jigsaw | hxxps://github[.]com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware[.]WannaCry_Plus/Ransomware[.]WannaCry_Plus[.]zip

Analysis

max time kernel
503s
max time network
497s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
04-06-2024 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry_Plus/Ransomware.WannaCry_Plus.zip

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4120	2184	OfficeC2RClient.exe	89

Renames multiple (3251) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

Executes dropped EXE 2 IoCs

pid	Process
2044	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
3536	drpbx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe"	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	jigsaw.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	drpbx.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	drpbx.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
69	raw.githubusercontent.com
70	raw.githubusercontent.com
64	raw.githubusercontent.com
65	raw.githubusercontent.com
66	raw.githubusercontent.com
67	raw.githubusercontent.com
68	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\AppxProvisioning.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\deCP6-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MP230\CNC175FD.TBL	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG5300\CNC1754D.TBL	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbrcl1.inf_amd64_205cfd311a6b4e83\BRIBMF07-PIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnepcl2.inf_amd64_5940f4dc3bf9366e\EP0LXPM0-PipelineConfig.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnepcl2.inf_amd64_5940f4dc3bf9366e\EP0NXS90-PipelineConfig.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngeclv.inf_amd64_5626f47f96e3c55b\GEclVB.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrccl1.inf_amd64_dfe2d643f3e20cd0\rcusbbidi.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnxxcl4.inf_amd64_51802a081cf64b2b\xrP6PP-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MG3100\CNC1752D.TBL	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX330\CNC1737D.TBL	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms007.inf_amd64_445baef28ad35ddf\Amd64\MSPWGR-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX340\CNC1741D.TBL	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnepcl2.inf_amd64_5940f4dc3bf9366e\EP0NXS60-PipelineConfig.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\en-US\lpeula.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncacl1.inf_amd64_5cab2573ec016b93\CNN08CL1_bidiwsd.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsacl1.inf_amd64_8adcb7af71f53089\saBP6-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX870\CNC1743D.TBL	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\uk-UA\Licenses\OEM\Professional\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNBXADPIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prndlclw.inf_amd64_22943612af676c5d\DLclWBW.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\xpsrchvw.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNBXAIPIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\lpeula.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbrcl1.inf_amd64_205cfd311a6b4e83\BRIBME0A_200-PipelineConfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbrcl1.inf_amd64_205cfd311a6b4e83\BRIBMF01-PIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prndlclw.inf_amd64_22943612af676c5d\DLclWB.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prntscl2.inf_amd64_710ef19434c930a9\tsunicl2PipelineConfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\lipeula.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\en-US\tokens_TTS_en-US_david.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\lpeula.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbrcl1.inf_amd64_205cfd311a6b4e83\BRIBMF03-PIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbrcl1.inf_amd64_205cfd311a6b4e83\BRIBMF0C-PIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\deactcpip.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnepcl2.inf_amd64_5940f4dc3bf9366e\EP0LXPS0-PipelineConfig.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbrcl1.inf_amd64_205cfd311a6b4e83\BRIBMM0B-PIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prndlcl1.inf_amd64_dbe82d5f3b18ec9a\deSP-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prndlclf.inf_amd64_efe1d550b7437499\dlclfxpscolor-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnecl2.inf_amd64_fdd93c90b4633940\nehb1-PipelineConfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX890\CNC175ED.TBL	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Professional\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbrcl1.inf_amd64_205cfd311a6b4e83\BRIBMF08-PIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNBX9WPIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNB_BIDIUSB2.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnepcl2.inf_amd64_5940f4dc3bf9366e\EP0NXSB0-PipelineConfig.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrccl1.inf_amd64_dfe2d643f3e20cd0\rctcpbidi.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\xrFFPSm0-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\lpeula.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnxxcl3.inf_amd64_0fb0ea0c17a53da0\xrOFPSm0-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SysWOW64\Speech_OneCore\Common\tokens.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaca00j.inf_amd64_2b730d5c3b5d1ba1\amd64\MX430\CNC175BD.TBL	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbrcl1.inf_amd64_205cfd311a6b4e83\BRIBMF0D-PIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNBX9OPIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prncacla.inf_amd64_65d72b0cf837d4c1\Amd64\CNBXAGPIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngeclv.inf_amd64_5626f47f96e3c55b\GE-XPS-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkycl1.inf_amd64_d830c6577c8a2c44\kyw8bidispm.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\desk.bmp"	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-72_contrast-black.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\tmi.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-colorize.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.contrast-white_scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-24_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\LockScreenLogo.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorMedTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-white.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-36_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_altform-unplated_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\fo_60x42.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.4_1.4.24201.0_x64__8wekyb3d8bbwe\AppxManifest.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_2017.113.1250.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\remove.svg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_opencarat_18.svg	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\starttile.smile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\WideTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\logo_retina.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fireworks\Fireworks3.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Popup_shadow_3.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosWideTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\example_icons2x.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close2x.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\AppxManifest.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-60.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-white_scale-125.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close-2.svg.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\AppStore_icon.svg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\SwipeTeachingCalloutArchiveImage.layoutdir-LTR.gif	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-140.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookWideTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluEmptyFolder_160.svg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\gameEnd_background_symbols.jpg	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\PlayStore_icon.svg	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\PlayStore_icon.svg.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\mask\1s.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\MedTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\plugin.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5478_48x48x32.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp7.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filter-disabled_32.svg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\Weather_TileMediumSquare.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\Logo.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lv_get.svg.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-GB\doc_offline_getconnected.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\sunec.jar	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\bg3_thumb.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\tripeaks\Low_Altitude_.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proofing.msi.16.en-us.vreg.dat	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-60.png	drpbx.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_prnbrcl1.inf_31bf3856ad364e35_10.0.15063.0_none_227086ff215129d5\BRIBMF08-PIPELINECONFIG.XML	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\TextureBitmaps\bltissue.jpg	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Goal_6.jpg	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\manifests\BuiltinAgaveCommands.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\cache\Desktop\2.txt	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.15063.0_none_5352ed23f360146f\tokens_enCA.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-netfx45_iis_schema_update_xml_b03f5f7f11d50a3a_4.0.14917.0_none_80eba5d8ae796ff4\NetFx45_IIS_schema_update.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_7cef9576aba6c593\Rules.AD.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\cache\Desktop\3.txt	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..speech.0407.cortana_31bf3856ad364e35_10.0.15063.0_none_003813c013e88afb\tokens_deDE.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.15063.0_es-es_c69ac091d38b8bed\Report.System.Memory.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windowsdx..xperience.resources_31bf3856ad364e35_10.0.15063.0_es-es_fcd92280574ae774\resource.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Game_Menu.jpg	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.15063.0_de-de_1dde8db4e4868e83\Rules.System.Performance.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_prnfxcl2.inf_31bf3856ad364e35_10.0.15063.0_none_e92a895ebb3ab394\fxhb1-PipelineConfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clientexclusionlist.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\PLA\Rules\es-ES\Rules.System.Memory.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..ore-files.resources_31bf3856ad364e35_10.0.15063.0_en-us_da6cc293b8adbd8c\Report.AD.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_prntscl2.inf_31bf3856ad364e35_10.0.15063.0_none_f306128d36a6f85b\tsunicl2.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-bitsdiagnostic_31bf3856ad364e35_10.0.15063.0_none_5d5fd9ab5d619ced\BITSDiagnostic.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..che.desktop.cortana_31bf3856ad364e35_10.0.15063.0_none_d2e87c3d4b5230ae\AppCacheMetadata.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.15063.0_it-it_fb4e47a35c2b9a7c\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.15063.0_de-de_1dde8db4e4868e83\Report.System.Performance.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.15063.0_en-us_c6cf63add3649a48\Rules.System.Configuration.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.15063.0_none_15e137df821b01cf\ipcfg.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.15063.0_de-de_088c8a71d56e1f60\lipeula.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\HoloShell\appxblockmap.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_69523690c65da24f\Report.System.Disk.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kerplugin.appxsetup_31bf3856ad364e35_10.0.15063.0_none_c030e40bb1424ba3\AppxManifest.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_10.0.15063.0_none_50bfec2eff22eeb0\ipsjpn.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\ImmersiveControlPanel\Settings\AllSystemSettings_{253E530E-387D-4BC2-959D-E6F86122E5F2}.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\34.jpg	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\AppxManifest.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_10.0.15063.0_en-us_0d9bfbee7ca99c5b\lipeula.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-provisioning-core_31bf3856ad364e35_10.0.15063.0_none_c8e2de6b6854073d\categories.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.15063.0_none_5eb55a9a4356bc39\DefaultLayouts.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-appx-alluserstore_31bf3856ad364e35_10.0.15063.0_none_d8cba76c786568bd\AppxProvisioning.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Applications\Microsoft.WindowsAlarms_2017.203.236.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\PLA\Reports\it-IT\Report.System.Configuration.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-desktopview.appxsetup_31bf3856ad364e35_10.0.15063.0_none_9990abebb85f13a5\appxblockmap.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-h..indetails.resources_31bf3856ad364e35_10.0.15063.0_es-es_0f863ffa8deb0811\OOBE_HELP_Opt_in_Details.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.15063.0_es-es_c69ac091d38b8bed\Rules.System.Diagnostics.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.15063.0_none_e7edc57dddbcc561\img7.jpg	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.15063.0_none_22a2eeffb0510686\boxed-correct.avi	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-l..-volume-enterpriseg_31bf3856ad364e35_10.0.15063.0_none_a7c12164160f0b65\license.rtf	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..ommandline-adamsync_31bf3856ad364e35_10.0.15063.0_none_0336a632576fedf7\MS-adamschemaw2k3.LDF	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-t..textservice-amharic_31bf3856ad364e35_10.0.15063.0_none_1aa2bb84bd618262\TableTextServiceAmharic.txt	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appsdiagnostic_31bf3856ad364e35_10.0.15063.0_none_ebbd6e3af463cac1\AppsDiagnostic.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_69523690c65da24f\Rules.System.Diagnostics.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\StoreManifest.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1251.TXT	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.15063.0_none_e7edc57dddbcc561\img10.jpg	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_10.0.15063.0_none_149aa50c07625ad6\ContentDirectory.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_prnxxcl3.inf_31bf3856ad364e35_10.0.15063.0_none_90ae3ecb57aa891b\xrFFPSc0-pipelineconfig.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Premium_base.jpg	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.15063.0_none_688980fe0ef48d36\MicrosoftOffice2013Office365Win64.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_10.0.15063.0_fr-fr_69523690c65da24f\Report.System.Diagnostics.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-tabletpc-inputpanel_31bf3856ad364e35_10.0.15063.0_none_22a2eeffb0510686\boxed-join.avi	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\WinSxS\x86_netfx4-groupedproviders_xml_b03f5f7f11d50a3a_4.0.15552.17062_none_c8462a5be02a43fc\GroupedProviders.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\Spider\Goal_1.jpg	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1254.TXT	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\PLA\Reports\de-DE\Report.System.Network.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
File opened for modification	C:\Windows\PLA\Reports\Report.System.CPU.xml	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\TileWallpaper = "0"	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 20c4bab897b6da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 99ed83b897b6da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 57655bb897b6da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{21B9DA6B-770A-4417-97A9-C9BAC808BDD2} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packag = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.Vipasana.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
456	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2676	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
2676	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
2044	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
2044	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
2044	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
2044	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4120	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	2220	firefox.exe
Token: SeDebugPrivilege	3428	taskmgr.exe
Token: SeSystemProfilePrivilege	3428	taskmgr.exe
Token: SeCreateGlobalPrivilege	3428	taskmgr.exe
Token: SeManageVolumePrivilege	2996	MicrosoftEdge.exe
Token: SeDebugPrivilege	2732	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2732	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2732	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2996	MicrosoftEdge.exe
Token: SeDebugPrivilege	2996	MicrosoftEdge.exe
Token: 33	3428	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3428	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
3536	drpbx.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
2220	firefox.exe
4120	OfficeC2RClient.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe
2996	MicrosoftEdge.exe
4120	MicrosoftEdgeCP.exe
4120	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 4812 wrote to memory of 2220	4812	firefox.exe	73
PID 2220 wrote to memory of 4212	2220	firefox.exe	74
PID 2220 wrote to memory of 4212	2220	firefox.exe	74
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 4424	2220	firefox.exe	75
PID 2220 wrote to memory of 1528	2220	firefox.exe	76
PID 2220 wrote to memory of 1528	2220	firefox.exe	76
PID 2220 wrote to memory of 1528	2220	firefox.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry_Plus/Ransomware.WannaCry_Plus.zip"
1⤵
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.WannaCry_Plus/Ransomware.WannaCry_Plus.zip
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.0.1610156938\107459541" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52f8321a-660f-49a3-9bc4-179dc30b0950} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 1812 281e1ae7158 gpu
    3⤵
    PID:4212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.1.1473420811\1220075874" -parentBuildID 20221007134813 -prefsHandle 2160 -prefMapHandle 2156 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f523059-ef91-4646-ae3e-081c61b724bc} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 2172 281e1a03258 socket
    3⤵
    - Checks processor information in registry
    PID:4424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.2.1848918220\2064261287" -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2764 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca0a0d29-4600-4dd3-aa88-3397ed488b85} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 2856 281e1a57158 tab
    3⤵
    PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.3.264786634\447257431" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4da4408b-678c-46eb-bb95-4a9617859ecd} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 3644 281e626ae58 tab
    3⤵
    PID:1252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.4.1854007806\2000079389" -childID 3 -isForBrowser -prefsHandle 4660 -prefMapHandle 3912 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9dc1a16-870d-4cc6-bc66-ccd186a3518a} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 4668 281e8968258 tab
    3⤵
    PID:3700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.5.991858034\1930132153" -childID 4 -isForBrowser -prefsHandle 4764 -prefMapHandle 4768 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8a445fb-dad9-4a12-92fb-f133b1ae05d7} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 4848 281e8968e58 tab
    3⤵
    PID:2388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2220.6.1406736181\466943455" -childID 5 -isForBrowser -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {953955b3-cb2a-4a0a-bb1a-5bbd2f29befc} 2220 "\\.\pipe\gecko-crash-server-pipe.2220" 5088 281e8a9d258 tab
    3⤵
    PID:3344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1824

C:\Users\Admin\Downloads\Ransomware.Vipasana\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
"C:\Users\Admin\Downloads\Ransomware.Vipasana\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676
- C:\Users\Admin\AppData\Local\Temp\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe
  "C:\Users\Admin\AppData\Local\Temp\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GQXEN.bat" "
    3⤵
    PID:3008
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:3144

C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe
"C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe"
1⤵
- Adds Run key to start application
PID:2992
- C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
  "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Downloads\Ransomware.Jigsaw\jigsaw.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  PID:3536

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Recently.docx" /o ""
1⤵
PID:2184
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
  OfficeC2RClient.exe /error PID=2184 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of SetWindowsHookEx
  PID:4120

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4380
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SearchConfirm.sql.fun
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:456

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\99b056f035f94798ad32d19d787dac9f /t 3532 /p 456
1⤵
PID:3004

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3428

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:4212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun

Filesize
720B

MD5
75a585c1b60bd6c75d496d3b042738d5

SHA1
02c310d7bf79b32a43acd367d031b6a88c7e95ed

SHA256
5ebbfc6df60e21044486a5df3cb47ccdcd7a4d5f197804555715ffd9bf6c5834

SHA512
663a302e651b9167f4c4e6ae30028307b4d8da0dda3a0e5fd414104951d50419862fc9396c5b39fe5c4b696efd3efbf0b575688983b1d341f3ef38becf500505

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun

Filesize
7KB

MD5
72269cd78515bde3812a44fa4c1c028c

SHA1
87cada599a01acf0a43692f07a58f62f5d90d22c

SHA256
7c78b3da50c1135a9e1ecace9aea4ea7ac8622d2a87b952fc917c81010c953f7

SHA512
3834b7a8866e8656bbdbf711fc400956e9b7a14e192758f26ccf31d8f6ab8e34f7b1983c1845dc84e45ff70555e423d54a475f6a668511d3bcbdd1d460eeb4b0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun

Filesize
7KB

MD5
eda4add7a17cc3d53920dd85d5987a5f

SHA1
863dcc28a16e16f66f607790807299b4578e6319

SHA256
97f6348eaa48800e603d11fa22c62e10682ad919e7af2b2e59d6bd53937618f2

SHA512
d59fa9648dc7cb76a5163014f91b6d65d33aaa86fc9d9c73bf147943a3254b4c4f77f06b2e95bb8f94246a982ea466eb33dac9573dd62f40953fd23de1c1b498

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun

Filesize
15KB

MD5
7dbb12df8a1a7faae12a7df93b48a7aa

SHA1
07800ce598bee0825598ad6f5513e2ba60d56645

SHA256
aecde4eb94a19095495d76ef3189a9abd45bcfd41acbed7705d22b4c7d00aa77

SHA512
96e454ebb4c96573e8edc6822290c22d425f4c7f7adbab35e6dc4b3ce04a5916ae9254c2c312c98299835ecbf3c5aa95da2939b8408ac25fbae44ba87a3795dc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun

Filesize
8KB

MD5
82a2e835674d50f1a9388aaf1b935002

SHA1
e09d0577da42a15ec1b71a887ff3e48cfbfeff1a

SHA256
904372666ca3c40f92b20317d92ca531678958affbc34591401e338146fe0ecb

SHA512
b10a8e384d0bd088443a5085f5c22a296f6f4d295a053d4526690ba65846e887daec47d01cf18fdf1160db98061a8b7c4040de56e6e604451a821fadccf32698

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun

Filesize
17KB

MD5
150c9a9ed69b12d54ada958fcdbb1d8a

SHA1
804c540a51a8d14c6019d3886ece68f32f1631d5

SHA256
2dee41184747742fbdc527b2023d67fecec1ccdfdf258439a06cd75d4fd33f43

SHA512
70193ee6f0919eb14311f43b5a5da041deacb568db55fc43290ee76e17af902ac468435b37a150630ea3b7871c724073915ae5dcba3c301ac42f2d68dd598e2f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun

Filesize
448B

MD5
880833ad1399589728c877f0ebf9dce0

SHA1
0a98c8a78b48c4b1b4165a2c6b612084d9d26dce

SHA256
7a27d891097df183fbf0031e3894bdac0ce77aef15d666ddd9f6a04e9836fb27

SHA512
0ddf247892a72a390437390d535debf6e41d12e51b31eb4f0353b710ec380c5fbc531a48e76935088063a41aca843287d3def9c1cd46be05b8dcb69f5017a464

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun

Filesize
624B

MD5
409a8070b50ad164eda5691adf5a2345

SHA1
e84e10471f3775d5d706a3b7e361100c9fbfaf74

SHA256
a91790b778026db625c9dedfe1c6d94b884818b33d7977e86b2f9c2f3c500796

SHA512
767a75edd37d29b3433040ce21cda849cd11ba549f27581f7edc6416c433ba7047c56908d40956422393ab0f35ede61617d4bd2aad0bde3d1ebd276584c858c7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun

Filesize
400B

MD5
2884524604c89632ebbf595e1d905df9

SHA1
b6053c85110b0364766e18daab579ac048b36545

SHA256
ae2facd997527426fc4def82e0db68be29b44499bfff86a28c36f7c31b177d4f

SHA512
0b506397627823a1768796129c6b37d146821471b89338b5f2d0fd3aea707fd46a8e197ee0e298ddfb3b50eef0a0b064946006346b060f733ef19cbd5d24fc90

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun

Filesize
560B

MD5
e092d14d26938d98728ce4698ee49bc3

SHA1
9f8ee037664b4871ec02ed6bba11a5317b9e784a

SHA256
5e8ec278a273be22199884d519a79f748801baa3a45b76e57569fdfffe96e7fb

SHA512
b2fcb5d46339cdf6b5a954f2a083cf913779e57cb6e8699bc5da1fba1c370c41117b7ddefb50075622067eb7b02a20268bc047171bd883bcda4a497c2ec64ea4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun

Filesize
400B

MD5
0c680b0b1e428ebc7bff87da2553d512

SHA1
f801dedfc3796d7ec52ee8ba85f26f24bbd2627c

SHA256
9433084e61062d2b709c1390e298ddaf3fb0226656662c04c0b7026a44dee750

SHA512
2d1399a6bf225b048d2b12656e941ad912636acae2dec387f92f33ac80629a1e504bca63580ba73a8ed073788f697274d5eb76ea1b089f0555fd397a8f5cbbff

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun

Filesize
560B

MD5
be26a499465cfbb09a281f34012eada0

SHA1
b8544b9f569724a863e85209f81cd952acdea561

SHA256
9095e9b4759e823e96984981af41b7a9915a5ecaa6be769f89c13484cef9e0f5

SHA512
28196e5de9670e9f63adcf648368bd3ea5926a03e28a13adc2fb69c567fba2f84e4f162637c487acb64eda2e30993f849806f2313820ba693c7e70303542d04f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun

Filesize
400B

MD5
2de4e157bf747db92c978efce8754951

SHA1
c8d31effbb9621aefac55cf3d4ecf8db5e77f53d

SHA256
341976b4fe312824d02512d74770a6df9e1c37123781655532bd9cd97ea65fa9

SHA512
3042a742c38434ae3ee4fe10f7137462cdebad5cae0f9a85fb61063d15a30e1b54ac878b1af65f699c6ca1a9d2c3e58d245e54bdebfadc460cbd060836734e11

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun

Filesize
560B

MD5
ad091690b979144c795c59933373ea3f

SHA1
5d9e481bc96e6f53b6ff148b0da8417f63962ada

SHA256
7805ac9d0e05d560023e5aabed960d842e4f3ec2aa3db45a9cfb541688e2edb1

SHA512
23b4c799a7b25f70962e8dd0ec7286ba7150053cab7c88f5fb1efc1095c2987bd6f3572e7fb3ee4b2238958e52a763de2c84a74615df7a6d3a19a034584fd687

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun

Filesize
688B

MD5
65368c6dd915332ad36d061e55d02d6f

SHA1
fb4bc0862b192ad322fcb8215a33bd06c4077c6b

SHA256
6f9c7ebec5a707de439e3fd2e278fdfa07a39465d56157b70b24f091509bf76f

SHA512
8bb9a7690aeb3c0b9e14e1a6ebc5741536d354cf2324fd74ee0c3e4ef511718f7795039a94c8d2df94b6e6d0fb1762191cb649089d1def12abdf34003f0cdd0f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun

Filesize
1KB

MD5
0d35b2591dc256d3575b38c748338021

SHA1
313f42a267f483e16e9dd223202c6679f243f02d

SHA256
1ca0cfc2df0354c8d886285ae5e743d9c7cc030e1afd68ac113c0f2ce43ad5fa

SHA512
f6c58c27bbde7508a866bd0e7fabadb13a4f020378cd8b8cfc0c9fa23f645d811d6cdea04b81afdf30c064c6248152e74b3e6a78ec7a3d1d19037a0db8897d7e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun

Filesize
192B

MD5
b8454390c3402747f7c5e46c69bea782

SHA1
e922c30891ff05939441d839bfe8e71ad9805ec0

SHA256
76f8ed1dd50e50c7d62b804a0d6901a93e5534787d7b38467933d4c12ce98a0d

SHA512
22b26c62473e80d17c1f78df14757ccfb6c7175faa541705edc153c02baa7ab0982b5daabe8dd2c8c9efb92af81f55ccaeeecffe8ed9a0b3c26e89135ca50923

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun

Filesize
704B

MD5
6e333be79ea4454e2ae4a0649edc420d

SHA1
95a545127e10daea20fd38b29dcc66029bd3b8bc

SHA256
112f72ef2bc57de697b82b731775fba3f518d1ae072120cd11b732bf4a782e36

SHA512
bed5906c7373814acc8a54c1631428a17f0aa69282920447a1575d8db826afd5dab262301dc6da610ff8bb81d24ec6babd3d9fb99fd6945f1aca9cb9c76ec2c9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun

Filesize
8KB

MD5
3ae8789eb89621255cfd5708f5658dea

SHA1
6c3b530412474f62b91fd4393b636012c29217df

SHA256
7c5b1d8469e232a58359ccbcb89e619c81c20e6d2c7579e4292eb9a19849bc5a

SHA512
f6998dbae1a2fa56f962045261a11a50b8e03573d9d4cf39083da3be341cc104e0ecf5908076f03961bcdb1356d05a7450d69940ec3aaab73623a6fe180e7051

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun

Filesize
19KB

MD5
b7c62677ce78fbd3fb9c047665223fea

SHA1
3218c7b6fd8be5e0a8b67d3953d37d5dbd0c71d8

SHA256
aa638be6e1107ed1f14e8430abedd6f6d0a837a31b1b63e6a7741d6d417eddc2

SHA512
9e0cc29835845f2a0260a6989c1b362bac22a8e0c2825bc18f1dde812ce7868503881d2deaf951429a80b5017b6ce31e785ff524883e08d730aa38b36a2fb074

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun

Filesize
832B

MD5
117d6f863b5406cd4f2ac4ceaa4ba2c6

SHA1
5cac25f217399ea050182d28b08301fd819f2b2e

SHA256
73acdc730d8a9ec8f340c724b4db96fc222bb1eaf836cec69dfe3fab8d6ac362

SHA512
e10883029c1e0fbc64bec9aac0a6957a8499af255e1790843717212077926474e02b2870c5dd04b057c956b97ad4bb1747fe73e731ea61b891f4b38dd80494d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun

Filesize
1KB

MD5
433755fcc2552446eb1345dd28c924eb

SHA1
23863f5257bdc268015f31ab22434728e5982019

SHA256
d6c290e942ee665d71e288229423a1f1866842988eac01f886910b0ec383aa9b

SHA512
de83b580ce27012a7677e1da867c91e2a42dbc6b5872dcf756ace51c2862801814665ecca997171f2e550e8b9a3de19994d2516a4e5d4d57e16c7b4b823236c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun

Filesize
1KB

MD5
781ed8cdd7186821383d43d770d2e357

SHA1
99638b49b4cfec881688b025467df9f6f15371e8

SHA256
a955039cd9e53674395f4b758218e4d59c89e99a0c4d2a909e49f6008b8f5dd4

SHA512
87cb9c4288586df232200f7bbacee3dee04f31c9444902dd369ad5c392d71e9837ebf8b3bb0fcb4a5db8a879cf757e97ce248939e3316c6bf3a3fe7cbe579534

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun

Filesize
2KB

MD5
51da980061401d9a49494b58225b2753

SHA1
3445ffbf33f012ff638c1435f0834db9858f16d3

SHA256
3fb25ddd378ab756ec9faa56f16b76691cf6d9c7405bb9a09ce542a6f5b94e44

SHA512
ecc5eb2a045ce2508d461b999f16caba6cce55aa0c00b34bd73a33e0458795f93a77caff5026212912684164057be016f51dc57ec83821c2a1f2e27417c47b2c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun

Filesize
2KB

MD5
2863e8df6fbbe35b81b590817dd42a04

SHA1
562824deb05e2bfe1b57cd0abd3fc7fbec141b7c

SHA256
7f1238332901b740cde70db622abcfb533fc02f71e93101340073552f4820dad

SHA512
7b2d95465ea66951ea05c341549535a0a939d26dbde365b212e3983e4047fa6912c37d737cb8054c41bb1a7d92586d968a0154c666572a70ebc59a4776897f38

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun

Filesize
4KB

MD5
79f6f006c95a4eb4141d6cedc7b2ebeb

SHA1
012ca3de08fb304f022f4ea9565ae465f53ab9e8

SHA256
e9847d0839d3cf1039bebdc49820ee7813d70941347ce420990592e5e3bd998e

SHA512
c143a4cf1ccfa98039b73214978722408188535ee4aa3dac08a34760b94bdf6d36ad0ff0de893da5b17fd69c96a6dfb25098ab7fec219fad1a77532113d0353e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun

Filesize
304B

MD5
b88e3983f77632fa21f1d11ac7e27a64

SHA1
03a2b008cc3fe914910b0250ed4d49bd6b021393

SHA256
8469b8a64e80d662eec71c50513f6d295ef4a3a9992763dbcac9d81253cef9d5

SHA512
5bf93d4f4250ca96169f3d27d4e648cc5d6e00b7558a3ef32e07edcbae36dadb8008d7ba5f83ac3ed812b72c9d52730e866191b4de7a339df57b5697e00df50d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun

Filesize
400B

MD5
f77086a1d20bca6ba75b8f2fef2f0247

SHA1
db7c58faaecd10e4b3473b74c1277603a75d6624

SHA256
cf10d2a22b638cf0978cf30ecaf39ecb5bb0e3ad78cd920afa433ad60cc1290d

SHA512
a77a897c0b41f4052cb9546d4cfd6e0856b288b6b8583a86d6c7e79059a05b19cc2593599251581e79107235e9d5cd589c392bf490452be04ff57e944cd19df3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun

Filesize
1008B

MD5
e03c9cd255f1d8d6c03b52fee7273894

SHA1
d0e9a9e6efd1746bc9ccb4eb8e7701c1cd707e2e

SHA256
22a34c8321384fc7682102e40d082e7812232a9109e4d4e8fa2152fda3f260f6

SHA512
d4bd002197b725316e1f1f2dd0a70ee44a82a53ac0dafa8c6b1166343adc406e147d0c4cca30d65a32aa545f1b327c6b69c0ec1d15330af48a6faa234dc4b5ac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun

Filesize
1KB

MD5
62b1443d82968878c773a1414de23c82

SHA1
192bbf788c31bc7e6fe840c0ea113992a8d8621c

SHA256
4e96529c023168df8dde241a9acdbf4788ea65bc35605e18febff2b2071f1e24

SHA512
75c8604ea65e0cdd9ea74b4802930444dd16a945da1e7f0af4a9a3762259ee9eb41ea96973555d06f4814ee2f6b73ab662c6b314b97876e9628fa5d4536e771c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun

Filesize
2KB

MD5
bca915870ae4ad0d86fcaba08a10f1fa

SHA1
7531259f5edae780e684a25635292bf4b2bb1aac

SHA256
d153ed6c5ea8c2c2f1839f8dadcc730f61bd8cd86ad732bab002a258dea1d037

SHA512
03f23de6b0ae10e63c41e73308b3844d49379c55d2df75fa1dc00771b26253d832c21081d8289f04260369df996e31273b7c0788cf3b5c78a27ec909f14a283a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun

Filesize
848B

MD5
14145467d1e7bd96f1ffe21e0ae79199

SHA1
5db5fbd88779a088fd1c4319ff26beb284ad0ff3

SHA256
7a75b8ec8809c460301f30e1960b13c518680792e5c743ce7e9a7f691cfafc38

SHA512
762d499c54c5a25aba4357a50bb4e6b47451babeda84fa62cfbd649f8350bca55204ad002883b9147e78dda3dbabaae8da1dc94b716204226bb53326030772b7

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

Filesize
32KB

MD5
829165ca0fd145de3c2c8051b321734f

SHA1
f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e

SHA256
a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356

SHA512
7d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
580ee0344b7da2786da6a433a1e84893

SHA1
60f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e

SHA256
98b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513

SHA512
356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml

Filesize
20KB

MD5
1e885981b97b8b408d6e3bb2afd5b767

SHA1
b6eb713c27e5c8620cb4cf7f23ad385e3bc211da

SHA256
bff090c7904373cb6975f748360d2e90afe90d8f0d9f5ca14a0dcdcaecfa9bc7

SHA512
23d26e042528e96427f858f5b8da89dd8a5992c8a6db867c1274219db44134895249c2c682e346fe39d69af4ca56eec794fa5bc2e6c18754bab6399e2390b68c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml

Filesize
3.4MB

MD5
475505d1d76e773024e9ef3a1729d0f8

SHA1
5ae44d551f5a77e2d49b44b29bb4404a06253c8f

SHA256
ba90b099573cad5682caa3e1908e9d5fbb396fd6bce13b4e4b712ffbccdc5ba2

SHA512
2f3deb3a8a03130478a89dafd9b34a439868c257adcfe7cbcc7bac440c14b7b7aaefec073906f808089f3e2ef56d17d1fe70cc64730330cc40f4d3331f8fc615

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserDeploymentConfiguration.xml

Filesize
20KB

MD5
f43ca75624587bfd6e009d766c55ad48

SHA1
0865a7d8a3327ebb9f55a0e19bfb7e8e94e4065f

SHA256
421ba2c5982e7057f93f8dafe80cc2040e3615006921380f923e9048d25c018d

SHA512
9d881f286ef346b2b2fa2a2c0adbec0f32d80ae849f8c1d833e9ab89bf7489ca61492d93409604e9fb587f116937ad3069f0e1dd9dd096e96457d6f8d5a56c75

Download Submit
C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml

Filesize
2.1MB

MD5
ee3230e203e373c2b7fe4d1a00c295d2

SHA1
c49a729a29cbcd0dc1c8678daaab07c9d84b469d

SHA256
35517054ad5b574b240439a7b13de0296b8edc83a3d48e04916169e887e2e86b

SHA512
28fd87c9ef935048d36b961939011ef10f6487858678552598137cfb5bda778f61c7aee42da9a299a809760da68010388fe6679b55b9719ad3b8ce3d2b4ddf04

Download Submit
C:\ProgramData\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.BasicAttractLoop_8wekyb3d8bbwe\Microsoft.BasicAttractLoop_8wekyb3d8bbwe_License.xml

Filesize
22KB

MD5
8afa9fa703b7a6069367537350136e00

SHA1
ed10fdc9864eaa01cf3cfa3091d14c5f39d41a6a

SHA256
6f8d88f86e7d6cc0f0031fd77b7a9dc7627c88e3a78cb03fcd57d10aa895caa0

SHA512
a9b78aa4fb0ec4b1966731d6b92d4d20db612459692687a3930dc035902ab7f28cd2533de63f94c8c2d0b91967adb5c487ec0e5911b47ee801d4f9e137edae28

Download Submit
C:\ProgramData\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe\Microsoft.MicrosoftRetailDemoProvisioning_8wekyb3d8bbwe_License.xml

Filesize
22KB

MD5
f29c70eb1d9471a8ef4dbe4b39230071

SHA1
1be67ebab08a9c9354234aca8f2a11a3e1183bff

SHA256
5f603621642540c9eff8466eda73005c795d988801b3e839493aecbb5a15d04e

SHA512
768433a07e4df839b8705ea2b3fb96dae77f96556cce149d9693245afd1bae37f0535924b0f7b98cf5b44ecd953b68dd60bd9060509edd8b5a0f9f2a2069250a

Download Submit
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe

Filesize
283KB

MD5
2773e3dc59472296cb0024ba7715a64e

SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859

SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7

SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\container.dat.fun

Filesize
16B

MD5
8ebcc5ca5ac09a09376801ecdd6f3792

SHA1
81187142b138e0245d5d0bc511f7c46c30df3e14

SHA256
619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880

SHA512
cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules.xml

Filesize
98KB

MD5
ddd2ed7a1263bd60e2cd1a6da7b8dd8d

SHA1
55e4a17a58952df778914864f17537a6f9285e4c

SHA256
ee6204f7b5fa119f2e9828e26a37d5281e3e6ce4ff51a8cc56d0294f44b16947

SHA512
0bfa03e5d3d51b43c03c515e229110e80db34f490c2d0572fe640440fe3d2331c165088a060126a4df26d3d0979187abdc4d2580023323421056fefdfb2b83df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db

Filesize
24KB

MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\doomed\29261

Filesize
17KB

MD5
3c87cc5d3e189abce4c17c2e91bb79e8

SHA1
0b833d70c7e165f6adfe68c402a09307b53722f1

SHA256
9459cf769c5ac49e6c648cbd455961fdf3a019408fc57a87502af6ad9a829fbb

SHA512
2c1e4afea73b941538c9884352d28a223ca8055610b226e48e2fa162993e5cf719e926fa9f334eee389c74d4b523f6b751c853c5648a2f90fa8a3bd05995d137

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\jumpListCache\mLwnf5m+XXYZG7Ch42tPPg==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Packages\DesktopView_cw5n1h2txyewy\Settings\settings.dat.fun

Filesize
8KB

MD5
f22599af9343cac74a6c5412104d748c

SHA1
e2ac4c57fa38f9d99f3d38c2f6582b4334331df5

SHA256
36537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65

SHA512
5c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\DOMStore\O9JD87LR\www.msn[1].xml

Filesize
19KB

MD5
55e1f99c78c14cc37f10440e1a75bbb9

SHA1
7fb36b91d58d818cddbe8cacb5b466bff1c87ba0

SHA256
21d20b492acd6af3c89c49234a72f26774403468f88efe73286d83659b00eace

SHA512
18ee718c83cde35690da7a21bfd734e447ef2a8d6ad9c7604262b46f899c858734b468c78ec608c0f379059a165c891eeda42b12e4acad8341ad3a05258a0e39

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RN86XJ4R\microsoft.windows[1].xml

Filesize
19KB

MD5
a7b526a4cf9a4a9e5a9f74c7b1bb76e9

SHA1
a82adaee485e8e8d66066da6f870de7d6ea9b05c

SHA256
1b8b6754929175d61e49d8fa1e392de0fc910637a6b39ced3079b26d18247e45

SHA512
2646ac6bac566007eedf8922870e3ccb4a558547dbb9402d972ba6afbfccaf2c0de846c128c035cc30b80c63ae2ced480fbcac115c0218ef2f7397f7c9aed871

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VU5W00WI\www.bing[1].xml

Filesize
19KB

MD5
de66ffd466e959f9378c1dcb1c417cf3

SHA1
2afc7e61882a06b8f6201a0455ca88a4e0d8b08d

SHA256
69a583afe061e5ad3a0f5197d8e0c635dd80b968b15f700eb685a1fd85f00fe6

SHA512
2bd6c6d7ed74e964580d9bc7447352ba1043848df8e33f00f4aa016f4b5af1f0301a894fbfd57cff4eb96e3fc3b72451547b07abfb22ff0e8cb724d10846e159

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fb7f1438-ad65-4a31-825c-f3873a3c5a50}\0.0.filtertrie.intermediate.txt

Filesize
34KB

MD5
57df93f7cb536a6e5603064cfd308cdb

SHA1
80c1bf43275372e771079e53c7db47e6104b9437

SHA256
c43b3485e5c8d52db14b86ac619e7638478134c1b322b0fa0a17c74d6a1fe3ea

SHA512
01ec9c709da86954416f5e2d6ca7125206b1c6191602d370a562d486e38999d2c1e212cef746c2603bb4ff8faf38de4c6b734622bf0d5d064de746c56e02700b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fb7f1438-ad65-4a31-825c-f3873a3c5a50}\0.1.filtertrie.intermediate.txt

Filesize
19KB

MD5
bd8876bfb548a491bb848ef51a6d68ca

SHA1
0021ba51d95e43e8a9ccfae676a2bec2df674797

SHA256
83c4c4bbbddce9554911e8063336f7b81417a6d2b1ad94cff26946d7647d70a6

SHA512
acbf9bf18c503c89180212b93911abdbd29be7457ff71f538cd86fcbdcd61654ab9e41cf46d651288cd5d48d284688032055abcb342793b38ba12e90164498d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{fb7f1438-ad65-4a31-825c-f3873a3c5a50}\0.2.filtertrie.intermediate.txt

Filesize
19KB

MD5
815a7b6074ab722287f6e7bdd687f498

SHA1
d75d6fe09b869583d1213526e52a005641644c18

SHA256
fd8977b36cca24b5e00bf6d6c3b2cb4531adc49002ba7238441a900208cbc0f4

SHA512
746e36ea6d75890fa5f65d4cd5cf22176ceda8679b9e9afc5be49e3294039da34be1c84f4eb8039125626cdd68d4f7a0280908adf18f0390edef02caba2cb39d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c5462599-f600-460d-ad90-559c10878390}\appsconversions.txt

Filesize
51KB

MD5
1d4b885f7cf324f40f36a5b986f49ae7

SHA1
bcad47abe91cbee5e06ec991b5956daf75d4b708

SHA256
0b3399c93425c670b4a123c0bc50ba3e2b68ab5340d7f6baacff48a7e607eaf4

SHA512
277547ec3ff4f660366f0892a1a20c77a6c23fd16d2217ca823b716c0f14f9244623ef095d436fbbb92b8e53d820ec69418098f80ddb9b307620a2336d07fe48

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c5462599-f600-460d-ad90-559c10878390}\appsglobals.txt

Filesize
369KB

MD5
48da131809ba9a44b34cd3e7e499657e

SHA1
a9a07bb478871a004d8805cf9af1aa76bf64c070

SHA256
272d0d6343abca87ca93b4d1855f1a5a9969af896e17bc9257f71f8f8005ccde

SHA512
a30453dc7b5896cc6a08412eaea6c629a42e62006b81dc735d33b1a647c6b12e2787461ad07e456eeb4c04b584d4ec701397b7b33509e9db813b905a37bd991d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c5462599-f600-460d-ad90-559c10878390}\appssynonyms.txt

Filesize
99KB

MD5
4b520fa643dc62ad60f725240cf576bb

SHA1
2066cdaa2997732542b5ad3049a878eaaa73d165

SHA256
0fca8bc7786417249e73564e7af7dc30731f275950d8538c08905135a764abbb

SHA512
032b4e14e81b4de762b13689ee58ad28e79b3fcd99f30bb7d5282666c3830ff957176b0abe7143d10342057fb9cb8b89db6f49ead88e5d188fefa84c0311a346

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c5462599-f600-460d-ad90-559c10878390}\settingsconversions.txt

Filesize
51KB

MD5
2b91288f85fdf5261beafc0e9d1f8d59

SHA1
d75bec0528695c53b48d8928901f7c87cb4de0a4

SHA256
cf57b15a10d224da6cdba33104faa212b045f7c594899f5b4c3cc4b2d690ca90

SHA512
a448c2ada1fa7f516e22a4bbf010abef39c23204edf6920ffeef3b541fe3f43c40c8885d369f48bdb331afd15d54e9bd9c266e68f02ba513b0513939c5b05f34

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c5462599-f600-460d-ad90-559c10878390}\settingsglobals.txt

Filesize
59KB

MD5
531f8403a7c50e38d4717ac58bba9245

SHA1
081bf30a1b748dbf155b84eaa578f0f8eb32bb22

SHA256
62a356853982b0826edc9b1ee2c36d8f8ed7dba8d3d954b0f7d8c13dc8afa0de

SHA512
d9e75b8f587d14f54b2a4d711eea3f2bc9f8ee16b0f8a03f88425b4ea6630d78136bb2c00f270516ca4b9731146383c8099de98caee70401de9e343dc0d818a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c5462599-f600-460d-ad90-559c10878390}\settingssynonyms.txt

Filesize
94KB

MD5
ce5db0290267c92fc3ec071bc6b9bcef

SHA1
9855307e62546644bbea585ac97d9af716aa7815

SHA256
7bcd71f0edaf9c9c001108f4b131c87276341d7fa8eb7f2e2f9b772d7d1742c5

SHA512
e47112f2bb3e106d6d2d9d51e0c296cd348c3164c4622bfb56f5ddd5af40d7eb265444c59a95691ac3af062b10c982de85150816155985bc54e05b85c2fb3928

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567067466654771.txt

Filesize
103KB

MD5
e7a2183d57cb6a329a7cd356728ac262

SHA1
b8eef64374baf741f10832a78557857654d8e506

SHA256
34c17f3e1532ec07e05a98859809051df6ba55f34cbb1d375d8878127ddfba89

SHA512
b9168536fcb1f748cd199c569615128a120693f83182118a471563738e4342be26d87b75519940bf29ee63ba954260c2bbbc671d1957518d2790534e88db931c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567067473113341.txt

Filesize
103KB

MD5
6c1ddce2bded68a221ec059d8e77748e

SHA1
f03c09d047e7c93acaa5342f8b4e542c6d5b2319

SHA256
7f044ab80680a537011ede485b8b9d03b12aac79eb950c295e958959e27b24f0

SHA512
4fe3d634088383dee99262e1774a7c5c5147493288cb70e9abdf9ad1d933b04cffdd44d3357b34dfb5b9fa08ee69dd56d690c4dbadc86c3a683ec99e0d5b6cee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567068168931334.txt

Filesize
105KB

MD5
560fa664df7ebab6e1fafd1ca1e3073e

SHA1
81b307af2f69243cebab7ffdaefbb4e39e6cc795

SHA256
a61f8ea513ce7ce0cd83ec4a17f93f0c716ee3197577450bd511aa2e2d792db3

SHA512
9aa69433070ac5b4b2eec9f2d51666f1146a24947678db4a6f6d601e0bf1efba5dc9d41a79b65d3a9dbc879c7df91d44783cb7ea0871fbda581407ad8fdfad22

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567068611127398.txt

Filesize
105KB

MD5
d7d780b6fe4cabe66949a8daca471fca

SHA1
957b37bf8bef5efccbd5f89c2181e87f96e961c1

SHA256
f925e76ad2b117dcfbda1f10a7241f281fa79e9cf079c9ff417ba18948f6b128

SHA512
6e41b48604290d3c7b99af330a3f950c27f5e9ca4200b9714a7e6abc288127ca8a97be8ae0907d08ee253f0a6b578f2ce075a190408497fb3044781e1fbb6a29

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567069045812189.txt

Filesize
77KB

MD5
213b598d2a0f2a2dd6701df39c9cbc59

SHA1
2cdb917a3224b88928035fdd136cd3b201a1b6f8

SHA256
ff0c81bdb6af1bb9a543e97c9660c61c699f8d84b49bc450cb10badfd84c42f3

SHA512
3d4dc6154db3f8c5063d14f430a7c7dd4f4eedb5f70ea6146f79e0584e4e714882603c885247acc2aa5ccd85713df6117f00addd9f8b6d739f29e7b80e73ff33

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567069046601425.txt

Filesize
77KB

MD5
ad54fd6bcda4319a002b06ef81e454b6

SHA1
6f376a3803d514ad844d372cd21e626020e1f6cc

SHA256
9f1faf0342ddcacd2d7c8b9db3de95ec8b7d5be14f830cf55535a73b1131bd21

SHA512
da8e37e5d011260d369d7149275e966691a4255b7d3f0ac14c92c5694a95f285ee1711c462d9dcac2d8b2474643c601d630e09a254ac7c7848c65cacad629241

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567069111021030.txt

Filesize
77KB

MD5
ec34c78175663a4fb366c3c95c872833

SHA1
10825edbdb60d4c8ad793c813a101498626dc5e3

SHA256
0cdb3f37ccf9c1b4c0b0b1d71617f73cb6b4e6f038a790de9d059a84ce50f3c0

SHA512
dee6f24101ad6312301027b734f8a48fc960e9dda0cfb57011107928468b02f1abd9ebd33915611ea16bc5a34d1f013867efb6611fb5b078c9819169f8ffa2a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567069154241285.txt

Filesize
77KB

MD5
13caf3d453006f785ab2017266822c0b

SHA1
c32d7a7d277939f5a80037695818d4736f55928b

SHA256
395a89a741fa0b3d08bf0cf1680c0240f0b3d3c0150ee949fc428e176ee0e3ae

SHA512
dd03dc94db030ede8f937977c313fd548fb37d6b2c8cf6826193d69443967e0ef15a28470a7877035fbc253c4e2a7ad2c8a6b9515a6e3fcf361acdd1ebfbe46f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567075293693573.txt

Filesize
78KB

MD5
1b114ce589187b3334721d0365a6d4d2

SHA1
48e51597fc2fcbedcbab04ea75c609074e15df1a

SHA256
d24ab97485eb1a66fd7a4ec2a900fb2c1c43aa0c05b8a63bd28eef1971f0dee2

SHA512
995749625d7b6645f1e09518e24b5a0cb087a67214e2a76ad370b6f694a9a6c286ce8af4fb7c70214792a9739b16a39582b7ccd5d0b5c7d06878418797b4a637

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567075731407361.txt

Filesize
79KB

MD5
3abe397a294768a69e70bd5c93bc50fb

SHA1
f209efa292b09428ee1d9f734bc4718567ad3a2c

SHA256
882bf308fcb7562a7456762aecdf1c019dce07b084ef13a80058ef72cbd6a882

SHA512
5481943c517f4afe92fe6ee992a4f87dde372e3d9cccebc7c6ceb3a31d61e6b38e53f15d66ab31d08f5e3c5e13e88d4b8c2e87a697c02c8fd354d31d62900d31

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567076108285244.txt

Filesize
85KB

MD5
81d12416b136461b69b83b33ed8549ec

SHA1
1bcc6c268df927bc8ec537cd99d134d74e9e7451

SHA256
c6d9244ff948229fb671357f3805e47abed57584b94a2c553d25906c23aea083

SHA512
d68237adfafdc29c963ce3f7ee010fcb914c100d5d4380611101dcb03a2f4a1c0977dbd30adbe05f7818106106b5d838efb92e5f926f729d668cd6da7875b771

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567076671400498.txt

Filesize
96KB

MD5
6bb6c4b21accf91816c00f878794d058

SHA1
5c7269ea9013bda47f60980b4e593b6c730be082

SHA256
b4d242a7604d730d53691b248bcefb713f0f6a8976008c761794a1df689bb4de

SHA512
1eaf1fbc8b6dd3f8a2f430f434606402ceb2998b9cf43992d235c58f056e75f85baf6b8dd2601a25eae7586a6158043b4e09cd26ac02f7d83c30c86aebc64b9c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567077355854971.txt

Filesize
96KB

MD5
70e63fe19bd0653770ee55dab5478d90

SHA1
c10ccc8d686632372b18fb5db29fefd4d4aad0f7

SHA256
ddb03f2a6769fbda4c4e1cb025284f7e10cef7e7d7f65696483e1df0f2cb5f34

SHA512
32a7c3fe2232351aaed2975488b8d0c80111917abcc1c4ab421e2552bd008cee667f308b07226f96e13dd30d22542d26dd6cc2ac55099ed647db7989205bc04c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567077421784453.txt

Filesize
97KB

MD5
1d7ec0e0f2607773fcdec213619b6e90

SHA1
5d28f4dd1c994525c0a5cf5cde17dae6de106ea6

SHA256
585d63f1b5479ea13b6162fb86dba0dc4dbf06136c4371ef1a67b2775db1aa8a

SHA512
4fff0798b6ef61c01d2fd481f5201286773f8690f086278bee5a96baa895a770d57a45d4a1f81c19bf0e489509f16af2bc37f4cf51c6fbc8cf43b81e50a4e73b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567077722094788.txt

Filesize
97KB

MD5
474fe6f10d01180e2946d8d9dfe463ff

SHA1
5ba08ff629c8e2724ca7b725965caa1c15657bb6

SHA256
74207742f0481afd8717dec1de08176208e4b26c0a07f07d0053fee78a4cbb04

SHA512
ff66a6c778328a1c8252f252b98bba1f6e61ac41c97c6608eb26112c804596bc283ae73db46ca773414e9a4bf274791f6dcff48e952da43603359dfb90df2dee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567079126118172.txt

Filesize
100KB

MD5
7d9a8028e9d608f05ce36302b0f103a2

SHA1
dbfcea745b59b818b3b213340f6504c5877eeba8

SHA256
07ce2011b33a0fd25be6dad74afa3bcb8640c38e465d6f0e4a01538cd99d0963

SHA512
d745ac055c22a0c00c3017c87f203784bdb1d4b8b50fbd00e1f536381b6a160ba9ba2237b1d132a037618361863b63cfb1bca30e1bc17026bcd091a1dc5cdb02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567079424663800.txt

Filesize
100KB

MD5
74ea69bdd83196f2e3381a4190c534ce

SHA1
b6bddb93bf5f636449395ae77ad49160154d3ae5

SHA256
eca92b688ae0b9ed33b587263763d9468396024dd2174c7422a42de335a5055e

SHA512
28fe6de5c30df8757bf4ec12703947bf49f7190795bce18dcab98d34cefcd55f6084ce6b4ac48cb1092709b18b04c18b46c19bc3a11416c2a4c86fd2dc3d55fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567079737472354.txt

Filesize
107KB

MD5
1c1e29e8378bf752a910dc316b65556f

SHA1
3d9127d54ecb60dd27f575e4f783908e3bbf45ab

SHA256
7d11b3cd52a535f9cbd6b209290d8173e9b08e112d41fce081a25d8a2ad0afd0

SHA512
b292b4965de358247297c2680a582db1619d15d9ff3c80c41ce8728ca830495b072cb9da4bb0d65ef9c721e6a843519a84f4e81cd1c2dea58ee139b999970dce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567080155598308.txt

Filesize
108KB

MD5
fc12601776dc489086ca76a930cd0b3d

SHA1
79a1649284dc333f97ad6e3cdbcead1303cb764e

SHA256
cf933cf2be561727dcb2406710cca49a066551d47f179b59e3a863d87faf2e7f

SHA512
664bfc143fa49374fb2b11dbe99cfc0d27242900e774f6a91b8b18142c6a072598512b9ab51cdcf1e138fed2116bbb99968f30a9e147ea08016973b4b4b6bfe1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567080454810812.txt

Filesize
108KB

MD5
298e4e9f1861ddd5ed97823e56c03560

SHA1
b4a7856bee0e453f6e76a54c20235436c6349824

SHA256
85c194cb11147b19453d3a5e60878066a7ae0a052b5894a5052c0521990ee694

SHA512
c4b15d1457b7bad997578f62bd686433d685c79a3945bc13e3039007bb1217a247b33ba31abadbdd066daef9c7c0bd29000b3ef8491e28d2efe1f9940b93e30f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567082663844361.txt

Filesize
108KB

MD5
987dab03a6ba1a90da4931b4738a5da1

SHA1
09dac53008e215b6843ccc04b3c1728ffce12edb

SHA256
5b0082ed7e48bc7aa9148d4ceedd251b6fac0a94858bc5341c3209ec6dbbf6d5

SHA512
7fc6cfb252dd1616460ee90227a4f7558e125e1cb9b840d307752397ce2cbb8e8c64b80ffe969998216f3977fece5d20b697c3ae72cb19922bc99e39476e6f6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133567130470189804.txt

Filesize
108KB

MD5
adcde3d4035c0d9394d46250079e226b

SHA1
a97d97f174aea98fcc76a11c1c91ed64f7387ab0

SHA256
b23557ca0abfc7c267faef001781acb1d22ce7975de27ccf6b6d4646c12da47b

SHA512
dea67f8edd002eb10b50525cafec37dce18386fe40c74ec6b4f1d52090ff11850b17d778a535fdc4bee6ff15b74aca0c22f2a93de61bdb65d39dcb208e002af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe

Filesize
370KB

MD5
2aea3b217e6a3d08ef684594192cafc8

SHA1
3a0b855dd052b2cdc6453f6cbdb858c7b55762b0

SHA256
0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

SHA512
ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQXEN.bat

Filesize
309B

MD5
5dcb61cdba24951fa4883ec9d5b74c06

SHA1
ae16d61c9dce4388199204cdffc2a02267cb5ac5

SHA256
4890d179eb80dffa4037619d4aceb4e36e19e84a46146361e0c6c7227f730858

SHA512
89bd2cf83061b2afd205ac24bc5403265f5c23d0cda0b81a7c2bb7899e5ef4cb075ae28c6b59418f1f9eeac299ffece32b78efd34726cdb2f835c5d1644e046f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\AlternateServices.txt

Filesize
453B

MD5
76529c665f2304dfe7ff68b60bcd40d0

SHA1
59aff30728383571ea545adea3b28cecc91dcb8a

SHA256
cd90183397d2c3a04505f66249c9bc7674a3d3d23ac5d4a04c6d108acd9a46f4

SHA512
a858bd6a95130897c0438b1f4767098f6753262dee9e430e7f6e387d4ce175836bd7fc2f1d8674688ea6c61c4fd2ec443f315eb91158fc5c68c72d22a8625127

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\SiteSecurityServiceState.txt

Filesize
732B

MD5
30e0fada0251bff0a9e96dfce4e1940b

SHA1
09302417acc24e455eb7cd40ded1e355da2428be

SHA256
8d8ac4ed32e1a15af06539b831273289f78bb1a04412782ccacf5374230e3963

SHA512
4955fee71ac0dd346905bb40cd4a7b79db2e7a97dc063b35fa85d656fbec187f08349b1b89f67e107e5616ccee6f1011d6ed8e499d18bc6b9fdca86edc5b472d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cert9.db

Filesize
224KB

MD5
164ed141e80b63420acc17cddd722865

SHA1
ada69668f29572ef4d1d643f4d6ce92a3db6e448

SHA256
ad3564e71593a346e6e37ed874976fc889a11ba61a48602e68c89a5c9fcb04c0

SHA512
930363e7fa2c31cbba2945c25605509dc2cb46f890572a3eda3f8b4f4499ed0aa55d17932e04e8d5c1facf9fcbe1a649cf64deaf00d4a3fbafbbbe92cd5db354

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f1689d567636892bb4199b05a9bd8e14

SHA1
928d149e67731583486bce43b48e0443d888a7c7

SHA256
dfd248ff5d787028bddd2fa6f181a2bd1bc0c4dc8752264535ce984df5f5d28b

SHA512
d692907e7e2bfcfd6a40d74fc888bfd8f642c10707d7788da6910a4aaf60034ef893380897832980aa84aa0f63319b183aced3aeb402abfc05b60c476c4f6d44

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\309b9cd8-43ee-4dc2-bb66-6f1bf637593b

Filesize
746B

MD5
697dd66e6f3ffe56907f4c93cbeae703

SHA1
83e28510d539105ca59cc09b0f0ac3fc676f5ae2

SHA256
30bbeacad21ae170a6c5b9b6bd7f9b6d34badcc8df8afcc286a32dc30f98fc18

SHA512
5bbfa7a9b39f23ab87045b02f74d5e8e92255629b3033d569a84b23ddfdf3070d6930d3c55178c1a4c751d2f51c897001011bf120073bec2bdefbecbd5ed0096

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\fedc06ad-486a-4d9a-ae82-3726649a9439

Filesize
10KB

MD5
5f48d6a970caa75a378f8b2ae353d4cf

SHA1
6d54eee8d1e575ab80ab24217fe8bbbb6fcaf68e

SHA256
bd56c22d02d9897b87d1cd3833d4acd8a4ead97669e3e210268fc7b01c3bdd03

SHA512
39e36060f1778b255687628058c02d0e91fc955c4474bdfe301a9321ec22729a0b1211e7d0f2ed6728a67e15d57546813e7e72837dbb00092c8fe7af69f3c05f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
19KB

MD5
50895af1d38a4b785e6625e9ea120dd2

SHA1
6b5a58b22078913d91c63c5a2d29143f22188c5e

SHA256
28b134d57a53d7a7992813edee8123ce9b199bcbd1f511778be3df8136cfb64e

SHA512
dd0776da081939c9da307441a007be78ebfd6f355b20184397f9037394622b985c27773714fdf3d70fb0e6ce1d0005baedd0b55aaada31b1557be39878bb0b65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

Filesize
6KB

MD5
b675c0a20f1b5f9edc2955327b46d33b

SHA1
1e2011a375492704e05b20dcd45a524c054bb129

SHA256
612ce7d5bb44baee0bf487ea47346ea6ff70de651f0271c21568d891132a9598

SHA512
5c7af27a1b6b92c3ed751c401311b6bb59468c53f200d9c394f660ddd9a659b6df5305402750b53515f23aa919d61169c20223afc9b870a3a2b040f40bdb6412

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

Filesize
6KB

MD5
84474c64bb31814a2213ffb5477c5b40

SHA1
fcb3346bc0f0d49dc1b4972b50db09401164dcd9

SHA256
c37ce395c29c78f92cb342237f9fbf8f65a7c8ef4dcc7ae9c60dd9d784f2075c

SHA512
bd6a88a947082a4fbe158cc04accb0dd1ace567cbefa6d2d0de563dc8f58bb063151626c7cc85b2cc25457d0d16ca2088c0473663330fb7be8e031f23eae1954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

Filesize
7KB

MD5
ae74de9d1262e0681349dc4f3cf7076f

SHA1
8260bc07703207655441cd64881e3c4639e17607

SHA256
1961e00cbf64115dc900ea74256bba351e10694ad3789685705df39ecac3253f

SHA512
79d6bb133920db11920d01b1344ff31c1de58e4ddb929acdc44f23330110f6ebea0c7630ed64ba25d8b892c23da9c146618aa46119b6ba973a0357ad5bf873b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js

Filesize
7KB

MD5
8d2c7b9b63cbbc98e2060bdd25f7d410

SHA1
fff534299da6fde1b06ddcb3146b9d716ea4903f

SHA256
c933f23e654981b80ff192f0d990b4ccd54b46063843b0ccc4672f069c56e841

SHA512
d69fef3dd99d074c31b4423a39801098f655182866bfe5ecdc4bfefcba7bf3ab9571b9ce5d57c660c0a41d28eb64446bbb3393bd42b27767de077634d30f448c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js

Filesize
6KB

MD5
2be77b1d5631775f9e1789d7a6812851

SHA1
40e017353d9416e4e7f876e1eeebfbf5137c33bf

SHA256
483ef9d8f85bcf6c17589cd0e65bf46eb36a267c4750778d29d654387913938a

SHA512
5947606d22c2f3e3c3872c10a9233762a700ab9538f8fc82f7cb33c33bf7366651cf7648fb45b64808479152020b63856654cfea3e2d8d8beeb91bad771365be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
1b2a57f14150835e0c962f0d46da6df1

SHA1
b7955275453f593e6d9a8a36e8c94ce915cca5e4

SHA256
d738d89c367bf1e6c6323b833180fccf257fc9472cc3c19aab30363c723961ad

SHA512
36c37f92df292b8ab2cd7891ab92c6043b9ece03975bd35ca06a769cb8122edb87c92af27042b7e4b6ae95016b70e909b6d52010c19a4180a5f1b82b9614e8b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
33f331be99b6ba759283df612be54276

SHA1
146b80875dface29cdba9c53163af455583b4d29

SHA256
5a28659b7499a2fc9c9a8c6aa03035b30d8f89e2315c6c4c223b1b67c5b76c9f

SHA512
c83253efd2fc507654a0ce720b276c15eb36840a444d758b9dec28080cd34d13873fdcef4a53e62cd2d2bd36c06d389aad2e268d95e84c27a9fb95fef0a1ae2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
37cbbdb10ff58f789f5b362da9c8d7fb

SHA1
b619528c6d260295211cdd8409bf18f566ab13e9

SHA256
4c69366fdbc6b85b0df7a86c5029dbd1ccdd6c7434c3b56dbe61be754eb5872d

SHA512
c064518bf137a8f8fec3ed600ac02490a26c393276e85475d7844c500c471edef2d0f8d285cc97f06bd5a91bffbc37327848b8c875caf2d471201be85d4d9763

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
543730ed5aa920b81cde6368e9dac26f

SHA1
ce22a595227ef56de63dda9a181f18845a4dfb67

SHA256
bfb147017350ff534b6f16f607273ea19b5a45f3236948e7215b1f116fe91e74

SHA512
528ecd3d09ceb9ce76b7e5224d2875ac1c4d44efd3b4dd908d91466044d6fc186364af781b07c04dd43cf0c8b333dc2159e9e9a5e7f6921173a92616647c964f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c41440651e2475b8ea0d54de63adbf98

SHA1
885bad678b1965cd3d70f73babddd554417755d9

SHA256
e837a1ed781d5657f2e7e00c2bf97432e6ec20759e094d6c63c10ac60df6bd82

SHA512
fddf7a072bde905ecca5f5ac13f3e8eac0a92b57ff4bddc04a916888fc8cf410b47d4cad1f55dad728eb11e07d06b68fc10b7316318f2d4c27654983485211ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c7fb8494cc53e83be5b595c9129a5aad

SHA1
924de44a9770a7ecf24c9c9bd4ee2c8c8ddc16e8

SHA256
e18bf1576332c00981b6875c5b84f1f41503f06589ef80f6053abd6b30831271

SHA512
25a409ffd5f5df571eb8dcd3a4197a1bb3c8ff54fe5ccc6f2118b8509e35377f11b1367271eb4235d40a77bc6645a3bf6a9800cdd93a6959a8cc589f30390a9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
52f594b4b9b93c1feb632d248b376b35

SHA1
432bb415243c591b475ab20050d2cd013a43889b

SHA256
0e0d771561daeb6b2ab8a7f26e7ec42ca142bb021ece80c9084331849bb5a56d

SHA512
404db809b18fc99eaefe753d705e4c53820ae6d2c46729ff7f59398e4a7916471f86dba96221c96e318ec685a50b9d26255f61817cda117f6f4084f88bba0d5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
5b302c260dc63db64c114d85e5fe3847

SHA1
c23948ed20f8ded3a2e1af54b43d04b4fab6c695

SHA256
0cc7474ceacab11e84c452b62ee901a754b70dcf21b33245f8631b7ba633fa0b

SHA512
65d271f988c7a6fa4c6c5e32e831f07d1711fce6de6905b3e8cabd9ab17ed79ae0f7f2dd1b1b063951c3baaa0a6f781d60f2bab8eb973ff2c609903b9c18fc53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
131dc301f865ab135d53d836097f8ab6

SHA1
6553dfccb1c5329c2937c41baf5edf83a47fd85c

SHA256
fd1f5d5423af8579ed783b3c6ebca8e2c0642f407535552cbcbaa7ec441646b4

SHA512
29934de25e70ae81fc5bf0995502a1c3e5b6c207ee5f8fc70af65fc2b81d31c3112b91acd890ec0aa6c9f5e494b93c3e9d3d2a86c9668eee8bb8c1fc8f9f1638

Download Submit
C:\Users\Admin\Desktop\SearchConfirm.sql.fun

Filesize
582KB

MD5
a650e42ff0f281a3d234ccc767bfc1dd

SHA1
6ac0d158053f02cf74ab3fb3b84ebb5cae5c5e5a

SHA256
2c49f896eba25a6a96e2e108cb4a069e431c1907460221c0f01358d1bbf472b5

SHA512
3d50214579200c8b2c69fd124607682d1949c9f241a11072d418ea194c71aff6b1c61225c79379f70e43d72365f1d834a55c4b63416ceedcf16747fa28136af0

Download Submit
C:\Users\Admin\Documents\Recently.docx

Filesize
30KB

MD5
70371a96465900ad39dff1c18ac78baf

SHA1
7aaf558cfaca2a9b9f5ff4c899f80a2edf124471

SHA256
a6ecbd097a7f4bfe34b37d6ca7408fe03437ae2a9de5b8e1ae325cf892e44b3d

SHA512
d4acb5a020dce22865d79563235d839f2ece373c229ca502548f93089423814666920a1413ea8ce7afd9462a323402bfd3e3cf4a36518207bedd085f9f29a1a4

Download Submit
C:\Users\Admin\Downloads\Ransomware.I2GAOykD.Vipasana.zip.part

Filesize
79KB

MD5
30375abc91fcf4adc356ec28f9e01f02

SHA1
2d05ead8dd5bce8e4cb5582880a6fcd1dfe35e40

SHA256
c818146b0d9ea3d74deef2c57b0a8cf8abb1575664b58d0881627eb3ccae0aaf

SHA512
c2335314bdc08494da98709de95f1949fa2fea5426b65e8aa0f7c93c5316edb9f15375ef482ed901c1eee4c259c19d0d71f20af7ad16ed56221804e04f147a4b

Download Submit
C:\Users\Admin\Downloads\Ransomware.Vipasana.zip

Filesize
638KB

MD5
8d2c4c192772985776bacfd77f7bc4d9

SHA1
3b923b911d443e321e551f26c9588b16a994d52e

SHA256
1733b199a7063443c167e3caeae7dda2315f590341ea2152a9b132e1ad8e94a8

SHA512
6c24f2fe498cf38e3f3d66b62915e6fbc8c2746a1d4c3c3de270f994b02e1369b9540099c12d150712574ececbe63c8c9f28877d8aa4557fbbb7890d5a0de6c1

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip

Filesize
2.3MB

MD5
5641d280a62b66943bf2d05a72a972c7

SHA1
c857f1162c316a25eeff6116e249a97b59538585

SHA256
ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

SHA512
0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

Download Submit
C:\Users\Admin\Downloads\Ransomware._5z6lniU.WannaCry_Plus.zip.part

Filesize
124KB

MD5
d1b541b6b0237b6f1b2c13c165078699

SHA1
cb3aa6f4130b6304e64269b74ee869d517b42fd3

SHA256
ca8c6fbb440c4a4386db1549a3216279c19c1e12b8fe7f4728c86a8052676dfc

SHA512
e53ea2c68f219b44fa6fec51eeb77aef248ba4e49df843f39c8fcaca37671241739daf94cee57f5b6ae56a503b5ac282b88e5e293bc7bf2196141b211b932adb

Download Submit
C:\Users\Admin\Downloads\Ransomware.uiuh9Qcm.Jigsaw.zip.part

Filesize
239KB

MD5
3ad6374a3558149d09d74e6af72344e3

SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620

SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

Download Submit
memory/2044-2377-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-1033-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-3696-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-1653-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-6116-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-6107-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-1903-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-1507-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-6106-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-1429-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-2543-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-470-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-2610-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-2718-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-4794-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-780-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-2760-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-3021-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2044-1290-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2676-465-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2732-6216-0x00000204A9370000-0x00000204A9470000-memory.dmp

Filesize
1024KB

Download
memory/2732-6200-0x00000204A9270000-0x00000204A9370000-memory.dmp

Filesize
1024KB

Download
memory/2732-6169-0x0000020494D00000-0x0000020494E00000-memory.dmp

Filesize
1024KB

Download
memory/2732-6168-0x0000020494D00000-0x0000020494E00000-memory.dmp

Filesize
1024KB

Download
memory/2992-1584-0x000000001C4C0000-0x000000001C98E000-memory.dmp

Filesize
4.8MB

Download
memory/2992-1583-0x0000000001830000-0x0000000001868000-memory.dmp

Filesize
224KB

Download
memory/2992-1585-0x000000001BEB0000-0x000000001BF4C000-memory.dmp

Filesize
624KB

Download
memory/2996-6163-0x000002262E2F0000-0x000002262E2F2000-memory.dmp

Filesize
8KB

Download
memory/2996-6164-0x0000022636020000-0x0000022636022000-memory.dmp

Filesize
8KB

Download
memory/2996-6128-0x0000022630E20000-0x0000022630E30000-memory.dmp

Filesize
64KB

Download
memory/2996-6145-0x0000022630F30000-0x0000022630F40000-memory.dmp

Filesize
64KB

Download
memory/3536-6123-0x000000001BF10000-0x000000001BF82000-memory.dmp

Filesize
456KB

Download
memory/3536-1792-0x000000001B090000-0x000000001B098000-memory.dmp

Filesize
32KB

Download