Malware Analysis Report

2025-08-05 17:08

Sample ID: 230331-v56l7add6x
Target: Ransomware.Win32.Crypt360.zip
SHA256: f4d054949f5c075827e9e9d1ad82231adc9f0af9e64637927e967ffddf1116cc
Tags: upx persistence ransomware spyware stealer
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V6
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files
- Analysis: behavioral2
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score: 10/10

SHA256: f4d054949f5c075827e9e9d1ad82231adc9f0af9e64637927e967ffddf1116cc

Threat Level: Known bad

The file Ransomware.Win32.Crypt360.zip was found to be: Known bad.

Malicious Activity Summary

upx persistence ransomware spyware stealer

Modifies extensions of user files

UPX packed file

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-31 17:35

Signatures

UPX packed file

upx
(Signature fired; no indicator, process or target detail was recorded.)
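Added example, not part of the sandbox report: the static signature only records that the sample is UPX packed, so this Python check reads the PE section table and the packer magic directly. It flags the two things that identify a stock UPX build, section names starting with UPX and a first section that is large in memory but has no raw data, plus the "UPX!" packer header that upx -d needs in order to unpack. Because the sample itself is not on this page, the input is a constructed PE header (headers only, no code) built by the stub function; the stub builder and the heuristic thresholds are this example's own, while the layout offsets come from the PE/COFF format.

```python
import struct

# PE/COFF layout constants (byte offsets and sizes from the PE format specification).
E_LFANEW_OFFSET = 0x3C      # dword in the DOS header: file offset of "PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
OPTIONAL_HEADER_PE32 = 0xE0


def section_table(data: bytes) -> list:
    """Walk the PE headers and return one dict per IMAGE_SECTION_HEADER."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]        # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size = struct.unpack_from(
            "<8sIII", data, table + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size})
    return sections


def upx_indicators(data: bytes) -> dict:
    """Three independent signs of UPX packing; any one of them is worth a look."""
    secs = section_table(data)
    names = [s["name"] for s in secs]
    return {
        "section_names": names,
        # stock UPX names its sections UPX0 / UPX1 (and keeps .rsrc)
        "upx_section_names": any(n.upper().startswith("UPX") for n in names),
        # UPX0 is the unpack destination: large VirtualSize, zero bytes on disk.
        # This survives renaming of the sections, which is cheap for an author to do.
        "empty_first_section": bool(secs) and secs[0]["raw_size"] == 0
                               and secs[0]["virtual_size"] > 0,
        # packer header magic that `upx -d` looks for; it can be patched out
        "upx_magic": b"UPX!" in data,
    }


def build_stub_pe(sections, tail=b""):
    """Constructed test input (this example's own): a PE32 header with no code,
    only the given (name, virtual_size, raw_size) section headers. Not runnable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, len(dos))
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPTIONAL_HEADER_PE32, 0x0102)
    opt = bytes(OPTIONAL_HEADER_PE32)   # zeroed optional header; not parsed above
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, 0x1000 * (i + 1),
                    raw_size, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, raw_size) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs + tail


# Constructed samples: a UPX-style layout, the same layout with renamed sections, and a plain build.
UPX_LIKE = build_stub_pe([("UPX0", 0x30000, 0), ("UPX1", 0x8000, 0x7800), (".rsrc", 0x1000, 0x800)],
                         tail=b"UPX!")
RENAMED = build_stub_pe([(".text", 0x30000, 0), (".data", 0x8000, 0x7800), (".rsrc", 0x1000, 0x800)])
PLAIN = build_stub_pe([(".text", 0x5000, 0x5000), (".data", 0x1000, 0x200), (".rsrc", 0x800, 0x800)])

if __name__ == "__main__":
    for label, blob in (("upx-like", UPX_LIKE), ("renamed", RENAMED), ("plain", PLAIN)):
        print(label, upx_indicators(blob))
```

Section names are trivial to rename and the UPX! marker can be patched out, which is why the raw-size heuristic is reported on its own: a file whose names look ordinary but whose first section has SizeOfRawData == 0 is still worth unpacking by hand or dumping from memory once the stub has finished.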

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-31 17:35

Reported

2023-03-31 17:37

Platform

win7-20230220-en

Max time kernel

91s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

Signatures

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\UnregisterComplete.tiff => C:\Users\Admin\Pictures\UnregisterComplete.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\AddUninstall.raw => C:\Users\Admin\Pictures\AddUninstall.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\MeasureGrant.raw => C:\Users\Admin\Pictures\MeasureGrant.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RestoreExit.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectClose.raw => C:\Users\Admin\Pictures\UnprotectClose.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnprotectClose.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\UnregisterComplete.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\AddUninstall.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ApproveNew.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\GetAssert.tif => C:\Users\Admin\Pictures\GetAssert.tif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\ApproveNew.png => C:\Users\Admin\Pictures\ApproveNew.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\ConfirmRead.tiff => C:\Users\Admin\Pictures\ConfirmRead.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ConfirmRead.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\GetAssert.tif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\MeasureGrant.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\RestoreExit.tiff => C:\Users\Admin\Pictures\RestoreExit.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
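Added example, not part of the sandbox report: a small Python parser for rows in the "Description Indicator Process Target" layout used throughout this report. It pulls out what the ransomware signature is built from: the one extension every rename appends (.360 here), which renamed files were then opened for writing under their new name, and which file names were dropped into more than one directory (the !_INFO.txt note and the __lock_XXX__ marker from the Program Files table further down). The sample rows are copied from this report's behavioral1 tables; the column-splitting rule (the Process column is a drive-letter path and the Target column contains no spaces) is an assumption about this log layout, not something the report states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the behavioral1 tables of this report (user-file
# renames and writes from the ransomware signature, note/marker drops from Program Files).
SAMPLE_FILE_EVENTS = r"""
File renamed C:\Users\Admin\Pictures\UnregisterComplete.tiff => C:\Users\Admin\Pictures\UnregisterComplete.tiff.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File renamed C:\Users\Admin\Pictures\AddUninstall.raw => C:\Users\Admin\Pictures\AddUninstall.raw.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Users\Admin\Pictures\RestoreExit.tiff.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Users\Admin\Pictures\UnregisterComplete.tiff.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File renamed C:\Users\Admin\Pictures\ApproveNew.png => C:\Users\Admin\Pictures\ApproveNew.png.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File renamed C:\Users\Admin\Pictures\RestoreExit.tiff => C:\Users\Admin\Pictures\RestoreExit.tiff.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
""".strip().splitlines()

DESCRIPTIONS = ("File renamed", "File opened for modification", "File created")
DRIVE_PATH_START = re.compile(r" [A-Za-z]:\\")


def parse_event(line):
    """Split one 'Description Indicator Process Target' row into its columns.
    Indicator and Process are both paths that may contain spaces, so the split
    anchors on the fixed description prefix, the last space-free token (Target)
    and the last ' X:\\' in between, which starts the Process path. Assumption:
    Process is always a drive-letter path and Target never contains spaces."""
    desc = next((d for d in DESCRIPTIONS if line.startswith(d + " ")), None)
    if desc is None:
        return None
    rest, _, target = line[len(desc) + 1:].rpartition(" ")
    starts = [m.start() for m in DRIVE_PATH_START.finditer(rest)]
    if not starts:
        return None
    return {"desc": desc, "indicator": rest[:starts[-1]],
            "process": rest[starts[-1] + 1:], "target": target}


def summarize(lines):
    """Pull the ransomware-relevant facts out of a list of sandbox file events."""
    events = [e for e in map(parse_event, lines) if e]
    appended = Counter()             # extension appended by a rename -> count
    renamed_to = {}                  # original path -> renamed path
    modified = set()                 # paths opened for modification
    created_dirs = defaultdict(set)  # basename of a created file -> directories it appeared in
    for e in events:
        ind = e["indicator"]
        if e["desc"] == "File renamed" and " => " in ind:
            src, dst = ind.split(" => ", 1)
            renamed_to[src] = dst
            if dst.startswith(src) and "." in dst[len(src):]:
                appended[dst[len(src):]] += 1   # name kept, one suffix tacked on
        elif e["desc"] == "File opened for modification":
            modified.add(ind)
        elif e["desc"] == "File created":
            folder, _, name = ind.rpartition("\\")
            created_dirs[name].add(folder)
    ext = appended.most_common(1)[0][0] if appended else None
    return {
        "appended_extension": ext,
        "renamed": len(renamed_to),
        # renamed files that were also opened for writing under the new name:
        # the ciphertext goes into the renamed file, not into a fresh copy beside the original
        "renamed_and_written": sorted(p for p in renamed_to.values() if p in modified),
        # the same file name dropped into several directories = ransom note or marker file
        "dropped_markers": {n: len(d) for n, d in created_dirs.items() if len(d) >= 2},
        "processes": sorted({e["process"] for e in events}),
        "hunt_glob": f"*{ext}" if ext else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FILE_EVENTS).items():
        print(f"{key}: {value}")
```

The rename/write intersection is the part worth keeping: a file that is renamed and then written under its new name is overwritten rather than copied and deleted, so there is no untouched original left for undelete tooling. The tables in this report are not time-ordered, so the script reports only the co-occurrence, not the sequence, and the hunt_glob value (*.360) is what you would sweep file shares for.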

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
(Signature fired 9 times; no indicator, process or target detail was recorded.)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
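Added example, not part of the sandbox report: a Python parser for the "Set value" rows above. It turns the NT-style \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths into HKLM / HKU keys, undoes the C-style escaping of the logged value data, splits the data into image path and argument, and flags the properties that make this entry a persistence indicator: an autostart Run key, a 64-hex value name, an image under the user's Temp directory, a 64-hex argument, a writer that registers its own image, and a write that goes through Wow6432Node (which tells you Test.exe is a 32-bit process on this 64-bit guest). The sample rows are copied from the behavioral1 persistence table; the flag names and thresholds are this example's own.

```python
import re

# Constructed sample: the four rows of the behavioral1 persistence table above.
# The "Key created" rows are kept to show that the parser skips them.
SAMPLE_REGISTRY_EVENTS = r"""
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
""".strip().splitlines()

# Row layout: Set value (<type>) <key\valuename> = "<escaped data>" <process> <target>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S+) = "(?P<data>.*)" '
    r'(?P<process>[A-Za-z]:\\.+?) (?P<target>\S+)$')
HEX64_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
AUTOSTART_KEYS = (r"\microsoft\windows\currentversion\run",
                  r"\microsoft\windows\currentversion\runonce")


def parse_set_value(line):
    """Return the registry write as a dict, or None for rows that are not Set value."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    key, _, value_name = m.group("path").rpartition("\\")
    # Sandbox logs use NT object paths; map the hive prefix to the usual short names.
    if key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        hive, key = "HKLM", key[len("\\REGISTRY\\MACHINE\\"):]
    elif key.upper().startswith("\\REGISTRY\\USER\\"):
        hive, key = "HKU", key[len("\\REGISTRY\\USER\\"):]   # key now starts with the SID
    else:
        hive = "?"
    data = re.sub(r"\\(.)", r"\1", m.group("data"))   # undo the log's C-style escaping
    if data.startswith('"'):                            # quoted image path, then arguments
        end = data.index('"', 1)
        image, args = data[1:end], data[end + 1:].strip()
    else:
        image, _, args = data.partition(" ")
    return {"hive": hive, "key": key, "value_name": value_name, "type": m.group("type"),
            "image": image, "args": args, "process": m.group("process")}


def assess(entry):
    """Flags that make a Run-key write look like malware persistence (example's own names)."""
    flags = []
    k = entry["key"].lower()
    if any(k.endswith(a) for a in AUTOSTART_KEYS):
        flags.append("autostart-run-key")
    if "\\wow6432node\\" in k:
        flags.append("wow64-redirected (32-bit writer)")
    if HEX64_RE.match(entry["value_name"]):
        flags.append("hash-like value name")
    if "\\appdata\\local\\temp\\" in entry["image"].lower():
        flags.append("image in user temp")
    if HEX64_RE.match(entry["args"]):
        flags.append("64-hex token as argument")
    if entry["image"].lower() == entry["process"].lower():
        flags.append("self-registering (writer == image)")
    return flags


def find_persistence(lines):
    results = []
    for line in lines:
        entry = parse_set_value(line)
        if entry:
            entry["flags"] = assess(entry)
            results.append(entry)
    return results


if __name__ == "__main__":
    for e in find_persistence(SAMPLE_REGISTRY_EVENTS):
        print(f'{e["hive"]}\\{e["key"]} [{e["value_name"]}] -> {e["image"]} {e["args"]}')
        print("   ", ", ".join(e["flags"]))
```

On a live host the same two locations are checked with reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run and reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run (HKU\S-1-5-21-...-1000 is the detonation user's HKCU). The report does not say what the 64-hex argument is for, so the script only records it rather than labelling it a key or a victim ID.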

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\HEADER.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00218_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02298_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21322_.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02097_.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL012.XML.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Concourse.thmx.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_center.gif.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00068_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02417_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RELAY.CER.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR12F.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239057.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.XML.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18203_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL078.XML.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.DPV.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD11.POC.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18250_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00382_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXC.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_INIT.XSN.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!_INFO.txt

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\1171276415\__lock_XXX__

MD5 0fe574c7aaf126977323a73183012fa8
SHA1 138fcba62dc8902129d0c3b7396d2473fff29a28
SHA256 8e24af35368534edf3b55de27c9720493f0d308a5b0bdb65cafdaaee046e1631
SHA512 e732c977fc43fcaa63e4b2b841670af0d6559161a9f4b029d5b93a45c3a06f08370e232c9097c147d42af8e01a0cc829a7d51c6f5500d63f4a470039e2b58377

C:\Users\Admin\AppData\Local\Temp\Low\!_INFO.txt

MD5 022853382d3ae1aa270f0b1d180576e1
SHA1 ce52abfa258f53bef2947c1706f1e7777e11b4f2
SHA256 ba2ed3168905ea029f913b63d30f38afc2813ec08c744c6f164ee01ad4e9e38d
SHA512 87801a6db330981d1172ed66cda9a16bc05729614ecc826f334bb67e82dd399bc8c7f361ce52a973d8290588cffb6a9b88948132aa9a942761bfbb8944753228

memory/836-334-0x00000000011F0000-0x0000000001387000-memory.dmp

memory/836-1631-0x00000000011F0000-0x0000000001387000-memory.dmp

C:\Users\Admin\Desktop\!_INFO.txt

MD5 022853382d3ae1aa270f0b1d180576e1
SHA1 ce52abfa258f53bef2947c1706f1e7777e11b4f2
SHA256 ba2ed3168905ea029f913b63d30f38afc2813ec08c744c6f164ee01ad4e9e38d
SHA512 87801a6db330981d1172ed66cda9a16bc05729614ecc826f334bb67e82dd399bc8c7f361ce52a973d8290588cffb6a9b88948132aa9a942761bfbb8944753228

memory/836-1651-0x00000000011F0000-0x0000000001387000-memory.dmp

memory/836-1657-0x00000000011F0000-0x0000000001387000-memory.dmp

memory/836-2988-0x00000000011F0000-0x0000000001387000-memory.dmp

memory/836-5127-0x00000000011F0000-0x0000000001387000-memory.dmp

memory/836-8270-0x00000000011F0000-0x0000000001387000-memory.dmp

memory/836-10443-0x00000000011F0000-0x0000000001387000-memory.dmp

memory/836-12054-0x00000000011F0000-0x0000000001387000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-31 17:35

Reported

2023-03-31 17:38

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

Signatures

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\SaveDeny.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\AssertUnprotect.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\CheckpointImport.tiff => C:\Users\Admin\Pictures\CheckpointImport.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\RemoveConvertFrom.tif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\ResumeGet.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\RemoveConvertFrom.tif => C:\Users\Admin\Pictures\RemoveConvertFrom.tif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\ResumeGet.png => C:\Users\Admin\Pictures\ResumeGet.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\SaveDeny.tiff => C:\Users\Admin\Pictures\SaveDeny.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\AssertUnprotect.tiff => C:\Users\Admin\Pictures\AssertUnprotect.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\CheckpointImport.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File renamed | C:\Users\Admin\Pictures\GetComplete.raw => C:\Users\Admin\Pictures\GetComplete.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\GetComplete.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
(Signature fired 16 times; no indicator, process or target detail was recorded.)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunec.jar.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\he-il\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_selected_18.svg.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOCRRES.ORP.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_empty_state.svg.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\ui-strings.js.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\ui-strings.js.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\welcome-2x.png.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\!_INFO.txt C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\gl.pak.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\tools.jar.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.360 C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\__lock_XXX__ C:\Users\Admin\AppData\Local\Temp\Test.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 20.189.173.12:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 133.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 97.238.32.23.in-addr.arpa udp

Files

memory/1120-133-0x0000000000930000-0x0000000000AC7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1567250093\__lock_XXX__

MD5 6269828a455f5b2e470ab7bbf18a4a71
SHA1 1120a7b68cc3b8d4c38512f6f5b46cea1999115b
SHA256 7a2f326ca41dd6a595b9153391afca052b23ca5fa6827176d9f838f9abfd97bb
SHA512 e7e595e7a583d75df2f0b2db341e1165dce0ae0eef5c86b1395faa9a8209ae84e3dcd2fb312d84fc28dd1228500df8eb8f793a3498980c19c2e4fad6d2167376

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\!_INFO.txt

MD5 563ae203674920ff2bf1590d6fe6ab49
SHA1 5253e10862151145c7d65989acde853e86603a79
SHA256 fe763ae57fded8f889ff08cb4f42215be9cd081e61e1f52d91b3b9c6b2883d01
SHA512 7ef9abb94a9d45d600aecb274ea567d50321c8a9a0cabb560a0ba3636360421f0068fd70818ce7321294601a911cdc5f907e02d37b92a3cf95c71307e7e8354f

memory/1120-1308-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-1316-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-1655-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-2619-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-3778-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-5856-0x0000000000930000-0x0000000000AC7000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 460d7e35e626d6b4bdb5d036c62f2afb
SHA1 1a2f3ae4a09eae574aafc27afe2de171e0e5863b
SHA256 c545e9c063692010ff9c02cf9d39151971e213e626701cf5fe0e38f31974e8fc
SHA512 a216027ee7420c431eaae565083a9b370f261763c65ac17913860926a07d3d26d1cd1eec7c90dff1d308390d163baa5d15d287c9aa8ec402cf8075d33bf42f59

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 916186d46d7dc1d46961379ac3701eba
SHA1 651ca7b0c1599057ef5b1356bcd5ef177f36d8fa
SHA256 27f7ba5fcb8d4fa37e1019ebc93ec57c9f6d8baac09568517fccb849c3bcc520
SHA512 6d7e57aa19615fdc7e5bb268cc6584530ae3392269c652420620174122944aaa2888fd3279128e4fd989293d111a695e99533d8c3df3ca354d0b2d7bf1494d53

memory/1120-8524-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-11315-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-11576-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-13108-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-14686-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-17649-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-20410-0x0000000000930000-0x0000000000AC7000-memory.dmp

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{65949401-7B2D-4281-A148-DEA6D44CB2BC}\MicrosoftEdgeUpdateSetup_X86_1.3.173.45.exe.360

MD5 fca0dc08346e759d97f483db65da761d
SHA1 ade9e3bcaca722f4133b4a224a56e8ae5154c6ec
SHA256 b356de3e3786aca76e511a6468e3976ce608d1278decb1017e87d03d94626121
SHA512 7b428d87664461d92285ba883ce9e550becbf6a6f3e96691553bb09b6d6527a740f9cc8b5eaf9bc0312d95e1a08b7a393c3874acbdc1ae76defc5d37a243f5b2

C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

memory/1120-22906-0x0000000000930000-0x0000000000AC7000-memory.dmp

memory/1120-26653-0x0000000000930000-0x0000000000AC7000-memory.dmp