
            "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            2⤵
              PID:5100
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:324
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 444 -p 2512 -ip 2512
            1⤵
              PID:2732
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2512 -s 7048
              1⤵
              • Program crash
              PID:6052
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Modifies Installed Components in the registry
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:460
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4388
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:5024

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            2
            T1060

            Privilege Escalation

            Defense Evasion

            File Deletion

            2
            T1107

            Modify Registry

            2
            T1112

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Query Registry

            4
            T1012

            System Information Discovery

            4
            T1082

            Peripheral Device Discovery

            2
            T1120

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Impact

            Inhibit System Recovery

            2
            T1490

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-B59AF26F.[bacon@oddwallps.com].java
              Filesize

              2.9MB

              MD5

              1ced9a760dbc843a4b8eaf4f8d4e3577

              SHA1

              56c000fbfd20cf60a634c7ad729fee18867f27b7

              SHA256

              2a939fa024828dae515062b55f490bcecafd151042ea586a52c03560d8acd691

              SHA512

              e502d58d3d4c18fedd97cf77aeea3c7e3c849759420fad629c0cf234ab973e5cd3f7a577ed4ae27aa2b8fb1eca738f030aa31eabb5a73d5fb81b96df71e48e13

              Download Submit
            • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
              Filesize

              13KB

              MD5

              b194fa9cf2fe141a38640a3719bc6eb2

              SHA1

              329c51c549977b9f3a401f91b7ae6325a8229d48

              SHA256

              52f4e33449d723c43fe7fe17af3417e2e4450c570218ede0ba4eb9eac9134370

              SHA512

              3385c993a3bca777fbff7b097bef96fd3fd5919a1cd1d28d6fd221a91dca0dc526aef56cb783536e09ef522e51602c73f7bf30c37f82c847abd9f144aec3a706

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\ADDENTER.VBS.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              640KB

              MD5

              d632e5e516374bae104a3c3a9eaa3dd1

              SHA1

              0f91900c4521e2d12f83f391f7b0102c9b1c3a59

              SHA256

              fc00f62dabc7273a6eaed05f6ee3944fcf89487faa878bb0d34762e316aed0b7

              SHA512

              b9e812e45d00001afa0a48e9d65b0489af541619cbda7e0781264fc797b3548a01ee480302b4b023be0b2d78272a08b14bbab21e596b2fd614d6b4c7d65db977

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\COMPRESSUNBLOCK.MOD.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              998KB

              MD5

              cf6d6ff0c440345cc9994bead2d434fa

              SHA1

              6e0474251e83459b925973958df6b07936fecf8c

              SHA256

              7d6c9b00ef87c4b8df309f61b1d8a9bea25ef13f3effb7733f3d0e47cd3149c7

              SHA512

              0d3d506fbfe3789a8b30f79454080ec7ff393a2194b31ec8f61e4c261277ad66cf0fac53269af75f0bae4ad93e5f41613cfeb7ee55acb0f8deb2398c67bc1840

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\EDITPING.MPA.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              614KB

              MD5

              658ee4d7094ce57aa7392a616b190744

              SHA1

              158eae6e1d18f5a2e5814015fbd536d479fb5601

              SHA256

              3b45561e9aa694a214bc4244b778ae598315328e68e5cf7802171838fc2f13ff

              SHA512

              2a8c248016530a2e860705ade9429a328367bbcfa87fbe1ce07d9a08a5ea0080facb407d596f5ec74c01aba9083d7889183a1eab4185376ddf533299ae464519

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\EDITRESIZE.TTS.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              409KB

              MD5

              59491dc3db3a824c0d8ceac2211a4f48

              SHA1

              93c8dd27722bbff777e3be9b3818a7bb3a5619e0

              SHA256

              16042bc6307228cc5ca9f00bbe008b76baffea70ad85d322063f4fccc3c7a3b3

              SHA512

              71791390b8e134bbfb36b85cae725ee10ee7af061edd4571be85e44657069155688c32a73fd115df5d0c8dc8ba63e1d0468983758512417797e74f351ee415bb

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\ENTERREPAIR.AAC.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              563KB

              MD5

              f0fe841c24428ce1fed5593d598407b1

              SHA1

              9f5f459a012e0426aa83e04c278ef680eb101d88

              SHA256

              0ff3348fc684b88c18cb631808aedc4f73a9515fc5147dfbbfea6fad8bb1fc45

              SHA512

              c6d48394643cf58ef4f89fa840e7685a302a7bb0a670890867b4e6985f260a501e09a5e20cbf05c2e73df6ded93dbd9f67b1cc68a4d9595b035b97dd726634a0

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\EXPANDREGISTER.TTS.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              717KB

              MD5

              887714e28dafbe4e0f8694d630f64bc5

              SHA1

              ee24ab8afd87153d885baa58a357a08eb1025e1e

              SHA256

              45bef5f8a75a120015e5f256026c5c1f032fb1a378b2db4e704ac2d72d7fc392

              SHA512

              5b3c143d2d1b746c41df2f65c24d42cc547529148a7eb091b4adb07bbdf8a12c4bfcccc67b99d6248c6384b9b91e6af45d8dc24c76318b7e472054b55ba962e6

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\FILES ENCRYPTED.TXT
              Filesize

              226B

              MD5

              9ceed252dfa5e21a5a08786bf81a6174

              SHA1

              516391ea045ea848be94674dc582686fe704f60a

              SHA256

              aa34c8784fc3a369e5701e657deb97c778c16677c7ac5e6485193c20c86b3ae2

              SHA512

              2d89da950c4580905451c612c2928c04b3cb4e137b7d43a82f0feec2ef94cc1895e722ee7394a0e9556f893d5cecd2f57814d88c1ad2af406584b8068a6f68d8

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\FORMATCONVERT.SQL.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              281KB

              MD5

              8f8d696da4cf94bf4763db614b80205c

              SHA1

              fb60a73664832665d6085ee9bf012d0351d0240d

              SHA256

              7503e8801b0703d7e00db6da02e93d74c08852ec8f5f300b891d8d8078614a4b

              SHA512

              2fea4ac9d5d7f2b2035fefc7daf2f3c6eec8e409688eedd4bf5695a0fd304caeaa7cf4b6632987ba1a763693cdf7a601ddf897dbfbeb634b4622e7cee00ba8f6

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\MICROSOFT EDGE.LNK.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              2KB

              MD5

              42300905fe507662ce0f08344b77b0bf

              SHA1

              6d5cf8608598a19ab2e8333bd8f51115686f74fe

              SHA256

              52d9d13e1545f59c495556022166c1848378d16a19d637a1cfe1d06dae9795ab

              SHA512

              02db3984ca4ea585278ab41ed4149c81532497ac10e362076477cbbb61e89598c366ea9436eedb1db36d5d829172f9ec0f3b4abccbc3ff07d192055b3e537aea

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\OPTIMIZECOMPRESS.XLSB.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              307KB

              MD5

              deffffa1ac564b27b454fa241f6f30f2

              SHA1

              45162f56774bc0aff22cc423c81d72b288764da5

              SHA256

              4bd73ea5dafc905671b9ff5a439a082ad4bc19ceb0ef425c1441714e03eb3bc0

              SHA512

              e28818f45b5a2fb578c52072bb9c43383959a1197bed6642124778304db7366a75c7ee249f1d988f82cd598d4d6701e3c3e7de5f3634d4a5cbc01cf5d97e4735

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\REDODISCONNECT.CSS.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              691KB

              MD5

              413c18052dce6f687c98717ab5af8634

              SHA1

              a6478aa5dca53759224513a7a4e750bc37ac974a

              SHA256

              b5b8994026c8b4418adf790f54096a3338b73f0802536bdc785bae6d8a34ea42

              SHA512

              d6c1d38be5b61e6b4828f1665eb5cefccd28a2b485813b2ee3e76ee3ce018233ed4d9ac2f402c8e26f93034633a7d3fcde08051bdeb41ac9fcbf09acbc974024

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\REGISTERPROTECT.XLSX.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              665KB

              MD5

              ed3f68b9ca4e76f1048fcdf87e1c8ecb

              SHA1

              b4f1d2ea0c572cff976c780399de1b134f0dffbd

              SHA256

              843adf188f63ba073aaeab85105632aac423367b784f02e50b8d4646659dd540

              SHA512

              475effdaf68ee3b2e67aa7cb6c15ecfb03ec5c37ab7a9d79d9ded695d0b32d81bf78e7362fbb3bb6c8033c49b6294a844b09c9b24e8f82971fd54d7af66db953

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\RESETUNINSTALL.MP2V.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              512KB

              MD5

              ce083f455d10c4409f4e6f4764534508

              SHA1

              951a9f4a74123714b57e509de97357ac8f830d89

              SHA256

              63733563e2304b5bcdbbb985f3674395a18c55792df94858bb4b8f6ecca69fc7

              SHA512

              ea4b3666283436d2619495bbe36de0ea2567cf41940a7b2606faaef6f8090b6a84f5f440295edfe6e2a434bc1a5f916945c54966e1faca5b18420003b6591f52

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\REVOKEIMPORT.TIFF.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              589KB

              MD5

              a003f52a46c581d3c20b3a00204a0692

              SHA1

              f044ad78c5dc1863a5fb1d15ca2ff1699fd7c1d3

              SHA256

              d46ec861d913392e485f1e9b01d68695efe26676228b1dfa7b8f801254cc982c

              SHA512

              e83c16db79ca6cbaf760ee044cb86713c784b100e8049d801273ddb44daa2ba42beed3b16898cb5db760201ced7b8f51d166f94e9239df94c072fa4ddbbc8cf5

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\SHOWCONFIRM.RAM.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              435KB

              MD5

              844cf45be2c1463f2aa9613e87781236

              SHA1

              813245baae7392b1f54f05d2e5d9ca8fb38b0d06

              SHA256

              ee8706268175609acf0e4bd5bd024a4a992593122c353a77ac189b4463cefc2b

              SHA512

              2d5b1a8cc05bfcc4323bb373391c4f4dc440b97d33bb8774d73abbbb3bbddd676a384d5370fbd0463a9ea01d69e0a1809cede5cffb4d6d34f0bcc04d551319fc

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\SKIPREAD.M3U.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              333KB

              MD5

              15dd47a795f6985915f7bebabacb8932

              SHA1

              ad980973f09b25fd272bad4f8cdbafb25beee1bd

              SHA256

              5878b3776dca607a96b94ca2cc1813464621bc80ecb2db5e5ad2daa36d74058c

              SHA512

              2b621f6c33a34a55e352622bcb7cb746e67c8281ed2741b2cab1a807b1dab7b3050b53746d64b718af0e98052602f6de9f6f0be0eb4953f5c6fa0d1a39bd571c

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\SPLITMOUNT.BIN.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              461KB

              MD5

              2baaba8fb0fbb2281f5abffe8e4dba2c

              SHA1

              43fb0aa1a71f4405fcd986ce0e19ef8d5e940ba6

              SHA256

              365c352be00fcaf903985db425b679d93bc362d22024de4032a5e8c0ea7e2a09

              SHA512

              e5ee401c635ea759b3f1e59276fa2e9ac8eda9877c9ad292fb0eb915e216785e73ce5fed0e331ad93901feb55cef1aa28d375e2496f113e09b835d09b33f4687

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\STEPREVOKE.WTV.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              256KB

              MD5

              881618db8adf2e3adb1d203d2b8d18b5

              SHA1

              c0d441bae8fa1e70f8058d9418694621ed030690

              SHA256

              04b4532e7b2c2c4d8100233ab8c8c801ca6fb4ea241f6f06f8993dfc951db80b

              SHA512

              7b7021ab6757dddf68b3c95151a8ec71693a17c00356587fcd5614d875faaeb1f9e0a0f0cf47c3a35a42895b958beed17536dd931810a43754f56b009a476532

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\SUSPENDENABLE.FON.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              537KB

              MD5

              6aad68617d43a7a5385291648a5c648e

              SHA1

              c41980507d955a0d709b9f3f36872f08551da1bf

              SHA256

              99a2a082f4180727aab85198b338fdcdeb9edd4b8dba100c7f7c6defb804e377

              SHA512

              a680b516af5458036cae08a63c6b8d79dc714af5c1bd520fe69c74f6b86ebd932d47b5d63faea2f8f877d7065aa886c024503d56e2a6cf527719dcb0c8aac643

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\UNDOCOPY.NFO.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              486KB

              MD5

              02276ca0c6be3d755f95cdb3859c5321

              SHA1

              b35e788dfb44dd29f810395bbf5e41544e0a5cd5

              SHA256

              6e3a8afddf55891a421630b6f09474f6f090cf8fb5bd165d11d48e30cde953a2

              SHA512

              0a5a448f6f4768576c02ddca6374f7e28e719c8ea740dfea3e64b9f4225b87ae6814bf73c8e0e48cdd4b43a1b4e4565c867d29d6a645d454e687014b8792935b

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\UNINSTALLCOMPARE.ODS.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              358KB

              MD5

              01ca1e055a949e83d49f69fb47530f3b

              SHA1

              a58227066620f551323525f13fb3b366bc21c5f8

              SHA256

              c3781736657b6cbe4b64089907407d63f39e9169a45d1e19a8bebe72cee5178a

              SHA512

              ab1d88df0d849d735cfe8140b056306e626cac609566149b1eb0b266e57cda966c4c3944897c6b3f9ff07bb6d76956fd7ea515a11e4fcf82caf0d7f68a587245

              Download Submit
            • C:\USERS\ADMIN\DESKTOP\WAITSPLIT.PCX.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              384KB

              MD5

              f9ac35e2acaf61e0de68f5aabbeab55f

              SHA1

              2de936141f5efe43103dc6cce1d49f3f2d7fe5af

              SHA256

              8aa204b344c2bc43207533ec0cda06d8a7f33bc651a6f60664d3ebc4fa7730aa

              SHA512

              9f052ebaae50035b87ccac4469bf6c7d54ac8f015a26552696b513411d92c082605b3e00e0d251969e011e5a7106828d13fe50e379acf4dc78ab0b0c109a8ba5

              Download Submit
            • C:\USERS\PUBLIC\DESKTOP\ACROBAT READER DC.LNK.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              2KB

              MD5

              3b5bcce011e4742f2555c116f1a023b2

              SHA1

              c563b837f8993e4b83e97507631e34e0622d9d85

              SHA256

              b843799e455b5705d61ba6ef804e59d1f0166d43343f333d0f8380c46929736e

              SHA512

              032304ba27c46a5d18fcdf368aa25ab62c9b1d4eca86c8b8203fb945f18b4d7da8db425ff1c4766e826cec439eaecf7508284d2d539343ae137af45c0a19e1bd

              Download Submit
            • C:\USERS\PUBLIC\DESKTOP\FILES ENCRYPTED.TXT
              Filesize

              226B

              MD5

              9ceed252dfa5e21a5a08786bf81a6174

              SHA1

              516391ea045ea848be94674dc582686fe704f60a

              SHA256

              aa34c8784fc3a369e5701e657deb97c778c16677c7ac5e6485193c20c86b3ae2

              SHA512

              2d89da950c4580905451c612c2928c04b3cb4e137b7d43a82f0feec2ef94cc1895e722ee7394a0e9556f893d5cecd2f57814d88c1ad2af406584b8068a6f68d8

              Download Submit
            • C:\USERS\PUBLIC\DESKTOP\FIREFOX.LNK.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              1KB

              MD5

              78c7f3d89306957200b13f7f4e0bf907

              SHA1

              5c3e3a6a973f8aa2780ea0d6a0e4702856bbb64a

              SHA256

              18c7b1f3c94369c51b5ebb93e67af234d72f4afc811a89f8adbacf76df366159

              SHA512

              3a1d1ed0f432bb0426fd3ae99f1be8ccccc78f20efad2164510bad24edd7d289847f25802fc0a1c2b2a8dea593f9ae7512b997bc9c426ff6086a8df0dd47a8d9

              Download Submit
            • C:\USERS\PUBLIC\DESKTOP\GOOGLE CHROME.LNK.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              2KB

              MD5

              1e246286333e0f313dc34020c00f5913

              SHA1

              99d424489ea5230386d2c16450480bcdec5528b4

              SHA256

              940c29b978845207fe850a6da6f2486d79a9809599db7b9aab91682144fd7079

              SHA512

              cf3b61adc2d7edcc91fe26a7293468bf9fb6bedb24dbf34e186c752e1a0c149d800e71ea512be176db1c7f1c30c569f482f1d6563aa446e1917149e01cbf52c9

              Download Submit
            • C:\USERS\PUBLIC\DESKTOP\VLC MEDIA PLAYER.LNK.ID-B59AF26F.[BACON@ODDWALLPS.COM].JAVA
              Filesize

              1KB

              MD5

              e052c85ddce0ffec11f51cd553e6ab08

              SHA1

              a0d95804b6ce8a53740ac4652553ddd7fbd2563c

              SHA256

              9cd6d058aa28cebd702e8900f5402d786ae100833346cc8d696117bdc69012fc

              SHA512

              d3008a9444c4053c8420b0618b969f1ecb7bccf8f51cea844d7064bdbf7e3505af98c0ee0e6929b37581ccb4bb4bfafda425e6a483cc513a589247ac874e5951

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
              Filesize

              174B

              MD5

              e0fd7e6b4853592ac9ac73df9d83783f

              SHA1

              2834e77dfa1269ddad948b87d88887e84179594a

              SHA256

              feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

              SHA512

              289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.id-B59AF26F.[bacon@oddwallps.com].java
              Filesize

              414KB

              MD5

              19686680161303400af93dd71bfb2afc

              SHA1

              8c3aef97bc9610e99a9615381ac8638af90b2ceb

              SHA256

              2cd4c06973aa22670e6ed79384b1ef541bc8ed729b6f207921d25aca579b5549

              SHA512

              e405fd86915e63c3fba7f480671a78d42cf33af84527c0f8ffdf193bd2b999f8d191546887cd05d5cb46bffd3661a6eead98e9ae1e7382336d036ba11e6cdd1a

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
              Filesize

              1024KB

              MD5

              e1a1789de067ef62f02fe83e434311c4

              SHA1

              dd480ea89d232f9fe755a395e0e4672f4a31a0d1

              SHA256

              36d69e268ba457379e3243cd42054ea0e6a2ce1692a4fde4b4d0c5ca762078aa

              SHA512

              88a0bcc6d6fc8b8c7f1aa3f5cdb7fc25c58d91edaca9252cf790deb8398e9b2d0cf69bbf0bc23e026700b0dfa507f0173997f6cd3190c06ccb3d75e840d720bd

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
              Filesize

              24B

              MD5

              ae6fbded57f9f7d048b95468ddee47ca

              SHA1

              c4473ea845be2fb5d28a61efd72f19d74d5fc82e

              SHA256

              d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

              SHA512

              f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
              Filesize

              7KB

              MD5

              9fb34927bfe818475b23593712e9784e

              SHA1

              902dc8b903a385ae5bbc9b2ef00fc3e1745aeb7a

              SHA256

              249c322024e42c3c748a0170c166a575ccfb3cef9d26de1629a598a54a279dbc

              SHA512

              37cc7eac1024e4e75c7bae24fcef5db6c181f3bca8d5f4d0defde90e036755d6558903fbe1d53e4e7413633bcc219751cc040e9d0f5d01b1de4f16532f5a6031

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
              Filesize

              14KB

              MD5

              e6e6caffa121e050cf1f4f24e1c77b51

              SHA1

              e13cee6f7aaead8e765e3ab0efa842f0d55fc792

              SHA256

              d8c1b15c5b2975fe4705f04a6e720a54e6e84239e1a738eddd1752c3907029f9

              SHA512

              8445e5c8d2f46b7afbf30ebbf79039e84d928a8f07709c2e74e7042821e867feb423e582a676bef825eccee88223aca321090faa03badda4d61670f914d8d2ef

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\X2AZMHV0\microsoft.windows[1].xml
              Filesize

              97B

              MD5

              cda714539bdee296b4ad711d1773d900

              SHA1

              58b80843a131344b113a7745435379bd0be187da

              SHA256

              824da4967bebf150d7ffa6d9ba8f7161f10a15de2b6bb6010377ba841777c3f0

              SHA512

              6a731658c5c349487f35d2be7b1dcc24a7bebbd61ff8785d1ae01f5394bc125bfab3b9473159aa83c95932e3a1f40ee5d4941c68f3e801f680cc99bfecd7d8ae

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_WINWORD_EXE_15
              Filesize

              36KB

              MD5

              bad093419be1135cfe9694ea77088c78

              SHA1

              76204c7ca72cf666add9c9931389d635c82e8af0

              SHA256

              136808af50ee73df9befd76f7aca21765782565b0095227c5a287f3be0b5ef3c

              SHA512

              3b5cb7f80d7cbc557b5a32a995cd607257ac8e56af935ce6f64c54ba1f311a65ef00c69c69047b6eb7bb678c2b1bc0a3c37548aef417ea49e414e1a34bcf651d

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133244213420156740.txt
              Filesize

              74KB

              MD5

              37dc03570f0e48ca9b20174030114348

              SHA1

              a01c09a9c50fa60f5127395cdb50f6911c60acf6

              SHA256

              389eba3fcf2041cb2053912e561287b9e6d0d1467de78dca2eac1118e2fc7187

              SHA512

              d58a26d335eacd877c1c6ee194a70718de749352542a3fdc39539e32286b82631bc42e1469acf3d7b41b53807f66b84e2ec7780bde331d0fe8a45cf8bff5124a

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133244213500732227.txt
              Filesize

              2KB

              MD5

              ecaea544af9da1114077b951d8cb520d

              SHA1

              5820b2d71e7b2543cf1804eb91716c4e9f732fde

              SHA256

              9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

              SHA512

              dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
              Filesize

              9KB

              MD5

              794033afc4cd1b5ca447813e55db44b6

              SHA1

              047c2e99da3997ae28f2c223e4d55901373d081c

              SHA256

              ead1f2744f5b02dc030151b7485e8080a7de19090564032ac718c1fd496aa194

              SHA512

              37b7e8720e923af0ebe6ac1517178de7db5c261e8f897720b1292890c7304456887c40ae04de9b4d01a4b114988f6bff6218c031be90d5d1e9e8d503dd9875fa

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
              Filesize

              14KB

              MD5

              207598794aea7321d8fd4378f670123c

              SHA1

              3ab2b07b4ff30f60a41cd7ba02dc4f528a7ceafc

              SHA256

              d9694fd77cc3de80bda436a12cfaa3a3c037e7b4dd8dd0b5cd2012111726a1d5

              SHA512

              67c12cc4af49fa345eef8330dc07dffa54fccc45fe12cab499378ffaee0dcc62237b9a8c7a060095e9ac05cdb6e1b11ab43ae8ebf366453f996565ef4840aab0

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
              Filesize

              14KB

              MD5

              e672c2cea99383b18be27e660c9e3643

              SHA1

              eb364aaa983468ff09ce55d2caeb5ec355883826

              SHA256

              e221defb91e1022ad4d739864e0227913073490fff75125303f2c6b4fb86057e

              SHA512

              0d72c21652ef9d101dc9feb4fcc0e193f91e0b0cd38da65114a8cb5f93557be483c20c77c46bdf13d031bb9e90db4bf0793ec8769fd5f2a8329fa5dcd3628328

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
              Filesize

              13KB

              MD5

              b194fa9cf2fe141a38640a3719bc6eb2

              SHA1

              329c51c549977b9f3a401f91b7ae6325a8229d48

              SHA256

              52f4e33449d723c43fe7fe17af3417e2e4450c570218ede0ba4eb9eac9134370

              SHA512

              3385c993a3bca777fbff7b097bef96fd3fd5919a1cd1d28d6fd221a91dca0dc526aef56cb783536e09ef522e51602c73f7bf30c37f82c847abd9f144aec3a706

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id-B59AF26F.[bacon@oddwallps.com].java
              Filesize

              52KB

              MD5

              5436479322731bc7ea546aa355366e1f

              SHA1

              dfe9f3a66972df8818f6d2de2082dc1096a57ac7

              SHA256

              a1f37c8c7d91ea63f0f46ced171b3c19c2e83b33840d920c2f32f8a0e430ee7a

              SHA512

              cc4d6f3a966b516c6491b5815c5f2844aac55e2cc6a69fcf2c28712d74036acef3a16ba071cc288e75602a12e6f5e1cc69035a044c454c5b25b7862500d61922

              Download Submit
            • memory/460-23685-0x0000000004720000-0x0000000004721000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4524-4092-0x0000000000400000-0x0000000000429000-memory.dmp
              Filesize

              164KB

              Download
            • memory/5024-23715-0x0000015CC70D0000-0x0000015CC70F0000-memory.dmp
              Filesize

              128KB

              Download
            • memory/5024-23712-0x0000015CC6D40000-0x0000015CC6D60000-memory.dmp
              Filesize

              128KB

              Download
            • memory/5024-23707-0x0000015CC6D80000-0x0000015CC6DA0000-memory.dmp
              Filesize

              128KB

              Download
            • memory/5024-23962-0x00000154C4400000-0x00000154C5D2F000-memory.dmp
              Filesize

              25.2MB

              Download
            • memory/5024-23964-0x00000154C4400000-0x00000154C5D2F000-memory.dmp
              Filesize

              25.2MB

              Download