Overview

overview

10

Static

static

10

makop_nowin.bin.exe

windows7-x64

10

makop_nowin.bin.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-04-2023 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    makop_nowin.bin.exe

  • Size

    34KB

  • MD5

    bd935610cb878e275d35f292b93d8459

  • SHA1

    2cfc4a68ece6c9465ba44f96b677cc00536908ad

  • SHA256

    3757824893405fd34313749b689879b40b02db3d8a682f9f88e23f63908881f7

  • SHA512

    2b754a4aeae53fc78fd07e08007d47f232d1b30855c098a3469459def47f912155f53bc918bdbae7fa0daf903185a38db76c9dfd354fa447729dc285b506907b

  • SSDEEP

    768:x4K+eQXL36kOK1R01WseZ0y/QyYvhITluDA1afkKIDo:xueQbgK1e1S235HA1a20

Score
10/10
makoppersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Program Files\Common Files\DESIGNER\readme-warning.txt

Family

makop

Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "makop" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: datalost@foxmail.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

datalost@foxmail.com

Signatures

  • Makop

    Ransomware family discovered by @VK_Intel in early 2020.

    ransomwaremakop
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 64 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 62 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 61 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\makop_nowin.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\makop_nowin.bin.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Users\Admin\AppData\Local\Temp\makop_nowin.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\makop_nowin.bin.exe" n2724
      2⤵
        PID:1840
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:1936
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          3⤵
          • Deletes backup catalog
          PID:1220
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:224
      • C:\Users\Admin\AppData\Local\Temp\makop_nowin.bin.exe
        "C:\Users\Admin\AppData\Local\Temp\makop_nowin.bin.exe" n2724
        2⤵
          PID:2008
        • C:\Users\Admin\AppData\Local\Temp\makop_nowin.bin.exe
          "C:\Users\Admin\AppData\Local\Temp\makop_nowin.bin.exe" n2724
          2⤵
            PID:1480
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4452
        • C:\Windows\system32\wbengine.exe
          "C:\Windows\system32\wbengine.exe"
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3748
        • C:\Windows\System32\vdsldr.exe
          C:\Windows\System32\vdsldr.exe -Embedding
          1⤵
            PID:3644
          • C:\Windows\System32\vds.exe
            C:\Windows\System32\vds.exe
            1⤵
            • Checks SCSI registry key(s)
            PID:1576
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -pss -s 408 -p 3132 -ip 3132
            1⤵
              PID:2088
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 3132 -s 6216
              1⤵
              • Program crash
              PID:4516
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Modifies Installed Components in the registry
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of SetWindowsHookEx
              PID:4616
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:3728
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:1344

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Command-Line Interface

            1
            T1059

            Persistence

            Registry Run Keys / Startup Folder

            2
            T1060

            Privilege Escalation

            Defense Evasion

            File Deletion

            3
            T1107

            Modify Registry

            2
            T1112

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            Query Registry

            3
            T1012

            Peripheral Device Discovery

            2
            T1120

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Exfiltration

            Command and Control

            Web Service

            1
            T1102

            Impact

            Inhibit System Recovery

            3
            T1490

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Program Files\Common Files\DESIGNER\readme-warning.txt
              Filesize

              1KB

              MD5

              a0db2b736f236b31cb5d6c027f78da78

              SHA1

              9e02b24c00bf47ee0fd2c1f9aab712e53b6baf98

              SHA256

              4623a48d0fbaea158c3735136bf94762ab0c915fb2d129f8542e98a1d23366f1

              SHA512

              ee2a0ff3509fa0a75b1bd1b363ef6e2103428fa057597c6baeda81e29c9bb0d0b5356e9b464692d74687442b59cdea0d4a8d92484a07cc47220845b8fa88df6d

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
              Filesize

              414KB

              MD5

              5a13b3847ab75cc0a32015164fcced47

              SHA1

              d86f7c6d6127d528844da6172551044e0f49ea05

              SHA256

              57dd650155b562f57e32e65ecf30425062bdd8a522644605b48fc0f907b291f4

              SHA512

              dab1465e99a00a7ce85ad066c6298bb28c4a9425c7e86fe277b2f6f0d10c98f42938fdb9dd177cbf6bf6c94191190ea48eb6fcd4e127d249ea2f1039b05169c3

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db
              Filesize

              16KB

              MD5

              062c60b88a0952ef9fc73daacb9076a0

              SHA1

              773f07a9e8a1c094463db27700a02cef78118ab5

              SHA256

              066461dbba88e1eecfe69518040de7ce76e7ad47284cdcb20e552f9fb688559d

              SHA512

              6d7838cee4639ea71acd50521a4914234723521fe444380fd6d41dead577c25a362517a4c9beb94e1c5be75e4f7ddeb91db9f007b6355514301a75a3d306a820

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.[C27699C2].[datalost@foxmail.com].makop
              Filesize

              414KB

              MD5

              4edd6c5a3d4e70360c39cdb80cd4577d

              SHA1

              52dc351b3b6a48c922fbef2545ddc18d90ea22e4

              SHA256

              bb98e1deede666df4a3492a9c748c77140d75d588e7cf9ed7b5c4eb7428297ca

              SHA512

              7421e8546389a2b1c3fdf69470a716e18dd4a6e43c28af400124c7293deeb31bfe1e11a6e15f1139a7aba4d145c396d43b5b6736d552d6f40777886e3aecf1e4

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000025.db
              Filesize

              96KB

              MD5

              4107d03bcf2b02ea6c6aef68cdbe70ba

              SHA1

              8c89efecde02421e45ff0c95c304eaecd72fe832

              SHA256

              edf74377babe495bf41a6b6cf609ac641137e1e0ddcbcaa83866d3d77c2a9b16

              SHA512

              1e5f584e3d95c7f4c91008f4b5ca6c1e927b8e9ba62393d3be1f931522e41443e8f8716ee812de7dcef525658212962136552dd82c3ce7d65c628b81196d1f82

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db
              Filesize

              1024KB

              MD5

              c8def59d92894f7940db0b5e5e917d6f

              SHA1

              e31c1ae0ecc33d0e4377b70339ac478cced40a25

              SHA256

              b70032cd195ea43aaa8dd1946312f7d0dc9cffde3ec9f255b60d6a0aed007475

              SHA512

              71043538104c98978e94b4663b1d13345ad0e7e2be0992380c3b4377fa667115dc49bb2919bbf4db29409c72215d81fbb01851f4ec113b302b687666435c8393

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db
              Filesize

              24B

              MD5

              f6b463be7b50f3cc5d911b76002a6b36

              SHA1

              c94920d1e0207b0f53d623a96f48d635314924d2

              SHA256

              16e4d1b41517b48ce562349e3895013c6d6a0df4fcffc2da752498e33c4d9078

              SHA512

              4d155dfedd3d44edfbbe7ac84d3e81141d4bb665399c2a5cf01605c24bd12e6faf87bb5b666ea392e1b246005dfabde2208ed515cd612d34bac7f965fd6cc57e

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
              Filesize

              1024KB

              MD5

              3adf3a8293ddfdc580936fb18bb2a44a

              SHA1

              3f275432d3480bd4fc25f1dd4322320bfafc7ce2

              SHA256

              8acc6e26ad69096f03761438045d8f5f89b9047609c836a555fe043b18caee38

              SHA512

              9421a5e662e2583f492d879904217cd772dd7ada1626f7cc471e00da07ad3c4cbdaf4275ba3e90341affe676810784a62e8fd91fc990ad7e0cf010838566b5e8

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
              Filesize

              1024KB

              MD5

              f6de62dea1896e46763819f57a27570b

              SHA1

              21f7a21d841b29e947befcef5a72d567ff9e9d75

              SHA256

              df05266935736007a2ee46a9655fafca777ab60e79a6f0a63c5eefd935875e09

              SHA512

              16413a643baf338e7b3b826e238723ab9a545732e575a68453766a66f6de6c37b15996706dfe15b12c036d8c3e97202f43802bf9679591d6c4d979946a51d442

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
              Filesize

              1024KB

              MD5

              9d4698986209a2aa6e661f2cc7633273

              SHA1

              ce5e1947ab88394c5f117ae5bde8e568c4af6ec1

              SHA256

              ae53824267c1d70dd940a59fa6e87a556c9cc0a4cf0ad5200ac62e13f42d8036

              SHA512

              01f47024097abd429f7a79a8966233db4b13e75d9ffdc4852a3ff43db335fa2f5c616ac66eec1e5c44e4c0c28aeea0da0d171c4a0a3d8e40a3bb5cdc6fffc197

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
              Filesize

              1024KB

              MD5

              d5219edde1fcd4fc23692a0f54e79eda

              SHA1

              ad9139d60bead933df32e5252827efe6cc2c3e7a

              SHA256

              b2f57a3c09fa54627323f991a02dc3ac840b018e6b9b3e22e7e0b81091adf086

              SHA512

              8a9e7a655b32bbfbd8ecb27d75d1e9775a984028acf52726cae842518263cf3167fb29c8aaaf041e529569a5db9c46a9cf3bfdb6701884acc1ab3248355082a6

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db
              Filesize

              1024KB

              MD5

              e716dbbb13759681f5ec41f5705c0a26

              SHA1

              20e2e92be35253dbbfa54c94eddf303e3e862411

              SHA256

              249939be17c79ea037bdab2cd514e3b8e852165744d1eff4fec5bea19ae6084b

              SHA512

              29fd31bd6ee31d1379787653cb2a2eea99b689bd5debddc3c32a042a8cd658eed9fb83477da5a3d34269d50406ca8576b7ce2acabf0b37b29a7250ee010cf9d2

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
              Filesize

              7KB

              MD5

              fcd9c071663797458ddd588e3955490b

              SHA1

              4699a3e531e03953718496ae04a70355710d756a

              SHA256

              876e87ae2d94ec57b5080030439ab5bb55b3a41ea2224430a25e1f31aadef6e1

              SHA512

              3523423e469524a69cc3c2a20dc82a4c5e301cb957052d1e519a60e1d4d6a818f361a758549e5fe95e78caffbe338cab0721c5a522ad4fceef985061beab1b1e

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
              Filesize

              7KB

              MD5

              aa3d52be9fec05f1b1d32ecf2c675b7b

              SHA1

              6994fa561f7f14eb5e631da611daeeb201350bc5

              SHA256

              a68a3d23862723c7e94f8774d378880c365a60663322c1558c68d0bd0deafa05

              SHA512

              59428f6231eabcd08cb44b9a4ca6d1279fb17aa253ef0f3eb48ce4bfda3014562ceb708fb3f781196640f5cdbd72c2cf87f1bb3a342995d60ba04f9cb23c5e9c

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
              Filesize

              7KB

              MD5

              f92eb2e2faff6c2f83778b838aac1496

              SHA1

              825426cb7135adfd9ca5eaf0de2f261d4e378e1a

              SHA256

              74e8da75b658700fed796cb2b85c482ae104f3319335a1bf7f0fc1e3cfed77cc

              SHA512

              3f3679e9e61a54ba846273f94366590bf237b11ff2379ce99a2d224b4a9a2cb495246b6c0479750608ffd9fe521a885c4e20305c04dcde0cdf1d11a3814fe1ca

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
              Filesize

              7KB

              MD5

              1b2258ad2c7f06b302350f8eeee7b9f3

              SHA1

              61d8da48df40e9ba4695f45509ed2c9972992d65

              SHA256

              551fa8e63b279a037ce8d79cd51617be4fe56fe11380b53940e8e4320d08b49a

              SHA512

              737fb890d1bfd0690810307f677165fd82c4754d17a8edf2c2c68cb617993ffa25b9a6962887c0fa5418bd651d281a9535dfa8d364ef8e41be18eeaa5e0008b8

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db
              Filesize

              24B

              MD5

              2dd3f3c33e7100ec0d4dbbca9774b044

              SHA1

              b254d47f2b9769f13b033cae2b0571d68d42e5eb

              SHA256

              5a00cc998e0d0285b729964afd20618cbaecfa7791fecdb843b535491a83ae21

              SHA512

              c719d8c54a3a749a41b8fc430405db7fcde829c150f27c89015793ca06018ad9d6833f20ab7e0cfda99e16322b52a19c080e8c618f996fc8923488819e6e14bb

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db
              Filesize

              1024KB

              MD5

              aa40cf7a45a344be270c1be7908ff10d

              SHA1

              e4389ce749d297568d2eba65e081ce8b2555f0b0

              SHA256

              eb6349744238855a9dfaf06f307761c28a7a7e2c07ec6d7ce90688a07dbf564e

              SHA512

              3fb8b97778280c1d3b6cbf012b56849d3f04d1a8ff1a623a60b933115a1a1f5e2149e3140ea855ad59bc0c46b9affc53b886f5a9a229a4e115383f5dc084e799

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db
              Filesize

              24B

              MD5

              635e15cb045ff4cf0e6a31c827225767

              SHA1

              f1eaaa628678441481309261fabc9d155c0dd6cb

              SHA256

              67219e5ad98a31e8fa8593323cd2024c1ca54d65985d895e8830ae356c7bdf1d

              SHA512

              81172ae72153b24391c19556982a316e16e638f5322b11569d76b28e154250d0d2f31e83e9e832180e34add0d63b24d36dd8a0cee80e8b46d96639bff811fa58

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
              Filesize

              1024KB

              MD5

              e191ef1160d6cad0dce51e30b933891d

              SHA1

              899799c5e006932ae43600d6c6b7f4bc15a78108

              SHA256

              55fe36e32c86934ecb78ad1aefeb966505852e76798ff7c819fdaaf1b85d8d97

              SHA512

              dcc3241391d921c5c78d6b386e50b8db34349733079a66f273ec47c4a45cb7c26a35fb66e1bf12073dff93b3c46ea1df7afff7fa0464dae0e31d7a4721fabef1

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db
              Filesize

              24B

              MD5

              2d84ad5cfdf57bd4e3656bcfd9a864ea

              SHA1

              b7b82e72891e16d837a54f94960f9b3c83dc5552

              SHA256

              d241584a3fd4a91976fafd5ec427e88f6e60998954dec39e388af88316af3552

              SHA512

              0d9bc1ee51a4fb91b24e37f85afbf88376c88345483d686c6cff84066544287c98534aa701d7d4d52e53f10a3bea73ee8bc38d18425fde6d66352f8b76c0cbb5

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
              Filesize

              24B

              MD5

              60476a101249aedff09a43e047040191

              SHA1

              de5b6a0adc7de7180e19286cf0f13567278cdb64

              SHA256

              35bc77a06bfdde8c8f3a474c88520262b88c7b8992ee6b2d5cf41dddc77a83fb

              SHA512

              f1d2dcc562a36434c6c6405ec4eac7ecfa76fc5a940114da6f94495b77584a132d5d82ad3556df749490be096cfd238fa8b484b7c734cbc4d074e963e5d451f4

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
              Filesize

              24B

              MD5

              ae6fbded57f9f7d048b95468ddee47ca

              SHA1

              c4473ea845be2fb5d28a61efd72f19d74d5fc82e

              SHA256

              d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

              SHA512

              f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db
              Filesize

              24B

              MD5

              d192f7c343602d02e3e020807707006e

              SHA1

              82259c6cb5b1f31cc2079a083bc93c726bfc4fbf

              SHA256

              bb4d233c90bdbee6ef83e40bff1149ea884efa790b3bef496164df6f90297c48

              SHA512

              aec90cf52646b5b0ef00ceb2a8d739befe456d08551c031e8dec6e1f549a6535c1870adb62eec0a292787ae6a7876388dd1b2c884cba8cc6e2d7993790102f43

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
              Filesize

              24B

              MD5

              2a8875d2af46255db8324aad9687d0b7

              SHA1

              7a066fa7b69fb5450c26a1718b79ad27a9021ca9

              SHA256

              54097cccae0cfce5608466ba5a5ca2a3dfeac536964eec532540f3b837f5a7c7

              SHA512

              2c39f05a4dffd30800bb7fbb3ff2018cf4cc96398460b7492f05ce6afd59079fd6e3eb7c4f8384a35a954a22b4934c162a38534ad76cfb2fd772bcf10e211f7c

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
              Filesize

              1024KB

              MD5

              0a086c16f1c7d90b1fe0e5889f0c63ca

              SHA1

              eb4a6d9ca43c36d776d201a711bfbb87d52f9f0c

              SHA256

              315c8542f3660a76f5a96274b5ed26fdea0db99c5507c086f31e14e78d6d1891

              SHA512

              de94167283ebe4286ba82a153b7dff3864a0ba5823132d0fa9261288027bed2918a851238ef00349954b38bd042d1d117f8176bb37b700a80d2c2c729bbab1b5

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db
              Filesize

              24B

              MD5

              f732bf1006b6529cffba2b9f50c4b07f

              SHA1

              d3e8d4af812bbc4f4013c53c4ffab992d1d714e3

              SHA256

              77739084a27cb320f208ac1927d3d9c3cac42748dbdf6229684ef18352d95067

              SHA512

              064d56217aeb2980a3bfaa1e252404613624d600c3a08b5cf0adcb259596a1c60ee903fdc2650972785e5ae9b7b51890ded01ec4da7b4de94ebda08aeaf662df

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db
              Filesize

              24B

              MD5

              fc94fe7bd3975e75cefad79f5908f7b3

              SHA1

              78e7da8d08e8898e956521d3b1babbf6524e1dca

              SHA256

              ee1ed3b49720b22d5fda63d3c46d62a96ca8838c76ab2d2f580b1e7745521aa5

              SHA512

              4ceaf9021b30734f4ce8b4d4a057539472e68c0add199cf9c3d1c1c95320da3884caf46943fc9f7281607ab7fa6476027860ebed8bbaa9c44b3f4056b5e074d3

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
              Filesize

              7KB

              MD5

              7ee9d88819d23c75d29913fe16b587a8

              SHA1

              d8216c5a846c7f8167589f1559844436d49dbea5

              SHA256

              d054b770bcf8e2caa455675925a03c00570337b3a83e8947c1a89d5d96626e0f

              SHA512

              cfc350cfaa8d9318b3ae7db3aeeda7df46e17f850176d211a93593c000dff5b16c789313668d4e0692e3b310dc989f81a615df73b9be1f8a5a2cd8552bc27e44

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
              Filesize

              7KB

              MD5

              21257b5d39cff972cdf8fa3e4eee0506

              SHA1

              f01e2991bdbb8fa9d6151b58aa292f3079187a6e

              SHA256

              724c7e69ce404ebb4f1ba5004de2eafc3e93780d58e3db74a4a25ac92341257c

              SHA512

              5985affe9a2d1af7e88b209b2571515331c29d354f705e51a5ea3460c41eedf51599f9c9cc04ae94f9edf74ad15cd1735db0742e59c65fa248297ae069073a03

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
              Filesize

              24B

              MD5

              379523b9f5d5b954e719b664846dbf8f

              SHA1

              930823ec80b85edd22baf555cad21cdf48f066aa

              SHA256

              3c9002caedf0c007134a7e632c72588945a4892b6d7ad3977224a6a5a7457bf4

              SHA512

              eca44de86bbc3309fa6eab400154d123dcd97dc1db79554ce58ce2426854197e2365f5eee42bac6e6e9455561b206f592e159ef82faf229212864894e6021e98

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db
              Filesize

              24B

              MD5

              5f243bf7cc0a348b6d31460a91173e71

              SHA1

              5696b34625f027ec01765fc2be49efcfd882bf8e

              SHA256

              1b1aed169f2acfae4cf230701bda91229cb582ff2ce29a413c5b8fe3b890d289

              SHA512

              9e08dfbbf20668b86df696a0d5969e04e6ee4a67e997ff392099bc7ff184b1b8965502215744be7fe423668b69099242bba54df3f0bfe4e70acdc7cad8195b02

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db
              Filesize

              24B

              MD5

              db7c049e5e4e336d76d5a744c28c54c8

              SHA1

              a4db9c8586b9e4fa24416eb0d00f06a9ebd16b02

              SHA256

              e8830e7ac4088cf3dd464caec33a0035d966a7de5ae4efc3580d59a41916ff7b

              SHA512

              b614037fb1c7d19d704bf15f355672114d25080223e7ee4424ad2cb7b89782219e7877b373bbc7fa44f3ad8df8a27eef4e8ccc765d44ec02a61e3b7fae88ae69

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPVLIKPI\Windows[1].json
              Filesize

              748B

              MD5

              28239eb3400580a6ad9aa7c673868314

              SHA1

              a773a49d4d9f6c255df08e45a28e806e92419b9f

              SHA256

              a0e38d5490e6af001f7f70df954400f0a8a3656d4c8545f279b9a0b10ef56f5b

              SHA512

              89f15aa9d41db152e95e1b3f2626aa17aa32130d12cb6ace40cf79bbdf1919b478b6eb7c8de513e4b18423ba54fa4ca1b2defe610e44c2f8dcae21d0088d157f

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K73XM1PZ\microsoft.windows[1].xml
              Filesize

              97B

              MD5

              4351adcc9852fb153e8214b532e5d2dd

              SHA1

              6681c3cd3f906e3b88c4ae45a2ace76eb8298782

              SHA256

              5cfebb1a9d72da95bacd0a7a8d1d18c78d489f1652f01e3be639bd4fda1eb88d

              SHA512

              33cfea0485fe586270223bdc60237cbc091d62e809410d709853573bae56f3d48a12805d626f09681cadb8978b9816580034a665e48e39ecf177b62260cbf25f

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\K73XM1PZ\microsoft.windows[1].xml
              Filesize

              340B

              MD5

              5fc767aed4c922338a56e8bba4f49374

              SHA1

              61d633db106d89c39ec225d3c7bd79f94ca8cce2

              SHA256

              5878ec764f22a1680d74b4483e557bf8b26fd053b3658743dac55ebcfff6e66e

              SHA512

              fc6a39d2543cab37097c5ebafde432c5e77844f82ca4f06bde65bd1056d317aba7a69218440a5561db53b0957a827ca6a9e60a89f61357c8ead2233bc9acdd6c

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\windows_immersivecontrolpanel_cw5n1h2txyewy!microsoft_windows_immersivecontrolpanel
              Filesize

              8KB

              MD5

              e06cd036069de05a72cb5d8fb2c4a96e

              SHA1

              c82f4a98a82b7edaa1a6fa60c5fd09c181126da2

              SHA256

              cfa593137bc0a4e54252aa68effdd12024e3acff311774960cf73d56112b1c43

              SHA512

              5b89f9ef7b3ee64bbe4561db6d8db26bc2e501b2b49c2115dda5a88cac1180491f68b910fe35f94d014141d3fdc29552bb225ad48e9beb155d98fbfc36262ac9

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133252853002446074.txt
              Filesize

              2KB

              MD5

              ecaea544af9da1114077b951d8cb520d

              SHA1

              5820b2d71e7b2543cf1804eb91716c4e9f732fde

              SHA256

              9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

              SHA512

              dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133252853002446074.txt
              Filesize

              2KB

              MD5

              ecaea544af9da1114077b951d8cb520d

              SHA1

              5820b2d71e7b2543cf1804eb91716c4e9f732fde

              SHA256

              9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

              SHA512

              dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133252853071363582.txt
              Filesize

              2KB

              MD5

              ecaea544af9da1114077b951d8cb520d

              SHA1

              5820b2d71e7b2543cf1804eb91716c4e9f732fde

              SHA256

              9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6

              SHA512

              dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
              Filesize

              1KB

              MD5

              239bb6e4192361aab7d34f421ca10812

              SHA1

              4e4eacc3c01475c4583eb45e84190768a90e44b4

              SHA256

              44ab8b6e0527c956f41665d44750777bbde5f829b0e9a90249b3605166dd5690

              SHA512

              0bd47555249addcd968faa7e5928c7dfc898a925e3faa2a7068f40b9c8f426fc9b7793e4fedc4d576f5cf57a3bc2f53b2f5a41d5143a09a74db9eb13e96cbee0

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
              Filesize

              1KB

              MD5

              4a09ef9029be6caf9afbb500eac5ab54

              SHA1

              9e6c3d74ade6b3d17a85a96f02742e682e2822a2

              SHA256

              8423873180ebe5b0d865b764d8972a2097868e98d0ef863faa210ea4540c1ec0

              SHA512

              d8625c19e8d021b0f9fc206566862703907e4f0bc1a0cb231fd901c98f2909e6408dd371be4bc4a5010c1fc9e6503158ce2dac793e8e9e9e82b702bd24ca65d5

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
              Filesize

              2KB

              MD5

              e415be7d0175f04bdb1c2c52f8140e66

              SHA1

              296594688e8e6b54e3c2899f1b58ddf32f33d487

              SHA256

              d5ca37ba49dc73a12db7bb4ce9c1943fc921867a0c81338ba83b19c7c9f1fe47

              SHA512

              ddae00172be9af4f4f8fae90879575fccd6088d7e773c40ba2caee6bab60aaa8324faa8ce589521d262146f88e547e86c7644423418c43748a77245044c7b81e

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
              Filesize

              6KB

              MD5

              f8349a4e7bff68e6e851fa8cf77924bc

              SHA1

              fd9afbe2daf5959a8365e75d01473a27ae3b1c4f

              SHA256

              f947f7f44fba6e5706da312566aae3c6aa280da5832e98c47c21c0c7b86ad509

              SHA512

              5206360ac4b1f1389c9e7fca00611b44e9f8086e41df6075a37f5250c23f4b4e05535f4d824688116f39290314d4b87f0257909723e72a8096a43e2415c9ebcd

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
              Filesize

              6KB

              MD5

              edf30176808c72d0d78c14394f260e9b

              SHA1

              b04723f20731ac17126b4ead6b04e8b52ab68104

              SHA256

              fcb7ac6e30a3a43165437d06e2adf980daf417b129d292ae420a49b2ec42686d

              SHA512

              34e7b3ac0906558d88d61e93ceabba7857c02d37ff85ee12622573f326fbd67ba59ce4b337f64487c173e52a79ec6370bf09d955e40f262133f05a35662db9bb

              Download Submit
            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
              Filesize

              5KB

              MD5

              75277db7d809db1f4bb7648b0d3c1b3e

              SHA1

              e4d76e4be84980558e3037300caae92c2dddf94c

              SHA256

              c98ff4fad27b47c98b82f5871658c5a8dcb10e1cd71699d1a1bea73012e672aa

              SHA512

              10fd56280c210de20835f920038a386d1ba7f564d39cd19f233e48b5401aa04e9c6831c5f52fdfc617b6613c3dd5561d1929d10b1f7f7845781e2dac85671539

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.[C27699C2].[datalost@foxmail.com].makop
              Filesize

              52KB

              MD5

              3dae410b2d5e9ad7a68a2575619c8bc5

              SHA1

              63dc12938889ea631a1f77163fa432d654cea542

              SHA256

              dfb7d2e46650b4753cd45a6cc33a5dfcd029956d330798df5f9db174f9eb1e5d

              SHA512

              36d81f806b8c0522f57594e1bc5e5516aa31d75c780b0ef331caa38aa844ca7683169a7f7716339eae0b644ba2d4045b4f2a384696c45e605d6ebfa3ca6e67f6

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\readme-warning.txt
              Filesize

              1KB

              MD5

              a0db2b736f236b31cb5d6c027f78da78

              SHA1

              9e02b24c00bf47ee0fd2c1f9aab712e53b6baf98

              SHA256

              4623a48d0fbaea158c3735136bf94762ab0c915fb2d129f8542e98a1d23366f1

              SHA512

              ee2a0ff3509fa0a75b1bd1b363ef6e2103428fa057597c6baeda81e29c9bb0d0b5356e9b464692d74687442b59cdea0d4a8d92484a07cc47220845b8fa88df6d

              Download Submit
            • memory/1344-20653-0x000001B69CFE0000-0x000001B69D000000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1344-20649-0x000001B69D320000-0x000001B69D340000-memory.dmp
              Filesize

              128KB

              Download
            • memory/1344-20811-0x000001AE9A800000-0x000001AE9C12F000-memory.dmp
              Filesize

              25.2MB

              Download
            • memory/1344-20655-0x000001B69D670000-0x000001B69D690000-memory.dmp
              Filesize

              128KB

              Download
            • memory/4616-20637-0x00000000043B0000-0x00000000043B1000-memory.dmp
              Filesize

              4KB

              Download