Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
29-05-2024 15:40
General
-
Target
VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe
-
Size
392KB
-
MD5
6653ef20d2a3a6ef656d9c886ebabd93
-
SHA1
bb0cc0b05bb70a3d347faa94fb36a35c771b0692
-
SHA256
48ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d
-
SHA512
b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360
-
SSDEEP
3072:viHZTdn6oWzjNtxPPnGau7GMuOYHAifZEeKPi6u7KzrN7ivE5oY4KppRsqYaefiU:QZqPtvGauSM4HAifkGOzrN+HKkalM
Malware Config
Extracted
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.txt
cerber
http://cerberhhyed5frqa.xlfp45.win/F8F0-0007-31B7-0291-9045
http://cerberhhyed5frqa.slr849.win/F8F0-0007-31B7-0291-9045
http://cerberhhyed5frqa.ret5kr.win/F8F0-0007-31B7-0291-9045
http://cerberhhyed5frqa.zgf48j.win/F8F0-0007-31B7-0291-9045
http://cerberhhyed5frqa.xltnet.win/F8F0-0007-31B7-0291-9045
http://cerberhhyed5frqa.onion/F8F0-0007-31B7-0291-9045
Extracted
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.html
Signatures
-
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Gozi
Gozi is a well-known and widely distributed banking trojan.
-
Contacts a large (16394) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 2 IoCs
-
Modifies Control Panel 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"1⤵
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\DisplaySwitch.exe"C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\DisplaySwitch.exe"2⤵
- Adds policy Run key to start application
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\bcdedit.exe"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:537601 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"3⤵
-
C:\Windows\system32\cmd.exe/d /c taskkill /t /f /im "DisplaySwitch.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\DisplaySwitch.exe" > NUL3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im "DisplaySwitch.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe" > NUL2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /t /f /im "VirusShare_6653ef20d2a3a6ef656d9c886ebabd93.exe"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:232 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\# DECRYPT MY FILES #.htmlFilesize
12KB
MD59acfa5a09789f013c9eae681dbddbbb3
SHA139439dad079222c78750d4690092a9341194e35d
SHA2565b7866f03d40b89dc03642c62f50634bbd791ae302b1d5edb3e154d2e71be3bb
SHA5124f41eab62d5b0212f9f9d6293dd82679b22c8983e8f3ae09e742181201f2a49dd6c526393841b73f1d255a654c467b3f6f097e3126c3dd5b65e900a314c40613
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.txtFilesize
10KB
MD5ed8389aeea4807eb5e2157bb33573ccc
SHA1cad2c0914c451215f320eab92bc00fe87f7ee9f2
SHA25648b354906afe9c0ec31e1c4a580e3cba26bcceafe23cd1fc2e82a5f8e8525c3c
SHA5122f8652870d5f989c55ccabb436f34cf47f5e9fdece99210b2c01272258039640284c24d14b7af8532d2638d47d7d6631fc50d0b51ba4939e65fc65c40f902546
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.urlFilesize
85B
MD5e1c621542687542936dff6ccb3dae7ba
SHA11f8dddda5a7a22cef58799273ca540a7df20fb8a
SHA256eb12992612cffd64ddc758f638465b6747c2d2fb957fcaaa1adbdae6e6dacab8
SHA512ad82bc151d20ce7233b7d856504c9402cdf0165d07ceea4673ad4b5def55dfdc764a839298c4623879d61af363371e3cbf2c825785cc414270dbc1697fec2f37
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\# DECRYPT MY FILES #.vbsFilesize
219B
MD535a3e3b45dcfc1e6c4fd4a160873a0d1
SHA1a0bcc855f2b75d82cbaae3a8710f816956e94b37
SHA2568ad5e0f423ce1ff13f45a79746813f0f1d56993d7f125ab96f3d93fb54bdc934
SHA5126d8e68b969ef67903aff526e983b0fb496678e4c819139e560a11f754a36c4b5770ac2ecf3fc1d9cb5aaa84f80363b4f55553255569503893192911b80d9d853
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCCFilesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCCFilesize
252B
MD5368cc4cc4e4ba43f27d209f8fcb65b99
SHA11a79d738ba290de2a262cfcbd56a917e774150ab
SHA2566da382ad7ffe9b2a76bb99a2f4db1d07f145299ac55400840dc3f920ca706708
SHA51252132a5c9d83b8aea3e923c2ff0efc62401e7a4fe547ed2f8eed3d93a035da6c4bbfcabab456326d064e597ba9959bb5931109441a2ab130336a050fefaae563
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD546bd4aa3490fe975f02b15c46841302f
SHA17a4e6c949d998860ae54d6651e2abe765e89a5e8
SHA2565acfeb16eb2d86bea94a3f45eb488f341e1cccab97cff06e386d59ddc3619159
SHA5127a83778c367a55fe2afea933cd3b190fc3d1639f9e81e1d68666f59172b91389fda850e569044e78dd57d4bb2e678161742998cc6080b32f064d981619dc10ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD56bb8c2a0dfabd128468644573abc91eb
SHA137c1153067644e813ff8feea1dfd04155fb4de63
SHA2567e861ffe3e0ea1a423fdd3e801c9d86723565b55d6d3f13260975c30708b1d3c
SHA5125e7c67f14ca2a438fa9da07d1f077b814f6e93b31f2ccd5c05b142f502cfe02e46a9794ad14d318d76c91acb28aae2dc887c8256094e83242495726e4d19a59d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ba6df00dc23d031df1cb75382a73602a
SHA14c29c5368f3c2ed8b2a1e6f6c55b16c55f7b7e6c
SHA256b55e9c004e571522fc53f5ff041175a88780eac69208ccff3c7d862df202dbbc
SHA5122fa115d241aa74d2053903897cd51edcb745909f0fa3a70abed651a2c86a7bdd9b9e83a8addf742be110a23c0175642138635e9a0f14e05e28ee138946b77ffb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD59bb47479b626e744fb6ef7efa8a52fdd
SHA1387cd348eb785545d725c68df32f24433d921409
SHA2567b24dcc2f7e4e66176436f2d99616237ad3ebd7f9110839e2b267abc6e6974d6
SHA512b761c60232c882ddba662aa41f788184a0fc1abeb44e0d85869e1225f2da57521cd67f70f458b5b7aa086aaee63b2e5b4a572d3197555e472fb476d0854ee9e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5f32c26b285bfaabf4294a61ff6cca8b5
SHA19078c9aa7b212abd240b09b733051489fc6d8d33
SHA256d31b36a36dedc34518643dacc0f132a56001c2b4528c0d7e1c55a692b2dfb9d2
SHA512a152b44701b2f9e2a7f66c2c41492c402a7b4a352e1e205040d2a43b83e5738ee55cb8e03d756d27acb1e7e8feae7d3fde5ff31caff925bf17d80e75e901b19f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD53702124a06a13e21ed95eac2318850b6
SHA10e152bd5ca40ed2ad877822ca5b712e9819b22a1
SHA256de3eed3caa972515281c7ffe907cda9836c842f2a99521601d50dac404f62274
SHA512afc2f62c61b0c3c219a29d6784f08076cfdc6f762dc15d1e25473ac9dded87b7ffd69498e8c4d5e4b42cdf0f8eaeda3e059157a64e6bf03d4afbbc92a889eec3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5653bce59b681cac40d9bc73f81ec1fc5
SHA15176058331fe51bca55330d2538f4cc6327e0749
SHA2566fad2287901a0c61b18d0f71363dfd790869c18d3cdec902d0cc002ac55e718a
SHA512ad0cce5240531bd9043c46ed762909552aadd2e55f425c5f2efb167ce31e0f300b85f1a52ff6139bdfa7f47eda34e5372c3b1f99933d525d96ede6ee5b46eddb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5fe2a747910c6dbb143c4d1a371f59f88
SHA18ce82272e2b3df4fc90eb7be8fe0c06bcfd6a6de
SHA2569b706ca370a7d9bb6e0c8f8cd06f59553204f81fcaea28e38ea34b51e74e2fab
SHA512b3d6e4d6986a6569d31aa8e4246590153d78369b604cef5cacb48f64872f71af0b62222fd8429783f6bf8d48e4145aea40de2a920766c946e59f6c413f94d468
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD520c4ee9c266b3385163dde903e8a0481
SHA14dd7c65f9367d116f52a0bee30d4ed5d16e6a2d0
SHA256073bbbdf3ef1c07a02c2b4ffe1b705cbbfcd5c3b6b5741e9ac67ad9ee0d0afd5
SHA5129027a765e2c3246c933439312b3e631bb4cd4c1f01625cb2fdf7dfc38c75499e58bbaece8a43e20c5ace6f02ce945565c8b93fff990b47662e8a4e29b9c0b779
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5c68ae38e68d5eb9a1c8ae3134575dcb7
SHA164259e82333026f5790d554803793ddd452e4c8d
SHA256c177e4d693affcd116e68231a2eefe0c585eb0c2c580dbce1622feeef2e554ed
SHA51238d9aca0ac908c7a1cdf6ae9342599a1947d23c0e87fad191e14f8acc38185232d9369eed6cef69e651b0688668fbf6ae0738ba30227ded58b1bd0e905bdabaf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a2043de39cdbf517797b9a4f3ae6e244
SHA1ce5a13e3e6677742e68fd047fdd8e6e6e934c0d7
SHA2563c8b3c428d7aa45b807b22307f393c3d5eedbb7859cf400110754b5ca277fa38
SHA51234ff69aca3f1af2a127cde8f665a1025237e1a6d8a276b26089f808cccdcf2cd3b94dc0f4fad5b50ca9b6343b71463f461f36f06c40bd00ba4f059d36735f1e0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD50c45eb550af9fbedea434243cc2c23e1
SHA13eb8c22b158db2e18acf589ec7b6b3c2e380827a
SHA256402cf29b76f75c6987a42bae0f9103019615a57667b4258d6d60270c39120b50
SHA5123957e0bfb8625258edcbc4b7fdc728bbda91b39c1ff957e0b09be08d6f2532aa3ae7e32208acbbe0bc259e3498ed9cb2f08ea8fd46d8bd3e76f08a937a1c493f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD56a8b8870b98ce9ff2272d76a6d8c7350
SHA1b47c550277d10807bdd66345a5488ec9ae377475
SHA2566f8ee3d9e443ca1ba83fe42cf5ed1f556d24ff7ba7711b3718a1e04be7f24604
SHA51263af49780474062916810d5ae44283bbe629d0351b0d0110d5d451d9b3bd3bf0c19638e3267c319326fe08e246601d90e1f84264fec56fb2ac995b4ff5ccf241
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5eb7378c19e69ee20d1923e68601bb748
SHA1f3050cfff2bd677a5e848128deaab49cb445c8c9
SHA2566e88051817035c25bc0ca9949309ca086c98df15459c0d514c58341a5477a959
SHA512514db4a1766abfe8da0322618cec11fb690b748507d74e3d4ae87a742e754aa4126575cd886f31161490cbb76d8be58fdc5b2b0b5033b808d3e0334ffe345fef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD5a042209ce4acefdc452cd756e06d3b1b
SHA1b0f90c8e82f48f46ddc485a63089eeb875beca6b
SHA2562e480c67c08371b58437504651404070f617b112457e555ef783f22759b63011
SHA512e87d7427b711539faac3e342556894e0a3269579e6be0ae74c6f2315b8deabe934af2dce378f72d705e3a8269f755695f42bf3f3bd760c7ca9f052847fe1b234
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD5a8a229d0f0dc36749d50b39999fec8eb
SHA152102d1372028b4bb0b56d57cf142a9167f7cbb5
SHA2562a03e76f91c121e596a7403845074fbcc7b4eb26c4370af4f57b5bc26bc11f8b
SHA5129aac3e94b6f9a2572aa3489b56e2a6f501f8db459a7eb91a3dc740bed20e3ac6e83659f8d65151649416686067089497f97c6d98bd9235c6d2ddd008dfa6977f
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E274A3C1-1DD1-11EF-87B3-6E1D43634CD3}.datFilesize
5KB
MD51fc59bf6f532d722a22179f9ac51fc31
SHA1f363ff7372651a7a46bfe353d578f3a0e58f2560
SHA256c13f728d375fbdcd7f77c7b64f2f2db4a47fb7b4b6ca2aef87b9ff216695d380
SHA51299d66f0c0a15f079b09037b3bc4931705548f15b64666161a5c10711810716d0fc557c3fa708e46986046f21df319f50b8a7a8dc5f63180e2b991fdabe3bf87e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4Z80JE5\favicon[1].icoFilesize
4KB
MD5da597791be3b6e732f0bc8b20e38ee62
SHA11125c45d285c360542027d7554a5c442288974de
SHA2565b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e
-
C:\Users\Admin\AppData\Local\Temp\Tar12DB.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\DisplaySwitch.lnkFilesize
1KB
MD5816587686dfe810f46b3c6d0fc140ee7
SHA1954a91b461301949686276bdc9610444f096add9
SHA25610e0c5bcff7f58c0e032a1027abc43fd75b0c2621ad62a11f81309987213ec76
SHA51210887975d9fac811d1df2c98e7013705b6188d614631dc25d0857bf4852c6b2c915f38b3fabc3a6f6da296a2f1cbb4bed59bf8b1d6eab9549a9d1a5c1e01b39f
-
\Users\Admin\AppData\Roaming\{B1742F51-9A6E-9153-98B4-65A8CA63BBDA}\DisplaySwitch.exeFilesize
392KB
MD56653ef20d2a3a6ef656d9c886ebabd93
SHA1bb0cc0b05bb70a3d347faa94fb36a35c771b0692
SHA25648ff838a7fe98ec2c5bb59a8a76100047abcfa6db824f4982b8e7fdf2110f05d
SHA512b68b37147ce0d1389d62f5f72ebb616edc7d2ed2aaa484e85f6dc4b6070c9ce973a523e11e311686dc0efb0757fe52dcfa430afb1f48f98ecfdc257c6f3cc360
-
memory/2060-1-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2060-2-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2060-20-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/2060-0-0x00000000001B0000-0x00000000001CF000-memory.dmpFilesize
124KB
-
memory/3008-474-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-478-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-501-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-497-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-468-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-470-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-472-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-495-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-510-0x0000000003920000-0x0000000003922000-memory.dmpFilesize
8KB
-
memory/3008-476-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-479-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-499-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-1116-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-39-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-26-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-25-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-24-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-483-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-485-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-16-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-488-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-490-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB
-
memory/3008-492-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB