Resubmissions

06/06/2025, 14:39

250606-r1hssabj4x 10

06/06/2025, 05:05

250606-fqv5kswxaw 10

06/06/2025, 04:54

250606-fjmvmawwe1 10

05/06/2025, 17:23

250605-vyd9csfj4z 10

05/06/2025, 15:18

250605-spt74sen5t 10

05/06/2025, 15:06

250605-sg43cazmv9 10

05/06/2025, 15:02

250605-seepnsyyet 10

02/06/2025, 10:32

250602-mkxjsayzbv 10

Analysis

  • geolocation tags

    na, new-jersey, north-america, united-states, us, usa
  • max time kernel
    120s
  • max time network
    129s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    05/06/2025, 15:02

General

  • Target

    2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe

  • Size

    148KB

  • MD5

    cb6845218d57d663976bf1fa2a4d6ddb

  • SHA1

    0635c1f6cece23efe1df63de9cb72715c123cbaa

  • SHA256

    7855bee142c5abc5a3aa7f58a6a43cfb85df05d94fbb3a07bfe83cb73cf81281

  • SHA512

    f0eff1a4c9a338ef2dece334d19fc9ef6ab421722e901ff0200de74e6df55594bca3abc43cebd0753fee47f71143e45097e74472b6e2b8b17e2bb28525ff5ea0

  • SSDEEP

    3072:46glyuxE4GsUPnliByocWepVfB4vN2H7/yXHKR9W4cn:46gDBGpvEByocWe3fB2NO7gP4

Malware Config

Extracted

Path

C:\g0Bwcr1Ri.README.txt

Ransom Note
********************************************************************************************
************************ Your data are stolen and encrypted ****************************

1. How to contact?
* 1. You can use tox: https://qtox.github.io/ send message to us. Tox ID : 465928E63E40E772C89D47543523651AA761E5CC0599ED43C0D6E3AE1EFB9A01C14457E1F32D
* 2. You can send email to us, Email address : [email protected]
Suggestion : Contact us in two ways at the same time, if you haven't received a reply to your email, please check your spam folder.

2. How to pay?
* Contact us.

3. What guarantees that we will not deceive you?
* We are not a politically motivated group and we do not need anything other than your money If you pay, we will provide you the programs for decryption and we will delete your data.
* If we do not give you decrypters or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important.
* We attack the hundreds of companies and there is no dissatisfied victim after payment.

4. What happens if you do not pay?
* If you don't pay, the data will be sold on auction platform after 72 hours, data will be bought by your competitors, and we will report your company fail to protect data as a result of a data breach to the data protection authority in your country, you could face significant fines.
* Do not hesitate for a long time, the sooner pay, the sooner your company will be safe.
* If you pay, we will delete data immediately, we can also provide you an paid hacking services. You can pay for the services after the hacking is successful. Please trust our strength.

5. Warning!
* Do not DELETE or MODIFY any files, it can lead to recovery problems!
* If you do not pay the ransom we will attack your company repeatedly again!

*** Your DECRYPTION ID: 4DE13DAE43BC114D5B433ED86968E903
************************ Your data are stolen and encrypted **************************
******************************************************************************************

URLs

https://qtox.github.io/

Signatures

  • Renames multiple (552) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:3336
    • C:\ProgramData\AD77.tmp
      "C:\ProgramData\AD77.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AD77.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5260
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:5660
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{B6FCD673-B0DE-42C7-9576-DD6FE0652F92}.xps" 133936094306870000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4672
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2208
      • C:\Windows\System32\DataExchangeHost.exe
        C:\Windows\System32\DataExchangeHost.exe -Embedding
        1⤵
          PID:664


              Downloads
