3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8

Analysis

max time kernel
18s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
Size

30KB
MD5

184a6edc0d24ab53d1d29ffb21af8f9e
SHA1

c276a9561856bba4ace807936f81ea4d04004340
SHA256

3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8
SHA512

646c6c91c0d19d24ae6b5a14d6f536073285505e4c057e52d572911360b825088e4a23e6c1f91b329a7c87a7afb6ac2dca8fb5a5f3aeaba8b74d3529252a92c9
SSDEEP

768:K0n6bDOYmtMd8bNN2WrATHL4Aicb81uEGTh:KZOY1d8bNNpK0ANEih

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Program Files (x86)\info.hta

Ransom Note

<html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>ALL YOUR VALUABLE DATA WAS ENCRYPTED!</div> </div> <div class='bold'>due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'><[email protected]></span></div> <div class="bold">Write this ID in the title of your message:<span class='mark'>92773AA9</span></span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'><[email protected]></span></div>

class='mark'>[email protected]</span></div>

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
3560	netsh.exe
1892	netsh.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ransomware.exe	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ransomware.exe	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\info.hta	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\desktop.ini	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\PushSet.m3u	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\StopSend.wmf	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\info.hta	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado26.tlb	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadomd28.tlb	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\info.hta	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Adobe.Reader.Dependencies.manifest	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\info.hta	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\DebugSync.css	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\he-IL\ReadMe.txt	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\EnterComplete.dotx	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\RemoveLock.snd	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\info.hta	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\ReadMe.txt	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\StartConvertTo.doc	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\libcef.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tipskins.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\nl-NL\tipresx.dll.mui	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\SendRevoke.vssx	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipTsf.dll.mui	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2432	vssadmin.exe
1152	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
Token: SeBackupPrivilege	1228	vssvc.exe
Token: SeRestorePrivilege	1228	vssvc.exe
Token: SeAuditPrivilege	1228	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 3640	2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe	27
PID 2440 wrote to memory of 3640	2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe	27
PID 2440 wrote to memory of 1840	2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe	25
PID 2440 wrote to memory of 1840	2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe	25
PID 3640 wrote to memory of 2432	3640	cmd.exe	16
PID 3640 wrote to memory of 2432	3640	cmd.exe	16
PID 1840 wrote to memory of 1152	1840	cmd.exe	143
PID 1840 wrote to memory of 1152	1840	cmd.exe	143
PID 2440 wrote to memory of 1892	2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe	24
PID 2440 wrote to memory of 1892	2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe	24
PID 2440 wrote to memory of 3560	2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe	23
PID 2440 wrote to memory of 3560	2440	3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe	23

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe
"C:\Users\Admin\AppData\Local\Temp\3979075beb631bed161b65765318d2b6ee80f9505f8711b6e49f14b4a773c3b8.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SYSTEM32\netsh.exe
  "netsh.exe" Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:3560
- C:\Windows\SYSTEM32\netsh.exe
  "netsh.exe" Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:1892
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /C vssadmin Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3640

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2432

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
1⤵
- Interacts with shadow copies
PID:1152

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4528

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3412

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4208

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1580

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4340

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4224

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2820

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1152

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1832

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4396

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1444

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4896

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4280

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4228

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2308

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:548

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:224

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4500

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3444

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4928

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:940

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4712

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:288

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2960

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2408

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1896

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1656

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4640

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:684

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg

Filesize
711B

MD5
572d1ad529a3bb6be03d169b24255e64

SHA1
c1ec76f496a324c5ba2d2b367e6e1c6de10df9ea

SHA256
f8b181a3a454f6ec0320f04eca49d6a19191793da9b4bc0f2d2af5f196b82ecd

SHA512
91838c4d5a9fb270ef68996b6f1f5a87c6ee8b1e5ccb13f9da914242f320ff46bc0dd840e2602551f2570b7e5b7b1014a20ff77eac1a47c4a42fdd1fbac691dd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png

Filesize
683B

MD5
725057296d436efb5e29268867ac3e71

SHA1
8760628013d3c4f4a07f769677d4f38ae48dadab

SHA256
e3ad91c37e639d8f0b1b1dd3e08440bedf9d2450e02cb963a96c637e4e89b76f

SHA512
d3a219cdb32fe40f7e707ddf78aa8dd802ec5023c25de8cad5a5013ed621362f670e35c6a4480b94c12469866efe1fe686a3f8784c5453789fdef3681ca2c760

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png

Filesize
445B

MD5
0154f8c256a76bfc0cbd519eaca00f87

SHA1
60780e2ae1212d0069acc9da8665ea5afd9b71f5

SHA256
fbc3c385189ac206c6518bd50f7bdbfa1320a3c0a3be8ea5373ce9fe011f65a4

SHA512
948f6fa6cbd233a82d016f6cd55652996e19ade40a440aaffcc5f6517b2e0b675efff21d459ccb3b245bd92dff2d543c0988c6be762ccafc548dc5fee64b0134

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png

Filesize
611B

MD5
5168675384d20ce22d5d07ce4510edda

SHA1
80fb70e44a620510d91ec1e9295329ddaec64473

SHA256
9236444ee66cddf4af3b64e4bd428b25df9d4255a7c87b6d004a436ca2359b4d

SHA512
594bc5bc8561775cc6f8b6103c3596c73a676e53c4a323d16569ccbcdc4b22f3e6bf0f2bcb58c49402c0d0480b327a99ce5d1aee09f6fedd547dd7d50a73a8f8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png

Filesize
7KB

MD5
536b8eb054bbafd30940963498551dd7

SHA1
f705cbae551467cef6242f1bdd37d164fb702fcd

SHA256
0e654ddc6404c762c02d448533e359e2a6e8fc030025a1b2a3dabe2bd017ab3b

SHA512
dcd3c43538b52423c1dc333d4570c26dead89a0705626675892f5ac3a09a3deb2867863427e2568f3e9f39a8d4141441823752a9b5526d344c2d95ed898c2b31

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif

Filesize
7KB

MD5
171cfbd2c8d90982917f1d5937d58b35

SHA1
3fc8be2930fd5c1457f93516d89ce5dfeac9f353

SHA256
3ccfc7e69a75692af0e499fd4e77630d376ca53214fd68525aa859bbe82995d7

SHA512
09f4facb8b50a7ac3811e95c313b01be061120e20286097314d977744424165b26d28454655cc6150a8d50677b2b5be245a5989d2f3ae302ca2d17d6b5788957

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

Filesize
15KB

MD5
22b22ea69922649e3edb560387a02a6f

SHA1
c9a3e0c8e4c2280a82ddd9e6190ec6baf5e4cee6

SHA256
d7e41c839c52d4b7613821efc65ee6b531131a20417844c315ae1c9310baa47e

SHA512
166914a1974896901213b9ead8337a241b655c7fc84b3d488b58b4c9f17c556e5ccc014e8ecdd81b421a7157f487bdd267135cb1ca7dd0ad6479792e938b5f4f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png

Filesize
8KB

MD5
0a8126750f4d8aa95a644be49ed51acd

SHA1
17ebdc4bd8582d32d4493806d63cb1d9671f7993

SHA256
a39528c20e740a2cbe38b8bd84a73dc8feae7a6c7f77a636329a0497108b19a5

SHA512
884b6fbe631802b292f09cc44872d45b0f166fd5f230609f4f48ecefe13baf32ab187e2692f2ff9441eda023a00c98859a789495bef2402deddbcbbb497a8b04

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png

Filesize
17KB

MD5
449436ae45b7099c569b7efc84ab33e0

SHA1
14ed550c5e53f6023a1abd9f7b05d10581eeec0d

SHA256
480284aec838c1aaf50023c8a79f7f1b11ff083479659919f7c0894b187f2cc2

SHA512
08a5c56067b608c328fff194f31c83d10c73404e0d12a9762ac91ec15fa6a0219ff0f2caaeafbe93dc858b845e56a5a81345a16667b4ae7150f36538317341da

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js

Filesize
1KB

MD5
785f4f36597ff113fdc7ed6bacb58d24

SHA1
943378248e92f510cbef32b9fd91778fa27b1e97

SHA256
781940054ca401b7567fe838bf6506855a4688a72b0f9d2c617b15b23b03ef69

SHA512
f2fab6376042b002f278a8e3657432c0b24b63690aba43d938b73a87fb4d97a74d3cb90fd3fcf59a72993fa1736dba461cc71f9e3a2c2573b779e62991a3f7b5

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt

Filesize
32KB

MD5
1e7329b18ddef7b8e528e704060f5c5a

SHA1
1a205361ffc54a847034b3f4e15f224e40f3ed7d

SHA256
bf93d5aabaa1a7ef58f53b6e3a31771434c79838bc25c1ee702d76f027564c41

SHA512
4b23556eecad5e1ec1887acbc7aae984e5f923d84977e5589696e18b6c2e9078201c927842d6b1d61c35b7a53532c57091d4d61d62675eb31e94cb6503b7dd17

Download Submit
C:\Program Files (x86)\ReadMe.txt

Filesize
1KB

MD5
ab7aa2f504896352492a77f40a207d7a

SHA1
57ebfad83d938455d05a011ceba42073dab8e214

SHA256
f27776ea6374c783a92a568b81615a3e50e7f6e925388bcf5f6425e900162faf

SHA512
de742b3375d44104de7a777c855fa5e3131fc006fa99af7e2d350c2330044d7cc139b2db016a98d2d6b23fc020f39115abab75c5d891ea50e601c93f7495b0a4

Download Submit
C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll

Filesize
558KB

MD5
ba5177b391c42f492f5689b346955057

SHA1
11f313e07b07edb77a805cccabcab0e2c76d2686

SHA256
c614cf2eee998d4880c6b0b466f37fd05844b510f6529dd6ab29953d702d2f41

SHA512
50d1439f17f05f8f2f542eed161b3f4d8b6a0c1f140f85c0920609030bc5234c0b383a2c0d5950e8dbd2cb4978bb1cab7379d08887d08f5a11b012deea9fde62

Download Submit
C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll

Filesize
95KB

MD5
c932b449c1ba52e128d698d99c05e6a7

SHA1
3f8ed3572d2065982ad684a85de4faab844ff48a

SHA256
5621050b3a9138e5a5c060dfec940df396ffc198e7bd6675e006a4e9327da417

SHA512
09b11e1cb360514b8267a91be244a902c23dcc700eebee598e17908cc77b99f1719efa02f50e5e2f7a39ad3a48d480c7f88720d944142bd681b4e8dd23a59009

Download Submit
C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll

Filesize
36KB

MD5
a6e67c7e7efe0cb2a3d597ba037fd83b

SHA1
5d140b2dcc42cfb2734d8f8a005a29d780592cdc

SHA256
ab2afb525fbc1cc7429dc3ba46377a68ed9af3f478ccf9399280dbba087f5a6b

SHA512
f2f94a67e00791e893e32cf3744cdbc669b60510f581c6207333acb982cb05f8a4fa250bf9e9120b4de3814c97bb6dfde02c60ca431547a97e05e8d595d7e816

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif

Filesize
153B

MD5
f6644c9f9fda9698355b2a5317194f18

SHA1
91dcaf0675ed7b0e0e1108203c3d433895762113

SHA256
202924b7ddfe051da2e7b12608417d6bbf33ad7a1cf7169137a41497eb8b995b

SHA512
97a9da22537e46f16b74489b33e4fbd2815b3514539112c5b48e391bcad37cceffe3c79f61d859ee309c78370e891db52192beaf61cd708f801eae535d5a85ff

Download Submit
C:\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs

Filesize
381KB

MD5
4a35c3e6671cc4d54de4aaeec826b134

SHA1
c60c12cab76fd94fa06fa861a9a05b7555d67161

SHA256
0f68d877b80f2b28f087ad799b42347c31ea1febdaec67c71ad1337c7bbb76f2

SHA512
2b9b80afe15ef46a91b79b608583b552bbe05c8d3ceb866d955f192812bbf971d99a7cc3d434929a094b97383a83d83a5a581048cc667c88f33ffe1f00c7daec

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs

Filesize
381KB

MD5
d90b6dd17d1f74bfbd732ff0c2378388

SHA1
7cd3106aa1dfc4d16abbfd9cf879ba0f181d0542

SHA256
b575f18a90155a3a31d24d3141d9444eab4c2532919af9efd7615737feeff684

SHA512
44522cde7a68a941f234a920c920286f2fd1f9075e800be54856288850262c1b24d4e31a598747236000b5c6b1a00a1c08545b262f43f3300e76a6971157dd6d

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
8c7a42e91ce398875b5ba79f48ba0983

SHA1
dde8cbf62def9b4e6f364d6488893e0216edc62a

SHA256
697e5671a198dbeb1b060b40d2bed8a2c6b847045748ec5af8a095fd4775c1d6

SHA512
46eb4c7bcc74ce3b97617be5d8abc56f404dc906d2c14787acb0c54870a50984ebe2d56ecef89c9f6d3caa1e47af3a530681f247c24e0e7dddeae515f155fe13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT

Filesize
16B

MD5
04c5305f6ea36187237405f1bf7b5847

SHA1
476fc702b23ad08a9668cd2c5aeea49514d5301f

SHA256
014579d243eef683d26d4ccfb31882aeb7cc522ce683ffa7b34b0706d301519f

SHA512
cc2cb8892a8c53a1d8648b0872fe4c81939d587b94ca01bba1138852a385fefdce4b6a66fe14960f1ac2adeeeac020f176477cad4ddebe9cc051311b319971e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\data_2

Filesize
8KB

MD5
77aeb6a9fda5448e8596fab5c2c2ead8

SHA1
608ec0bbfbd51a4d054bc88d9736ff677eb84e2e

SHA256
ed80fb93a57ee48bb035ca29c7ec06a4b16f16e0f22129ec7c0c85145e9ee4d5

SHA512
59c423be41e7d7507b2836b78b649f12896a712a6a89479f21246ddb022d0c014cc6a335b00d9e2db4f49ea4daf9ccb4560e47b0d32c31ab1aa8817adb052878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

Filesize
8KB

MD5
a58f848f1823edc8349b65ce3487e215

SHA1
7d972937c2a99a8c6759e024437e7a88916f51eb

SHA256
011481333d5c2acb5b605d97c6c40c55f11366c5d932a58be245c8634e1d0e18

SHA512
13c38ac7ae0660748c8d4b3aaf1aca781e175d997ad864b9af5ed95b50c4328021ccccf0d7e7f1844c7056b2301258af3fc0178f11a5ea7073f9db1cff7dd912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
272ca3bc7898fb4b57f2a7297f394e82

SHA1
e4b589c21cbc22a4698cc25d2756016f1937873e

SHA256
6a82562984684db05de11d195be97f78f9e135a22793adb0ec6a02c573ccff57

SHA512
528d511c87bcb63519835b69617925cee719202e76f0ef3fd57df8009f2e71103ff77621af5769356f8f1849f091a0e2aaf2bcec7e6576093a2e01e03a3cbbfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

Filesize
8KB

MD5
e00beb78408a598fe9c269c4f3250517

SHA1
50b5610a41406d7728d92c76fcbd16e1f2c01b76

SHA256
36c9ae16be179d3a68f0200eb835f4e51e45a90c17e3d93488c327c33116016d

SHA512
972033c524e384739e56f26541c01604a9bdb2497154c21c903cafbe44ad117acf77e2ed469789542260d5c4911c9ea9219db2399d3934ad9e1a82659bd2ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index

Filesize
24B

MD5
24cf048802e3b3a33db59a47ea1c7adb

SHA1
a4b6852b7a4e17e130f715fbbf4266cea2138e4d

SHA256
bd1aad17b4d900fe36eac7f6659d83181b304ee88361543a3337a9146a04be71

SHA512
ac1ca4360ebfa93a88935545171e6a2d44fa97d1aa77d4c41c591f5a5fd6e1edb1f9c84be37b0a0ede01abfc7fa02020f4b3b9a44527562978c6cc50a2097e8f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}

Filesize
36KB

MD5
9143d3667d14acf6008b5d07aaf89d70

SHA1
e4d6924026658c19fa71d342c8304c2230a37162

SHA256
926c1b1ce6bef079f8bd12ccc7a2ec3ed881f3d48df702418dc18aa30de1b904

SHA512
c4d11c8f6337ac5c28bf16eb29c341539749ac52ccb952e7075bd0b7604b7fad03d17d1f6715edd2be471bd99fa47be5423a33df2323fa48b916a6890a888912

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc

Filesize
36KB

MD5
60bbc0ad379e64d65ee413132c730a5a

SHA1
8a373e1f5b6c50a845bb0c8eb36bc5fa63854ac4

SHA256
fd16f892849876f367af856105865b191849b4a012e7b4d9ab335a279406a3d4

SHA512
8adc2ac9a43996a6c8bb2bc3d6e5a7a668ad6287ff74001ef13cfa04353dea54dd684f47dc4e49c0a8464f9a3ce40fa4b1f017c2ac6cb4d363cec8695db3a133

Download Submit
C:\Users\Admin\AppData\Local\Temp\{38B8877F-0033-4481-8A5A-C2B6D83B0036}.png

Filesize
5KB

MD5
00e5fcfd833151f7cbde607e2f7afeb4

SHA1
55839875c0947aafebff53d22ccc5dad29fe3563

SHA256
b80192aaabe007baecd0603e3ce183e9d554b8a6b0411d20716acfa086ae3035

SHA512
f056777a1987c3becdc217bdc2d82e6aa41086d38fddaa45c42f1726b6f7b7616a10918081650e825a724464ef148b669bc258d38a62e0de8642e2607a0b0de7

Download Submit
memory/224-12088-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/288-12589-0x000002B9F9C30000-0x000002B9F9C50000-memory.dmp

Filesize
128KB

Download
memory/288-12596-0x000002B9FA000000-0x000002B9FA020000-memory.dmp

Filesize
128KB

Download
memory/288-12593-0x000002B9F9BF0000-0x000002B9F9C10000-memory.dmp

Filesize
128KB

Download
memory/760-9198-0x0000021BADAD0000-0x0000021BADAF0000-memory.dmp

Filesize
128KB

Download
memory/760-9195-0x0000021BAD3C0000-0x0000021BAD3E0000-memory.dmp

Filesize
128KB

Download
memory/760-9193-0x0000021BAD700000-0x0000021BAD720000-memory.dmp

Filesize
128KB

Download
memory/940-12273-0x0000018989470000-0x0000018989490000-memory.dmp

Filesize
128KB

Download
memory/940-12271-0x00000189894B0000-0x00000189894D0000-memory.dmp

Filesize
128KB

Download
memory/940-12276-0x0000018989890000-0x00000189898B0000-memory.dmp

Filesize
128KB

Download
memory/1152-9181-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/1580-8349-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/1656-13415-0x0000000004570000-0x0000000004571000-memory.dmp

Filesize
4KB

Download
memory/1896-13030-0x00000263211D0000-0x00000263211F0000-memory.dmp

Filesize
128KB

Download
memory/1896-13020-0x0000026320BC0000-0x0000026320BE0000-memory.dmp

Filesize
128KB

Download
memory/1896-13026-0x0000026320B80000-0x0000026320BA0000-memory.dmp

Filesize
128KB

Download
memory/2440-2-0x00007FFDCF590000-0x00007FFDD0051000-memory.dmp

Filesize
10.8MB

Download
memory/2440-4-0x000001D41FD10000-0x000001D41FD20000-memory.dmp

Filesize
64KB

Download
memory/2440-1604-0x00007FFDCF590000-0x00007FFDD0051000-memory.dmp

Filesize
10.8MB

Download
memory/2440-0-0x000001D405680000-0x000001D40568E000-memory.dmp

Filesize
56KB

Download
memory/2820-8886-0x000002C6ECD70000-0x000002C6ECD90000-memory.dmp

Filesize
128KB

Download
memory/2820-8882-0x000002C6EC7E0000-0x000002C6EC800000-memory.dmp

Filesize
128KB

Download
memory/2820-8877-0x000002C6ECA20000-0x000002C6ECA40000-memory.dmp

Filesize
128KB

Download
memory/3444-12257-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/3624-12380-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/3940-12574-0x0000000003F10000-0x0000000003F11000-memory.dmp

Filesize
4KB

Download
memory/4340-8862-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/4500-12103-0x000001696A6D0000-0x000001696A6F0000-memory.dmp

Filesize
128KB

Download
memory/4500-12105-0x000001696AD20000-0x000001696AD40000-memory.dmp

Filesize
128KB

Download
memory/4500-12100-0x000001696A710000-0x000001696A730000-memory.dmp

Filesize
128KB

Download
memory/4640-13443-0x00000202E49D0000-0x00000202E49F0000-memory.dmp

Filesize
128KB

Download
memory/4640-13448-0x00000202E4990000-0x00000202E49B0000-memory.dmp

Filesize
128KB

Download
memory/4640-13454-0x00000202E4DA0000-0x00000202E4DC0000-memory.dmp

Filesize
128KB

Download
memory/4712-12395-0x00000205C3360000-0x00000205C3380000-memory.dmp

Filesize
128KB

Download
memory/4712-12393-0x00000205C2D20000-0x00000205C2D40000-memory.dmp

Filesize
128KB

Download
memory/4712-12391-0x00000205C2D60000-0x00000205C2D80000-memory.dmp

Filesize
128KB

Download
memory/5056-13008-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download