Analysis

  • max time kernel
    116s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    11/01/2024, 10:34

General

  • Target

    3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe

  • Size

    30KB

  • MD5

    184a6edc0d24ab53d1d29ffb21af8f9e

  • SHA1

    c276a9561856bba4ace807936f81ea4d04004340

  • SHA256

    3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8

  • SHA512

    646c6c91c0d19d24ae6b5a14d6f536073285505e4c057e52d572911360b825088e4a23e6c1f91b329a7c87a7afb6ac2dca8fb5a5f3aeaba8b74d3529252a92c9

  • SSDEEP

    768:K0n6bDOYmtMd8bNN2WrATHL4Aicb81uEGTh:KZOY1d8bNNpK0ANEih

Malware Config

Extracted

Path

C:\Program Files (x86)\info.hta

Ransom Note
<html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,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'> <div>ALL YOUR VALUABLE DATA WAS ENCRYPTED!</div> </div> <div class='bold'>due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'><[email protected]></span></div> <div class="bold">Write this ID in the title of your message:<span class='mark'>54E847F6</span></span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. 
</div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

  • [email protected] (primary contact; address redacted in this copy of the note)
  • [email protected] (fallback contact if no answer within 24 hours; address redacted in this copy of the note)

Signatures

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies Windows Firewall (1 TTP, 2 IoCs)
  • Drops startup file (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials. Here the browser files listed under Downloads (Chrome shared_proto_db and ShaderCache entries, a Firefox IndexedDB sqlite file) are not credential stores, so the trigger is more consistent with the encryptor walking profile directories than with credential theft.

  • Drops desktop.ini file(s) (64 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Interacts with shadow copies (2 TTPs, 2 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (18 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
    "C:\Users\Admin\AppData\Local\Temp\3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\system32\cmd.exe
      "cmd" /C vssadmin Delete Shadows /All /Quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2992
    • C:\Windows\system32\netsh.exe
      "netsh.exe" Advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      PID:2092
    • C:\Windows\system32\netsh.exe
      "netsh.exe" Advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      PID:2100
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    1⤵
    • Interacts with shadow copies
    PID:2596
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2752
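The process tree above is the telemetry a detection rule should key on: the sample shells out through cmd.exe to vssadmin twice, with two different casings of "delete shadows /all /quiet", and disables every firewall profile with netsh. Below is an added example, not part of this report and not the sample's code: a Python detector run over constructed process-creation records that reproduce the command lines seen here. PIDs and image paths are taken from the tree; the explorer.exe parent of the sample (ppid 1900), the missing parents of the two depth-1 system processes (ppid 0) and the record format are assumptions. It also covers two T1490 variants not observed in this run (wmic shadowcopy delete, wbadmin delete catalog) and checks that the read-only `vssadmin list shadows` does not fire.

```python
"""Flag shadow-copy deletion and firewall tampering in process-creation telemetry.

Added example: the records below are constructed from the process tree in this
report (Sysmon Event ID 1 / Security 4688 style); they are not output from the sandbox.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    pid: int
    image: str
    root_pid: int  # top of the parent chain that could be resolved from the telemetry


# Rules match the full command line, case-insensitively: the tree shows both
# "Delete Shadows /All /Quiet" and "delete shadows /all /quiet". The optional closing
# quote after the image name handles '"netsh.exe" Advfirewall ...' style lines.
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I)),
    ("wmic_shadowcopy_delete", "T1490",  # variant not observed in this run
     re.compile(r'\bwmic(?:\.exe)?"?\s+shadowcopy\s+delete\b', re.I)),
    ("wbadmin_delete_catalog", "T1490",  # variant not observed in this run
     re.compile(r'\bwbadmin(?:\.exe)?"?\s+delete\s+catalog\b', re.I)),
    ("netsh_firewall_off", "T1562.004",
     re.compile(r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+set\s+'
                r'(?:all|current|domain|private|public)profiles?\s+state\s+off\b', re.I)),
]

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe")
SYS32 = r"C:\Windows\system32"

# Constructed records. PIDs come from the tree; ppid 1900 (explorer.exe) is assumed, and
# ppid 0 marks processes whose parent the report does not show.
EVENTS = [
    ProcessEvent(2500, 1900, SAMPLE, f'"{SAMPLE}"'),
    ProcessEvent(2784, 2500, SYS32 + r"\cmd.exe", '"cmd" /C vssadmin Delete Shadows /All /Quiet'),
    ProcessEvent(2992, 2784, SYS32 + r"\vssadmin.exe", "vssadmin Delete Shadows /All /Quiet"),
    ProcessEvent(2092, 2500, SYS32 + r"\netsh.exe", '"netsh.exe" Advfirewall set allprofiles state off'),
    ProcessEvent(2100, 2500, SYS32 + r"\netsh.exe", '"netsh.exe" Advfirewall set allprofiles state off'),
    ProcessEvent(2816, 2500, SYS32 + r"\cmd.exe", '"cmd.exe" /c vssadmin.exe delete shadows /all /quiet'),
    ProcessEvent(2596, 0, SYS32 + r"\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(2752, 0, SYS32 + r"\vssvc.exe", SYS32 + r"\vssvc.exe"),  # the VSS service itself
]


def root_of(pid: int, by_pid: dict) -> int:
    """Walk ppid links upward until the parent is outside the telemetry (or a cycle)."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect(events) -> list:
    """Return one Alert per (event, rule) match; the launcher cmd.exe fires as well as its child."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        for name, technique, pattern in RULES:
            if pattern.search(e.command_line):
                alerts.append(Alert(name, technique, e.pid, e.image, root_of(e.pid, by_pid)))
    return alerts


def summarize(alerts) -> dict:
    """Group alerts by root process so one infection tree becomes one incident, not six alerts."""
    incidents = {}
    for a in alerts:
        incidents.setdefault(a.root_pid, set()).add(a.technique)
    return incidents


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f"{a.rule:<26} {a.technique:<10} pid={a.pid} root={a.root_pid} {a.image}")
    print(summarize(found))
```

Two details matter in practice. Matching on the command line rather than the image name means the cmd.exe launcher is caught even if the child vssadmin.exe record is lost, at the cost of a duplicate alert per chain; summarize collapses those onto the root process, which for this run is the sample (PID 2500). The stand-alone vssadmin.exe (PID 2596) has no parent in the report, so it becomes its own root: a reminder that parent linkage in sandbox output is not always complete and the rule must not depend on it.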

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF

    Filesize

    341B

    MD5

    50d09f9966a3457b9dff447bfa3ce35c

    SHA1

    4ca1c9195309e62139981fefb86c64038f33de2e

    SHA256

    9d36565225b20ac80ee8a64375e8b44747ff93d6559136615095448196c7f90e

    SHA512

    85223c2d73b40c5f6f73e33138ee6731015a38408dc6d2e8c6f07c6068075326f47ab1df45fe2443d4e2e6c7fefeee65377dbb7dfe1ba7781d25d2b198b83fc4

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF

    Filesize

    222B

    MD5

    d10e3ad2ec387711c3461027e1a92178

    SHA1

    16987be3d1fb0350e145e278c9a71d9a553af99e

    SHA256

    efaa0c4f1744acffd95e31e85a30221e1631e036b54d9ae22cdaf3206c9e0595

    SHA512

    e29d8754e4c1402937015f694e83f627508b36db435aed20682264fdf6cdeee1e7a0eca0523388e5a4cd1df8244726aa62c20591554c07c84882a3d5be3e967f

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK

    Filesize

    114B

    MD5

    3cefcd93f1b84f4382f42317dd34d9ad

    SHA1

    9e5530999a134b2150b356cb2b24b98c49278474

    SHA256

    5c0d4f7cdd85e53b1e660f6d3ab883c4d8479e7bc5e8b75123ed731ed7486df6

    SHA512

    3b46643ddcf33b7456ca6921c323035a4d8249c23c2249c4b578e501ea8579903b0d0b76dd9d5c994577a736765e8bbaf7669a3a4f54517dd7f95a6faddf5ef2

  • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK

    Filesize

    113B

    MD5

    d388e929a65b349f1d07882ae5f6d4f3

    SHA1

    38dbfb2aa4dd95178f93f3e3a191bb02f9905ee1

    SHA256

    933ffc5e6390caa519396019d79b695b2cf4beab963dfdf15979ec4aae0d519b

    SHA512

    92ecce6c9675fb4ec8f9a1dc6fe2764f4e6d582f0d87df8399845164901f02220687baaa548de2c19726b72fabe21aaa37d1565bba9f3c9d6915fa82fdf4e83f

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

    Filesize

    185B

    MD5

    528585111d41fbdbda515035ddf2272a

    SHA1

    102655f558c80206e713182890257d5638896cc8

    SHA256

    a61f98208c2e367c540653104d95113e49cd2162d539789962a47c00022f589c

    SHA512

    ef7ca4fc37fce57f68491840db1842dafba03e58636f4bb9c577c9d42d2d4ae3013fcd0498c5709f4ac2b312cc5952b57cb7afa5dcf31c0cf23a6f2b7b6ce85b

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

    Filesize

    496B

    MD5

    53d410e76dc8e80fa00b539d4758b5b1

    SHA1

    1932cdffe5225ec617a89c8917365859ae3f5102

    SHA256

    276f7b4ecd700539080436b83989219abb7d2d5a9a5951897f42f9b1b403f9b6

    SHA512

    b250cab6fc15f156160d71d1ba6ac22e68df719ff6fcb24053e38ae759cbe02d1b1ec9f292bfe71cad36c46d0a9d8cadef14851de935a533bf8b63428cc9d889

  • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

    Filesize

    1KB

    MD5

    f4d93b91597bdcf229154aad35963dad

    SHA1

    130931999625ec126f6bba709956682b7820727c

    SHA256

    ebd1f7fffe5644a58e62804c23c79052489cf24c3377ce321a75f5ded4b91661

    SHA512

    30946a18cddae640d08251c03653ef66adec69c9262767ce7ada97af296ffb1b7cad7a871e445199bddcef7303078719d84c9ebae7cc98ea2b6b8445a88eea06

  • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML

    Filesize

    806B

    MD5

    35a0738c8d8117864fcf9a28654296de

    SHA1

    ab6bc14606b611f4e51104e6b2f50cd4b4899aa1

    SHA256

    9dec2398e0e20b0d2874807455d97bd55a55d79b69d52273157e911c6047e47f

    SHA512

    1d07032dc05a6f96c8e10289e3646d1e28b61e723ef3490e91e713aeee7ec25b9eb6bd3219d0dfb393a56b24771215fc6a50d743e3cab75c5f2022527ee8219a

  • C:\Program Files (x86)\info.hta

    Filesize

    5KB

    MD5

    420d9c5c3f97095d2985c69fddc2c4cd

    SHA1

    030d46d2b1395ed93b9a5c36386a78ec259fa259

    SHA256

    bc822271b9584e6bb6e1caf9f984bd35cef64c263c24e9aa0b337c6c57e19a61

    SHA512

    d062f976fb61d30236482d192c5beca8a1392405f9597d66433fda6b1b4db96526c9bc4f114e48379771dda7719a1ea2cf13393e59a48a7cb6c08e1b40be7aaa

  • C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer

    Filesize

    5KB

    MD5

    d047105794da3816170fb5eab2732bec

    SHA1

    d4f70dc5cf6fabac15404791298b1d416ea47778

    SHA256

    5504e5c0723a734d1bc9cbb926df9594877c58fd6bdf466348d4a6a9127894bf

    SHA512

    71e2a7c5a8da04d11b16153c6d72f61fe77f60928c8758435e76e5b633f53fd52ad70d3453b5c1e638d2fdc4200bb526e20351a11cddccde3d3a8c0d2bfc04df

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

    Filesize

    12KB

    MD5

    2a24c42154a6f9c3863586d3a4584f46

    SHA1

    a64a0f984f2a63aef3d85e3baa18369cfcbe5dc7

    SHA256

    72d3aa89978a7c5ac62df587a20f34f4b0a8acfa6d9a482acd6320f5b4f5e6d1

    SHA512

    7a876f4a4ddb30345affbf692fbcb11ab5df08f5992eff2e50993c7fe107fb535cd6bbbeda74e8143b48e4db02c5090edc269a18ab6fd31863a1f379dfc260f8

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

    Filesize

    8KB

    MD5

    2158bed1c506ef33ca55c488f69dd37c

    SHA1

    0ddd607d4d45eb9e773ead18426082326f6e3ef4

    SHA256

    4c6c93722123a2130431c9e61272cb58beae080447e8a1bdc82f15375a275cbc

    SHA512

    b6fe90258e592347ef6400025424a6d2e0ca538f174221de177298b7d9498e0735c1b3797e95c927b56a96eb19da32a7be99d82f94a9220929450e2945a56791

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

    Filesize

    57B

    MD5

    73bc2992f65b0c8a702be02b9b95bb55

    SHA1

    056fdbfd5e5d759e54972279020886ecbab72e48

    SHA256

    e04b7b014662652fcc965baa9786b9956220254db25ac4a2409d77f8dd1810b4

    SHA512

    e70d8bb4b9fbdf56e96d60327ab9ef50d70cd256549f48b0865a45f2c716d9ff5f75f9148328af89e61074e122e53f16ecc3af7d682aa347a5d3e61391593c58

  • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

    Filesize

    7KB

    MD5

    a767a09cabd1099b5aa946fd9963289f

    SHA1

    f48a4c42f78d7a5628eba286cab75c10d059863a

    SHA256

    386492481ab673c26b8b33a99f53e30f54541274b3a42ce32e92af3164d3fcc1

    SHA512

    f9e25122fbf8797d79fd8d0c3178c193e53bc613439124e5986263aced2e1f7c84ec8141dce5a410a41ea7a5f76af0585617db353b14a74fc8dcddf73c229ebc

  • C:\Program Files\Java\jre7\bin\plugin2\msvcr100.dll

    Filesize

    384KB

    MD5

    22cf5f21339ed251c9233ba8beeae06e

    SHA1

    72707a0a05f56053616840475d96116ec5ef1808

    SHA256

    d910346d07dc0083ab7afe4d209ff742fd9f85e675153d0582e69e9261d1179a

    SHA512

    1ab838b28c1b4dc9a901d10ec582c51cd3116720750dbd05c1404cdd19565987333f4917d8730bf5f60d882f3a7a26c355af60893f501878cf06968d285703cf

  • C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif

    Filesize

    153B

    MD5

    b5f23bf84c74878b6d4c7f9be1444ad4

    SHA1

    6b86674f72e6139df9346a0282be01a3b249eb07

    SHA256

    fee35cac14c33b28c76f754b6dcc3d7dd1f038f6c6fbff57d5816b68f5c3f6c3

    SHA512

    4bd7ef2f50219c4860ec10cb12ef786868ae1d539dad107c3c78b84495c84a976772b0fbb2dae5604b49df0fef2f46a5079a7b755720cd2666d3303c28cd39d5

  • C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10

    Filesize

    27B

    MD5

    8c1ae08b6b91da739461b61b4df7907a

    SHA1

    f038a29bc188c66dbe56efd7a7a628d27ec8c117

    SHA256

    86ec9227278dd775e5498ef378a066c2c6ced424ebb642225f66e5da8c951e9f

    SHA512

    056837824ca737568b6d1c59562c88460bebae8becf2aea53529bf7e7fa7778879bdeeca3f2977e8adbad7603008dbec5cfaf4083ef1f8d176fd3a2093496229

  • C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5

    Filesize

    27B

    MD5

    33e5012d2be6a869c15605c192855575

    SHA1

    44c6d6439ed05b78fbb715ce5577831de973c66c

    SHA256

    8a6b639fbe60ae0af7466d9a77ceb89f2e1b2bcd60cc9c794b811048500a2a28

    SHA512

    485f571ea1dde2c79ee9f1a11a4e4b449a9616b50e65a7e53b36bb29212e28b2fb28dff347d4bd46f241dd7f43e081d48932e6d947156e9f24a48cf9dd52264a

  • C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7

    Filesize

    27B

    MD5

    be6cbdcaa92cf741cd6632feccb5dfc0

    SHA1

    d0c7029c1231d489ca0d345ea2f1f4a87998ddd4

    SHA256

    694afee03a92dc4c1d8edd1cbe6f1e3a9ea703e9042bf1fd062337090a9ef2d7

    SHA512

    86820bb06727b1965231443bcca11749b29bd156ef2963cdb72e2738e67ec9ef036848d043f0571a99d6cb0626e5bb410d95bbc658be4ebc0f0bb7fb3b8306c4

  • C:\Program Files\Java\jre7\lib\zi\GMT

    Filesize

    27B

    MD5

    ad3b9721cbbdae6f463d1a16f94c8819

    SHA1

    cae43bac76291ee4a5e1291c72ed2472fe721c1c

    SHA256

    28fcb66f6f115d7276d28b377baec7b7a2a55fe80fc75e02115698b71115aa77

    SHA512

    0e47cc7fa863e2f2f94676c25694c09f622df445a0c48bced619b73ae7d5ce2119202b07e0bff9da0836d3b0b25b2f882342eea5e266579f5de92caf8cda6863

  • C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo

    Filesize

    322KB

    MD5

    73996f7f3f67a397cec8b3a08392d673

    SHA1

    b8e515ba2169ddd57684aa693d336eecef887d81

    SHA256

    6c737483bd522869155224ab1ed0f5bcddb74ef548d9b1fdc05f3caaf5c25022

    SHA512

    62726626d54f2a98769911b588116ec5a9f5341853ae2badb193d4372d4d64a68d9ebc2c3926a68a8360821ab41610abfb7e73b23ac0e619291cd36bddfab610

  • C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\ReadMe.txt

    Filesize

    1KB

    MD5

    f672c9ad4ed1425afd1161039365af61

    SHA1

    3fead86b939ae7cee9660b69817294c4a753edc8

    SHA256

    7cb8e14ab227a09ff569c1b8d654c828369171e305442108b4772c333da9f82a

    SHA512

    b0652e4f636967b0dc490a6ce66b51e0bf1c5e2b49cbd7b02414fef6473b382b0afc4d75e26fad4919a7d734b536338ed63552a92f558e227cd06a421c16c21e

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck

    Filesize

    4B

    MD5

    07057cd6c07681bdf4f0f6dde66a9a94

    SHA1

    480b9ca1d38f3fa789e93e75d178f44de010c322

    SHA256

    3a688f941877f8e5f987a36563c9813e62af5840e44b4753258ff78d01798160

    SHA512

    f0fc3bfa027937bce4ee07df88c01fe4147d63828cadd618bcd9394d3ef98880b61d686227e8f3da2291c3fe8139cae6790e04e68b9d3203db4f9bc1828c966f

  • C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck

    Filesize

    4B

    MD5

    b485167c5b0e59d47009a16f90fe2659

    SHA1

    891ebccd5baa32daed16fb5a0825ca7a4464931f

    SHA256

    db44b8db4f05d720ef1a57abadeed0c164d47b17416c7dd7d136d8f10fba91c9

    SHA512

    665e3fcbd83b7876dd1dc7f34fadd8669debdfab8962bdce3b72b08139a75ef157c4f4c3b90ea9c1f20637bb4f2a29091d9186987d22c7d23428a2e7ccf80bd4

  • C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

    Filesize

    140KB

    MD5

    dddbbcf0525635268ec1709abc699d5e

    SHA1

    c18f69e4b343beb0968e05041c1cfd849acd26d4

    SHA256

    86ce98cc430e0066e4309480bbd9115e5b77ef81f2a03f90c8266eb3eaaa6e09

    SHA512

    518b5a306a28505672c47727709e4114d07bb8394ac0103439e0727445483bd3dd9aa4e0068d33e50a78ee520fcad9345fa89ce7d5899ed236fc24219495a531

  • C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

    Filesize

    140KB

    MD5

    8c7a42e91ce398875b5ba79f48ba0983

    SHA1

    dde8cbf62def9b4e6f364d6488893e0216edc62a

    SHA256

    697e5671a198dbeb1b060b40d2bed8a2c6b847045748ec5af8a095fd4775c1d6

    SHA512

    46eb4c7bcc74ce3b97617be5d8abc56f404dc906d2c14787acb0c54870a50984ebe2d56ecef89c9f6d3caa1e47af3a530681f247c24e0e7dddeae515f155fe13

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\CURRENT

    Filesize

    16B

    MD5

    b5f455d43d3f4af38f01f220f1fdac15

    SHA1

    70e235661ef4f2d8ab2d727a37b95d99fa90d2af

    SHA256

    f3298ac19b3faffb5fd68c24d2a7f0d9bb31212e87097e581989f5a59c5c28fe

    SHA512

    2291185c66682b0aabbe7ce0a4c057aa0fbd73bf6506bd6273116f6d8d555a0abf9bbf78f0e742e39bff87804b6d1956bb8b002c5bab86f2eab1763fdc5acd9d

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2

    Filesize

    8KB

    MD5

    5a37e84ff289d552e4a7d2087930c510

    SHA1

    3a5e59ee7ee90304fa5c1392e9a3e8161dabe7f8

    SHA256

    bbf0a847f0f82f5ede613b7f7a6b1fff0e7cb562447c593c8051856b2b6fb0b4

    SHA512

    555904019f5b3dd553edd29598abb30765b0e3d99440e124c2b5c88c0794e1aa915168ebe5c485e6b5a9d9a163a07ffcb2328e07943f374c13ce9e842b31dd3d

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IJKL5Z6W\desktop.ini

    Filesize

    67B

    MD5

    cf7ac9de2b246b5fe7ba5cc15004832e

    SHA1

    603201c4f9d709da153c3cdb22e182abe0a510ef

    SHA256

    f72e6af8a27c131f61e7df21163803ec9291143b62b2e7cd1a52de145b4c545b

    SHA512

    a0cba2eb4e08ffc87dc8cd50aea50ab87152f679657cccb8c910fda2f1c47af4b6111ebcea5a0bb83045de01516ad51e71937713a6487821ba82f6249fd809a2

  • C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms

    Filesize

    28KB

    MD5

    66029e57c1734957bd06c0b118ba88d3

    SHA1

    a551f77bcb73514a98f6df8db0e6151d998991aa

    SHA256

    534004a4e88f4c3fb7c80e539726bf3689706855e735494ec79e1ae08ef60c97

    SHA512

    3f9881c43c98243e87d79610dbda050a86366f63d5ca8aa62aead56807d3a2f004093deb374313319a3932821033a496f413eb6b8855e2ad95da5b7cad30fe74

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs

    Filesize

    954KB

    MD5

    a5dab070ce203e1c5641d33699906df5

    SHA1

    2ae0b96fe3d0480a014e40b747f40cbf6c4e7a5a

    SHA256

    35d5ec16cd41b5161c0fe02190d13aca6c1431093a5745c8b3d7d8d97e3ceec2

    SHA512

    eaff907e2890f4880c6be6284c2e0131bb5682e182aba2d1af1ee9ae9c01e7c1ccbb20a1a1ca79c314eb44b185f495975bc6d5d4012c9f5762c62fdbcdc77b2f

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x7a5o34y.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

    Filesize

    48KB

    MD5

    39b6868e742fbcc066eb007ae7b47d80

    SHA1

    9da5d25b4450823671830f2fab5ceb8a08760570

    SHA256

    de062b3d44bbe3fef87021cd5f04c63430801753c7615c19dea956b5600f3a35

    SHA512

    0efcc20da76d8fddc1d2fd9db57bf447c87055a31cbb74d624c0ccd69cedced9b730f666ee0a10338a684dfc2d5b9a0a03e77e5acfcbae1a93931c8c99c8b215

  • memory/2500-1815-0x000000001A810000-0x000000001A890000-memory.dmp

    Filesize

    512KB

  • memory/2500-0-0x00000000001B0000-0x00000000001BE000-memory.dmp

    Filesize

    56KB

  • memory/2500-4-0x000000001A810000-0x000000001A890000-memory.dmp

    Filesize

    512KB

  • memory/2500-1710-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

    Filesize

    9.9MB

  • memory/2500-1-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

    Filesize

    9.9MB

  • memory/2500-13678-0x000007FEF5C80000-0x000007FEF666C000-memory.dmp

    Filesize

    9.9MB