Overview

overview

10

Static

static

10

20ed7ed36e...18.dll

windows10-1703-x64

10

Resubmissions

06-08-2024 12:58

240806-p7wxwazcqq 10

03-08-2024 17:38

240803-v77x2azfqn 10

30-07-2024 18:36

240730-w9akzssfmk 10

28-07-2024 20:03

240728-ysq8hs1hkq 10

Analysis

  • max time kernel
    76s
  • max time network
    77s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-08-2024 17:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20ed7ed36e052a523030ae979e872793_JaffaCakes118.dll

  • Size

    116KB

  • MD5

    20ed7ed36e052a523030ae979e872793

  • SHA1

    b686ea3f47c254082c584ee9d18d386af4e0c870

  • SHA256

    bec5d4b9979a2094fe1062512ea2754b9ce573b879b25167fa8a4f52f350edc9

  • SHA512

    7df169ae3bf9bf85205a7b5a4d5ed33aed897073dc003a7ef1eea529473fffe005b549bd72e9f098ed958c8a5232640dc12928413d0690a3b6692ffd0b32cb94

  • SSDEEP

    1536:CPp8kFF4+utlznGEvCrUmUYwGOmpX2yaICS4Aa7APtwdRW4M/5qAO:8vnuGqfGOqVBP+dlt

Score
10/10
sodinokibidiscoveryransomware

Malware Config

Extracted

Path

C:\Users\689ni-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 689ni. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AA6F49EDD2A72117 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/AA6F49EDD2A72117 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: 8Rdbmhm+gD6qW3YISNYVzUmIajEIpea5HBe7uFS8MHuFN/8pGcWY+5xds5fUpyGT y8C8EtafIHEJR3znIMvQjjEXmpWoxo0V2raOerVXoCUnwaozgi45ECeSmJozgBDG 77ENMcBqmzvjR7vjHXgppMtdcBWp2PKTxk5QUYhF1w3Ds9l3iKAcJlF4O05PmSWG q0uXELqUHeUkKZKF+aBxVL9WC5lnkG99RLj1nG940GVJ3AFrS8/ViMkVuIk3hHby IVJIU+MdigUQxbIf5jn/EkOoMTwnnWYZBAPfrFUwLS+ceVg6xDx7tV4o1RT5/3Tv EE36ll4q1zMO91bXJ2Ee+t/cjNrc2ayF31Szw1Zf6bQi06cS2R5nZuE1QBQs0sB4 8lqSI68N7Bo2JXP1uolAxPJCAJgdOggSgZbzyiIBTQOpUimqvNnpAOQONaWENvEq PtPmj2SiBPNW81TvcA6VYBd7OYsAP6HjPANFQdhofrGDw2UdW5XlQ1fsS7c8KHqB RtD4zikP9Y4jfPyDquvk8rN8feQng5EpTvvDyqDOJ1kxeAkmg1YVqgqGAEfS162a GrrURRXH4K2H4NsWA83u2yTe34TmHhlzE+mDOy8BTrbvpIkKxe4bHgVjpFRqOiUk 25oNMCB9mQu5nCPlCdOfP72vNWvauP0tWorcxT8ZGER/i9npItvdEROo+6/wyF5w FVjDEBKC7nCsrwPfSFdgrkXyWlchuIGSrKhSqxj2URTGoz1mB66/D8kkhMNIF9b2 McXIxYLXmfL0gAl9pH+LQbkvU9RM00KEsQtABHhvwSK/vj5VSkBnSaD0TuPH02b1 iyhkeUQQoezMBzNf9GvpwrCJvPlVk5qX6KfhWgEc73CmPo3oIrMkmpAimU+ohtly avd6ez3qECuYVcxx7cci+/rsi2Pgh5Q09nH6vv/tXRUTSQd0q0IzUumrA/a1yn0Q kUq2ighAvJvTDUl65UbyzFnFfMafIhO2RnW/DaqJFG1hJFvanOq3Q7iiqz+31zKp +lDkAfR6QX+du94tu/HVf5mlaWCu/8437c9N5+wEslQ7WDSZVCbcwsTX8Qk4LJwS BRUCH6dmOFMWh+DwefzPl0iCjtl7KQa80Fm3p6MmVvE1YMgZ41Jz05+oS92v1Obd Uy3VjblvXb7tKOxTAZ5j5EtNl3ouMhYLNYzHbgEWcndctkIXh7a5OXaNSkFQsbrR fjiXEdc4GB7imkxNymq2lhKqbUKhWut3zNLpzj3UK9Wer/49+1F4jHsOY5fasHiE 9co2yt1KKLdRLr0w8222sQCFDhyMLZaziNFXr+ixZBBToc3SzzukfsBzzrgE9Ynf v2ibxlfOZTuucsQgfIFskRtlA2f1fQ== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/AA6F49EDD2A72117

http://decryptor.cc/AA6F49EDD2A72117

Signatures

  • Sodin,Sodinokibi,REvil

    Ransomware with advanced anti-analysis and privilege escalation functionality.

    ransomwaresodinokibi
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 33 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 11 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 13 IoCs
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 13 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of SetWindowsHookEx 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\20ed7ed36e052a523030ae979e872793_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4140
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\20ed7ed36e052a523030ae979e872793_JaffaCakes118.dll,#1
      2⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    1⤵
      PID:4924
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1976
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\689ni-readme.txt
      1⤵
        PID:3612
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnlockCopy.xls"
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2424
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UnlockCopy.xls"
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:268
      • C:\Program Files\VideoLAN\VLC\vlc.exe
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SwitchEnable.au"
        1⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4292
      • C:\Windows\system32\mspaint.exe
        "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\LockConfirm.jfif" /ForceBootstrapPaint3D
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4684
      • C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
        "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4176
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\689ni-readme.txt
        1⤵
          PID:368
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:4140
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            2⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:252
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.0.1800900793\896745688" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10e56594-3fe2-4e42-8434-10755c9968f9} 252 "\\.\pipe\gecko-crash-server-pipe.252" 1796 216276eee58 gpu
              3⤵
                PID:2820
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.1.613751245\325333039" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {365fbb07-a9ee-4866-a768-b601c2720bd8} 252 "\\.\pipe\gecko-crash-server-pipe.252" 2152 2161c470d58 socket
                3⤵
                  PID:4412
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.2.2038635415\1539915842" -childID 1 -isForBrowser -prefsHandle 2844 -prefMapHandle 2880 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b00866fe-e673-460b-b349-72d33532707c} 252 "\\.\pipe\gecko-crash-server-pipe.252" 2816 2162765ea58 tab
                  3⤵
                    PID:4964
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.3.1028826935\24858059" -childID 2 -isForBrowser -prefsHandle 3404 -prefMapHandle 3396 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf6dffa6-0063-4954-ab6b-983517c32702} 252 "\\.\pipe\gecko-crash-server-pipe.252" 3432 21629d90a58 tab
                    3⤵
                      PID:760
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.4.291042117\220881302" -childID 3 -isForBrowser -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7ba3ebd-b5b8-4f1a-84f6-9b70e82821ea} 252 "\\.\pipe\gecko-crash-server-pipe.252" 4032 2162d565458 tab
                      3⤵
                        PID:4980
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.5.561858225\1469410186" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7bb8869e-5233-4ff5-a49b-ac108f4c4bbe} 252 "\\.\pipe\gecko-crash-server-pipe.252" 5080 2162acfbe58 tab
                        3⤵
                          PID:756
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.6.1956400181\5350142" -childID 5 -isForBrowser -prefsHandle 4840 -prefMapHandle 4872 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {845710a0-32c6-42b6-a1d5-59c15594aa3b} 252 "\\.\pipe\gecko-crash-server-pipe.252" 5100 2162acfbb58 tab
                          3⤵
                            PID:2452
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.7.812568634\1827214013" -childID 6 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4af7d5f0-99a5-41c5-9a94-7a8beac493b3} 252 "\\.\pipe\gecko-crash-server-pipe.252" 5268 2162acfd358 tab
                            3⤵
                              PID:2212
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.8.276352074\1793345314" -childID 7 -isForBrowser -prefsHandle 5136 -prefMapHandle 4596 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {613349ca-a786-4304-8d20-ef3759b09a64} 252 "\\.\pipe\gecko-crash-server-pipe.252" 5108 2162ebd5558 tab
                              3⤵
                                PID:5456
                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="252.9.1289981512\1274061254" -childID 8 -isForBrowser -prefsHandle 5152 -prefMapHandle 5136 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81c55504-4e52-45db-8d04-de9d8948792d} 252 "\\.\pipe\gecko-crash-server-pipe.252" 5916 2162f0db158 tab
                                3⤵
                                  PID:5688

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\689ni-readme.txt
                              Filesize

                              6KB

                              MD5

                              9a7d73ed239ed27bc40a96c82b4c867c

                              SHA1

                              e94af9a570c92db9164b843e402ba0676ec6977b

                              SHA256

                              cc8ecb64c02282362477005c01673a51db0a5d0475b2ab56a8012dae1dc56964

                              SHA512

                              43a5361137e8c5fd93b0b28d10a4387e09d1b895c4c0b55410cd33656cde32ba8a754c9d55bb1751edc2c6dc66828d98df0eb6f9a2aa23b229804fbd968ce987

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
                              Filesize

                              471B

                              MD5

                              7d4c4ae233eaa3d13c9d7720831f1e64

                              SHA1

                              556a1c2e05fcadf4e0015a6a47e0ce33ab562146

                              SHA256

                              ee68e521cc257eb3a395be61db55c9ec61617d9cf8f2efc833077933c37169bf

                              SHA512

                              76a4a11e3a67baae92d65d64f85f0d163288a393942814a7a685302c29b6b5684d423b77e6d9fd2bfa1029930bd8e7f19f5cebfa1cb6217c9049bf6b105b7932

                              Download Submit

                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
                              Filesize

                              412B

                              MD5

                              352ed0699cf173788b55399db6618b6f

                              SHA1

                              f347b7010b3ac32054909d8cc7242e0530696e54

                              SHA256

                              bb45bbcc61582e79f5a1de49fa7b2585e5ed71e0bf7c93c5c287219e0317f699

                              SHA512

                              728d68d90cb88a05d2be18b81ae299bb7a16274659d3d7d61d8743e3c009e469a3dec77f7fc30c99dc3fe2a75e138a8a6b6ba054d06b8cb5c31c9e43ba3b763e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json
                              Filesize

                              21B

                              MD5

                              f1b59332b953b3c99b3c95a44249c0d2

                              SHA1

                              1b16a2ca32bf8481e18ff8b7365229b598908991

                              SHA256

                              138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

                              SHA512

                              3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json
                              Filesize

                              417B

                              MD5

                              c56ff60fbd601e84edd5a0ff1010d584

                              SHA1

                              342abb130dabeacde1d8ced806d67a3aef00a749

                              SHA256

                              200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

                              SHA512

                              acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json
                              Filesize

                              87B

                              MD5

                              e4e83f8123e9740b8aa3c3dfa77c1c04

                              SHA1

                              5281eae96efde7b0e16a1d977f005f0d3bd7aad0

                              SHA256

                              6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

                              SHA512

                              bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyHistoryStats.json
                              Filesize

                              14B

                              MD5

                              6ca4960355e4951c72aa5f6364e459d5

                              SHA1

                              2fd90b4ec32804dff7a41b6e63c8b0a40b592113

                              SHA256

                              88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

                              SHA512

                              8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2D294DCB-86AD-4E65-9E9A-8B3C3EB70547
                              Filesize

                              169KB

                              MD5

                              86a62f6d760b0ef46e0b34c2732c7cf1

                              SHA1

                              f2a8868c308ad07cf17ed103750c9be54e299d39

                              SHA256

                              ce246d0030f717f32b1ed44d469aa0866bc95b506ff4ac875a8a089b2ba2f651

                              SHA512

                              29cefee31aa91f20489b363e6372982ef82fdbf218a2d4073b5036053455d8d7910a7c4886555b6c49ddb1167d4671ec4f570a9e2e4721ef4eaa5c66969edccc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
                              Filesize

                              321KB

                              MD5

                              5b4ea7676f0e3aa19f87eaf81cacfc69

                              SHA1

                              a776b52f53b1002255d87b4ced9f0d385d4f17ed

                              SHA256

                              7e04d3b29ddaa7b7480f081db4d4f3b881e5945b40cd9a7582986603f8ceadaf

                              SHA512

                              0a5cbf228584dd5b31b8d640f498ca1003683c571c5f77963b56dc7de6de3e8f5b161781f6d8344e2029816da2909cab293161265eac390646420def640c612b

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
                              Filesize

                              24KB

                              MD5

                              8665de22b67e46648a5a147c1ed296ca

                              SHA1

                              b289a96fee9fa77dd8e045ae8fd161debd376f48

                              SHA256

                              b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

                              SHA512

                              bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres
                              Filesize

                              2KB

                              MD5

                              34bf999965875693204eb9f4c75f8b4b

                              SHA1

                              2c203077c4e2cf7a0b693f73590cb68b6a830074

                              SHA256

                              093f0120ead9bf6c23b5f178db3d65d3b260e3ba3f1583dbd046db4bfa34be07

                              SHA512

                              3072189bad791d729599a31337bba33ae411b35b64e7a594839dd06a837129c6f254e788bb37b29ae8f364d008eb53b07de347f5e6596be8e75d30a2ab455be9

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
                              Filesize

                              233B

                              MD5

                              d0e9b01e1eea1d666fd21efeae705279

                              SHA1

                              3f2cffeb1708f612dc1be576262e1c837785e9db

                              SHA256

                              281c44006a10bb3a35d7ef7d6d9677d74bceaaafb536d11a8565df547e082343

                              SHA512

                              78dea909fe527aed9f6e5e216439595007f17900c9946520cb5a864813a78e6812c4d47147b85835d706512c08cd56415bb6844caada20bb0d81f49fe334565f

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
                              Filesize

                              2KB

                              MD5

                              404a3ec24e3ebf45be65e77f75990825

                              SHA1

                              1e05647cf0a74cedfdeabfa3e8ee33b919780a61

                              SHA256

                              cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2

                              SHA512

                              a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
                              Filesize

                              257B

                              MD5

                              4587d493d062954bde10da3bb1f986a2

                              SHA1

                              8d3a87c533ab8cfc51168913955790c46a39ff10

                              SHA256

                              620c0e90f5286f903c5501d7703e439cb3d6a9d8d47c8e614d7a53d0d588360a

                              SHA512

                              a5fbdc1d24fffec4aafc492a6b0779eab2fd926f39c41f49f0481fafed3918c77658ef23d915d3c99b9af358c2186242b4bca9f5c43ed5b459829b134f6e3d2f

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
                              Filesize

                              2KB

                              MD5

                              3a010d675c0199be1931071fa804684d

                              SHA1

                              953eba09f71f8ccd9015ae3a97aeb7b2b870587e

                              SHA256

                              e602a044156601c74de15646919021634821705181a181de4926a8c9431b18bb

                              SHA512

                              45bf4b63fe0052927dff6d152413f704ae28baa27a80b49ff9acfc3720166dcfe5b06754c6784fae89d7f72dbe58551ea2a03341b07e9922e3c1e00074031c36

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\9cf93943-7139-428f-ad85-13e1c9005086
                              Filesize

                              746B

                              MD5

                              2bee3fa4f15db30560cdca19cf3f6be8

                              SHA1

                              b5695d32d782a27c67cd8ec9d5d6082ad519647b

                              SHA256

                              465bde7a7e49446d5dfadce1f1f3ffc662436c6d11b163bf97f6f57537c9bb43

                              SHA512

                              3a797848caf880c374fafd0d276a7a223132e51d55bd9baa6a8334abe546766b57e11d5e3562d4d777c1565f2f13e47587e6beb2e18eb9be49149d1e24085f7a

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\bf6a712b-1f95-4eb9-a187-f65a2aef4dc7
                              Filesize

                              10KB

                              MD5

                              d64512ecd3503fead85465c090538c67

                              SHA1

                              2f2ffedfa6511ece5d8b9717aefd2b0f4c9f8413

                              SHA256

                              fec994fdc5a23db223e00f10d27c05ea900457ed94ae69019d8633205a72d63c

                              SHA512

                              42d2404f4a133cbab1ee8bc24e2eb8d10ed12dafd092d46f3bf7b9f688cb09f2bf91351dc6e61a74c592bfa4c4135783478747151596126a78fde25ebd670a60

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
                              Filesize

                              6KB

                              MD5

                              fd52ef9809b8695cc08302aeb49098d7

                              SHA1

                              4e8c09118841093c0cdc763c6036afc72cbba280

                              SHA256

                              e7ed1c5a585908a7d9a09e47f2e2febb9a49044a29ed33ebe636af77a0eaac4b

                              SHA512

                              e1fadd9e3a1c44eb2c465a44c2fae166ab9586cd3445d86573837119957e6127afc90636f37f9fc51d4b186185cc025dea3b67e2d693ab3b144c8c0339765c65

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
                              Filesize

                              1KB

                              MD5

                              327e9d47b244328a7c05645473d48f56

                              SHA1

                              286f0aa8985e09b97cae6859893790b56ab43b53

                              SHA256

                              b3503178fa42510577ad4188097aaead15ce93c0f31db736574ec3ba0328267c

                              SHA512

                              84d4a6cd9cc9e314a2b80fb6eae054d1c1b97cec699870d68ee94e098ff0a5573c88279e0a413349dfb496f5c75c869a51d932a412b14db53b7f0c3c1ac0a19e

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                              Filesize

                              184KB

                              MD5

                              0ed2663971e8051b2bcb574926400fa8

                              SHA1

                              467756bf41c377bdb07c8be10d5391f1df1d80a7

                              SHA256

                              0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

                              SHA512

                              e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

                              Download Submit

                            • memory/2424-124-0x00007FFB37480000-0x00007FFB37490000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2424-321-0x00007FFB3A0C0000-0x00007FFB3A0D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2424-324-0x00007FFB3A0C0000-0x00007FFB3A0D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2424-323-0x00007FFB3A0C0000-0x00007FFB3A0D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2424-322-0x00007FFB3A0C0000-0x00007FFB3A0D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2424-117-0x00007FFB3A0C0000-0x00007FFB3A0D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2424-118-0x00007FFB3A0C0000-0x00007FFB3A0D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2424-119-0x00007FFB3A0C0000-0x00007FFB3A0D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2424-120-0x00007FFB3A0C0000-0x00007FFB3A0D0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2424-123-0x00007FFB37480000-0x00007FFB37490000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4292-547-0x00007FF75A700000-0x00007FF75A7F8000-memory.dmp

                              Filesize

                              992KB

                              Download

                            • memory/4292-550-0x00007FFB5C730000-0x00007FFB5D7E0000-memory.dmp

                              Filesize

                              16.7MB

                              Download

                            • memory/4292-549-0x00007FFB5DBA0000-0x00007FFB5DE56000-memory.dmp

                              Filesize

                              2.7MB

                              Download

                            • memory/4292-548-0x00007FFB6D940000-0x00007FFB6D974000-memory.dmp

                              Filesize

                              208KB

                              Download