Analysis Overview
SHA256
f4d054949f5c075827e9e9d1ad82231adc9f0af9e64637927e967ffddf1116cc
Threat Level: Known bad
The file Ransomware.Win32.Crypt360.zip was found to be: Known bad.
Malicious Activity Summary
Modifies extensions of user files
UPX packed file
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-31 17:35
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-31 17:35
Reported
2023-03-31 17:37
Platform
win7-20230220-en
Max time kernel
91s
Max time network
33s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\UnregisterComplete.tiff => C:\Users\Admin\Pictures\UnregisterComplete.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AddUninstall.raw => C:\Users\Admin\Pictures\AddUninstall.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\MeasureGrant.raw => C:\Users\Admin\Pictures\MeasureGrant.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RestoreExit.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnprotectClose.raw => C:\Users\Admin\Pictures\UnprotectClose.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnprotectClose.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\UnregisterComplete.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AddUninstall.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ApproveNew.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GetAssert.tif => C:\Users\Admin\Pictures\GetAssert.tif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ApproveNew.png => C:\Users\Admin\Pictures\ApproveNew.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ConfirmRead.tiff => C:\Users\Admin\Pictures\ConfirmRead.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ConfirmRead.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GetAssert.tif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\MeasureGrant.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RestoreExit.tiff => C:\Users\Admin\Pictures\RestoreExit.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\HEADER.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\TAB_OFF.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00218_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02298_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21322_.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02617_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02097_.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\button.gif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL012.XML.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15276_.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Concourse.thmx.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXC.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_center.gif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00068_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02417_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RELAY.CER.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_08.MID.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR12F.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239057.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.XML.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18203_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL078.XML.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.DPV.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD11.POC.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18250_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_decreaseindent.gif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00382_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14583_.GIF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXC.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099175.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318448.WMF.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_INIT.XSN.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!_INFO.txt
Network
Files
C:\Users\Admin\AppData\Local\Temp\1171276415\__lock_XXX__
| MD5 | 0fe574c7aaf126977323a73183012fa8 |
| SHA1 | 138fcba62dc8902129d0c3b7396d2473fff29a28 |
| SHA256 | 8e24af35368534edf3b55de27c9720493f0d308a5b0bdb65cafdaaee046e1631 |
| SHA512 | e732c977fc43fcaa63e4b2b841670af0d6559161a9f4b029d5b93a45c3a06f08370e232c9097c147d42af8e01a0cc829a7d51c6f5500d63f4a470039e2b58377 |
C:\Users\Admin\AppData\Local\Temp\Low\!_INFO.txt
| MD5 | 022853382d3ae1aa270f0b1d180576e1 |
| SHA1 | ce52abfa258f53bef2947c1706f1e7777e11b4f2 |
| SHA256 | ba2ed3168905ea029f913b63d30f38afc2813ec08c744c6f164ee01ad4e9e38d |
| SHA512 | 87801a6db330981d1172ed66cda9a16bc05729614ecc826f334bb67e82dd399bc8c7f361ce52a973d8290588cffb6a9b88948132aa9a942761bfbb8944753228 |
memory/836-334-0x00000000011F0000-0x0000000001387000-memory.dmp
memory/836-1631-0x00000000011F0000-0x0000000001387000-memory.dmp
C:\Users\Admin\Desktop\!_INFO.txt
| MD5 | 022853382d3ae1aa270f0b1d180576e1 |
| SHA1 | ce52abfa258f53bef2947c1706f1e7777e11b4f2 |
| SHA256 | ba2ed3168905ea029f913b63d30f38afc2813ec08c744c6f164ee01ad4e9e38d |
| SHA512 | 87801a6db330981d1172ed66cda9a16bc05729614ecc826f334bb67e82dd399bc8c7f361ce52a973d8290588cffb6a9b88948132aa9a942761bfbb8944753228 |
memory/836-1651-0x00000000011F0000-0x0000000001387000-memory.dmp
memory/836-1657-0x00000000011F0000-0x0000000001387000-memory.dmp
memory/836-2988-0x00000000011F0000-0x0000000001387000-memory.dmp
memory/836-5127-0x00000000011F0000-0x0000000001387000-memory.dmp
memory/836-8270-0x00000000011F0000-0x0000000001387000-memory.dmp
memory/836-10443-0x00000000011F0000-0x0000000001387000-memory.dmp
memory/836-12054-0x00000000011F0000-0x0000000001387000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-31 17:35
Reported
2023-03-31 17:38
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Pictures\SaveDeny.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\AssertUnprotect.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\CheckpointImport.tiff => C:\Users\Admin\Pictures\CheckpointImport.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\RemoveConvertFrom.tif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\ResumeGet.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\RemoveConvertFrom.tif => C:\Users\Admin\Pictures\RemoveConvertFrom.tif.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeGet.png => C:\Users\Admin\Pictures\ResumeGet.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SaveDeny.tiff => C:\Users\Admin\Pictures\SaveDeny.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\AssertUnprotect.tiff => C:\Users\Admin\Pictures\AssertUnprotect.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\CheckpointImport.tiff.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\GetComplete.raw => C:\Users\Admin\Pictures\GetComplete.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\GetComplete.raw.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e075e974dbe5337acff06c176e5fd387015fe485a357a6b4f89f9910931c63bc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Test.exe\" b169ebacc1fdf8cb1c9ed4d8f083b48dc29218ea8c94090465563c3d36c3600f" | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\ui-strings.js.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunec.jar.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ul-oob.xrm-ms.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root.xrm-ms.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\he-il\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-pl.xrm-ms.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_radio_selected_18.svg.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOCRRES.ORP.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_empty_state.svg.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\Document Parts\1033\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\ui-strings.js.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\ui-strings.js.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-tw\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\ui-strings.js.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\welcome-2x.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\!_INFO.txt | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\ui-strings.js.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\gl.pak.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\tools.jar.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.360 | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\__lock_XXX__ | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.122.125.40.in-addr.arpa | udp |
| US | 20.189.173.12:443 | | tcp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.8.8.8:53 | 133.17.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 87.248.202.1:80 | | tcp |
| US | 8.8.8.8:53 | 97.238.32.23.in-addr.arpa | udp |
Files
memory/1120-133-0x0000000000930000-0x0000000000AC7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1567250093\__lock_XXX__
| MD5 | 6269828a455f5b2e470ab7bbf18a4a71 |
| SHA1 | 1120a7b68cc3b8d4c38512f6f5b46cea1999115b |
| SHA256 | 7a2f326ca41dd6a595b9153391afca052b23ca5fa6827176d9f838f9abfd97bb |
| SHA512 | e7e595e7a583d75df2f0b2db341e1165dce0ae0eef5c86b1395faa9a8209ae84e3dcd2fb312d84fc28dd1228500df8eb8f793a3498980c19c2e4fad6d2167376 |
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\!_INFO.txt
| MD5 | 563ae203674920ff2bf1590d6fe6ab49 |
| SHA1 | 5253e10862151145c7d65989acde853e86603a79 |
| SHA256 | fe763ae57fded8f889ff08cb4f42215be9cd081e61e1f52d91b3b9c6b2883d01 |
| SHA512 | 7ef9abb94a9d45d600aecb274ea567d50321c8a9a0cabb560a0ba3636360421f0068fd70818ce7321294601a911cdc5f907e02d37b92a3cf95c71307e7e8354f |
memory/1120-1308-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-1316-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-1655-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-2619-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-3778-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-5856-0x0000000000930000-0x0000000000AC7000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | 460d7e35e626d6b4bdb5d036c62f2afb |
| SHA1 | 1a2f3ae4a09eae574aafc27afe2de171e0e5863b |
| SHA256 | c545e9c063692010ff9c02cf9d39151971e213e626701cf5fe0e38f31974e8fc |
| SHA512 | a216027ee7420c431eaae565083a9b370f261763c65ac17913860926a07d3d26d1cd1eec7c90dff1d308390d163baa5d15d287c9aa8ec402cf8075d33bf42f59 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | 916186d46d7dc1d46961379ac3701eba |
| SHA1 | 651ca7b0c1599057ef5b1356bcd5ef177f36d8fa |
| SHA256 | 27f7ba5fcb8d4fa37e1019ebc93ec57c9f6d8baac09568517fccb849c3bcc520 |
| SHA512 | 6d7e57aa19615fdc7e5bb268cc6584530ae3392269c652420620174122944aaa2888fd3279128e4fd989293d111a695e99533d8c3df3ca354d0b2d7bf1494d53 |
memory/1120-8524-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-11315-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-11576-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-13108-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-14686-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-17649-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-20410-0x0000000000930000-0x0000000000AC7000-memory.dmp
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{65949401-7B2D-4281-A148-DEA6D44CB2BC}\MicrosoftEdgeUpdateSetup_X86_1.3.173.45.exe.360
| MD5 | fca0dc08346e759d97f483db65da761d |
| SHA1 | ade9e3bcaca722f4133b4a224a56e8ae5154c6ec |
| SHA256 | b356de3e3786aca76e511a6468e3976ce608d1278decb1017e87d03d94626121 |
| SHA512 | 7b428d87664461d92285ba883ce9e550becbf6a6f3e96691553bb09b6d6527a740f9cc8b5eaf9bc0312d95e1a08b7a393c3874acbdc1ae76defc5d37a243f5b2 |
C:\$Recycle.Bin\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini
| MD5 | a526b9e7c716b3489d8cc062fbce4005 |
| SHA1 | 2df502a944ff721241be20a9e449d2acd07e0312 |
| SHA256 | e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 |
| SHA512 | d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88 |
memory/1120-22906-0x0000000000930000-0x0000000000AC7000-memory.dmp
memory/1120-26653-0x0000000000930000-0x0000000000AC7000-memory.dmp