Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    26/08/2024, 13:34

General

  • Target

    F-Secure-Safe-Network-Installer.exe

  • Size

    3.0MB

  • MD5

    9c15aac2f31dd9e1e8d64cf8f04ea5d6

  • SHA1

    aaeeb05a24f6e7ef77d46ba71794490afbc414ab

  • SHA256

    e082c6d30278139fdab5a7ddddecbcbafad12ab4dff1d5a960d9704fe635c007

  • SHA512

    0249416a9a1b526b887007704133166353fa97f9def8e57725092ee61f3bc0f5090238699c47733962495cd64550413acf25ff3086d1617e4440e9b6eba1a975

  • SSDEEP

    49152:+zk68h1xr/Rq09zUWUus6qidDQjvBJVSq2UCur80qDt5OXqj:+I6Q/Rq09zUWUus6qidE80qDt5OXqj

Malware Config

Extracted

Path

C:\wlJ8FiR2h.README.txt

Family

lockbit

Ransom Note
~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> Your data are stolen and encrypted The data will be published on TOR website if you do not pay the ransom DeathGrip Ransomware Attack | t.me/DeathGripRansomware This computer is attacked by russian ransomware community of professional black hat hackers. Your every single documents / details is now under observation of those hackers. If you want to get it back then you have to pay 1000$ for it. This Attack Is Done By Team RansomVerse You Can Find Us On Telegram @DeathGripRansomware Contact The Owner For The Decrypter Of This Ransomware #DeathGripMalware >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. You can obtain information about us on Telegram t.me/DeathGripRansomware >>>> You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID Download and install TOR Browser https://www.torproject.org/ Write to a chat and wait for the answer, we will always answer you. Sometimes you will need to wait for our answer because we attack many companies. Links for Tor Browser: http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion Link for the normal browser http://lockbitsupp.uz >>>> Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! 
>>>> Warning! If you do not pay the ransom we will attack your company repeatedly again! >>>> Advertisement Would you like to earn millions of dollars $$$ ? Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for the access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. You can do it both using your work computer or the computer of any other employee in order to divert suspicion of being in collusion with us. Companies pay us the foreclosure for the decryption of files and prevention of data leak. You can contact us using on Telegram messenger without registration and text t.me/DeathGripRansomware Using Tox messenger, we will never know your real name, it means your privacy is guaranteed. If you want to contact us, write in jabber or tox. If this contact is expired, and we do not respond you, look for the relevant contact data on our website via Tor or Brave browser Links for Tor Browser: http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
URLs

http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion

http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion

http://lockbitsupn2h6be2cnqpvncyhj4rgmnwn44633hnzzmtxdvjoqlp7yd.onion

http://lockbitsupp.uz

http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion

http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion

http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion

http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion

http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion

http://lockbitaptjpikdqjynvgozhgc6bgetgucdk5xjacozeaawihmoio6yd.onion

http://lockbitaptq7ephv2oigdncfhtwhpqgwmqojnxqdyhprxxfpcllqdxad.onion

http://lockbitaptstzf3er2lz6ku3xuifafq2yh5lmiqj5ncur6rtlmkteiqd.onion

http://lockbitaptoofrpignlz6dt2wqqc5z3a4evjevoa3eqdfcntxad5lmyd.onion
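
The extracted note keeps the LockBit 3.0 template text and LockBit-branded Tor links, but the contact channel it actually pushes is a Telegram handle with "DeathGrip" and "RansomVerse" branding. That mix is consistent with the leaked LockBit 3.0 builder being reused by a different crew, so the family label above describes the encryptor, not necessarily the operator. The first response task is therefore to pull the contact and victim indicators out of the note and separate the operator's own channels from incidental links. The following is an added example, not code from this report or from tria.ge: it parses a constructed, abridged excerpt of the note shown above. `SAMPLE_NOTE`, the regular expressions and the `NoteIndicators` structure are this example's own.

```python
"""Pull contact and victim indicators out of a LockBit 3.0-style ransom note."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed, abridged excerpt of the note shown in this report's Malware
# Config section (whitespace collapsed as in the extraction). Not the full note.
SAMPLE_NOTE = (
    "~~~ LockBit 3.0 the world's fastest ransomware since 2019~~~ >>>> "
    "DeathGrip Ransomware Attack | t.me/DeathGripRansomware "
    "You Can Find Us On Telegram @DeathGripRansomware >>>> "
    "Download and install TOR Browser https://www.torproject.org/ "
    "Links for Tor Browser: "
    "http://lockbitsupt7nr3fa6e7xyb73lk6bw6rcneqhoyblniiabj4uwvzapqd.onion "
    "http://lockbitsupuhswh4izvoucoxsbnotkmgq6durg7kficg6u33zfvq3oyd.onion "
    "Link for the normal browser http://lockbitsupp.uz >>>> "
    "Your personal DECRYPTION ID: B7568014A48684D6D525F3F3722638C4 >>>> Warning!"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# This sample's ID is 32 upper-case hex digits; the width is kept loose on purpose.
DECRYPTION_ID_RE = re.compile(r"DECRYPTION ID:\s*([0-9A-Fa-f]{16,64})")
TELEGRAM_RE = re.compile(r"(?:\bt\.me/|@)([A-Za-z0-9_]{5,32})")
ONION_V3_LABEL_RE = re.compile(r"^[a-z2-7]{56}$")  # base32 label of a v3 address


@dataclass
class NoteIndicators:
    family_banner: bool = False
    decryption_id: Optional[str] = None
    onion_urls: List[str] = field(default_factory=list)
    clearnet_urls: List[str] = field(default_factory=list)
    telegram_handles: List[str] = field(default_factory=list)


def _dedupe(items):
    """Keep first occurrence of each item, preserving order of appearance."""
    seen, out = set(), []
    for it in items:
        if it not in seen:
            seen.add(it)
            out.append(it)
    return out


def extract_indicators(note: str) -> NoteIndicators:
    ind = NoteIndicators(family_banner="LockBit 3.0" in note)
    for url in _dedupe(u.rstrip(".,;:)!") for u in URL_RE.findall(note)):
        host = urlsplit(url).hostname or ""
        # Onion links are the ones worth blocking at the Tor layer; clear-net
        # links still need a human look (torproject.org is not an IOC).
        (ind.onion_urls if host.endswith(".onion") else ind.clearnet_urls).append(url)
    ind.telegram_handles = _dedupe(TELEGRAM_RE.findall(note))
    m = DECRYPTION_ID_RE.search(note)
    if m:
        ind.decryption_id = m.group(1).upper()
    return ind


def is_valid_onion_v3(url: str) -> bool:
    """True only for a syntactically valid v3 .onion host (56 base32 chars)."""
    host = urlsplit(url).hostname or ""
    if not host.endswith(".onion"):
        return False
    return bool(ONION_V3_LABEL_RE.match(host[: -len(".onion")]))


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_NOTE)
    print(ind)
    for u in ind.onion_urls:
        print(u, "v3-ok" if is_valid_onion_v3(u) else "malformed")
```

The clear-net list deliberately keeps https://www.torproject.org/ next to the actor's own domain: a note parser should not turn every URL it finds into a block-list entry, and the v3 syntax check catches mangled or truncated .onion strings before they are pushed to a sensor.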

Signatures

  • Lockbit

    Ransomware family with multiple variants released since late 2019.

  • Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs
  • Renames multiple (592) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely as a geofence check.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 12 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F-Secure-Safe-Network-Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\F-Secure-Safe-Network-Installer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Users\Admin\AppData\Local\Temp\installer.exe
      "C:\Users\Admin\AppData\Local\Temp\installer.exe"
      2⤵
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1336
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
        • Drops file in System32 directory
        PID:3212
      • C:\ProgramData\6974.tmp
        "C:\ProgramData\6974.tmp"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6974.tmp >> NUL
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2664
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:860
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{0C9BBBDF-AAF6-452A-9A4E-4E9350DE9A5B}.xps" 133691529276370000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:1448
    • C:\Program Files\Microsoft Office\root\integration\integrator.exe
      integrator.exe /R /Msi MsiName="SPPRedist.msi,SPPRedist64.msi" PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
      1⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:3764
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4532
      • \??\c:\Windows\System32\MsiExec.exe
        c:\Windows\System32\MsiExec.exe -Embedding 2EE772B073227412F897974B54688E47 E Global\MSI0000
        2⤵
        • Loads dropped DLL
        PID:772
    • C:\Program Files\Microsoft Office\root\integration\integrator.exe
      integrator.exe /R /License PRIDName=ProPlusRetail.16 PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root"
      1⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:228
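
The tree above shows the whole chain: the submitted file (PID 912) runs installer.exe (PID 1336) from the same Temp directory, installer.exe writes and executes C:\ProgramData\6974.tmp (PID 4396), and 6974.tmp spawns cmd.exe to `DEL /F /Q` its own image, which is the file deletion the "Indicator Removal: File Deletion" signature refers to. Two details matter for detection: `C:\PROGRA~3` is the 8.3 short name of C:\ProgramData here, so a naive full-path comparison between the deleted target and the parent image fails, and the cmd.exe image resolves under SysWOW64 even though the command line names System32, which is file-system redirection for a 32-bit caller (the resource tags list arch:x86 alongside x64). The following is an added example, not code from this report or from tria.ge, that runs three rules over process-creation events constructed from this tree; the event shape, the pids 5000/5001, the ppid values 0/1 and the rule names are this example's own.

```python
"""Flag the dropper chain and cmd.exe self-deletion seen in this report's process tree."""
import ntpath
import re
from typing import Dict, List

# Constructed process-creation events modelled on the report's process tree
# (pid, parent pid, image path, command line). The svchost and
# printfilterpipelinesvc entries and the explorer-launched cmd.exe are benign
# controls; pids 5000/5001 and the ppid values 0/1 are this example's own.
EVENTS = [
    {"pid": 912, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\F-Secure-Safe-Network-Installer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\F-Secure-Safe-Network-Installer.exe"'},
    {"pid": 1336, "ppid": 912,
     "image": r"C:\Users\Admin\AppData\Local\Temp\installer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\installer.exe"'},
    {"pid": 4396, "ppid": 1336,
     "image": r"C:\ProgramData\6974.tmp",
     "cmdline": r'"C:\ProgramData\6974.tmp"'},
    {"pid": 2664, "ppid": 4396,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6974.tmp >> NUL'},
    {"pid": 860, "ppid": 0,
     "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc"},
    {"pid": 544, "ppid": 0,
     "image": r"C:\Windows\system32\printfilterpipelinesvc.exe",
     "cmdline": r"C:\Windows\system32\printfilterpipelinesvc.exe -Embedding"},
    {"pid": 5000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C DEL /F /Q C:\Users\Admin\old.log >> NUL"},
]

# Directories any user or service can write to; executables started from here
# deserve a closer look than those under Windows or Program Files.
WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")
EXEC_EXTS = {".exe", ".com", ".scr", ".pif"}
# "DEL [/switches] <target>" anywhere in a command line, case-insensitive.
DEL_RE = re.compile(r"\bDEL\b((?:\s+/[A-Za-z])*)\s+(\S+)", re.IGNORECASE)


def _in_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in WRITABLE_DIRS)


def detect(events: List[dict]) -> Dict[int, List[str]]:
    """Return {pid: [rule names]} for events that match at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        hits = []
        parent = by_pid.get(e["ppid"])
        base = ntpath.basename(e["image"]).lower()
        ext = ntpath.splitext(base)[1]
        # Rule 1: something not named like an executable runs from a writable
        # directory (C:\ProgramData\6974.tmp in the report).
        if _in_writable_dir(e["image"]) and ext not in EXEC_EXTS:
            hits.append("exec_nonstandard_ext_from_writable_dir")
        # Rule 2: a process in a writable dir launches another from a writable
        # dir (Temp dropper -> Temp installer.exe -> ProgramData .tmp).
        if parent and _in_writable_dir(e["image"]) and _in_writable_dir(parent["image"]):
            hits.append("dropped_exe_chain")
        # Rule 3: cmd.exe deleting its parent's own image. Compare basenames,
        # because the report shows the 8.3 short form C:\PROGRA~3 for
        # C:\ProgramData; on a live host resolve the short name instead.
        if base == "cmd.exe" and parent:
            m = DEL_RE.search(e["cmdline"])
            if m and ntpath.basename(m.group(2)).lower() == ntpath.basename(parent["image"]).lower():
                hits.append("cmd_self_delete_of_parent")
        if hits:
            findings[e["pid"]] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, ", ".join(rules))
```

Rule 3 is the high-confidence one: a legitimate installer rarely asks cmd.exe to delete the very file it is running from. Rules 1 and 2 are noisier on their own, but the report shows them firing in sequence on the same lineage, which is the kind of chain a correlation rule should key on rather than any single event.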

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\$Recycle.Bin\S-1-5-21-1302416131-1437503476-2806442725-1000\desktop.ini

      Filesize

      129B

      MD5

      6a661c08da9cc6513b590672fe687e87

      SHA1

      652e4a80721689d4446026ce89dfbdd28fcbad74

      SHA256

      92d20469fbff3755b787619dada3f78b57c37e93a910e9b3cb46057f93f9a860

      SHA512

      7bfe29984b92a5f6104a22906d594fb5b7839f99ca32f7f7f7205209eae21441c0af0b7ff77047009b8527224ff1fe887ced54774a47d445d8961f440d01d8ab

    • C:\Config.Msi\e58f93f.rbf

      Filesize

      3B

      MD5

      21438ef4b9ad4fc266b6129a2f60de29

      SHA1

      5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

      SHA256

      13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

      SHA512

      37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

    • C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms

      Filesize

      904KB

      MD5

      0bf7335cbb575b762c212c30f8932387

      SHA1

      40de2c33db72f1a632e4353a023a83a299e61250

      SHA256

      b203912ee7f7e2df69d79d5ce29db4a3df0a185598986259ac849a39a56f715d

      SHA512

      9d5d8f66d9cf6f211706584b2ee1d6e73c270f2438503ac9b3c54d6ace581a910bb2d2598d24c97f8385edb6d7db4c8e85dfe39aa40cc2f4e8d396d1f3889261

    • C:\ProgramData\6974.tmp

      Filesize

      14KB

      MD5

      294e9f64cb1642dd89229fff0592856b

      SHA1

      97b148c27f3da29ba7b18d6aee8a0db9102f47c9

      SHA256

      917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

      SHA512

      b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{0C9BBBDF-AAF6-452A-9A4E-4E9350DE9A5B}.xps

      Filesize

      13.0MB

      MD5

      042520a05b341ef4dd494463b81fb81f

      SHA1

      14bc27426622775411dd69ad68f70c3d1eff2f5d

      SHA256

      d9a7d737659651265ad588f426bb415a41d0ba76a41f87ccdcfd5d5d24d1f72d

      SHA512

      f25fa459208b96bd943f913b0ba3c6f1306c1f78f766e4d94909eca82e2a437b1bf08e41467c98f71b6f92ac7d9cec463b9404c96c88b8c9c2333510b0e6f99e

    • C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDD

      Filesize

      150KB

      MD5

      d057b5b43bf147a0538a67270f65baec

      SHA1

      71b07b538c4d6a410d65f2bc4b95377eda4b8cdd

      SHA256

      88a5e3140051010d6cfaf76888b2699eaa9fc986678596f1d7b427cc90f7f2a0

      SHA512

      82f98a5aa1d4346207a8fbc8c0ef6299ea81d100641a421e1eb5092a2495e668fb92cb2c389f3c3b4d438b6f200e951612132e6f1a12cd2b49ecda56372b7559

    • C:\Users\Admin\AppData\Local\Temp\installer.exe

      Filesize

      150KB

      MD5

      7e503c206e57f0295da017914a957d04

      SHA1

      96c375b9c57292db73c7ef2f2df16cf7be1604bb

      SHA256

      274844568a6a9ce334d71efeac21f528d7b54b2cd4377c978cc1270c6ad986c4

      SHA512

      cd4889ae107c54df854042e030eb431664d4db9d6dc908d1f1910ca49b89d247222f9d19440fcc2d9a120c95b56cd694750072ab9486eea961b8c33391344c1c

    • C:\Users\Admin\AppData\Local\Temp\{00810CE9-A64B-48FF-9DC6-8BA9B6A24EAA}

      Filesize

      4KB

      MD5

      3ea126b2a988107e96ebdcd22b29728f

      SHA1

      abf584f23c2d8eb96d6c84c9e831675f131bc1d1

      SHA256

      a6d73a8465c18dc39b37fe909993468091b4c225ed2038d0f43009e166147190

      SHA512

      202a31e4bf5a4a5cdc2a15279e2db5fb01f6a7c261053b56a75f545e15ac77756a36e7b7200b8b00605d7cd0eafcb103cc5fc5fc164290eef8e49a7521b9b1d8

    • C:\Users\Admin\AppData\Local\Temp\{79DF8BF1-78DA-43F9-A716-CFD9E9F4D06B}

      Filesize

      4KB

      MD5

      01b21a53b972f69d7de60d481f07b66e

      SHA1

      bec39f89e85fcf5cd6698b195b835b0756a9aace

      SHA256

      4e21873a7c283d83179e0228f95e3461f485adb0b68833a3405f33226e283162

      SHA512

      db6ca49b28fe92b10a742a26cb37da3b817e8cb90feb39a9749d422b2f754f6e4d8d90e66d5ba716c82cb335ad7a3c1b4d95f634bdec95441873797c71107daf

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      16B

      MD5

      d29962abc88624befc0135579ae485ec

      SHA1

      e40a6458296ec6a2427bcb280572d023a9862b31

      SHA256

      a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

      SHA512

      4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

      Filesize

      4KB

      MD5

      370760cad520c7b152a26214f047dd26

      SHA1

      7abd0c9c69033f9aeb34903b9f6a71e1f3a51069

      SHA256

      0b82a2e1915d699fdce977220422622883aab9a04d2a5643dbc1770e648460e8

      SHA512

      89d90f20501d85a3d599737530a72bffdb38726aff6486d46b89ca4e75eb47488057c222a912e59dafa8bc53e7f2425404cd7eeaccc491ef8f020d74d43af232

    • C:\Windows\Installer\MSIA5.tmp

      Filesize

      1.6MB

      MD5

      7573afb6916cdf6f38841142653ce591

      SHA1

      bff1cbdd58a25b3c9e5ebe5f5108f5cea8476ad7

      SHA256

      2c8d92f2434503abbd8372487ee84039c84f1244c86bc559cef483d24936acd3

      SHA512

      0a54e9eaa3009a8eb25c549683692d701c385487b7d3354b90e02d1211e80cbed82c0dbfda68f717a61ccdcedad88b7317cd2735e4140bd6ebea6eb09645e1b8

    • C:\Windows\Installer\MSIFDC5.tmp

      Filesize

      89KB

      MD5

      ee6243df5ea48d929da4790efeea45c9

      SHA1

      9c21d62d7ffca1c68e615eb57bcd5d4ad3d090db

      SHA256

      0503fcf7646daae6e5445d8c5f248384542d2eeab4c7d8ad3cd5a47759759a48

      SHA512

      283c6a7bf2bc0b3c2dced9ea7c763c71b6d68c57da6845985f8faaa9cb7649d945a3be2127bbc1e77be792f925e14cff191c9d6bdf821635d438f985feb7753f

    • C:\Windows\Installer\e58f930.msi

      Filesize

      13.7MB

      MD5

      988d663ba702ffe35f7f8080c83d2feb

      SHA1

      dbc3538e352831bec7c2e09ecd091f1fba34b62a

      SHA256

      b640c2c6e11ec5e31a255641f86b765ff5fe29d419de45b57510cf3eacf633b9

      SHA512

      25204f7649d928b3b6728317ce4b247d1f907e3a26dd49a096ad0d9ce41cfd5b0f512c9450fcca81b6d72a640815d9943931cb0084180e53ee201685f9f8f1eb

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

      Filesize

      471B

      MD5

      36328fca0a5d4b62657e7079a86fd60a

      SHA1

      da9b565df27d22b8a0ac9198d032aa54f0fe9b5f

      SHA256

      7de93512310a1c538f5a7feb7ad81f517df9e76c13a2714108af3304fbab0283

      SHA512

      897f3d2867428f3e0ae7ee584d7071a2c0c837fec9dddb8102d8d67c00fee3f637f0ef9018a5086864497ee1332d179676be48e006bed2e76c472ba4b165205d

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

      Filesize

      412B

      MD5

      ce68bd6202cdbe59e44624b7c8039e95

      SHA1

      27161c0b8d0d891390cceff3f09b0864971a4ec9

      SHA256

      1698bb13e09269625ede8e8ad9694f7c0d75f97f026a47a38e98557bf39419dc

      SHA512

      bfecfed870f3f49decfba180e7b623b5f71cfc66aa610758a91efbd686d47fcd75caaa7f2cb4687e31120cfffe158ab382a818a6bee017501dbf06af2a408ec2

    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db

      Filesize

      24KB

      MD5

      19789d6c5c539a4d6936f12c55f618bf

      SHA1

      a2837bbfebcece3c32c4d383f0595b371d6909de

      SHA256

      5f86c5504e785acadfc0043ea6fddd5772a190a8b5d1b7f13657fa5f42db7803

      SHA512

      ae4383fa59d4a69b3847bb09c7dfa9fcc1d9578db11bd63f0b9414a2156d38a343c911e8ec4969718ee145fcd37374fe655835a4082f8da307701d4e50dc019e

    • C:\wlJ8FiR2h.README.txt

      Filesize

      3KB

      MD5

      b9674de0868a93e9121bdb1d02d80130

      SHA1

      79d692fd03d3110a4358e2cc7442af9517489f3f

      SHA256

      9268d24e96639cf4c0e8d74f9769092b415015692ea528820faaded6fc5b052c

      SHA512

      b3264ad33eddedb2c18da883e2345247c762adc8a604991fce931cba06b86c361d23fa121e79d6c69948a2d5b9c1613139f401b971360d9d684abb5a61543c02

    • F:\$RECYCLE.BIN\S-1-5-21-1302416131-1437503476-2806442725-1000\DDDDDDDDDDD

      Filesize

      129B

      MD5

      75a14bdbe27e43edbd2f5a78794cc8e0

      SHA1

      cfc9627a5f97fa894339354fc7dc18f2da0de414

      SHA256

      cb266aa73577cb9f4e84d7480738a8558535e5ff5f2a3eac4a71a15539c03095

      SHA512

      e2eaa14752ac42ba1d29d7915af279b8315c391a0fb96f9d7004b2b88f5288c8fc91609993aeab37f2e06bb0ab5bf920dab0730a83c4c2dbf88da8922f149fb8

    • memory/912-5-0x00007FF748B70000-0x00007FF748CF2000-memory.dmp

      Filesize

      1.5MB

    • memory/912-2783-0x00007FF748B70000-0x00007FF748CF2000-memory.dmp

      Filesize

      1.5MB

    • memory/912-2838-0x00007FF748B70000-0x00007FF748CF2000-memory.dmp

      Filesize

      1.5MB

    • memory/1336-20-0x0000000000750000-0x0000000000760000-memory.dmp

      Filesize

      64KB

    • memory/1336-2785-0x0000000000750000-0x0000000000760000-memory.dmp

      Filesize

      64KB

    • memory/1336-2784-0x0000000000750000-0x0000000000760000-memory.dmp

      Filesize

      64KB

    • memory/1336-18-0x0000000000750000-0x0000000000760000-memory.dmp

      Filesize

      64KB

    • memory/1336-19-0x0000000000750000-0x0000000000760000-memory.dmp

      Filesize

      64KB

    • memory/1336-2786-0x0000000000750000-0x0000000000760000-memory.dmp

      Filesize

      64KB

    • memory/1448-2837-0x00007FF9F0AA0000-0x00007FF9F0AB0000-memory.dmp

      Filesize

      64KB

    • memory/1448-2803-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

      Filesize

      64KB

    • memory/1448-2836-0x00007FF9F0AA0000-0x00007FF9F0AB0000-memory.dmp

      Filesize

      64KB

    • memory/1448-2800-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

      Filesize

      64KB

    • memory/1448-2801-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

      Filesize

      64KB

    • memory/1448-2798-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

      Filesize

      64KB

    • memory/1448-2799-0x00007FF9F3310000-0x00007FF9F3320000-memory.dmp

      Filesize

      64KB
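
The Downloads list gives hashes for the submitted sample, the two dropped executables and the ransom note, and the signatures above report 592 files renamed with an added extension. A responder sweeping other hosts wants all three signals together: a hash match against the listed artifacts, the ransom note by name, and a count of files carrying the encryptor's extension so the blast radius can be estimated per host. The following is an added example, not code from this report or from tria.ge. The SHA256 values are copied from the Downloads list; the victim directory it scans is a constructed fixture built in a temporary folder, so the only hash hit it can produce is on a constructed stand-in file whose digest is supplied at run time. The assumption that encrypted files carry the note's nine-character token as their final extension is this example's own, since the report shows only the rename count.

```python
"""Host triage against the file indicators in this report's Downloads section."""
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

# SHA256 values copied from the report; the labels are this example's own.
IOC_SHA256: Dict[str, str] = {
    "e082c6d30278139fdab5a7ddddecbcbafad12ab4dff1d5a960d9704fe635c007":
        "F-Secure-Safe-Network-Installer.exe (submitted sample)",
    "274844568a6a9ce334d71efeac21f528d7b54b2cd4377c978cc1270c6ad986c4":
        "installer.exe (dropped)",
    "917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2":
        "6974.tmp (dropped, self-deleting)",
    "9268d24e96639cf4c0e8d74f9769092b415015692ea528820faaded6fc5b052c":
        "wlJ8FiR2h.README.txt (ransom note)",
}
# Ransom note name seen in this report; the nine-character alphanumeric token
# is this sample's value, generalised here as an assumption.
NOTE_RE = re.compile(r"^(?P<token>[A-Za-z0-9]{9})\.README\.txt$")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large encrypted files do not get read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root: Path, extra_iocs: Optional[Dict[str, str]] = None) -> dict:
    """Scan root recursively; report hash hits, ransom notes and renamed files."""
    iocs = {**IOC_SHA256, **(extra_iocs or {})}
    result = {"hash_hits": [], "notes": [], "encrypted_by_token": Counter()}
    files = [p for p in root.rglob("*") if p.is_file()]
    tokens = set()
    for p in files:
        m = NOTE_RE.match(p.name)
        if m:
            tokens.add(m.group("token"))
            result["notes"].append(str(p))
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # locked or unreadable file; keep going
        if digest in iocs:
            result["hash_hits"].append((str(p), iocs[digest]))
    # Assumption: encrypted files carry the note's token as their final extension.
    for p in files:
        ext = p.suffix[1:]
        if ext in tokens:
            result["encrypted_by_token"][ext] += 1
    return result


def build_fixture(root: Path) -> bytes:
    """Write a constructed victim tree; return the bytes of the stand-in payload."""
    (root / "Documents").mkdir(parents=True, exist_ok=True)
    (root / "wlJ8FiR2h.README.txt").write_text("constructed stand-in for the note\n")
    (root / "Documents" / "q3-report.docx.wlJ8FiR2h").write_bytes(b"\x00" * 64)
    (root / "Documents" / "budget.xlsx.wlJ8FiR2h").write_bytes(b"\x01" * 64)
    (root / "Documents" / "untouched.txt").write_text("clean\n")
    sample = b"constructed stand-in for the dropped payload"
    (root / "installer.exe").write_bytes(sample)
    return sample


def run_demo() -> dict:
    """Build the constructed fixture in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sample = build_fixture(root)
        extra = {hashlib.sha256(sample).hexdigest(): "constructed stand-in (not the real payload)"}
        return triage(root, extra)


if __name__ == "__main__":
    r = run_demo()
    print("hash hits:", r["hash_hits"])
    print("notes:", r["notes"])
    print("encrypted files per token:", dict(r["encrypted_by_token"]))
```

On a real host the note and the `.tmp` stage are the artifacts most likely to still be on disk: the report shows 6974.tmp deleting itself through cmd.exe, so a missing hash hit for it is expected and the note name plus the extension count are the signals to rely on.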