Malware Analysis Report

2024-09-11 01:52

Sample ID 230822-kw4fcscf81
Target 5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7
SHA256 5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7
Tags
medusalocker evasion ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7

Threat Level: Known bad

The file 5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7 was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer

Medusalocker family

MedusaLocker payload

Renames multiple (4592) files with added filename extension

Renames multiple (1481) files with added filename extension

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Drops startup file

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Drops desktop.ini file(s)

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious behavior: RenamesItself

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-08-22 08:57

Signatures

MedusaLocker payload

No indicator details recorded (Description, Indicator, Process and Target are all N/A).

Medusalocker family

medusalocker

Unsigned PE

No indicator details recorded (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-22 08:57

Reported

2023-08-22 09:00

Platform

win7-20230712-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe"

Signatures

Renames multiple (4592) files with added filename extension

ransomware

Disables RegEdit via registry modification

evasion
Description: Set value (int)
Indicator: \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Process: C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
Target: N/A

Disables Task Manager via registry modification

evasion

Drops startup file

Description: File created
Indicator: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
Process: C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
Target: N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Process (all rows): C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
Target (all rows): N/A

Description Indicator
File created C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini
File created C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
File created C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
File created C:\Users\Public\Documents\desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
File created C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9YL4M0YZ\desktop.ini
File created C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
File created C:\Users\Public\Music\Sample Music\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8BD3DVY1\desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File created C:\Program Files\Microsoft Games\Hearts\desktop.ini
File created C:\Users\Admin\Documents\desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
File created C:\Users\Admin\Favorites\Links for United States\desktop.ini
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
File created C:\Program Files\Microsoft Games\Purble Place\desktop.ini
File created C:\Users\Admin\Pictures\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4O2KO2QZ\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SBC6LOB0\desktop.ini
File created C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File created C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
File created C:\Program Files\Microsoft Games\Mahjong\desktop.ini
File created C:\Users\Public\Recorded TV\Sample Media\desktop.ini
File created C:\Users\Public\Pictures\Sample Pictures\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S4ZMPNI4\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N5AV1S7H\desktop.ini
File created C:\Users\Admin\Contacts\desktop.ini
File created C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini
File created C:\$Recycle.Bin\S-1-5-21-1024678951-1535676557-2778719785-1000\desktop.ini
File created C:\Users\Public\Videos\desktop.ini
File created C:\Program Files\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7O0ESC9S\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PZJP5X9V\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
File created C:\Users\Admin\Favorites\Links\desktop.ini
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini
File created C:\Users\Public\Videos\Sample Videos\desktop.ini
File created C:\Program Files\Microsoft Games\Solitaire\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File created C:\Users\Admin\Desktop\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
File created C:\Program Files\Microsoft Games\Chess\desktop.ini
File created C:\Users\Public\Desktop\desktop.ini
File created C:\Users\Public\Libraries\desktop.ini
File created C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
File created C:\Program Files\Microsoft Games\FreeCell\desktop.ini
File created C:\Users\Admin\Downloads\desktop.ini
File created C:\Users\Public\Downloads\desktop.ini
File created C:\Users\Public\Recorded TV\desktop.ini
File created C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
File created C:\Users\Admin\Searches\desktop.ini

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
Target (all rows): N/A

Description Indicator
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libcaca_plugin.dll
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\Louisville
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Management.Instrumentation.dll
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css
File created C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui
File created C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8
File opened for modification C:\Program Files\Java\jre7\bin\kcms.dll
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_hover.png
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationLeft_SelectionSubpicture.png
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\mojo_core.dll
File opened for modification C:\Program Files\Microsoft Office\Office14\VISSHE.DLL
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\localizedStrings.js
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_rest.png
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\ShvlRes.dll.mui
File opened for modification C:\Program Files\Mozilla Firefox\mozwer.dll
File created C:\Program Files\Windows Defender\MsMpCom.dll
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar
File opened for modification C:\Program Files\Java\jre7\lib\security\java.security
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Ojinaga
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Moscow
File created C:\Program Files\Windows Media Player\es-ES\wmlaunch.exe.mui
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_down.png
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\gadget.xml
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\picturePuzzle.css
File created C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui
File created C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_CN.jar
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4ADT
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai
File opened for modification C:\Program Files\VideoLAN\VLC\skins\skin.dtd
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\flyout.css
File opened for modification C:\Program Files\7-Zip\Lang\yo.txt
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.cpl
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Dawson_Creek
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_hevc_plugin.dll
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcolorthres_plugin.dll
File opened for modification C:\Program Files\7-Zip\Lang\uz.txt
File created C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Xml.Linq.Resources.dll
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libnsc_plugin.dll
File created C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif
File opened for modification C:\Program Files\Java\jre7\lib\psfontj2d.properties
File opened for modification C:\Program Files\Java\jre7\lib\security\cacerts
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Accessibility.api
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar

Suspicious behavior: RenamesItself

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe

"C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp

Files

C:\Users\Admin\Desktop\Pay2Decrypt5.txt

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOCK

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\CURRENT

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_2

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms

C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9tqj8t49.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

MD5 eb3eecfc111fc175621f12bc5c8bced4
SHA1 9cce0f29239e171509e374564d328e89516b0ece
SHA256 8a88784f09286a2674254b0232773f4a11719ff94427be8d38aaf692f435fcc6
SHA512 7bed463795472b7ff9d5141b7ea0c7722364aba5434bda3f613ca23a1ac6ed300558f2edb6b4020459363a7165e71c58e2f3961b3f47f300d8960aa2e5735b12

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

MD5 78ab0a37a85d471ad6152cb5680aa106
SHA1 7b76f71e660a1e670f611099112cabb928be2e54
SHA256 d19f9a500280d3d07bc446c2f02da0606154d513a64a98a5bba1827a57e748c9
SHA512 6ee51d49b1024531b34742dfa3f68b67a8bb70aa392f6fad8d5ea2894cdec66e678004c27f7668b3e99ce37aa13375ac3bd00183244052b5582933e0716af93b

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 3b291596109cf3b1c95d27a5f35f700e
SHA1 09e6e2cbfe692b02b33c2cebf149f9553fd3116c
SHA256 49c58ec1f8895536e7a9a27ee27ff6f4bb04f42485bd090688055301a25d556a
SHA512 3b397fcad0df355995137efe0af94dfe1391512e4768ad00b098365be6b35fca0f629c34f07632bad7095b4d281695784bdbdc1f87f913a9ebc7c6a974cd7646

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

MD5 ea44364b10e8973aac8e3ef69cfc52b4
SHA1 73eee8c7d0c511f0b0f07bb95df6590a28c325a4
SHA256 1e6d7b97553d9008addb3807a9034e0aa62dde9b45dab5a34a3568c8f67fad1c
SHA512 7d491e6f673000f9a3178df8bc62670bfd83f51f24258ed08b1a56b7c1b36b2e58949c0cdf3327f6f3cb2c6b1cbcb4ceda88fa94ba5c91242420657cd82a745e

C:\$Recycle.Bin\S-1-5-21-1024678951-1535676557-2778719785-1000\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook

MD5 8e7ca47c8e095b161e9b398a1f80367f
SHA1 dc7663f65246c2c9028a15ffff3e850b7f80bcea
SHA256 d818914e9595040dc012d3a97d2bf103c8038386305bc136e8089573e4fb490f
SHA512 6f9e18e33acb6b12f350d29c0ba269a111f6892ca8a4a9a16a0226996b6d594555ee0cd97ebe6ebb3b532f742c152b274c2806562be9875c947bd8085a483b07

C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll

MD5 3becf82a4aa12a2c6eb4352d7fbe4b8d
SHA1 dd846c96aa2425267fed929dbe726ee4f6a20adc
SHA256 d1e1c78c2a5386ad171f178baee164a09b826ea28972248a5bb2d3ac21707b96
SHA512 37cc0f2d7713064b569847cf913d16f23f5ed33d8eed129f0145126e38f00e15760248dcc77445247dec8d77cbe934a30298b304be20ffb58f7a2c1e98f12924

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 885b81f560aeb9cf7beef88fba75c35f
SHA1 76de15e121bc04f393bc59d6b4e240ed639b1ad3
SHA256 d7e57111e29a740392f7f1e812421b0cce279ff9a4fc63d1b9c8cecca5409b69
SHA512 62781719f7c364b6190578345e167e287fde1d31d31664c15ba757474ee67637aef7f79708ebaa3eca0e9c46c41ef5261145b09e9a7dfb016939e6fe727b8c2d

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

MD5 40dfee5ecc40dcf72781e048b9af6f61
SHA1 f064c5010ece8207b9ecfa4a0e0435d9e81ce4cc
SHA256 d96c9f4be7e8c444ec4356c8ea4ef989610d654f36241ca5713c2995860c9d72
SHA512 4b87bb044bc278d5e5d0c7a90cb7f018b82997c39a7463cffa64c2b69d96b0fcef4cab69f89fab2e6f81f10f13071b50a6f31c20e559918dbf5055c48fbd9210

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

MD5 bba78583029a19c572255f6873951214
SHA1 2ccc5f8fe926b21ba9e66fa5319f8cc8555f4680
SHA256 45ceda84b140b2b718a3e82f7c9c01c1da72571e256ec1142fd85f50d44cec3d
SHA512 4e0026f03bc3627a9a73d9ac52776aad5385864d70ba26d612b587be3a4ad4a3cfe6feb6f12e55cd8146a0c350ae3df0c4897a546a199a1745be9696f6a181f6

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

MD5 71f04c595c523faf90621661808f0759
SHA1 b209643710577121e92980400fe23d809edddc30
SHA256 71003577942c26d4b528b0a5fd59d832ea2137faa4ee2c62d3633775f2166cc5
SHA512 2027cf4eae3020bf750cbdf2ccd56acc60f2b0f9ebc1d414ff03148efefa4bce030fa0fbd0276426d9d037886616795fef132a2ede4d9ea84483105f500ef4a8

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

MD5 8d75c26e8c849e109ba3112d387777d4
SHA1 86a5d05537b7e7f8239d9b53c97e1a8e28b04a36
SHA256 647d57d49caa4ffa3c7623683dafe97a2bea94e2f412ebeeca979a773e4cad53
SHA512 ad5f5b2c0ac9701a5f32581d2316ddb9b543df373e47205df69daca0db803d4741f94e180a2674f9d0ab2479b0acce8812bb2c301ae33eb8016cffa86b8f10cc

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 18537af894eca2f18765cda298217329
SHA1 2546887baf98c71658201997b8185d13dec569fb
SHA256 2a05cfc34239a8e868662379afe0b04356a180f31be4f4d4e17b8eedec09c972
SHA512 51627469a273f490102361157c984c6b5b9ac1cdeb01921add2a18b27cdd163c1046bae66579e9d491fe78964ae36b0a779611bb6a8463089cb22826de4b8fa5

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 35d0c30245089864ca8b862d220c03bd
SHA1 12f0fa23aa51b3fea0155fe2947e3d83cacdfffc
SHA256 bdbcfbf3361e07e2385015e4ec87320469906ee2bb905cb4883cb6191a903b66
SHA512 b9713e2a6fce26892ab0178712bfa2ee72936d33f82c45700fd8df3cf2b8e7237426df78b5d55548f222ece464e92ee9b0fd358912adae214486ccf3d07363f7

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 16b44b0c2d3b4c050f32f1feff0117b9
SHA1 a3a46a678ead1f8d281d1968096a2aab560fc301
SHA256 6b6aeee45774a6fb37b3e5d2311677eb2927ce3be8a4f0b001b21174c33e1a99
SHA512 2a512884a1c1f137246a3af171b3548c21d523c1ee462dcdba1f1680dfa1886bf1808e330878bf79aed383dd17114bff1334ed2de332710b4d7cc66f2a565a25

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

MD5 58b7885983a9143baa28dcff3d4d3acf
SHA1 ca166e8f6d99b16397abe5d9d5d5d0cbc4c58ee7
SHA256 736c2d10023bed018a758fef3de36f710a9db6106fd18949b9d0963c6e5b6c22
SHA512 277d087d2eb0f49ffa2c5e90dd2664a7f70002f2bac232d378472d182b355d79941b96e9dd1a72cbd6cdd2d4a7a636276555b27b1cfcdc2757b14e0059411b34

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 4d753825247b3e080ac5c4c07fed15dd
SHA1 7570cc7eeb197014b644de221d4d501802572203
SHA256 706170ce3e69a8ba28a5791eab54c3907f9e757aa22c8c2653926773f52b7c76
SHA512 5833fb6b99245fe0257389c3bf9a2edbf3bd83cb03524b0b80dbb411271f2c86bed0e761e527ef97c92645ca697090bd1b21df0dd94b348121b14b51318962cd

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

MD5 92ae538cdd17e8b2d9550723f6dd23ed
SHA1 254c75f13fdb628c547e8a71224b10207c3ac01f
SHA256 f8bc03b0ef3f087fce6d78ae128858c54739a8905e30f9e1cae02e3fe9ce9060
SHA512 6a9490dcdbc1c300fd01112ee042ae7c4f2cc4a1a126c5184e1f5f4cec072d8011742d2f5c978bcbd18288fde1557bdb53f84cc80e52e9c9a0199b8edbc7f956

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

MD5 ab219157c3c7ec5801289051b1c92713
SHA1 9692dceb8b2adabd742d2bdde7a08581354a9c98
SHA256 7a40db4d0e188be6d0aa352c28de4d5bfa7a990cc337073f00db2778cc3424aa
SHA512 c8f33491887809244e399c95b95583a13b6612d14bcdcc7e6a9f9c3fbcfb1e831164fd07f816c071d5db51c906ca57cd962394d2ae73c672615d3d46ca298106

C:\Program Files\Java\jre7\COPYRIGHT

MD5 d176adc894102481ebab474a0d6d2712
SHA1 ca51c8082829422e19b249cceb1f87db726b6a03
SHA256 6a502c465d5f3043919e8f5e6e99db0e3566f0dcc108384e8999c55cc0d5b29b
SHA512 5eda84ecd03a9b91834e1a39c2362d869c69b3fd1d6f4bbb6f0e51cf356c5a212c306c42b859caf2161666f95a9d9792af73494f1c9b05d6ef32fcefa3616f3b

C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties

MD5 3b5b325fe3b7754c890f3a8cdd831817
SHA1 b40dfc4cb37d313ec5e06b58bd6a93554fd3c4fa
SHA256 0bb38dc7df1e1d659dd65771ebba2e998ecab076d527fcc9b58f4b49c5a448dd
SHA512 53f6d2d64b165677cfe6ab5f8378aaf3e22f3410657d0d037257c4cf850420faae3e1b20592ab1fc247049153299cb2fa4eb3b7750b38bcae2e3bc87671f5bd6

C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia

MD5 c92033a68aae58e777c6df95bbf55b26
SHA1 f54d51e00974d842b7e1950ef3db5d92636b9f56
SHA256 a5992b3c2bff41caaace1b17d1ee686737fafd25c7a6bd94be8692657ebb833c
SHA512 c05529ddb46b971eafa2b6a1b405b58ee4c016556a43a17327597a7107d949cc2651f059afc57c4f499755ec107203778d977c823a8eed3bdc0263c3bf8bc290

C:\Program Files\Java\jre7\lib\zi\CET

MD5 ad780385991e2bdd702151fc4044258d
SHA1 145e00a9fd511efb39eefd82e3a341d2f0ceb190
SHA256 26c63acd9b0239285ac73bf156c29d242d98da874bb3bf981f970eb75ac83078
SHA512 61765e26ebdbf23b12a9a91ccdf5d56f51f3af7e5e9244c0dd729a2ef99bd8003ce00841d084b86f4cad1b436d383073b396886654f94a7ce1d73954b6656445

C:\Program Files\Java\jre7\lib\zi\Etc\GMT+4

MD5 7123d3f82b59802dd17f85f23f77ee62
SHA1 983e249471140efb1730ae5156d9be7f5f4362bb
SHA256 4347d355c7d120ebbefd490df2181470b95fa8278c28dd75d0b0b0913ee9b3a2
SHA512 d7a8d038a47d316df1c9a069ab802e623f23c914966d40b09905dc9cfbb6f4fd775d536e63cda837fbe7519c6db0a0f4d13453312e7115a03152c12ae5568e17

C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6

MD5 5de49e39ba1bc63195d4532150b71173
SHA1 ae7df39dd4e290aab367ac1e886a962cd2c80ba7
SHA256 56e11b7a8be54c84028457036af3e72426e1ec33c6f3356fbda8c4602b38e3d7
SHA512 aee06d7ce0cbc62835dd43dc5b342f16369f7f37d73ae3558064237bc72710a220e3daa95dc6232d1b720b407c36e435eb69da3bf0633db4fa240136ba36bdcb

C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8

MD5 aafbef9fa67558729cac483cfa74e9ca
SHA1 f0253c9da6d533bfe2273d1db4b18cf268c9946b
SHA256 1da505661f07e2cb9066e5b7d8517e0dfe93adbad0c5a9126e18eee556d0e14e
SHA512 f76b12194201c39b7cb8d67523e5a5ce251e7738018168350eb8141cd92231c77d4d2e0f28aab4f5320594d8d176d6226c7f2c6ff0d0e9e94eda32c94e3ea8dd

C:\Program Files\Java\jre7\lib\zi\Etc\GMT+9

MD5 560973644fdecfae59d894fd49540951
SHA1 69c6f64f04acca9e2a8ea3e691b61dd895b3a363
SHA256 800a1539b4c2f2abb353606a7363980bdd056929822174e921b55e93456b9d96
SHA512 abcc48022c0e3f44c6c84d4b3b07a3237d2d5ebba6a8a40cda6bf91b3210cc05abf14d452471364d806364a088f7d358bf9a5c2850eeefdb571b7e9f0bce770a

C:\Program Files\Java\jre7\lib\zi\Etc\GMT-10

MD5 5da186cba67dc813fe40d28d5e3adf4c
SHA1 9eecd17f98c5c9cf0642a22f849991d32c3c17d2
SHA256 2137103ed915b3346b8e46f997a660dd0544f256d65e7e5bd63e719fea5f5141
SHA512 cb71db6aedae8917c857bcf8c99dd7a63cb72f8d8182282fd4c41027dbca31e817264e55583dcef9d6e3450bacc68717d0ad074357efb1dbed09308b6245ae8c

C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7

MD5 36d622406599c1859933b7db2a8d1ed9
SHA1 1ea53967c999f541dbdf90b44509f554a8c6be5c
SHA256 093f25c5b070991caab6a4bf01dcbd466896c6fe697a9a2df80112642370d889
SHA512 f4e5cb3e122a74f0647caf103a92c5c0e51149458bdc71c3a4b4478bfb57e88cd4336885ece8bce3af9e57a20b49c56ab131f116c3512369b1252c52ac38864c

C:\Program Files\Java\jre7\LICENSE

MD5 4d4e0656ba0f5e1bae18e0b5a08a4167
SHA1 eb6e1422b9daa4593fd512a4de9479e04fe94243
SHA256 10b3535c526ca9459fd713a2f56640c5eb2fd3d5bf1e9489753e3271e1cbe4f1
SHA512 fb89f5498d16669bdb416c1756625159fa89b65503385eae906066d27875f7c6d93b6afe427087f74867bb3521e675b66f059828a9babedb440944829297e83c

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 37e347b3cac5452af652283dbab15c3e
SHA1 203becf7aa2662a5fdab9a6ce5cc52442d9fb1fb
SHA256 1023926180d761b7d3a3d8a7c0ee9f0d7d6ac9688cdeb1e61bc9dd9efc7c5eca
SHA512 aa3f5042c53c61fc6cc0941161b923b3eb33e87a788ee10aee6d481052c5d7aa1cff5d3134f93646a3377ac9e469107b0a3c9615ce075abb76bb9c7d235dfd1e

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

MD5 97305313574d63851a7ed8909d4caaa9
SHA1 f44c918723e5f56e268743e269d04b646ffce3fd
SHA256 9841984b7d0c63ce1f6c4300e6581488bec3d55c118cceac1f60aef447bba9f1
SHA512 66295bed4fe17ed6b5eb0ce80344b1ca1376c3ae38e2e0aba5cc42385ab5ae045faa52e793f5500ba993a2bf6252d97f24abe3d476bd640bf4248430d64bb516

C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

MD5 26238d17e91a273b2841e54b86931831
SHA1 bf19c006c8d0b675005b28d360d95184d17fa787
SHA256 02e303eb1302ed2311e748f09845290ba18c5924b125603a8e6750a979bc7c6c
SHA512 177bb2f6903ce6393f27e3075d2af470fa683dd9d5dea37d41168e9cd112a475ae248e77e7d1312099862bb0037b922cd76271e2713883fe6eef5c6ada39c4d5

C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

MD5 0cac5367f066b4d526e8dbe2300885ae
SHA1 4bf5f1d5cab92fa71422478abcfac24039535890
SHA256 d6f47ab806ac63057da2ead7a1b7e15d2ba9d10289cecc82ae0fb8b9126a2310
SHA512 ee6337ba5a827a4b4e2b78738727ca73ad91bbb4428b8e242117dd9df573aaafddd620a7612d2e7ceb4d98468ec964de5df5a6f9f97656440815577f98ebf90b

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-22 08:57

Reported

2023-08-22 09:00

Platform

win10v2004-20230703-en

Max time kernel

138s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe"

Signatures

Renames multiple (1481) files with added filename extension

ransomware

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A

Disables Task Manager via registry modification

evasion

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A
File created | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Processes

C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe

"C:\Users\Admin\AppData\Local\Temp\5a30d7c31580fcf1d91273153e8815af9ed0151635f732753c7e4ea67a9236d7.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3460 -ip 3460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1008

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\Pay2Decrypt5.txt

MD5 e33e276ab1c537935a9877dce15067b7
SHA1 763df7feef8c38e0bd92faceccec4433ee354a3b
SHA256 d4793dd96db466ce43966b2466bccb8c97eea15425a66d5085bed66557676bee
SHA512 d4c3dde842cc57d3a927f35d282d2856d43e36415c96c5fe5db7bff03e8eedbc214819a6a556b09a8b61e07b0385b4ea7eef4c131f6f9b3d59b796e18ae5baf9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase\LOG

MD5 3251d405785846dd5e1ccb19a7bc62e5
SHA1 dc9d5d7e7e4eb51748189a47a73826d3e7f4f3cc
SHA256 70cf33b7546a38a6733bd31accf3e1b5e5dca85d9bae6eaa16618403747e1647
SHA512 4a851af3f27b4c01cdd8699c5d6c89ac1b05c4ad746dda9e7a3f6dd3ac1ede4ad5f14c1efe40489fb7e57cd4e1878efa20c78591a9542255b956fd9c4bb7abfe

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx

MD5 be68c73fc38ef64bc4b7adfc816c09f9
SHA1 b1894759e94bb014be9001fb6a2aa56fb8644e74
SHA256 8f851c346f8b84be97b3e3e7e7261ab2854168394737b30a9316c4f3775618bf
SHA512 cb389a74d71923437b110d1dba416d698399eb8e698d776b28b78bb411430fb0b3c0921c077d8680e142cd94ae30f8b397d7c3337a0127a87f8ddbffb7a65ba3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

MD5 5cb66b04faf38b9f3fb4dd3cf4dc9a53
SHA1 ca91671fdbb84220447f0d61a186c8d89eabe779
SHA256 5123a7d4133ffea9ec8f668421e7a024a70b2ae63fa864cf80b8f1487fb1522c
SHA512 ec0c5c12157119358721607b17addce381722de21aeecf1de72a765a3872a496aa540311c2f0ec9c1b1fd07533f58e75173bddeb3ecbe8ece7a1e37e6e51e446

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001

MD5 94ee23444499fd9c687d1c7f6ad51b7c
SHA1 1663e0e6316a4a7ea3b4adfa16b3f2a648c45e2c
SHA256 f7619d8bc06fb7d9119bdee640e7092536e3c6f2e9dfc329cdb275060d9c707a
SHA512 fc60c600c52d299b79c18135ad1571664be0e4406b5a8eec0b264c3196eb3681292faa3e2296d8976bb8a5f9686e1db3bbf4d7e88fc0d636e05bcc7d148909be

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

MD5 ecad63cd99ae6bb3afd9a68ade67f22c
SHA1 37bb0dc258cefbd78a2a2dc2231eef9475cfe33a
SHA256 db53b66f705a2c62198ba3b7905a3b6dcb4eecb6a11cd9972b1219fac01c3e2d
SHA512 33b1ae732f7354977c0cd23c94f88b6f85cb3e7ccc5291c780885eaf116e95245b8eb5e5dae3f3dd953c336893348bfb09c700f2613d0312b4e1be72fe0a51c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index

MD5 85f75126d5d4ea64ac4fe33935914fcd
SHA1 8f089645fd181336617135d408740b8cb47d51b0
SHA256 06f7e824d77e98b4356c6d31eeae730f593ef7bc0c13499e48f54dfbad43efad
SHA512 3165d4eaa93dbf7855c8ddf48d97fc3acf462f0fc84aecaa7a42bd10f63984f7f8384dd22091468066859c0993bf06403a59aa09081b4582bea49eecf592e255

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0

MD5 8c7c3168bf73e9c2be08688e29168c5d
SHA1 3165515141c47d5a5d73eefca498daf83d9eaeff
SHA256 e0304ef4174ce08a0640ef3781df86208a13fb3a943c1a7fe8ee8ed5a61b796b
SHA512 60705fbbaaa103ca4b4b3e2e97d2d28d67cc795e1ea2d127cf13a5decc386548e6f127024b49c9cad79a20fc927796e6dcfbdbf05b44ccee3f7c258de986f75f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1

MD5 1c52c95924dea0076d6585f2bffd834a
SHA1 c881799ce4bc1d9f7ab095eaeb25166c618350f5
SHA256 d94ca395cd274947a8b0593d33008bb72087825d3b911b54e9685b58666c8053
SHA512 55db4292cb6ce7f0115abc26671d65ea6bca065434b156d132f8f8e572f030aee9ed8fd15362e50a07d7d8efb4b3cfe9b0fdae713845fcb62b28115964cc7968

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3

MD5 ab2b0734b510f7ebd52abc0f9e24d792
SHA1 89d339f9ac9bdaafbb2be5a1be900ba21fa8062f
SHA256 8958f018c3a7a6b2e330bd4a7dd8f158de0aeb2db60ee0c4fef504242c05698d
SHA512 720e21456884b3d66d248c5620adf202ce88bf4a06b4284ddc765b79d9c36cdf3b2b05f4acec8f23808a48fe85be55b6ee585ee72496474a1643f43a32efd0d5

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 2a87b7b1145cd44d7ead26a791779ad9
SHA1 fd5299f3dc08021f86046e7e47de30a6c9a91e29
SHA256 31b03708fa443134a29fc36976b02d72300f2f23b07d8eca00240b04fbbddeab
SHA512 4cbece9757e869d354836ecaa30b9900a9d28a02607e89f65689c1f8d6cd8ca2a39861c084236ffb7f6f822add810b44380da3d162f7552385e2c836d6563967