Overview
overview
10Static
static
8samples (2) (4).zip
windows7-x64
1samples (2) (4).zip
windows10-2004-x64
110d1a82f3c...61.exe
windows7-x64
110d1a82f3c...61.exe
windows10-2004-x64
1133dd26c0a...f0.exe
windows7-x64
10133dd26c0a...f0.exe
windows10-2004-x64
101ab3aad04e...7d.exe
windows7-x64
61ab3aad04e...7d.exe
windows10-2004-x64
11ad4c9e3d0...7d.exe
windows7-x64
11ad4c9e3d0...7d.exe
windows10-2004-x64
127cc1f6adc...35.wsf
windows7-x64
827cc1f6adc...35.wsf
windows10-2004-x64
835b7dbc8a3...31.exe
windows7-x64
935b7dbc8a3...31.exe
windows10-2004-x64
103716dc17e9...c6.dll
windows7-x64
13716dc17e9...c6.dll
windows10-2004-x64
35e94c0f064...2e.exe
windows7-x64
65e94c0f064...2e.exe
windows10-2004-x64
770f166f51e...ad.exe
windows7-x64
170f166f51e...ad.exe
windows10-2004-x64
193dc1dee6b...1a.chm
windows7-x64
1093dc1dee6b...1a.chm
windows10-2004-x64
10a37f77fafa...58.ps1
windows7-x64
1a37f77fafa...58.ps1
windows10-2004-x64
1b875cc39a6...395.js
windows7-x64
8b875cc39a6...395.js
windows10-2004-x64
8b906da71fe...be.exe
windows7-x64
1b906da71fe...be.exe
windows10-2004-x64
1bae7ee765f...c.docm
windows7-x64
1bae7ee765f...c.docm
windows10-2004-x64
1c3fdcec878...07.exe
windows7-x64
4c3fdcec878...07.exe
windows10-2004-x64
4Analysis
-
max time kernel
157s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
01-01-2024 15:12
Behavioral task
behavioral1
Sample
samples (2) (4).zip
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
samples (2) (4).zip
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
10d1a82f3c458f2a84c28d6b01cab731904f62a1f0a07c3797aadaad05cf4a61.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
10d1a82f3c458f2a84c28d6b01cab731904f62a1f0a07c3797aadaad05cf4a61.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral5
Sample
133dd26c0a6bfbbbe309a845d6f0f382345bdb31595474eb57138ea34c4ddbf0.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
133dd26c0a6bfbbbe309a845d6f0f382345bdb31595474eb57138ea34c4ddbf0.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
1ab3aad04e0eb2c5a15d3e5a576cd3d3e6b1546852ea653cd4369da19a940e7d.exe
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
1ab3aad04e0eb2c5a15d3e5a576cd3d3e6b1546852ea653cd4369da19a940e7d.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
1ad4c9e3d0e04e7f1e32e196ea1e87ed64237485baab4cfa4b07eed44d4b347d.exe
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
1ad4c9e3d0e04e7f1e32e196ea1e87ed64237485baab4cfa4b07eed44d4b347d.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
27cc1f6adc3a24ab7dc29c38082e69b0e3993e8a88d91804f88282c240fcac35.wsf
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
27cc1f6adc3a24ab7dc29c38082e69b0e3993e8a88d91804f88282c240fcac35.wsf
Resource
win10v2004-20231215-en
Behavioral task
behavioral13
Sample
35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
3716dc17e97ffefeeec3508acb79e19beda5d030220c070f62309cafc7a3fac6.dll
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
3716dc17e97ffefeeec3508acb79e19beda5d030220c070f62309cafc7a3fac6.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
5e94c0f064264dffaee5d98e03eaf558c5945475d38162aefc022abc1c4b682e.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
70f166f51e58ef7651a6e567404c71e499d9c2b6e01fc6ae176fd290e91f3aad.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
70f166f51e58ef7651a6e567404c71e499d9c2b6e01fc6ae176fd290e91f3aad.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral21
Sample
93dc1dee6b92da2fe38858162e039eb54ce5e109286432cb3a55c06818eff61a.chm
Resource
win7-20231129-en
Behavioral task
behavioral22
Sample
93dc1dee6b92da2fe38858162e039eb54ce5e109286432cb3a55c06818eff61a.chm
Resource
win10v2004-20231215-en
Behavioral task
behavioral23
Sample
a37f77fafa3df072332dcf2b15d5d91182b3a1a430912e13320cd6148ca8f458.ps1
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
a37f77fafa3df072332dcf2b15d5d91182b3a1a430912e13320cd6148ca8f458.ps1
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
b875cc39a6933b5a96ec292403ea2fa59788658f825b7fd0b66bffc1a6b09395.js
Resource
win7-20231215-en
Behavioral task
behavioral26
Sample
b875cc39a6933b5a96ec292403ea2fa59788658f825b7fd0b66bffc1a6b09395.js
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
b906da71fe22e6e987afe2a70b14aa64cbff3b1049e7779db392b542856452be.exe
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
b906da71fe22e6e987afe2a70b14aa64cbff3b1049e7779db392b542856452be.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
bae7ee765f1ec70ca4a9a734abecca822860c67ed6b42f8bab49ab2b34808eac.docm
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
bae7ee765f1ec70ca4a9a734abecca822860c67ed6b42f8bab49ab2b34808eac.docm
Resource
win10v2004-20231215-en
Behavioral task
behavioral31
Sample
c3fdcec878ac032f4bb4c73a8ba9b08dd546e931d6f0f24bf905207501ba0b07.exe
Resource
win7-20231129-en
Behavioral task
behavioral32
Sample
c3fdcec878ac032f4bb4c73a8ba9b08dd546e931d6f0f24bf905207501ba0b07.exe
Resource
win10v2004-20231215-en
General
-
Target
35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe
-
Size
27KB
-
MD5
c07f470b64e08cbd00007511018aae5d
-
SHA1
8cc03df9554f3f2b88f9a416908aa2e35c0ef386
-
SHA256
35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31
-
SHA512
21472125818d699a7da51cb765f3364a1f8b696a4fdbb4f8c6d9572f49e3858fac84fe76d796d1488b64ecb590ad74b9db950071420815879408c6ca5e3a10f5
-
SSDEEP
768:lYIyiTHKDpYIvJbEoc59Rdh7dQV6kzZt5txJc49WQ:UimJbEj59JpQV6kzZ3Jc49Z
Malware Config
Extracted
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DECRYPT_YOUR_FILES.HTML
Signatures
-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (994) files with added filename extension
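This suggests ransomware activity: files across the system are being encrypted and renamed. In the file lists of this report the added extension appears to be `.dll` (for example `readme.txt.dll`).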
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe -
Reads user/profile data of web browsers 2 TTPs
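Infostealers often target stored browser data, which can include saved credentials. This is a generic signature: the sample is classified as ransomware in this report, so the access may instead come from file enumeration during encryption, and the report lists no IoCs here to tell the two apart.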
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceYi.txt 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Java\jre-1.8\lib\security\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\ui-strings.js.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program 
Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\Java\jre-1.8\Welcome.html 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud_retina.png.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\VideoLAN\VLC\locale\ach\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Windows Portable Devices\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Mozilla Firefox\browser\VisualElements\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created 
C:\Program Files (x86)\Windows Media Player\Network Sharing\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\7-Zip\Lang\hy.txt 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\ui-strings.js 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail.png 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook2x.png.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File 
opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\7-Zip\readme.txt.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Google\Chrome\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\56E2A4B9-1032-4F9D-AB9C-CE42FFD7B8FA\root\vfs\Windows\assembly\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\VideoLAN\VLC\plugins\demux\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files 
(x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-114x114-precomposed.png.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\ui-strings.js.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css.dll 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files\Common Files\microsoft shared\MSInfo\fr-FR\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\Microsoft Office\AppXManifest.xml 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\Microsoft Office\ThinAppXManifest.xml 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File opened for modification C:\Program Files\7-Zip\Lang\lij.txt 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Design.Resources\3.5.0.0_ja_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v9.0\9.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\Globalization\ELS\SpellDictionaries\Fluency\en-US\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Core\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Resources\3.5.0.0_ja_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC\Microsoft.StdFormat\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\PresentationUI\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created 
C:\Windows\apppatch\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.Resources\2.0.0.0_de_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\diagnostics\system\Device\en-US\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xaml\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_de_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\diagnostics\scheduled\Maintenance\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\diagnostics\system\IEBrowseWeb\ja-JP\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Drawing.Design.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.Services.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\PLA\Reports\Report.System.CPU.xml 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created 
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\dd3156eef1bb1556bc78b02b7fb822c1\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Data.SqlXml.Resources\2.0.0.0_ja_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.Resources\2.0.0.0_fr_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.Resources\2.0.0.0_ja_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Resources\2.0.0.0_es_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\caebd127a3cf1487868f8d282898dcc1\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W79a81d80#\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\diagnostics\system\Apps\it-IT\DECRYPT_YOUR_FILES.HTML 
35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Design.Resources\2.0.0.0_es_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\diagnostics\system\Keyboard\ja-JP\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\3ef04b2ab7a69aa8d90d3a62538479e4\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols.Resources\2.0.0.0_fr_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Data.Resources\2.0.0.0_fr_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Configuration.Install.Resources\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\diagnostics\system\WindowsUpdate\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b78cfccbd1eab27ca35b2ac67d102907\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Data.Services.Resources\3.5.0.0_es_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\Registration\CRMLog\DECRYPT_YOUR_FILES.HTML 
35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\mscorlib.Resources\2.0.0.0_es_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\diagnostics\system\Bluetooth\es-ES\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Design.Resources\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\f5852c82815dea15df3feb0b6a3dfec0\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\PresentationCore.Resources\3.0.0.0_ja_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Data.Services.Resources\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\83a3b8af1eee54050fa565ab6fc8e5d9\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\System\DECRYPT_YOUR_FILES.HTML 
35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Word.AddInProxy.v9.0\9.0.0.0__b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Data.Entity.Resources\3.5.0.0_de_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Transactions.Resources\2.0.0.0_es_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.DynamicData.Resources\3.5.0.0_es_31bf3856ad364e35\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Windows.Forms.Resources\2.0.0.0_es_b77a5c561934e089\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\GAC_MSIL\System.Web.Mobile.Resources\2.0.0.0_es_b03f5f7f11d50a3a\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\DECRYPT_YOUR_FILES.HTML 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2796 vssadmin.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 3240 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe Token: 4294967296 3240 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe Token: SeSystemtimePrivilege 3240 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe Token: SeBackupPrivilege 2640 vssvc.exe Token: SeRestorePrivilege 2640 vssvc.exe Token: SeAuditPrivilege 2640 vssvc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3240 wrote to memory of 2200 3240 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe 94 PID 3240 wrote to memory of 2200 3240 35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe 94 PID 2200 wrote to memory of 2796 2200 cmd.exe 96 PID 2200 wrote to memory of 2796 2200 cmd.exe 96 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe "C:\Users\Admin\AppData\Local\Temp\35b7dbc8a3f456bdafd02383b8a849a6f5fea5f541b3f0c8502e31c2370e8f31.exe" 1⤵
- Checks computer location settings
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat" 2⤵
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\system32\vssadmin.exe vssadmin delete shadows /all /quiet 3⤵
- Interacts with shadow copies
PID:2796
-
-
-
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe 1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5 5fc6de48f8daef2747843818447db979
SHA1 d8bf8b4811596f37023c73ee3c3873ba9969bfd3
SHA256 0928285b5f9fc55f8cbf6253cc6e95447d370c91b407a21507f0b75b90424fd5
SHA512 af37d73a51d48b9d07d253bc3f100a67a2724a99615ebc19fb0d55194ff183f5f2a95b9d27b2565876c0822f92ee7f4b286dd40716bf92e2a05f2f7ddac16b08
-
C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml
Filesize 15KB
MD5 58714eb7ff4b649084bb5c49d8c823c3
SHA1 fecab29d3d78a9e31c4c4d5157839441b8adb4c3
SHA256 d54fe2399fa4ba5986811d55d4474889249123f40f36d850682cf4b7c50c1cb0
SHA512 f5bc513c21f06c0b7e28b7c1ef9eebe423fda54f927c693296c0948600c427d160b553fae213f0a923e3c41eec69f3b65c0939bfa5678b3f2b5b6fe4f493b764
-
Filesize
5KB
MD5 ce6ddd725b819a43517fe7d18353dec6
SHA1 8bbbf59a7f89c6acd1fe4473175f6b5c74f2e7a4
SHA256 f64982b1e5778c2f32712c600800517ff2675428d449bb95a01fa2585c938b38
SHA512 64276330fd3d63723b21e83ecd296c04a7cac89c3d659ca85ae721fb1bbf083a25a0988655af336709ea1618ce1306fd3477490409b3de5902bbe711294bad7a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471062776609623.txt.dll
Filesize 47KB
MD5 5048b281201d68bb47f76cb69d27b1a4
SHA1 ed1bc5d37fa3b2c70aa186cc286b2ebdf064e774
SHA256 fa8fbee57263599cbf9f9171ccc60e4120a2e91f53d17d7c6347922c40b87166
SHA512 439bbb5ffbdb1b452acff09e033f24bdb629cc197b93f44a0f8f528a7a4d7125966ced8e9a884d9ccdc5ba6ecee1789bc1adceff83fe87c1dd8a79f55cf448f8
-
Filesize
35B
MD5 d41ac96c53b4fe0dfbe1b080649141c1
SHA1 b4d75213c61646b5bd48eadf723542fa9aef8b00
SHA256 325de85e48afabcc0d53d5f6d9371314d0ed6e46d91c271abceccca58cbbd238
SHA512 a65c10d4face73078643ebc99c022a19a5944cef222c27739bc94456bd7601b5f118d4f2738fbc8374b8ad86c927fa0dcca7177fc936409f3000b7b58a6c1563
-
Filesize
81KB
MD5 10961b5899f613fb654d40b9e490043c
SHA1 200c3d0996f52b5711625583b0fe30c738bb7a1e
SHA256 2f5c6bce753d7741b5b8192ca5bb25eaaac804a0b9c08402ea0ce0f58a874182
SHA512 4da495cfe13e068a66b3a8c6cdb4fac5bd2e221c3683c26e0848c679ec8fc34642819520fcc163fbeeb55407f3598b7954f945efbe7eab1387b8e7d6a09a0a9c