mafiaware666 | 096ef1633a1e4b28ea46406a6324998b5f4dc59f6596c3dfbe7d6ee403186733

Analysis

max time kernel
231s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02/02/2025, 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skull.exe
Size

1.3MB
MD5

3dce90e3a6daa8810d0dec78fd960e7d
SHA1

d44f4aa742092f33ec60264e15f09fd127a7bb87
SHA256

096ef1633a1e4b28ea46406a6324998b5f4dc59f6596c3dfbe7d6ee403186733
SHA512

bd68ff08882a61bbc4d51ca4ae2e055e20db853c79f6ea0dd5867e673af38785ddc4f992c1891ecf6d658bba89556b23797d708f3d7ca1da1eb4332f9a2ea84c
SSDEEP

24576:RTSTiRsBE12BIVpT2QhYpAILUo/g9QZqpMC3QVbIoTdWR8SfEuGujqZF13z8H81:RT7RseZDT2tSbvQsIbe8YVjPH81

Score

10^/10

mafiaware666 discovery ransomware

Malware Config

Signatures

Detect MafiaWare666 ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/964-1-0x0000000000B30000-0x0000000000C82000-memory.dmp	family_mafiaware666

MafiaWare666 Ransomware
MafiaWare666 is ransomware written in C# with multiple variants.
ransomware mafiaware666
Mafiaware666 family
mafiaware666
Renames multiple (60) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	skull.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	skull.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	skull.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	skull.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	skull.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skull.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133829615753026407"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
936	NOTEPAD.EXE
1904	NOTEPAD.EXE
4524	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1700	OpenWith.exe
4372	OpenWith.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe
Token: SeShutdownPrivilege	4596	chrome.exe
Token: SeCreatePagefilePrivilege	4596	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
1904	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
1368	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1700	OpenWith.exe
1204	OpenWith.exe
4372	OpenWith.exe
4372	OpenWith.exe
4372	OpenWith.exe
4372	OpenWith.exe
4372	OpenWith.exe
4372	OpenWith.exe
4372	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 936	1700	OpenWith.exe	106
PID 1700 wrote to memory of 936	1700	OpenWith.exe	106
PID 4596 wrote to memory of 4912	4596	chrome.exe	110
PID 4596 wrote to memory of 4912	4596	chrome.exe	110
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 2920	4596	chrome.exe	111
PID 4596 wrote to memory of 1092	4596	chrome.exe	112
PID 4596 wrote to memory of 1092	4596	chrome.exe	112
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113
PID 4596 wrote to memory of 4480	4596	chrome.exe	113

C:\Users\Admin\AppData\Local\Temp\skull.exe
"C:\Users\Admin\AppData\Local\Temp\skull.exe"
1⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
PID:964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UseDisconnect.wmf.jcrypt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb7ef1cc40,0x7ffb7ef1cc4c,0x7ffb7ef1cc58
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,8099884695634574257,8122354317707691901,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2220,i,8099884695634574257,8122354317707691901,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,8099884695634574257,8122354317707691901,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,8099884695634574257,8122354317707691901,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3420,i,8099884695634574257,8122354317707691901,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,8099884695634574257,8122354317707691901,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,8099884695634574257,8122354317707691901,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4512 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,8099884695634574257,8122354317707691901,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:2496

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2264

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4372
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WaitMerge.xlsx.jcrypt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\585f74cb-b9d1-4648-9f00-6ae157213dc7.tmp

Filesize
243KB

MD5
f90a6e16e0dce5d2987ba9b02b1ef7f6

SHA1
9d0702fe3dffc3e7c67fe0ffe09396c9c96543df

SHA256
072bfa455af86c9eecd8721157476e732c88ebcc5eef76617edaec95614741d6

SHA512
d59904046a59694b8b032ad3ac74e5ade19ad8b748fe5c9b1ae02b2f9fb0c40aeb7f5c66eeae2c9673cd5b9f9696766de9d79c8a4de888561ce6356fb1994205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
683039eb00b7cbf9847e33168d331e98

SHA1
fb1e1e864f246717535cb4d52734e2d4afdafad3

SHA256
3a01fba5770b849e591cff7e8a327e5195e514f69f332a0861b05b093f9d2276

SHA512
7cda042c017f66b1b785d25ba345767a2187ffc86bc827c318768556685063130b1bbe41c0b52aa4f0f7778ee3cf11c24b9b54d7e818bb5c14e532427d4dc31e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
512cafe04209c22f119b0063d096d253

SHA1
aab93104a410bcbdcde00e2e713bc79f7159559f

SHA256
ed8a44d31a48b5da8475ddaf00a1e856090e2892ef37f24c25ac7b3d90d0e55a

SHA512
53f7b8ced7faa2e431f9999183d945616a2d7a0ebf6299f96aba317a820499f570470ee7dd9479944dec6b608dd6712c0c1ae35f40c22426852f1ada3db0f31a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
51e630d5e587ba08e3c579363cf21bba

SHA1
d3901164ba33ff32da1530e402619b97933d4c7f

SHA256
4b6a800d4ce41797d5022f0513549f60a8b5b5fbd189475ca76bf1973f05a3b7

SHA512
82052ce526fe74999344d350ce43c5367a975b1bdf40d3da6d921a202aa4280fbb96baf5d023ae226f7a1a345d91c878bcf01b0ee50b4cbba8751abcd912b055

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
be45560aef8f269f9b4720559950346d

SHA1
a4035e65f760caa07c20099c20ac4f69e261084a

SHA256
530f4cece62cec557491e58e64fa2b856b3059e88e619f013f6590b209e00870

SHA512
736f4430025c320ea9ba6baa69f52ad02000ad8a79d7dee2c9683f2c8f7c081e6d28573d3be6ccd897bde5c1a839d1f6f70a41b92f402ac91a48f5dfa3ed125a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
26f808774a0e365d12b97eb8cd33ddf9

SHA1
5d5e4e84b5e347e89f002e828be83fb48ddf8c1b

SHA256
bccbb0be88ad8e8eb17f101626b1e397b05cf5b372ff387b378aaed988e72ce2

SHA512
f005e84cd0b49f5101c4c1cde0291e18884602b882b802705825685038f7d9430687483c0a9c32d05384601f380ae31c1ffa752551c49c7e579e8275c89a5566

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\Desktop\UseDisconnect.wmf.jcrypt

Filesize
799KB

MD5
984bfc002ef25ac12ade7e8174a727cd

SHA1
97c893dc78ed79b15ad859721d75d459b8f02a70

SHA256
4cc263813e1a8b46282bb56f75532586527a7d08ea284b8c84a3019b526962a1

SHA512
fce0cb176f76aeb7565269110ea144b792051df9294d1eca9a6e5dd534d6f1d38048f8cf3a78e61440e23a18cc0e76d9b105207680b17a46ecfa0ff40094fc34

Download Submit
C:\Users\Admin\Desktop\WaitMerge.xlsx.jcrypt

Filesize
13KB

MD5
00f6739182f892b2fcb8149c2595b3cf

SHA1
0a400c34b45e3b9878a4cd541c57e7712eadf33d

SHA256
f87e8e6357870e01af7772a0017e92d181b0fd058664a2318b95e85b0e2ac13f

SHA512
e46f52fc5f443e9cbd9c9c0b3e0e2c2eff948b98c834981b81973183df90089da690ebec58e9174440ab56302d6865932a010bad9721ae91c4310393a7d25681

Download Submit
C:\Users\Admin\Desktop\___RECOVER__FILES__.jcrypt.txt

Filesize
2KB

MD5
e7b2f70b0a66eac387d20bfa9ce95879

SHA1
fd1039428e694be368f9f500be175b1303680f45

SHA256
d55f9d1b14f036ba64b66408a0f699f963b37620928da00bfce536ce8d7efa59

SHA512
4b5d220179ff07818de893e474a69e94df91f807ab132fd5881f44a1634e637b5659ac86eeb09f782fde3638d5ad0b5f127502f1e6f5b2fe5834656bad11b3d5

Download Submit
memory/964-5-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/964-72-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/964-33-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/964-30-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/964-26-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/964-6-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/964-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/964-4-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/964-3-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/964-2-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/964-1-0x0000000000B30000-0x0000000000C82000-memory.dmp

Filesize
1.3MB

Download