Resubmissions
Submitted | Analysis ID | Score
- 29-12-2022 04:20 | 221229-eyjk3scc89 | 10
- 03-12-2022 20:59 | 221203-zs4z2sec45 | 10
- 27-11-2022 10:11 | 221127-l798qahd89 | 10
- 26-11-2022 11:26 | 221126-njy7naea9t | 10
- 26-11-2022 11:26 | 221126-njvjgaea8y | 10
- 26-11-2022 11:25 | 221126-njsd4sbb98 | 10
- 26-11-2022 11:25 | 221126-njj3qsbb88 | 10
- 26-11-2022 11:22 | 221126-ng1byaea3x | 10
- 26-11-2022 11:17 | 221126-ndsgxsdg9y | 10

Analysis
- max time kernel: 492s
- max time network: 492s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 20:59
General
- Target: af95f41f73e451c4d1f5fd8acdd0c863.exe
- Size: 1.1MB
- MD5: af95f41f73e451c4d1f5fd8acdd0c863
- SHA1: 55c03b064063d15af1eb9bdb766bd90ec9b6f8c4
- SHA256: 2bf85967fb9126459be466a7ecbdbaa32bd1ec69e6cbee24a295852fff807b05
- SHA512: f50d479038f16a60b0ef4f8670d0dcbf7016c96ef12fae08bc9448fed2d61a679844815c48c2b1a65464ba71c006d9ae63c2baf47c7ee3398323ed3077a31bb3
- SSDEEP: 24576:mRBrzwX0YmJI8DRnCD4jtnT8Q1r0ly78ipwR7H:gJzdnm4lT8Q1r0pieR7H
Malware Config
Signatures
Detect Neshta payload (62 IoCs)
resource | yara_rule (every row below matched family_neshta)
- C:\Windows\svchost.com
- C:\Windows\svchost.com
- C:\odt\OFFICE~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
- C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
- C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
- C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
Modifies system executable filetype association (2 TTPs, 2 IoCs)
Processes: af95f41f73e451c4d1f5fd8acdd0c863.exe, msedge.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | af95f41f73e451c4d1f5fd8acdd0c863.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | msedge.exe
Neshta
Malware from the Neshta family injects itself into other executable files in order to spread and cause damage.
XMRig Miner payload (1 IoCs)
resource | yara_rule
- behavioral1/memory/4832-136-0x0000000000400000-0x0000000000871000-memory.dmp | xmrig
Executes dropped EXE (5 IoCs)
Processes: af95f41f73e451c4d1f5fd8acdd0c863.exe, svchost.com, svchost.com, svchost.com, msedge.exe
pid | process
- 4832 | af95f41f73e451c4d1f5fd8acdd0c863.exe
- 4232 | svchost.com
- 1532 | svchost.com
- 5104 | svchost.com
- 1852 | msedge.exe
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\3582-490\af95f41f73e451c4d1f5fd8acdd0c863.exe | upx
- C:\Users\Admin\AppData\Local\Temp\3582-490\af95f41f73e451c4d1f5fd8acdd0c863.exe | upx
- behavioral1/memory/4832-135-0x0000000000400000-0x0000000000871000-memory.dmp | upx
- behavioral1/memory/4832-136-0x0000000000400000-0x0000000000871000-memory.dmp | upx
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely used as a geofence.
Processes: af95f41f73e451c4d1f5fd8acdd0c863.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | af95f41f73e451c4d1f5fd8acdd0c863.exe
Loads dropped DLL (2 IoCs)
Processes: taskmgr.exe
pid | process
- 1400 | taskmgr.exe
- 1400 | taskmgr.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Drops file in Program Files directory (64 IoCs)
Processes: af95f41f73e451c4d1f5fd8acdd0c863.exe, msedge.exe, svchost.com, svchost.com
description | ioc | process (every row below is "File opened for modification")
- C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~4\wmpshare.exe | msedge.exe
- C:\PROGRA~2\WINDOW~4\wmlaunch.exe | msedge.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | svchost.com
- C:\PROGRA~2\INTERN~1\ieinstal.exe | msedge.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | svchost.com
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~4\wmpconfig.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | svchost.com
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~4\wmprph.exe | svchost.com
- C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe | svchost.com
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe | svchost.com
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~2\wab.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~4\wmpconfig.exe | svchost.com
- C:\PROGRA~2\WINDOW~4\wmpshare.exe | svchost.com
- C:\PROGRA~2\INTERN~1\ExtExport.exe | svchost.com
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\INTERN~1\ieinstal.exe | svchost.com
- C:\PROGRA~2\WINDOW~4\setup_wm.exe | svchost.com
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\INTERN~1\iexplore.exe | svchost.com
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~4\wmlaunch.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\INTERN~1\ExtExport.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\INTERN~1\ielowutil.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~4\wmplayer.exe | svchost.com
- C:\PROGRA~2\WINDOW~4\wmprph.exe | svchost.com
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~4\wmplayer.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~4\wmlaunch.exe | svchost.com
- C:\PROGRA~2\WINDOW~2\wabmig.exe | svchost.com
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\INTERN~1\ieinstal.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\WINDOW~2\wabmig.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\INTERN~1\ieinstal.exe | svchost.com
- C:\PROGRA~2\WINDOW~4\wmplayer.exe | svchost.com
- C:\PROGRA~2\INTERN~1\ielowutil.exe | svchost.com
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe | svchost.com
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE | af95f41f73e451c4d1f5fd8acdd0c863.exe
Drops file in Windows directory (9 IoCs)
Processes: svchost.com, svchost.com, af95f41f73e451c4d1f5fd8acdd0c863.exe, svchost.com, msedge.exe
description | ioc | process (every row below is "File opened for modification")
- C:\Windows\svchost.com | svchost.com
- C:\Windows\svchost.com | svchost.com
- C:\Windows\svchost.com | af95f41f73e451c4d1f5fd8acdd0c863.exe
- C:\Windows\svchost.com | svchost.com
- C:\Windows\directx.sys | svchost.com
- C:\Windows\svchost.com | msedge.exe
- C:\Windows\directx.sys | svchost.com
- C:\Windows\directx.sys | svchost.com
- C:\Windows\directx.sys | msedge.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe, taskmgr.exe
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: chrome.exe, chrome.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies registry class (7 IoCs)
Processes: af95f41f73e451c4d1f5fd8acdd0c863.exe, taskmgr.exe, OpenWith.exe, OpenWith.exe, OpenWith.exe, firefox.exe, msedge.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | af95f41f73e451c4d1f5fd8acdd0c863.exe
- Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | taskmgr.exe
- Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | OpenWith.exe
- Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | OpenWith.exe
- Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | OpenWith.exe
- Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | firefox.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | msedge.exe
Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE
pid | process
- 480 | NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: taskmgr.exe
pid | process
- 1400 | taskmgr.exe (64 identical rows)
Suspicious behavior: GetForegroundWindowSpam (4 IoCs)
Processes: taskmgr.exe, OpenWith.exe, OpenWith.exe, OpenWith.exe
pid | process
- 1400 | taskmgr.exe
- 4860 | OpenWith.exe
- 1348 | OpenWith.exe
- 1472 | OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes: chrome.exe, chrome.exe
pid | process
- 4696 | chrome.exe (3 rows)
- 4156 | chrome.exe (3 rows)
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes: taskmgr.exe, svchost.exe, firefox.exe
description | pid | process
- Token: SeDebugPrivilege | 1400 | taskmgr.exe
- Token: SeSystemProfilePrivilege | 1400 | taskmgr.exe
- Token: SeCreateGlobalPrivilege | 1400 | taskmgr.exe
- Token: SeBackupPrivilege | 3368 | svchost.exe
- Token: SeRestorePrivilege | 3368 | svchost.exe
- Token: SeSecurityPrivilege | 3368 | svchost.exe
- Token: SeTakeOwnershipPrivilege | 3368 | svchost.exe
- Token: 35 | 3368 | svchost.exe
- Token: SeDebugPrivilege | 4012 | firefox.exe
- Token: SeDebugPrivilege | 4012 | firefox.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: taskmgr.exe
pid | process
- 1400 | taskmgr.exe (64 identical rows)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: taskmgr.exe
pid | process
- 1400 | taskmgr.exe (64 identical rows)
Suspicious use of SetWindowsHookEx (64 IoCs)
Processes: OpenWith.exe, OpenWith.exe
pid | process (64 rows in total; identical rows collapsed)
- 4860 | OpenWith.exe (repeated)
- 1348 | OpenWith.exe (repeated)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: af95f41f73e451c4d1f5fd8acdd0c863.exe, svchost.com, svchost.com, chrome.exe
description | pid | process | target process (64 rows in total; identical rows collapsed)
- PID 668 wrote to memory of 4832 | 668 | af95f41f73e451c4d1f5fd8acdd0c863.exe | af95f41f73e451c4d1f5fd8acdd0c863.exe (3 rows)
- PID 4232 wrote to memory of 1400 | 4232 | svchost.com | taskmgr.exe (3 rows)
- PID 1532 wrote to memory of 4696 | 1532 | svchost.com | chrome.exe (2 rows)
- PID 4696 wrote to memory of 4248 | 4696 | chrome.exe | chrome.exe (2 rows)
- PID 4696 wrote to memory of 2188 | 4696 | chrome.exe | chrome.exe (repeated)
- PID 4696 wrote to memory of 1392 | 4696 | chrome.exe | chrome.exe (2 rows)
- PID 4696 wrote to memory of 64 | 4696 | chrome.exe | chrome.exe (repeated)
Processes
(Indented entries are children of the entry above them; each entry lists the image path, its command line, and the signatures it triggered.)

C:\Users\Admin\AppData\Local\Temp\af95f41f73e451c4d1f5fd8acdd0c863.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\af95f41f73e451c4d1f5fd8acdd0c863.exe"
  - Modifies system executable filetype association
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3582-490\af95f41f73e451c4d1f5fd8acdd0c863.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\af95f41f73e451c4d1f5fd8acdd0c863.exe"
    - Executes dropped EXE

C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /4
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\taskmgr.exe
    Command line: C:\Windows\system32\taskmgr.exe /4
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    Command line: C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of WriteProcessMemory
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a9834f50,0x7ff8a9834f60,0x7ff8a9834f70
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --field-trial-handle=1636,18115018393737348902,6328894427895180485,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,18115018393737348902,6328894427895180485,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1812 /prefetch:8
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,18115018393737348902,6328894427895180485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --field-trial-handle=1636,18115018393737348902,6328894427895180485,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --field-trial-handle=1636,18115018393737348902,6328894427895180485,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --field-trial-handle=1636,18115018393737348902,6328894427895180485,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,18115018393737348902,6328894427895180485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4388 /prefetch:8
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,18115018393737348902,6328894427895180485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,18115018393737348902,6328894427895180485,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\svchost.com
  Command line: "C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    Command line: C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
      Command line: C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a9234f50,0x7ff8a9234f60,0x7ff8a9234f70
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --field-trial-handle=1920,16493440604035614559,14436802467114878976,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:23⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,16493440604035614559,14436802467114878976,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1980 /prefetch:83⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,16493440604035614559,14436802467114878976,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1996 /prefetch:83⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --field-trial-handle=1920,16493440604035614559,14436802467114878976,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:13⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --field-trial-handle=1920,16493440604035614559,14436802467114878976,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:13⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --field-trial-handle=1920,16493440604035614559,14436802467114878976,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:13⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1920,16493440604035614559,14436802467114878976,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:83⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1920,16493440604035614559,14436802467114878976,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:83⤵
-
C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1920,16493440604035614559,14436802467114878976,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:83⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Google\Chrome\Application\chrome.exe2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\regedit.exe2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -url "C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.0.470630871\1912916654" -parentBuildID 20200403170909 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 1776 gpu4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.3.159633585\1508853358" -childID 1 -isForBrowser -prefsHandle 2392 -prefMapHandle 2376 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 2476 tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.13.442180156\428306635" -childID 2 -isForBrowser -prefsHandle 4288 -prefMapHandle 4280 -prefsLen 7599 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 4308 tab4⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4012.20.1913715410\766589393" -childID 3 -isForBrowser -prefsHandle 4964 -prefMapHandle 4960 -prefsLen 7599 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4012 "\\.\pipe\gecko-crash-server-pipe.4012" 4976 tab4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\vcredist2010_x64.log.html1⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads