Resubmissions

  • 06/06/2025, 14:39  250606-r1hssabj4x  10
  • 06/06/2025, 05:05  250606-fqv5kswxaw  10
  • 06/06/2025, 04:54  250606-fjmvmawwe1  10
  • 05/06/2025, 17:23  250605-vyd9csfj4z  10
  • 05/06/2025, 15:18  250605-spt74sen5t  10
  • 05/06/2025, 15:06  250605-sg43cazmv9  10
  • 05/06/2025, 15:02  250605-seepnsyyet  10
  • 02/06/2025, 10:32  250602-mkxjsayzbv  10

Analysis

  • max time kernel
    124s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/06/2025, 17:23

General

  • Target

    2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe

  • Size

    148KB

  • MD5

    cb6845218d57d663976bf1fa2a4d6ddb

  • SHA1

    0635c1f6cece23efe1df63de9cb72715c123cbaa

  • SHA256

    7855bee142c5abc5a3aa7f58a6a43cfb85df05d94fbb3a07bfe83cb73cf81281

  • SHA512

    f0eff1a4c9a338ef2dece334d19fc9ef6ab421722e901ff0200de74e6df55594bca3abc43cebd0753fee47f71143e45097e74472b6e2b8b17e2bb28525ff5ea0

  • SSDEEP

    3072:46glyuxE4GsUPnliByocWepVfB4vN2H7/yXHKR9W4cn:46gDBGpvEByocWe3fB2NO7gP4

Malware Config

Extracted

Path

C:\g0Bwcr1Ri.README.txt

Ransom Note

    ******************************************************************************************
    ************************ Your data are stolen and encrypted ****************************

    1. How to contact?
    * 1. You can use tox: https://qtox.github.io/ send message to us.
         Tox ID : 465928E63E40E772C89D47543523651AA761E5CC0599ED43C0D6E3AE1EFB9A01C14457E1F32D
    * 2. You can send email to us, Email address : [email protected]
         Suggestion : Contact us in two ways at the same time, if you haven't received a reply to your email, please check your spam folder.

    2. How to pay?
    * Contact us.

    3. What guarantees that we will not deceive you?
    * We are not a politically motivated group and we do not need anything other than your money If you pay, we will provide you the programs for decryption and we will delete your data.
    * If we do not give you decrypters or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important.
    * We attack the hundreds of companies and there is no dissatisfied victim after payment.

    4. What happens if you do not pay?
    * If you don't pay, the data will be sold on auction platform after 72 hours, data will be bought by your competitors, and we will report your company fail to protect data as a result of a data breach to the data protection authority in your country, you could face significant fines.
    * Do not hesitate for a long time, the sooner pay, the sooner your company will be safe.
    * If you pay, we will delete data immediately, we can also provide you an paid hacking services. You can pay for the services after the hacking is successful. Please trust our strength.

    5. Warning!
    * Do not DELETE or MODIFY any files, it can lead to recovery problems!
    * If you do not pay the ransom we will attack your company repeatedly again!

    *** Your DECRYPTION ID: 4DE13DAE43BC114DE0C44091FEA9A540
    ************************ Your data are stolen and encrypted **************************
    ******************************************************************************************
URLs

https://qtox.github.io/

Signatures

  • Renames multiple (738) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
  • Modifies registry class 7 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 55 IoCs
  • Suspicious use of SendNotifyMessage 48 IoCs
  • Suspicious use of SetWindowsHookEx 47 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-06-02_cb6845218d57d663976bf1fa2a4d6ddb_darkside_elex_lockbit.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:6968
    • C:\ProgramData\ACFA.tmp
      "C:\ProgramData\ACFA.tmp"
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\ACFA.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2112
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:6772
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnblockConvert.fon.g0Bwcr1Ri
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:428
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:428 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:828
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnblockConvert.fon.g0Bwcr1Ri
        3⤵
        • Modifies Internet Explorer settings
        PID:5416
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:428 CREDAT:82948 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4192
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\UnblockConvert.fon.g0Bwcr1Ri
        3⤵
        • Modifies Internet Explorer settings
        PID:5156
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:428 CREDAT:17422 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:4712
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
    PID:7028
  • C:\Windows\system32\printfilterpipelinesvc.exe
    C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
      /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{F40B738D-F6A2-4CBF-A318-E03D7902DC98}.xps" 133936178299520000
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4560
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\g0Bwcr1Ri.README.txt
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:6136
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5360
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte38b3576h3ebeh481dh82dfh86b80ecb88c2
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2724
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulte38b3576h3ebeh481dh82dfh86b80ecb88c2 --edge-skip-compat-layer-relaunch
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffbe807f208,0x7ffbe807f214,0x7ffbe807f220
        3⤵
        PID:5116
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1824,i,16139162175447492870,10226350970931436109,262144 --variations-seed-version --mojo-platform-channel-handle=276 /prefetch:3
        3⤵
        PID:4356
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2144,i,16139162175447492870,10226350970931436109,262144 --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:2
        3⤵
        PID:1356
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2628,i,16139162175447492870,10226350970931436109,262144 --variations-seed-version --mojo-platform-channel-handle=2648 /prefetch:8
        3⤵
        PID:7020
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3248,i,16139162175447492870,10226350970931436109,262144 --variations-seed-version --mojo-platform-channel-handle=3024 /prefetch:2
        3⤵
        PID:4296
  • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
    1⤵
    PID:1172
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    1⤵
    PID:3832

Network

MITRE ATT&CK Enterprise v16


Downloads
