Analysis
max time kernel: 397s
max time network: 398s
platform: windows11-21h2_x64
resource: win11-20240214-en
resource tags: arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-03-2024 00:50
Static task
static1
Behavioral task
behavioral1
Sample
JigsawRansomware.exe
Resource
win11-20240214-en
General
Target: JigsawRansomware.exe
Size: 1.5MB
MD5: 7c85ceb084b23493a6ef7fc94a25451a
SHA1: 973b492ce9420184ac1922c1cf933c5e4e400270
SHA256: 2488fac944393b2110bc68adf52434c6b1d0e85f70925f34c7728c124d63bf1d
SHA512: b27a7e8c87fc6102e67e384e166e336a971c8f850641445036e4e8c05f8d30c0a9506bfa95dbd664a7dc43b296b3ebd8c0e15351b320413e40bb9ba3a5c42956
SSDEEP: 49152:X70nS4pfVkqgy6r3a+kqXfd+/9A9TVanieKd:X7K5JEyUa+kqXf0FoVW
Malware Config
Signatures
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 3160 | 420 | OfficeC2RClient.exe | 82

Renames multiple (1474) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Executes dropped EXE 1 IoCs
pid | Process
4516 | drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | JigsawRansomware.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow | ioc
7 | pastebin.com
87 | pastebin.com
88 | pastebin.com
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\7-Zip\Lang\es.txt.kys | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintMedTile.scale-400.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-white\FeedbackHubAppList.targetsize-16.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\LargeLogo.scale-100_contrast-black.png | drpbx.exe
File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c.kys | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-96_altform-unplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.scale-125_contrast-white.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\StoreLogo.scale-150_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-200_contrast-white.png | drpbx.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg.kys | drpbx.exe
File created | C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.kys | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.kys | drpbx.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunmscapi.jar | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-80.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-32_altform-lightunplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Icons\StickyNotesLargeTile.scale-100.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-36_altform-lightunplated_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-64_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\PaintAppList.targetsize-24_altform-lightunplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Date.targetsize-64_contrast-white.png | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png.kys | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.42251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-125.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.scale-200.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppUpdate.svg | drpbx.exe
File created | C:\Program Files\7-Zip\Lang\uz.txt.kys | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateAppIcon.altform-lightunplated_targetsize-32.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-400.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-96_altform-lightunplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-60_altform-unplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\MapsSmallTile.scale-125.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-unplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-125.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchAppList.targetsize-30_altform-unplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-72_altform-lightunplated.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsAppList.targetsize-40_altform-unplated_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherSmallTile.scale-125_contrast-white.png | drpbx.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\VisualElements\LogoCanary.png.kys | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.tree.dat.kys | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-60.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailSmallTile.scale-400.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCacheMini.scale-100.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-32.png | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png.kys | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-100_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-400_contrast-white.png | drpbx.exe
File created | C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.kys | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-125.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-lightunplated_contrast-white.png | drpbx.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.kys | drpbx.exe
File opened for modification | C:\Program Files\7-Zip\Lang\fur.txt | drpbx.exe
File created | C:\Program Files\Microsoft Office\root\rsod\osm.x-none.msi.16.x-none.boot.tree.dat.kys | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GetHelpSmallTile.scale-125.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-20_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-400_contrast-white.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-125.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.113.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-24.png | drpbx.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-64_altform-unplated_contrast-white.png | drpbx.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png | drpbx.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2567984660-2719943099-2683635618-1000\{2F5B9A3D-022B-4A55-8EB8-DF2B54CE34B4} | msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process | count
1456 | msedge.exe | 2
3712 | msedge.exe | 2
4828 | identity_helper.exe | 2
4036 | msedge.exe | 2
1488 | msedge.exe | 2
880 | msedge.exe | 4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs
pid | Process | count
3712 | msedge.exe | 38

Suspicious use of FindShellTrayWindow 25 IoCs
pid | Process | count
3712 | msedge.exe | 25

Suspicious use of SendNotifyMessage 12 IoCs
pid | Process | count
3712 | msedge.exe | 12

Suspicious use of SetWindowsHookEx 12 IoCs
pid | Process | count
3160 | OfficeC2RClient.exe | 1
2664 | OpenWith.exe | 11

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count
PID 1196 wrote to memory of 4516 | 1196 | JigsawRansomware.exe | 77 | 2
PID 420 wrote to memory of 3160 | 420 | WINWORD.EXE | 85 | 2
PID 3712 wrote to memory of 3872 | 3712 | msedge.exe | 89 | 2
PID 3712 wrote to memory of 2224 | 3712 | msedge.exe | 90 | 40
PID 3712 wrote to memory of 1456 | 3712 | msedge.exe | 91 | 2
PID 3712 wrote to memory of 2320 | 3712 | msedge.exe | 92 | 16
Processes
C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe (PID 1196)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe (PID 4516)
    Command line: "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\JigsawRansomware.exe
    - Executes dropped EXE
    - Drops file in Program Files directory

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (PID 420)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\New Microsoft Word Document.docx" /o ""
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe (PID 3160)
    Command line: OfficeC2RClient.exe /error PID=420 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
    - Process spawned unexpected child process
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe (PID 2664)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3712)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3872)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8e3893cb8,0x7ff8e3893cc8,0x7ff8e3893cd8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2224)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1456)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2320)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3276)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2456)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2492)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4436)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2608)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1484)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 4828)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4736)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3884 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4036)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5304 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1812)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3820)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2376)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1488)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2668)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1448)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 988)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2340)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4544)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4456)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3296)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3704)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5160)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5228)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5300)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5368)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7672 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5376)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:12⤵PID:5516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:12⤵PID:5524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8344 /prefetch:12⤵PID:5972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:12⤵PID:5980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8644 /prefetch:12⤵PID:6140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:12⤵PID:5128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:12⤵PID:5848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8592 /prefetch:12⤵PID:5944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:12⤵PID:2276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:12⤵PID:1668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7784 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:12⤵PID:3168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8856 /prefetch:12⤵PID:5748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8792 /prefetch:12⤵PID:3956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵PID:2404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:12⤵PID:3344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8390847790452033939,6702660143942692523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:12⤵PID:4524
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3916
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:8
Downloads