Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

26/02/2025, 16:43

250226-t8l7aawtcw (score: 10)

Analysis

  • max time kernel
    383s
  • max time network
    359s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/02/2025, 16:43

General

  • Target

    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe

  • Size

    483KB

  • MD5

    53717dc73f61b0f9551cb62d6fca2e4a

  • SHA1

    1ca9304e86632b147852767c85c57e08bdfc8855

  • SHA256

    c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028

  • SHA512

    ae6ff8377d89cd3d1686c5a6bd7bb398bb975e4e52f7db5fbb0550783d77648558f03a13a9751d0cb6ed993621b12980d54777385802dd4c014ec22ae8d33552

  • SSDEEP

    12288:WcvbX8rMmSZJ8t9ZITyDpFGIOyA4muT5WFExk8y:/zMr1SZJ8t9ZITyNzOt4dVy

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\sTKqsCQG_readme_.txt

Family

avaddon

Ransom Note

    -------=== Your network has been infected! ===-------

    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

    All your documents, photos, databases and other important files have been encrypted and have the extension: .bdeeAdEbdd
    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
    We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
    You can get more information on our page, which is located in a Tor hidden network.

    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/ |
    | 2. Install Tor browser |
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion |
    | 4. Follow the instructions on this page |
    --------------------------------------------------------------------------------

    Your ID:
    --------------------------------------------------------------------------------
    [ID elided]
    --------------------------------------------------------------------------------

    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

    sTKqsCQGItbYx3Mq1czrqVYWb

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Admin\Desktop\sTKqsCQG_readme_.txt

Family

avaddon

Ransom Note

    -------=== Your network has been infected! ===-------

    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

    All your documents, photos, databases and other important files have been encrypted and have the extension: .bdeeAdEbdd
    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
    We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
    You can get more information on our page, which is located in a Tor hidden network.

    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/ |
    | 2. Install Tor browser |
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion |
    | 4. Follow the instructions on this page |
    --------------------------------------------------------------------------------

    Your ID:
    --------------------------------------------------------------------------------
    MTgwNS10SnVObzhRV25WOG11bHVrUkx6aHMzSGtQUU5VSVcwaVR5Vmh1bWhaOXVnQ1pxci82Q25sMlFybkNFRVBsT2gxdnRhclVwekR5MWNRbEVydis4ZzJ1ZW5XN21QY2V6ZGZNai9LeU05ZFJtL21oTWxWUVJFSmJUYUVDV1FCdWlPbVNBR25HajRvN3FUNHozdWxDMW11R3JpTjZQNy95L2QraTZVWDFzUzZQbDJyWURjNEFXNjBBUXl2cjFIcTh1VUNLMnkwbGFPOU5BNFhWenl2NTg3WXYvWmh1ZFgwbjdnSC9RUzBKK1NZdmlYL0E4V0tsbTBUN2pmRHlhNTlDREJIeEZyUmpZUTI3YWlVRUFCQldFSW1pWGk2L0tVbWF4WU5BM1oxVEZlRCtiNDFHQStBbUR4ZDhKNzlqR1VLYmltbnhIT0xJamxIRGtYczdmVWlwbUZJT1RydndheHM0N0ZnTkoyZzV5ZDQ0ZzdLMUVFd08wYjlBV2kyK05yRmdUVnpOcG9wTU5Ia3dnOGFkZk9kYWRyblp5VmxRQ1dEVjBaWHZrYnpZMWFHNXd2Lyt5RWFlKy9kbkxTZkJTc1BVdnZqOHBReGJtUUt0U2tvUGU1ZlA2YVhNMkM3SnYxZFE3QkRVdmtnRU5VV1dVOGVhVkFGNW44RFNjc0hkWFBzNHIzN1BhK29nRG10N3dNYW1XK2R6NzJBTS91RThVK2REeXpSYm1VWk1mMFduZnZuQjc1Tzd3R3BCTnJ5eVFiUm44T1MrYmxqaDJ1SVk1TTNuTEwxNUNRNHhweGxxLyszVGt0d1UyZ2JtaHFUL2RxS2xWSVFVSVpsdUIyZzJSbEhVbnVlQzdDOVJaeVRySTN5OHpQWGl6enFqNktqQUdweW9KLzNpcElWRlRHVUVTOTZ1QmZpdXJYWUFld1R0a2pSb0RZQ2hzd0RxNC9RYUgxNE42VENnWlhLcE1vSW1pSWJyTGlqRGwxa05oSzlubjRXSGJTK2tDdGFRMlB6SVBrVTFVZDltM1dlZGkyQ0Mrdng5RjFOWDl5WTM3cHduZWFnYXIzNmhNelloT0F0aEoxejNSYnFWOG8xUnoyM1pDQzRwSkZidnRCV1ZrZ3hJL3ZZZzQ5T0dmWHUzOFJDNGI4RGUzSUg4UW1WOGNHZHJWakRnNEJQYnRiRE1CbGprbDYwbDhuRVgySnJVZ3RBUXNIOE1kTVVkL09HazBEREk3MzZJOHBmVzA0NkUvSWtrUzFiQ2tUMk9tSmp3NzZpOUI4ZU1JdkE5VEExcGRQMVJ2SkhVQ2RlVjVIRzlpTTMxQUNUZndmRzk2STJBRXVCVGhjaEIyY0VBYWNVUmEwczVUMFJ4ZGdsRDlEbWdpS0J3OG9zdkYvQVg1S2lYT1FYU1NDb01TU2ZJOGtNeVZIR2g3L0NmelJVRHlORncxYWJPRGhMVFhvSEtIYXY4VUhFbHc3bERLT0J6cU9LaXBKeEhnSjVEdDZJdk5pVUxUVG54NGwxSTQ1SnN3VHVaaEdqMzlOWEZxb3NaU2NkM1M3Y2tXS2s0eE1GVnJlRGh4eFJJRXZucnlwUkxqUXU3UElJcklGMmw3M0tkSXNZaU5GVElqaWNiQUFuVHM5dCsya1pWVUgwOHlBT09wb0t6TlJEcHZQQUVuNURjODRsbi95WTdUU0lsU21hT3lqdDdzYzJDcW9YUjR6Y21OdTBreTBkNnIxbDVoRXUxNmJ1ZjZoSjdZKzZGUHQ2WUlnOHI1UkhnYUpIN21VQk1pdDZDVVljYVAydFcrSm1BVEc1bU9kMkRIRGVUYUVxOXkrKzZjTWtyVC9vWm0vbEc3d1hiWnRvcGJuSU9RcU5tbnlTTGNiTW93Z1RPMm8wajRQaE5KZGh2dS9zUklCK2hpTmJhT3Q0Nmhxa0JRWXZ1WEU3b2U0QXkraW9rRUR5SXVOMHNtZlR1TUlNaitRU2hxT1I1ejBaVE8wbmJ1eW1aZHZuSTg4YU96N3VoNmVLUWFYa1BWVGV0ME4rMEs3V0ZmOVdxbndRNlRNckJ5VTNFWFM3bkxTeEFGQWVtM1ZRV2dpMHhuQnNVdzhEOWFlcW9BTnltTUIrMHNaYjAycUd3WHNmbDQxdGNZQjRQajJMTmNIb01RNjRLem9saFp6WUhIQkN5QT09
    --------------------------------------------------------------------------------

    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

    FbRCDPj48VJdpT0sD8uT1fh3xIhI

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Extracted

Path

C:\Users\Public\Pictures\Sample Pictures\sTKqsCQG_readme_.txt

Family

avaddon

Ransom Note

    -------=== Your network has been infected! ===-------

    ***************** DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED *****************

    All your documents, photos, databases and other important files have been encrypted and have the extension: .bdeeAdEbdd
    You are not able to decrypt it by yourself. But don't worry, we can help you to restore all your files!
    The only way to restore your files is to buy our special software. Only we can give you this software and only we can restore your files!
    We have also downloaded a lot of private data from your network. If you do not contact as in a 3 days we will post information about your breach on our public news website (avaddongun7rngel.onion) and after 7 days the whole downloaded info.
    You can get more information on our page, which is located in a Tor hidden network.

    How to get to our page
    --------------------------------------------------------------------------------
    | 1. Download Tor browser - https://www.torproject.org/ |
    | 2. Install Tor browser |
    | 3. Open link in Tor browser - avaddonbotrxmuyl.onion |
    | 4. Follow the instructions on this page |
    --------------------------------------------------------------------------------

    Your ID:
    --------------------------------------------------------------------------------
    [ID elided]
    --------------------------------------------------------------------------------

    * DO NOT TRY TO RECOVER FILES YOURSELF!
    * DO NOT MODIFY ENCRYPTED FILES!
    * * * OTHERWISE, YOU MAY LOSE ALL YOUR FILES FOREVER! * * *

    5

URLs

http://avaddongun7rngel.onion

http://avaddonbotrxmuyl.onion

Signatures

  • Avaddon

    Ransomware-as-a-service first released in June 2020 and currently expanding its userbase among criminal actors.

  • Avaddon family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (185) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe
    "C:\Users\Admin\AppData\Local\Temp\c14dd4a0831ea2548e1ddfd54b9704fe8ad0057924ede041c8c064b66690a028.exe"
    1⤵
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2084
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2584
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic SHADOWCOPY DELETE /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3048
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:644
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2152
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ExportExpand.ini
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2984
  • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    PID:2456
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1448
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.0.1812637439\350464105" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1108 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb588858-d20e-4f7a-a14f-07e21550f71b} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 1328 96f7358 gpu
        3⤵
        PID:1464
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.1.1327887083\1211869202" -parentBuildID 20221007134813 -prefsHandle 1524 -prefMapHandle 1516 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6019cacd-ff4d-4e4b-9d4e-89a3a5af5452} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 1536 3f31358 socket
        3⤵
        • Checks processor information in registry
        PID:2068
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.2.555724917\2137735544" -childID 1 -isForBrowser -prefsHandle 2032 -prefMapHandle 2028 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20ec9e64-76b8-4c50-b0af-6676640db48a} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 2044 9663a58 tab
        3⤵
        PID:2712
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.3.1904360990\22985687" -childID 2 -isForBrowser -prefsHandle 2780 -prefMapHandle 2776 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8a9654d-480a-4a3c-8597-8be5c9e5be96} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 2792 f62558 tab
        3⤵
        PID:2236
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.4.1680907015\1106675734" -childID 3 -isForBrowser -prefsHandle 2948 -prefMapHandle 2944 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1085a47c-2759-4732-92a3-8c4e6c0cb5bc} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 2960 1cc3ec58 tab
        3⤵
        PID:2160
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.5.6569758\374832677" -childID 4 -isForBrowser -prefsHandle 3744 -prefMapHandle 3752 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ae980f-0c5a-46d8-80ff-8dd98d7df6c6} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 3764 1e4fa458 tab
        3⤵
        PID:764
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.6.2126801721\396264429" -childID 5 -isForBrowser -prefsHandle 3876 -prefMapHandle 3880 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9037fd50-3df4-45d2-80f3-9c0e22f2fd21} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 3868 1e4fb958 tab
        3⤵
        PID:2796
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.7.1638212248\2057383142" -childID 6 -isForBrowser -prefsHandle 4052 -prefMapHandle 4056 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 772 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11757abd-372f-431c-8203-f5e1bf6c1f35} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 4044 1e4fc258 tab
        3⤵
        PID:2288
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1632
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1060
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x52c
    1⤵
    PID:940

Network

MITRE ATT&CK Enterprise v15

Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhg31lui.default-release\activity-stream.discovery_stream.json.tmp

                      Filesize

                      37KB

                      MD5

                      6d326c251ec643967688362179355f42

                      SHA1

                      54b3113773517de1126e7d13fc17a135068a7982

                      SHA256

                      1ce92c365b91c73a3340403fbf4ca4c77518bb1748223987941b62540fb536b9

                      SHA512

                      ec359c662133900d7c3938365c5fa070afaa829ecdb8a438ddc46bfe3b6ec6df35239068dc3e74e4b5565f67e226d76ce8d707dd5fa5d6310576b5c2afbba4b1

                    • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

                      Filesize

                      3KB

                      MD5

                      8ab0ea64ff6193d6da9a1604e6354d34

                      SHA1

                      f518af675bbb9c7a3bc4be310827b739d3fa8b0b

                      SHA256

                      b03567bda740abc3dd1d613fd2d5b82f0e3dbc44ae5a741d79fc0f790e26bf78

                      SHA512

                      293b4054940e48b587883ba905ed5b9559d8f516ae47a4c9631bf4dac35e5a68878e44907dbf4933765c8b0071f4bd4aeaedeb50d25e930f8cfb981582e6a22c

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\db\data.safe.bin

                      Filesize

                      2KB

                      MD5

                      a306f92c258edc75d7c56b736debfb6b

                      SHA1

                      eeff1ec31cc15d9463421961741748379524bb20

                      SHA256

                      e6fd70d782a6a58d08a25ee2b3991ca10684a88beef560d861714eb5231824ea

                      SHA512

                      1e4cf666e84f972ebdb6a8c9ceb55a8e41936665431611a8466d3d68db2e976a4000322dd4098661ba53de3c46a52146e812daa0eb589ec8fbc233b4f54fcc3d

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\4a7b0d02-d0e7-44b1-b9ca-3be5347d371c

                      Filesize

                      11KB

                      MD5

                      4e1cf12223bfd8b17416a18394f7bac3

                      SHA1

                      7eccef9f5abb25f1d978c3bd7268865e22d717d1

                      SHA256

                      210c6bb22c9f0799859dcfcbc9646e283ec661ea12ea48d2f88ed47942b99480

                      SHA512

                      d6b434eef5e43f183d053cca4bd534006c177ba05217922df4fc76f5f09ab9923de3d11ed3165aa94b9c714b7f4da53ad5ae187bc7f863258a692eed717ca3c3

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\datareporting\glean\pending_pings\856d3839-d937-4798-8a2a-3d21fb0909e6

                      Filesize

                      745B

                      MD5

                      70c161f082af8593868bc534ffd962e5

                      SHA1

                      ba9f9bbb774a8394165b336e47f8c6bfdf94fe20

                      SHA256

                      9e923260d20da359f129a01a8dea94ce7a0405b03a87c877c8041fbf4fde0031

                      SHA512

                      dcae0df01ef1d5045e26a0a316350acf19c83319a1ca3690b39464cc0d15aa74bf9903bfa2e087e3effc6ce30748fc4fcf79c0206b4b798bb815100dee42276f

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\prefs-1.js

                      Filesize

                      6KB

                      MD5

                      397651259378ba87c6e3003aa6b127b3

                      SHA1

                      21ecd80ad76fd85b679b610cf70277890f959d7b

                      SHA256

                      799720d18be0845ce6dbd1ada05be0c751c75438a292089a54d43f2c5102d8f3

                      SHA512

                      7d2d7e6f1bf9066ce66c551952973346e132744b5ce3e99f811d58c71dcd574efdf4f6c0eeabc64d1334354eb59a576228c8f7a01234dd8d8fbf4671ab0fe121

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhg31lui.default-release\sessionstore.jsonlz4

                      Filesize

                      830B

                      MD5

                      71ae2ebd53989e9418c1bd1ea8d11d25

                      SHA1

                      79231b8e5028a0ddec25442c395a3611a80fe79f

                      SHA256

                      0b5cecaf0aae4ef2d02ce9110d3bf293d6aca18efdfc7ae4e446049fa2a35037

                      SHA512

                      4ea351f38c36112ddb668e1fa299ab849dcbecae4765bed49cc7b301451c15ae3469b343dc9e0712f22acb7020ebb84adad6dc824e13b78d5b1894dea2a25c2b

                    • C:\Users\Admin\Desktop\ConfirmClose.mp4.bdeeAdEbdd

                      Filesize

                      1.2MB

                      MD5

                      33ac35ce040ca8510eb9a5e0242b6a6c

                      SHA1

                      cfda5a1fe2cdd72a5ba069d8608c047567a64cde

                      SHA256

                      93d4969109d1ee5b566b05807eabf0b9caa14a20db7d66f40dc2ab5588f66885

                      SHA512

                      2b083efc5714a17c3fc63731a3da1d2e39be93c9b78637106ea75c7ba09b0afa5d91d4168790beffdcf15b1309cd68cecb5a3e5529455d4d2525ce3c1b2925ea

                    • C:\Users\Admin\Desktop\CopyApprove.xlsx.bdeeAdEbdd

                      Filesize

                      16KB

                      MD5

                      32807025639731d5eeeb01c274eeb173

                      SHA1

                      6b44add5b246a08b8fed362295811827d4a98aab

                      SHA256

                      b36b750f63fcddb9c5e73e2db68447c0a8f154b4f5d4e293742bdc2580ec14cd

                      SHA512

                      2bf00b083b0a396377faa579c1126258c9e584ab5b4e93f4f24636d12afa01eb12011ee44b18b0adf96de07cd52db092e42dba59cf79d9f7994756004f6d8f7a

                    • C:\Users\Admin\Desktop\CopyFind.vsdx.bdeeAdEbdd

                      Filesize

                      640KB

                      MD5

                      56be571327b8f7d07a4fbb3690c4cda7

                      SHA1

                      98ddc4cc7a88f5156392ba83703129d464891b0d

                      SHA256

                      5435f0df2bba428492ae01bbf378a655f3e9f453a23949fae128b4f6199136a0

                      SHA512

                      a95b3bce553f9ca24eb22f25d0cfd68f119ab890cc3fccc66b53582d37838d8221c8a435658c4593de9f29f7fd4171dc292c3e14159c3d632327dbb209508826

                    • C:\Users\Admin\Desktop\EnableEdit.docx.bdeeAdEbdd

                      Filesize

                      24KB

                      MD5

                      487b6086b84ed0eb1fb02fca9f87e6c6

                      SHA1

                      ddf3f2d81a9f96277773115fd4a24e0e95132075

                      SHA256

                      86df16e0aca60057b2826771527a8b843e05152f0691a929d65d678231fa21c6

                      SHA512

                      130691aab2b2fdd5528eb9977d6274d5f80761b017f31cae5a223ec82b58719e5c572005a888acf8299c4e93dc2fe130b21a9ad60205299bf47a296dd8ed62ce

                    • C:\Users\Admin\Desktop\ExportExpand.ini

                      Filesize

                      463KB

                      MD5

                      cb1078a401cb7b4e5e9c14f792ac5198

                      SHA1

                      463917f950f4b2b1d3267736d4f3584b5d747d6f

                      SHA256

                      6cb830238aa3250f442fa75c9de5acfe7ff1c4aa06c07c64e669b965eb932971

                      SHA512

                      52a5c17dd20fd7f75e50172452e178bafba09bcc5434e2db9b2b53cfe4a960de5c611769097ca37cbb76bd1a1f406693167ae570362d1a82f230e2a589576d9a

                    • C:\Users\Admin\Desktop\HideShow.shtml.bdeeAdEbdd

                      Filesize

                      912KB

                      MD5

                      0fffd6c3fcebb0bd90b4f1f144be5677

                      SHA1

                      a001092ee0007ecc8b7dfc6b9479ce6efd856f58

                      SHA256

                      995a5cbef109f9398a7254c4a29aeb9f492f955ef5c9ecfae3786e76747a69fc

                      SHA512

                      101b894281f6cddb83bcbbc5a952714cf8368ece9487d228fb3f12adcd4a0af935d429d0fe1cc80985f5678b74c6d84ab0b0dcad75ecccb598a948ce1df76733

                    • C:\Users\Admin\Desktop\InstallSet.docx.bdeeAdEbdd

                      Filesize

                      24KB

                      MD5

                      720de65aadb1d8abe7fa176ae75a0470

                      SHA1

                      135e563e55b9f84633f7e86aff4b25441f6ed0f9

                      SHA256

                      366d6630af7a057775d5265d211e59c155b4819482eba607cb589e35b70ad1eb

                      SHA512

                      772a102652d8e67a981f2fb8942fb0d352f6aa22bb90100497b1cf0ea483eacbc440ffb6ec7c48496ea3ea8f70a1a803dcc34fa9ec0418d69ef1c028c12452ed

                    • C:\Users\Admin\Desktop\InstallUndo.ppsx.bdeeAdEbdd

                      Filesize

                      1.0MB

                      MD5

                      2bf7d69528824b72beddc56507f6ba21

                      SHA1

                      19d9d8121f6ca6ad0c056f25b00bd80820f55414

                      SHA256

                      ed85242153896d75330082a0b8487faf839ed6615b9c88a8a6920e07b29f1573

                      SHA512

                      340cb3ab00ba8ea2157493ba7073d9fbfb01b5df22c678e77746bd47903cfe5935339e3a64b5de5ec23f3a67776b5689b00078d0d8a2c95c846f7b6f5bf5ab25

                    • C:\Users\Admin\Desktop\JoinMount.TS.bdeeAdEbdd

                      Filesize

                      552KB

                      MD5

                      d6341d5e608cfb198297f5f2dc1756f3

                      SHA1

                      58081dc48e18fd79323ca3cf96591ab989cd790e

                      SHA256

                      788e6e7bb096f0e24dcfafb4e2c4630868f4800940b3184644626d3751966421

                      SHA512

                      ca8a46ad44f7e17ab075dc8ceaecb79778934c87d95dc886828259c1eebc52a97e3b49925971edfae62b8565044581c4bbac07b61934663d8b906bfe59d7aa47

                    • C:\Users\Admin\Desktop\MeasureSuspend.xls.bdeeAdEbdd

                      Filesize

                      952KB

                      MD5

                      b48ad3323e37633ecbd855f8c76f1e5d

                      SHA1

                      0617d00734e5aa5f3e66a28ccbf31279f091ca20

                      SHA256

                      a8e249dabe30919d67ca31ecff059f872223bf3d22e04589f4db300aaa0c0c0b

                      SHA512

                      1354fb8d44f498095e4ab516f89204488b631fda69d8ee06128ad53867b33d1bc67ea1502f840c682f51a359861a319a97a82d6c7be8d3badf05548b423eb4b3

                    • C:\Users\Admin\Desktop\MergeUninstall.edrwx.bdeeAdEbdd

                      Filesize

                      728KB

                      MD5

                      b1f123e9a9797859e6f3b0fca4899b7d

                      SHA1

                      03c9f35270987d5724b56de99f569b87d6f6b12f

                      SHA256

                      92cf49d3e46fb2224433268b05de502a9b843b373f883d37d451724e6a993db4

                      SHA512

                      1ce54df2d2950d1a7432dd168cb1d784fc9096a5997d30ee7d7b1842c14c3484c70d9d52335c5d5347dc7b657b8c60fe88c8b6fff5633bc202e0645c1543779b

                    • C:\Users\Admin\Desktop\OutPublish.ttc.bdeeAdEbdd

                      Filesize

                      824KB

                      MD5

                      1c462e8a5e28188c08de9cb86d2938fb

                      SHA1

                      88321217a39d5ea2cf819aab61e5e4959592f088

                      SHA256

                      4b933a23ef72b8baeb804227e87aac852a3da6169a162a075bbe945ea0d4bfd0

                      SHA512

                      82eb5dacae5c214db1efad5ac190f7ced35f890e14b9608a429e29003a1583fc831fd171d29052e161575c2b102f134200ced481aa924a6b7207b96b873180f3

                    • C:\Users\Admin\Desktop\OutSearch.emf.bdeeAdEbdd

                      Filesize

                      1.8MB

                      MD5

                      de0e2a966395dfde685d185aaf8c0e94

                      SHA1

                      1eea7705971053ee5361a0eeb2654231dacf1408

                      SHA256

                      106613ce0fbe07136cae1c729a9adf21f897581fd118dd24f71fddaa872c7952

                      SHA512

                      e5b740531a35f315a23e1cccd2d08446207415596fefb6547d6c92d3d89d9b4e722bcd4cdcffa75307c47542c2c0d34fa43203803d49949b3f512e2677ccd816

                    • C:\Users\Admin\Desktop\PublishOpen.xlsx.bdeeAdEbdd

                      Filesize

                      16KB

                      MD5

                      7bbecf69ce0646582db8701d637a4b9d

                      SHA1

                      7dd7ee865add80844fa95d2ff8427f1c51b69020

                      SHA256

                      80b56324780975b4c1532700351094ba1e00aa17d6edb3691a3f78a90ed721a3

                      SHA512

                      9c7708b3db9699cbfb44178bc5b85e550f1399a7d0fa7f7c2540b505646cc5b97adeb42c7236ea6a31b54e9ea5ecd21f4a62a6ec9a1a5cdcc3275182fcbfc9d1

                    • C:\Users\Admin\Desktop\RemoveApprove.csv.bdeeAdEbdd
                      Filesize: 688KB
                      MD5: d50cefdec3f59bdc8ba6966aab69aed0
                      SHA1: 45eb2c263ee75b7a8821a50bcbf8e24478f083e6
                      SHA256: 158fe7582fb940cc67418f1b8267539f9ce73c2c3548f2f363fa4742b94bb478
                      SHA512: e333274752a4593de7d8fd8246d134246f2855e55a29c0961152dd753f10e17022d77ad16877a244c6bf3e1ace7bd3614750323dfbf9b4b08613aed301195170

                    • C:\Users\Admin\Desktop\RepairImport.7z.bdeeAdEbdd
                      Filesize: 1.1MB
                      MD5: 629661b5ef7a398921f7c42958bd40ea
                      SHA1: 526a6c7bd8256cc1812dd37eed4a24880bd336fa
                      SHA256: 98b3cb96d901c8dfd41c4f462a47125723e59c44aed0e1005820cde4be469230
                      SHA512: 297af510ae99d4cbf7056f8b49040386236169d21f6dae43c1656f556fd9500961e8479583c8009933b9c6f574dd7a6957a7edd7e3e3c5cd1bdeb95a9e297db1

                    • C:\Users\Admin\Desktop\ResetRead.dot.bdeeAdEbdd
                      Filesize: 1.1MB
                      MD5: e790e6f573ad70fc8e95cb51ee75b036
                      SHA1: 87ee455d2f685716d22a6ebea7908d89318ce709
                      SHA256: 73882f4a278a89a15cc508cbc194a68049695404459a0a5ea03655aa8c245db3
                      SHA512: 611da27941ea836241addb512256a5c6382a49adf65a2c5a66249f378eb167f1c3a62fab6020933802377a41bc803ff9187e64da0fdf46d8f248c657d281212f

                    • C:\Users\Admin\Desktop\SelectOut.rle.bdeeAdEbdd
                      Filesize: 600KB
                      MD5: bed53e7a32be3163d70fc14d5e57dc9d
                      SHA1: 903bec494bd1f8022670040da5ac571689424951
                      SHA256: 418e6e6cf25e75b5ade6212fb8c32f2f40f4dfbc31b60ee1d4aadbf38f806696
                      SHA512: 0f3de7e33f23628b8bc3aba801156539bf4e4560270db914276c4df0f6e9a687dbcbf839ab98765c218548d4755c20b136eb9453689ea4796c377400c26f1d55

                    • C:\Users\Admin\Desktop\SetResolve.asp.bdeeAdEbdd
                      Filesize: 512KB
                      MD5: 7d7232d5c4deea818246082e49f1ec5a
                      SHA1: 836aa5e31c534af01a73d283da4cb6358c6c6b85
                      SHA256: 57fa8dc3a7a13a4fb11dc72827924176c95f67a6c9d3b32627e00bb06649e58f
                      SHA512: f042dfe36960a39bd00987ccfc3e4ccf5d114cb71f4f0e9fe6e3d6bfa9231191b11475477d690045b23ed3f52ac5c8466afd4ab08ecd8dcd64d67324d11425b7

                    • C:\Users\Admin\Desktop\SkipRedo.csv.bdeeAdEbdd
                      Filesize: 864KB
                      MD5: cfa75870e59cd106f524314e2740e0e0
                      SHA1: 0dd9dc14a90b14bafeed214965fb8bb2040d6b62
                      SHA256: f9372d95bbaad32e264bf0d694a82ca0f8472f84c5c6b26e06df4101c60cc6de
                      SHA512: ebe4cceb8c45c5f85c77b84fcee79ed1da859cd7f975bacd1c0f4e1580b6b385e1c5bb11add4c1d026e0c97f5fdd7ba0b91a90993a389a5bd969f86aeabf06b3

                    • C:\Users\Admin\Desktop\SubmitStep.easmx.bdeeAdEbdd
                      Filesize: 1.2MB
                      MD5: 5987eada6a8713c7cecc43e4ea3ecffb
                      SHA1: 8e98df45b9eaed65b0589415c74be49b063fc3ec
                      SHA256: 69a7e3c06d3f43d0142a91946fabc3a00c31c7e2a029b212740e6460469b4476
                      SHA512: d62e98c0fe037936608ceccf87101bd26ab4af30ec82a3bde664fa440d6597cc2ab195fc69fda509078298a8920328b240a10dfdcb97d76034614de937a31ad8

                    • C:\Users\Admin\Desktop\SwitchRename.3gpp.bdeeAdEbdd
                      Filesize: 1000KB
                      MD5: 678320505e5e405f9602cd1eb499a86e
                      SHA1: 93cd1a53baa781fc6573e6d01320752690119ea6
                      SHA256: 3585dac229d6fb3070c887283e019d4c2ca402bea5265f7d4c5f229666c7013d
                      SHA512: 96f49d7d4cd49575776a0c6d96c558bdb6f3cca244db5c5b66d592166a327728e4e8acc0265912d71de24d7537ee1d897e0ef9405498c230b6ffb4b8c041d9bc

                    • C:\Users\Admin\Desktop\SyncCopy.gif.bdeeAdEbdd
                      Filesize: 776KB
                      MD5: 0ead8a1002831527160aa1ea57a399a2
                      SHA1: 313dc48c2db23aac072b06c53990f5baac6a8eb4
                      SHA256: f92bfbbbed00c7a49c6880bf454fb5261eba423658d87702cf286aedc61d1614
                      SHA512: 0f5b5f25e9a646481eb4dadab7e0192afdd00db1c6a51180b12a6e8c8ace240d34d2fbc119308271edc38c01241ef9ac48dabc1715a7f14577f933260fb4415b

                    • C:\Users\Admin\Desktop\TraceDismount.docx.bdeeAdEbdd
                      Filesize: 24KB
                      MD5: 77a60ffbf78378a2948e578ebca6cd28
                      SHA1: 09051219b3a70e8fee1d2012ba0fbdeea91c7ddd
                      SHA256: 554d8d79487178be93e4c7d03d74c06f0dcea425fd49fb5c440429a6fa2bbaab
                      SHA512: 967a3e8a727b83aeac2a86aabf493bc6aaf85ad10511fbb02edaecc0a6ecbf89adef60c5b2b05ed01b989b6a0931c287ccb8088e3f062e1179d2bd3d73767548

                    • C:\Users\Admin\Desktop\TraceRevoke.eprtx.bdeeAdEbdd
                      Filesize: 1.3MB
                      MD5: 6dd5e3c1c87d6cd30a4b5b6e3c86ea46
                      SHA1: a73be370d02c198c7f0d5a05a22068f2b29df04f
                      SHA256: 747f474b087c3cd31eaf27fff2d33b8c24845303b6cd3c4f018af711b9fefdac
                      SHA512: c594f52092bb487a42e7083f71a5e1758aab58a498ae209c75a8572d9e504a772114b4bbe6f5d6df7effb3b121ad9fc1e1273a57b56d57f52462334f5ebfadc6

                    • C:\Users\Admin\Desktop\WaitUnlock.3g2.bdeeAdEbdd
                      Filesize: 1.1MB
                      MD5: 750ef3c77f6ca195a3b26830181ff06d
                      SHA1: f9f05db4fabe7e0a1a5ae4259634c729a4298a4c
                      SHA256: 42587246ad3529662c713c8b815b53cf4c4ebf84ddf1c843c3c9a0d0fda5f1e6
                      SHA512: c50ef9b69aaf51f43902dab73c8637281d8b6b3de5cc3e4b8faa5d57be73f8734b22078550aa558a996df2fa6595e154f6947717305de13b78888cabf2a6dd84

                    • C:\Users\Admin\Desktop\sTKqsCQG_readme_.txt
                      Filesize: 3KB
                      MD5: 4846c60a76b560ad21c8e8c7f1b7ad16
                      SHA1: c447025923196fbc6ad483c38e94a12250ffd69a
                      SHA256: 6e26845f5dafbeb23ce84681f9f8bd0ae35aea927bac267d63bd82629799bd66
                      SHA512: 6aa598ae75f208d6871250633a0d26725aecc8ea88c580a3ca86d6a7651b4b502988d6d5be8e4256398a219221e48832bbc60b4703ce3392b1687f38e89710e6

                    • C:\Users\Admin\Desktop\sTKqsCQG_readme_.txt
                      Filesize: 3KB
                      MD5: c2dd7c88747c2501fbcff15db56929b0
                      SHA1: 59cdff2db83aac8ea72f9e1eed4e4523eff307e1
                      SHA256: 432513a69208142a82ff807366bc1fd6bcaabac268c91681309c256510904707
                      SHA512: 3fd93451e56cbe01529faaa3beb66cbfd3f66a1d4d63e03c973a7ea33330f430c0fcdea62f3fc7d0108d41ff3ab4ded79e5db0bea229d51f1dace50d2c9ef9e9

                    • C:\Users\Public\Pictures\Sample Pictures\sTKqsCQG_readme_.txt
                      Filesize: 3KB
                      MD5: e266fca027accc9934a10313b42030c1
                      SHA1: 2cb44833383bc28734b11011e70660b4a42fefbb
                      SHA256: cd74245a80b54aace595868458ea319bbb4cfe106541decaf7dc36f0ae38ec71
                      SHA512: 8f094972dc08922216948dc9dfdf0d904cf3a7d237934d01de2bf2e8b40bffdb749ae5e26780a6dd97a098c80237616462251359d7dcd944c55ba7351730b68c

                    • C:\Windows\System32\LocalGroupAdminAdd.log
                      Filesize: 15B
                      MD5: e89c001fb4d9e08cc7072ce774cdb999
                      SHA1: 796d1a40d539ba1bcb187e848f74b690ec15a08e
                      SHA256: 87713e954ae3003e8746c6707de610663b566ac47a3a9c14bcf0b24f48cd0fa7
                      SHA512: 9c0056685e19ef8ee568031043a5630ef13ab6e2b934e25735b114790b1fae21eb6b00ca534f6f1353da068896ef63d76cf5b9525a8713c2f566a7519959efe4

                    • C:\Windows\System32\Local_LLU.log
                      Filesize: 50B
                      MD5: 563c3703a9b57cc9b370a76d6173d09c
                      SHA1: 8cbbca5e8a8f863299de71faf86ea8087c54b401
                      SHA256: 30c4b1b1bac993998256fdd787ecccb7bb27800a2656deaa3896acb708af17dd
                      SHA512: 04306687d032b91bd2564b82d83ed7d48bec480e449f954634c2e91f2eb3ca0c5d9714f0ecba8391bd61bf27f0e6c55e4105c39a0a6f74ac7723e14237607d8f

                    • memory/1632-750-0x000000013F1C0000-0x000000013F2B8000-memory.dmp
                      Filesize: 992KB

                    • memory/1632-753-0x000007FEF4410000-0x000007FEF54C0000-memory.dmp
                      Filesize: 16.7MB

                    • memory/1632-751-0x000007FEF73C0000-0x000007FEF73F4000-memory.dmp
                      Filesize: 208KB

                    • memory/1632-752-0x000007FEF6E60000-0x000007FEF7116000-memory.dmp
                      Filesize: 2.7MB