Analysis
max time kernel: 150s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 02:30
Static task static1
Behavioral task behavioral1: sample 31318ee80570c7168708575f032ac63f.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 31318ee80570c7168708575f032ac63f.exe, resource win10v2004-20240426-en
Behavioral task behavioral3: sample $PLUGINSDIR/InstallOptions.dll, resource win7-20240221-en
Behavioral task behavioral4: sample $PLUGINSDIR/InstallOptions.dll, resource win10v2004-20240426-en
Behavioral task behavioral5: sample $PLUGINSDIR/System.dll, resource win7-20240215-en
Behavioral task behavioral6: sample $PLUGINSDIR/System.dll, resource win10v2004-20240426-en
Behavioral task behavioral7: sample 403-3.htm, resource win7-20240419-en
Behavioral task behavioral8: sample 403-3.htm, resource win10v2004-20240508-en
Behavioral task behavioral9: sample HelpButton.dll, resource win7-20240221-en
Behavioral task behavioral10: sample HelpButton.dll, resource win10v2004-20240426-en
General
Target: 31318ee80570c7168708575f032ac63f.exe
Size: 257KB
MD5: 31318ee80570c7168708575f032ac63f
SHA1: 82a8589abd62b469c4ec3c454434a75a63f8b2c6
SHA256: 849b68c42ca9935f63aea47b02a730b64d0dcb9897e589fee3f64175bc592d84
SHA512: bd0e851945ad1b2fd726976e5f03f4fad934f598cb8d936c59922afeb8e2cb575dc1a20a008bede70db26f4d6a91eb73d822539c59da7f5975e4244bc65440bc
SSDEEP: 6144:ewHysO+dCW3EWXJ44UMa6ZhZoXtMQJCIEFTcdGwJ:VO+EW3TXiNMlSXOQJpAcIwJ
Malware Config
Extracted from C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.txt:
- http://52uo5k3t73ypjije.7156et.bid/4DF7-C78A-9545-005C-9889
- http://52uo5k3t73ypjije.8kcfnk.bid/4DF7-C78A-9545-005C-9889
- http://52uo5k3t73ypjije.csv7o6.bid/4DF7-C78A-9545-005C-9889
- http://52uo5k3t73ypjije.jal9lk.bid/4DF7-C78A-9545-005C-9889
- http://52uo5k3t73ypjije.onion.to/4DF7-C78A-9545-005C-9889
- http://52uo5k3t73ypjije.onion/4DF7-C78A-9545-005C-9889
Extracted from C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.html
Signatures

Cerber (2 IoCs)
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
Processes: 31318ee80570c7168708575f032ac63f.exe, DevicePairingWizard.exe
description | ioc | process
Mutant opened | shell.{066898BA-A6D1-3334-198C-AA4C4AD6713B} | 31318ee80570c7168708575f032ac63f.exe
Mutant created | shell.{066898BA-A6D1-3334-198C-AA4C4AD6713B} | DevicePairingWizard.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, DevicePairingWizard.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 31318ee80570c7168708575f032ac63f.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | DevicePairingWizard.exe

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes: bcdedit.exe, bcdedit.exe
pid | process
4512 | bcdedit.exe
2160 | bcdedit.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, DevicePairingWizard.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\DevicePairingWizard.exe\"" | 31318ee80570c7168708575f032ac63f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\DevicePairingWizard.exe\"" | DevicePairingWizard.exe

Contacts a large (532) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: DevicePairingWizard.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | DevicePairingWizard.exe

Drops startup file (2 IoCs)
Processes: DevicePairingWizard.exe, 31318ee80570c7168708575f032ac63f.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\DevicePairingWizard.lnk | DevicePairingWizard.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\DevicePairingWizard.lnk | 31318ee80570c7168708575f032ac63f.exe

Executes dropped EXE (2 IoCs)
Processes: DevicePairingWizard.exe, DevicePairingWizard.exe
pid | process
5080 | DevicePairingWizard.exe
720 | DevicePairingWizard.exe

Loads dropped DLL (6 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, DevicePairingWizard.exe
pid | process
4584 | 31318ee80570c7168708575f032ac63f.exe
4584 | 31318ee80570c7168708575f032ac63f.exe
4584 | 31318ee80570c7168708575f032ac63f.exe
5080 | DevicePairingWizard.exe
5080 | DevicePairingWizard.exe
5080 | DevicePairingWizard.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, DevicePairingWizard.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DevicePairingWizard = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\DevicePairingWizard.exe\"" | 31318ee80570c7168708575f032ac63f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DevicePairingWizard = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\DevicePairingWizard.exe\"" | DevicePairingWizard.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\DevicePairingWizard = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\DevicePairingWizard.exe\"" | DevicePairingWizard.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DevicePairingWizard = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\DevicePairingWizard.exe\"" | 31318ee80570c7168708575f032ac63f.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
20 | ip-api.com
1057 | ip-api.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: DevicePairingWizard.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpD28D.bmp" | DevicePairingWizard.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, DevicePairingWizard.exe
description | pid | process | target process
PID 4584 set thread context of 540 | 4584 | 31318ee80570c7168708575f032ac63f.exe | 31318ee80570c7168708575f032ac63f.exe
PID 5080 set thread context of 720 | 5080 | DevicePairingWizard.exe | DevicePairingWizard.exe

Drops file in Program Files directory (16 IoCs)
Processes: DevicePairingWizard.exe
description | ioc | process
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\DESIGNER.ONE | DevicePairingWizard.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE | DevicePairingWizard.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml | DevicePairingWizard.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote.ini | DevicePairingWizard.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.html | DevicePairingWizard.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.txt | DevicePairingWizard.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.vbs | DevicePairingWizard.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.url | DevicePairingWizard.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-manifest.ini | DevicePairingWizard.exe
File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\# DECRYPT MY FILES #.url | DevicePairingWizard.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BLANK.ONE | DevicePairingWizard.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE | DevicePairingWizard.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE | DevicePairingWizard.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.html | DevicePairingWizard.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.txt | DevicePairingWizard.exe
File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\# DECRYPT MY FILES #.vbs | DevicePairingWizard.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

NSIS installer (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\DevicePairingWizard.exe | nsis_installer_1
C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\DevicePairingWizard.exe | nsis_installer_2

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
224 | vssadmin.exe
Kills process with taskkill (2 IoCs)
Processes: taskkill.exe, taskkill.exe
pid | process
2480 | taskkill.exe
3312 | taskkill.exe

Modifies Control Panel (4 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, DevicePairingWizard.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop | 31318ee80570c7168708575f032ac63f.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\DevicePairingWizard.exe\"" | 31318ee80570c7168708575f032ac63f.exe
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop | DevicePairingWizard.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{37345610-6239-7F1B-59F5-99D852E1D980}\\DevicePairingWizard.exe\"" | DevicePairingWizard.exe

Modifies registry class (1 IoCs)
Processes: DevicePairingWizard.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | DevicePairingWizard.exe

Runs ping.exe (1 TTPs, 2 IoCs)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: DevicePairingWizard.exe
pid | process
720 | DevicePairingWizard.exe (64 identical entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
Processes: msedge.exe
pid | process
4448 | msedge.exe (9 identical entries)

Suspicious use of AdjustPrivilegeToken (51 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, taskkill.exe, DevicePairingWizard.exe, vssvc.exe, wmic.exe, taskkill.exe, AUDIODG.EXE
description | pid | process
Token: SeDebugPrivilege | 540 | 31318ee80570c7168708575f032ac63f.exe
Token: SeDebugPrivilege | 3312 | taskkill.exe
Token: SeDebugPrivilege | 720 | DevicePairingWizard.exe
Token: SeBackupPrivilege | 3552 | vssvc.exe
Token: SeRestorePrivilege | 3552 | vssvc.exe
Token: SeAuditPrivilege | 3552 | vssvc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this run of 21 entries appears twice) | 2880 | wmic.exe
Token: SeDebugPrivilege | 2480 | taskkill.exe
Token: 33 | 1708 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1708 | AUDIODG.EXE

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: msedge.exe
pid | process
4448 | msedge.exe (25 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
pid | process
4448 | msedge.exe (24 identical entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 31318ee80570c7168708575f032ac63f.exe, 31318ee80570c7168708575f032ac63f.exe, cmd.exe, DevicePairingWizard.exe, DevicePairingWizard.exe, msedge.exe
description | pid | process | target process
PID 4584 wrote to memory of 540 | 4584 | 31318ee80570c7168708575f032ac63f.exe | 31318ee80570c7168708575f032ac63f.exe (11 entries)
PID 540 wrote to memory of 5080 | 540 | 31318ee80570c7168708575f032ac63f.exe | DevicePairingWizard.exe (3 entries)
PID 540 wrote to memory of 4880 | 540 | 31318ee80570c7168708575f032ac63f.exe | cmd.exe (3 entries)
PID 4880 wrote to memory of 3312 | 4880 | cmd.exe | taskkill.exe (3 entries)
PID 4880 wrote to memory of 1020 | 4880 | cmd.exe | PING.EXE (3 entries)
PID 5080 wrote to memory of 720 | 5080 | DevicePairingWizard.exe | DevicePairingWizard.exe (11 entries)
PID 720 wrote to memory of 224 | 720 | DevicePairingWizard.exe | vssadmin.exe (2 entries)
PID 720 wrote to memory of 2880 | 720 | DevicePairingWizard.exe | wmic.exe (2 entries)
PID 720 wrote to memory of 4512 | 720 | DevicePairingWizard.exe | bcdedit.exe (2 entries)
PID 720 wrote to memory of 2160 | 720 | DevicePairingWizard.exe | bcdedit.exe (2 entries)
PID 720 wrote to memory of 4448 | 720 | DevicePairingWizard.exe | msedge.exe (2 entries)
PID 4448 wrote to memory of 4532 | 4448 | msedge.exe | msedge.exe (2 entries)
PID 720 wrote to memory of 760 | 720 | DevicePairingWizard.exe | NOTEPAD.EXE (2 entries)
PID 4448 wrote to memory of 3736 | 4448 | msedge.exe | msedge.exe (16 entries)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe"
  - Cerber
  - Modifies visibility of hidden/system files in Explorer
  - Adds policy Run key to start application
  - Drops startup file
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\DevicePairingWizard.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\DevicePairingWizard.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\DevicePairingWizard.exe (depth 4)
      Command line: "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\DevicePairingWizard.exe"
      - Cerber
      - Modifies visibility of hidden/system files in Explorer
      - Adds policy Run key to start application
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Sets desktop wallpaper using registry
      - Drops file in Program Files directory
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe (depth 5)
        Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
        - Interacts with shadow copies

        C:\Windows\system32\wbem\wmic.exe (depth 5)
        Command line: "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\bcdedit.exe (depth 5)
        Command line: "C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit

        C:\Windows\System32\bcdedit.exe (depth 5)
        Command line: "C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\# DECRYPT MY FILES #.html
        - Enumerates system info in registry
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffe82946f8,0x7fffe8294708,0x7fffe8294718

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,17570285293211992023,11857198873313781623,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1

        C:\Windows\system32\NOTEPAD.EXE (depth 5)
        Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\# DECRYPT MY FILES #.txt

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://52uo5k3t73ypjije.7156et.bid/4DF7-C78A-9545-005C-9889?auto

          C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 6)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe82946f8,0x7fffe8294708,0x7fffe8294718

        C:\Windows\System32\WScript.exe (depth 5)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\# DECRYPT MY FILES #.vbs"

        C:\Windows\system32\cmd.exe (depth 5)
        Command line: /d /c taskkill /f /im "DevicePairingWizard.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\DevicePairingWizard.exe" > NUL

          C:\Windows\system32\taskkill.exe (depth 6)
          Command line: taskkill /f /im "DevicePairingWizard.exe"
          - Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\PING.EXEping -n 1 127.0.0.16⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.exe/d /c taskkill /f /im "31318ee80570c7168708575f032ac63f.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\31318ee80570c7168708575f032ac63f.exe" > NUL3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "31318ee80570c7168708575f032ac63f.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x240 0x3381⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (4)
- Indicator Removal (2)
  - File Deletion (2)
Downloads

Dropped and modified files (path, reported size):
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (5KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\79ZXHV21\json[1].json (297B)
- C:\Users\Admin\AppData\Local\Temp\nsj4392.tmp\System.dll (11KB)
- C:\Users\Admin\AppData\Roaming\403-3.htm (1KB)
- C:\Users\Admin\AppData\Roaming\ChiPollywog.9mW (no size reported; the listed hashes are those of an empty file)
- C:\Users\Admin\AppData\Roaming\HelpButton.dll (68KB)
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\DevicePairingWizard.lnk (1KB)
- C:\Users\Admin\AppData\Roaming\Phenothiazine.aLp (4KB)
- C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml (1KB)
- C:\Users\Admin\AppData\Roaming\eclipse.plugin.provider.xml (914B)
- C:\Users\Admin\AppData\Roaming\{37345610-6239-7F1B-59F5-99D852E1D980}\DevicePairingWizard.exe (257KB; same size and hashes as the submitted sample)
- C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.html (19KB)
- C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.txt (10KB)
- C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.url (90B)
- C:\Users\Admin\Documents\OneNote Notebooks\# DECRYPT MY FILES #.vbs (252B)