Analysis

  • max time kernel
    134s
  • max time network
    137s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28-04-2024 13:49

General

  • Target

    loader.exe

  • Size

    28KB

  • MD5

    0d74b1b35a300a46c077a159c9bb1f54

  • SHA1

    cf866b0dd5eed866cee681a61dcad1d2a2b868e9

  • SHA256

    ae0f395572e1922d28a526075665b5be9cf619044348fe9058569f9dd94f52c9

  • SHA512

    dd0487163c66c7f8ddc7d36191abed25e1f4163852c72cecd506dafc16f7ccd4947f79f4dff006773cc11076b46d22cdb1de776f8b637ad60918135b2ef0a8cd

  • SSDEEP

    768:dn3kIompLNMfKXROor9inlucg+wiNzGp5ek:t3kI/OIEor9inVg+Zk

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\important.txt

Ransom Note

All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only. We also have all your passwords and cookies so you cannot escape.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - https://www.coinmama.com
Bitpanda - https://www.bitpanda.com
Payment information
Amount: 0.0079 BTC
Bitcoin Address: 3Gq3M3xz5dstUaCn7iLLxLRTBMs3BLKwPn

Wallets

3Gq3M3xz5dstUaCn7iLLxLRTBMs3BLKwPn

URLs

https://www.coinmama.com

https://www.bitpanda.com

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 35 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 6 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2852
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:700
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4776
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1368
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:304
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:528
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\important.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1572
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4132
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1400
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:3556
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:888
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UseSend.png" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:356
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2116
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1528
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:5012
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2296
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:528
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4380
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\important.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4700
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\desktop.ini
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:4788
  • C:\Windows\System32\xpsrchvw.exe
    "C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\SubmitResize.edrwx"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3804
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\AssertWatch.jfif" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:436
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2444
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    PID:264
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff26c19758,0x7fff26c19768,0x7fff26c19778
      2⤵
      PID:4700
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1684,i,4531310775501916199,5846848961544293529,131072 /prefetch:2
      2⤵
      PID:4728
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1684,i,4531310775501916199,5846848961544293529,131072 /prefetch:8
      2⤵
      PID:4684
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1684,i,4531310775501916199,5846848961544293529,131072 /prefetch:8
      2⤵
      PID:3784
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2896 --field-trial-handle=1684,i,4531310775501916199,5846848961544293529,131072 /prefetch:1
      2⤵
      PID:4732
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1684,i,4531310775501916199,5846848961544293529,131072 /prefetch:1
      2⤵
      PID:3884
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=1684,i,4531310775501916199,5846848961544293529,131072 /prefetch:1
      2⤵
      PID:4184
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1684,i,4531310775501916199,5846848961544293529,131072 /prefetch:8
      2⤵
      PID:1616
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1684,i,4531310775501916199,5846848961544293529,131072 /prefetch:8
      2⤵
      PID:2316
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:272
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4876
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3488
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\AddExpand.dib"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    PID:2160
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
    1⤵
    PID:2560
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\CheckpointStep.png" /ForceBootstrapPaint3D
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1320
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3600
