Overview

overview

10

Static

static

10

YashmaClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    299s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250210-en
  • resource tags

    arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-02-2025 12:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YashmaClient.exe

  • Size

    130KB

  • MD5

    6a5d6de74af2307b9ddb8e7e0a05aec3

  • SHA1

    a9bb545b11c8b4415359fead7a92ea848f508530

  • SHA256

    4e44d16e3c4274d3a49d8562299659b7177632e484ca7ba3c0d7a95bc44d686a

  • SHA512

    bffc0eed72576ac2b0d68410db02d76369bd937d9a4767cc0edd021343cf8f0a81af9813cb0038726ff61ac274f81ae4144f3717148807ba5973b7103408f8f2

  • SSDEEP

    768:w7zxAmCgnegjDho9Ws82FOfMCwRhOF15utoS:wNCRADq9W3cS/wCFLS

Score
10/10
chaosdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Chaos family
    chaos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    defense_evasion
  • Downloads MZ/PE file 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\YashmaClient.exe
    "C:\Users\Admin\AppData\Local\Temp\YashmaClient.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:696
    • C:\Users\Admin\AppData\Roaming\DDosYashma.exe
      "C:\Users\Admin\AppData\Roaming\DDosYashma.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:1036
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3772
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:3804
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:568
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4552
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:3316
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1932
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1884
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2432
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3136
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qjg3MjNEMjItNDAwMy00RTM5LThERjktNUNBRjEzN0QyNjNDfSIgdXNlcmlkPSJ7QzA4MkRGQ0EtNUU3MC00NkQxLTlFRjctNjlEOTk3ODU4NThFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjRCREJFN0ItNDdBMC00MDFFLTlFN0EtMTk5RTY2RENGNzMyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjYiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDcxMiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjY2MDQzMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4Mjg5NDU4ODciLz48L2FwcD48L3JlcXVlc3Q-
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:1156
    • C:\Windows\system32\BackgroundTransferHost.exe
      "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
      1⤵
      • Modifies registry class
      PID:1784

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    Windows Management Instrumentation

    1
    T1047

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Direct Volume Access

    1
    T1006

    Indicator Removal

    3
    T1070

    File Deletion

    3
    T1070.004

    Modify Registry

    1
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Inhibit System Recovery

    4
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\read_it.txt
      Filesize

      582B

      MD5

      ed5cc52876db869de48a4783069c2a5e

      SHA1

      a9d51ceaeff715ace430f9462ab2ee4e7f33e70e

      SHA256

      45726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36

      SHA512

      1745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\YashmaClient.exe.log
      Filesize

      1KB

      MD5

      b4e91d2e5f40d5e2586a86cf3bb4df24

      SHA1

      31920b3a41aa4400d4a0230a7622848789b38672

      SHA256

      5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

      SHA512

      968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\b6715278-a4b3-4767-abd4-666964c739d5.down_data
      Filesize

      555KB

      MD5

      5683c0028832cae4ef93ca39c8ac5029

      SHA1

      248755e4e1db552e0b6f8651b04ca6d1b31a86fb

      SHA256

      855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

      SHA512

      aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\DDosYashma.exe
      Filesize

      130KB

      MD5

      6a5d6de74af2307b9ddb8e7e0a05aec3

      SHA1

      a9bb545b11c8b4415359fead7a92ea848f508530

      SHA256

      4e44d16e3c4274d3a49d8562299659b7177632e484ca7ba3c0d7a95bc44d686a

      SHA512

      bffc0eed72576ac2b0d68410db02d76369bd937d9a4767cc0edd021343cf8f0a81af9813cb0038726ff61ac274f81ae4144f3717148807ba5973b7103408f8f2

      Download Submit

    • C:\Users\Admin\Desktop\MeasurePop.html
      Filesize

      1B

      MD5

      d1457b72c3fb323a2671125aef3eab5d

      SHA1

      5bab61eb53176449e25c2c82f172b82cb13ffb9d

      SHA256

      8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

      SHA512

      ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

      Download Submit

    • C:\Users\Admin\Desktop\MoveUninstall.xlsx.5eof
      Filesize

      10KB

      MD5

      7cdeca1d5185540ed99e02d3e7adbf89

      SHA1

      f8ee40c98624ed5d8a6fa87a6982a72868926b9d

      SHA256

      acb78d163563cb4578a870a48ff763a8a1207b0df4932e7e092ca34c40b4c9ba

      SHA512

      05a9bb0f29fc2258fda24283594e81417325ab4e567fb63b74a212f0e9ab1daefee8b876f4299141413822d7c7a38129c0dba0b98e8a79e6bbd61b0dbe749145

      Download Submit

    • C:\Users\Admin\Desktop\RequestRestore.potx.p7dd
      Filesize

      256KB

      MD5

      1115452cdd4401608a73ceb2f873cb46

      SHA1

      214dfb12f5b5b94618e4e44bfb809933332e38ed

      SHA256

      a47aca2230adcc69492b4e045359eafa9b72204b6fb99453e07ca54dc838e374

      SHA512

      90447bb3854ae5c33e9eb0eed63c1d604fcad9ee772acf3da28281519a8a47b74ad7410c87b0b74aedfb607a8175a3bb9a73dad09bb7d946fb2e8acb431d17a0

      Download Submit

    • C:\Users\Admin\Documents\AssertRename.vsdm
      Filesize

      972KB

      MD5

      079265a6bed967854fb29dd84ce41877

      SHA1

      9b623464f74819238c4b606700ec8f34f4c2dd5f

      SHA256

      a5a3e6f86626a0c7650e7cd055d41c78cbab8e11390c336ac4f1e1b1247c85c4

      SHA512

      a100c86000fd3fb0726b13fc19c7244232b29024846dd4335fdc9146f256288aea1e8775dced44fd3d40b0a397b0b6f7673f2667eb1603bb93f28e7647ef4921

      Download Submit

    • C:\Users\Admin\Documents\BlockUpdate.docx.dc97
      Filesize

      13KB

      MD5

      5d3ff4ef197b1c0f08ca8c4cd4de7d58

      SHA1

      57122bcd227c649153921b1088cc1eeb33d35a23

      SHA256

      99bdfd102e012f2e0ef95f84b3ec6488bde14dfdd51e359c69b968378dab6b29

      SHA512

      87d47cf31622eb067e6c42bcb9a9339b9e947c157488aa9ab9274ea88d9bd857ff9ac366578f0c35f148fb9dda29c4b1b0dc9b523c53d6b782e6371b9c112edb

      Download Submit

    • C:\Users\Admin\Documents\ConvertToCompress.docx.blho
      Filesize

      15KB

      MD5

      846dbc0860dfd047e0011693cc82f038

      SHA1

      39ea3101fd0aa7885a6b0b39fd0b8b72f7310c79

      SHA256

      f1710a26ae6c585e84c20529f38560fb6ed1f975a21753cf63995ae37bc7b3aa

      SHA512

      abc7c817cadc72c05f5646cf7249004ef8ba846bf56804ea48271957b3a187ebda897f9a5f740e525663086e80214fc2cf13846e0128be296f6420e13a3801c9

      Download Submit

    • C:\Users\Admin\Documents\DisableUse.vst
      Filesize

      563KB

      MD5

      f5c3b10dad18909d81f692d1e8da8314

      SHA1

      d2d22eb2015572de73324b36a67f144068a3bfc0

      SHA256

      d3d8bd53ab4163eba0879b4bf71f5bcb849db0b83f3303c63bef8925ee96bd8d

      SHA512

      b72ed096c82f46fa5075cf460432e9d388895163a938be7507ab55bdec029b891aa19efc2d15d2a302e1548453d09a78de939d24b67031d8cc40aaaa17d0d8c1

      Download Submit

    • C:\Users\Admin\Documents\ExportUpdate.docm.jgwe
      Filesize

      819KB

      MD5

      3effdef1799d04bf6bb69cf49a3930a0

      SHA1

      63cc088ea3b8114c2245826f0484a2f511053312

      SHA256

      ec2c6fcc08d33a259e32c92d7ad7dc9a72c9e56c95172538703a7a319f2ef138

      SHA512

      50c35149b3ecac6b98056c74c8a22602e149a3f1c41c69aaaa93dc55b7f2516b2e33d9d4a490b63abd77b5e492e76597514b5514f8b34bbafe597c5dcdb9db3f

      Download Submit

    • C:\Users\Admin\Documents\GroupInitialize.vdw
      Filesize

      1.3MB

      MD5

      b578cb5ece03623e3ca397f5fd4f6e6c

      SHA1

      d580080183d60ad523fcf222439b4b076d66316b

      SHA256

      1cc02a72bb2c75527c33498f5e89d5ee564f8fdfd821ffa326ecfe74dbfd9011

      SHA512

      fe5af737369ee60ddfe5a46c121fa441ba3473c8803e91d1f3e9ea5a6855bda527e1b5bd6c1289aac5cc5b68419096573e7f3828dbe6aaa445da279c16089aeb

      Download Submit

    • C:\Users\Admin\Documents\ImportEdit.dotm
      Filesize

      1.1MB

      MD5

      0548bfa1af5d694608412e6c18dcbfe5

      SHA1

      c6ad71d47656f33af39234d2f634302175f97c42

      SHA256

      8672cee97c84ffe3f499ca80a01385fd0b0e27658d86d34af96c2d93586d6aaf

      SHA512

      25e7ef68a00fe8707bbcac3080ada81e3ffeb360574bc8ed5bb9467c8d81f8dcc7826d7280e368b71ec3dfb681845ad1877a6afe3d29cbd0923622dd4fc814a1

      Download Submit

    • C:\Users\Admin\Documents\ImportEnable.pptx.sqbf
      Filesize

      1.1MB

      MD5

      9688c41ca67628fd1614ce2b71316331

      SHA1

      b4f9c327d4c3e1d0536aff2ba766b8626bb02475

      SHA256

      720c67f0c454d4a5fb08f69fcc81d11c8f10f64a0509be7f591d1dab6f429582

      SHA512

      b699d5907f413a4aa87542009af66eab3a28a8b0d95c1b36445873628ae4f0f4e94677a82c834e1c5368c2ccc049bead8b94d89598fbf795fa4a9e9288215ae8

      Download Submit

    • C:\Users\Admin\Documents\InitializeUpdate.doc.7nmm
      Filesize

      1.4MB

      MD5

      7c8bab5dc822131599d027f4bad95218

      SHA1

      ec0fa0ed04b5e4ebb1ae3a5691d30697b3ddb104

      SHA256

      6db65bebfeedf32ea3a7db1e593c7994a16f646215dd0f545eff56e5dade646c

      SHA512

      20d404d6dafed89e9eba87de14d58422eeff1da4681d502849fb625a2b94bba8dfaddff758523c98fb40e7dce5bff9fd38dbc4e49310f4e0062d0c3b9b5de828

      Download Submit

    • C:\Users\Admin\Documents\JoinFind.xlsx.v7gp
      Filesize

      9KB

      MD5

      a26ce481905bb8bb899ef0abe42baa4f

      SHA1

      cfad8ff008a53129006fbb956b5d74dd7617503e

      SHA256

      214cc91d5ddefaac022c67f60fa55247dc61cc1fc22517fd6060ab0c4a05794d

      SHA512

      42805c2b475a9ec38cb68905135c6a004a3dd8b1b9686e5f348572d3981d6224ed02d6ca46708a68931c5985eb0c004c56330d2d012e92317c073f07adb8c952

      Download Submit

    • C:\Users\Admin\Documents\NewInvoke.ppsx
      Filesize

      1.3MB

      MD5

      fb742ac1f3fe3b54a376672a258d0b31

      SHA1

      31218307670e73453c081194dcfdd0c9dc17f25e

      SHA256

      3cd5730d92c7707bd3517feffc9e96a6e8f859e13a636bf2c289fa15ef028f29

      SHA512

      f1524a65bce71a512a82617907b2fc18ce40c82c691faa5425fe6e7c3c4be4e92500a84cb4740d1f6f856de664065c155a0be4710d48d1bfe2378a5ae1260a47

      Download Submit

    • C:\Users\Admin\Documents\OpenResize.docx.k1y5
      Filesize

      1.4MB

      MD5

      094ceb0871029a40b3c6d3e939da0140

      SHA1

      e1b82513b02497c5787a9bff347c2d61f0a5bbe2

      SHA256

      0d037a2e96fa19670366b284ae47894fd2f85afdecfb422e03422c0255083428

      SHA512

      de36f84ce3ca6da4e82d5083d6709a519c115cf3433354eacf0468454fc6285e53355e837d9d523b1a8896d52bdd8dc27988fe5f1c23aaa269129e53c2c3ae87

      Download Submit

    • C:\Users\Admin\Documents\PushNew.vsx
      Filesize

      614KB

      MD5

      5dc2bca125d3f0f013de180315f9adaa

      SHA1

      309ba5ebd668740183d33f7582e9ca24f1079d8d

      SHA256

      405fe5d729e56852701a4a3f859a8d08fd6364be169351492630f3f81de6147b

      SHA512

      d2ba79e7c8f24a86d1a9f86a18ff17831618348718fa3c0fa05757c8b129b51cb82b6aed33e983e8777457c10ef59ec1b4241ca45735e20e3c033966c7fca278

      Download Submit

    • C:\Users\Admin\Documents\RedoReceive.vsdm
      Filesize

      1.2MB

      MD5

      56a9cb05f338073c5aaf832d8e3bed0a

      SHA1

      6f1e437a4366be6a116687a93db27558d333f172

      SHA256

      f6ee2871ced48def6b72043c31fb18b3351af07c267ff9849f9d855059867af3

      SHA512

      e451443da27c194a7bcfb26f2d4a281361411171560d5a87003ae18388519fc190556615782e321bf7b40806bf8fae17048d04ec8f5cf52a8058738a240a4ca5

      Download Submit

    • C:\Users\Admin\Documents\RequestRepair.dotx.1hwf
      Filesize

      870KB

      MD5

      0391e3bb249e0efd72c15dfc886bf9bf

      SHA1

      6fbdcf33ae6996ad714cc4d10808f9d7f318dc59

      SHA256

      a3b43181c80b203d39525891679f171b9df8006c1964707df24684e5e031f699

      SHA512

      b56d216ed08db0348a8a62b8c3552b9d16a44528ab41afb74e0ba3c694397237b575b8eecb29fa95c88b1a89589ded9ff67c014b75c1395b204dedc65e2a971c

      Download Submit

    • C:\Users\Admin\Documents\ResizeUndo.htm.grnh
      Filesize

      1.2MB

      MD5

      c8b930cd0f1f0de49d0ba6f0d7d2d9ee

      SHA1

      8d0454f434ef81df0f4c3fdfcc103a8b5e4c7636

      SHA256

      15d7474a455750247926615879569971c6d6bb8206dea3767c21fc1a5e6982c9

      SHA512

      3fba847126159a4fd9f7bc7211e31d842316c98dd693537de2b4cb6b93d940a75541b812f13c2e5d7df468ed021883e42f18ce31d512a72fdf9512d878bbcfbe

      Download Submit

    • C:\Users\Admin\Documents\desktop.ini
      Filesize

      402B

      MD5

      ecf88f261853fe08d58e2e903220da14

      SHA1

      f72807a9e081906654ae196605e681d5938a2e6c

      SHA256

      cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

      SHA512

      82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

      Download Submit

    • memory/696-0-0x00007FFBEEC83000-0x00007FFBEEC85000-memory.dmp

      Filesize

      8KB

      Download

    • memory/696-1-0x0000000000B60000-0x0000000000B86000-memory.dmp

      Filesize

      152KB

      Download

    • memory/696-2-0x00007FFBEEC80000-0x00007FFBEF742000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/696-16-0x00007FFBEEC80000-0x00007FFBEF742000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2756-17-0x00007FFBEEC80000-0x00007FFBEF742000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2756-15-0x00007FFBEEC80000-0x00007FFBEF742000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2756-1192-0x00007FFBEEC80000-0x00007FFBEF742000-memory.dmp

      Filesize

      10.8MB

      Download