jigsaw | 5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037

Analysis

max time kernel
99s
max time network
462s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe
Size

676KB
MD5

c1ed709a4375516d25889357d0660f00
SHA1

3f16cd69f3772b9aa51ff2b528f95227e7caed6f
SHA256

5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037
SHA512

215cc02a53e3d0eff52f511c516fd5d87726926984e84cd18a7b35c3783792a0ee050e736f2c72bc28d42f1975bb6314d9f0f9e28766839db257c7c500c81ac0
SSDEEP

12288:CDWaTyXxfuXcaUl32k9ozkqkArFWt86fS9Cx6XK:CDWDfhai32k9631rFHYS9h

Score

10^/10

jigsaw persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\chrme\chrome.exe

Ransom Note

MZ��@�� !�L�!This program cannot be run in DOS mode. $��PE��L��^��"�0�� @�� @��O�� p�� |�� H��.text�� `.rsrc��p�� @��@.reloc�� @��B��H��pP��]��:��<��{�� *{�� *V(�� }�� }�� *��0�;��u�� ,/(�� {�� {�� o�� ,( �� {�� {�� o!�� **� ut� )UU�Z(�� {�� o"�� X )UU�Z( �� {�� o#�� X*0�X��r��p��%{�� -&+��o$�� %{�� -&+��o$�� (%�� *{&�� *{'�� *V(�� }&�� }'�� *��0�;��u�� ,/(�� {&�� {&�� o�� ,( �� {'�� {'�� o!�� **� i��u )UU�Z(�� {&�� o"�� X )UU�Z( �� {'�� o#�� X*0�X��r9��p��%{&�� -&+��o$�� %{'�� -&+��o$�� (%�� *6((�� (��*R((�� o)�� (��*z,{��,{��o�� (*�� *2s+�� }��*�0�� p��(,�� (,�� s-�� ro��p� ��r��p��r �p��r/�p��%~��(.�� ~��(.�� rc�p��~��(.�� ~��(/�� -~��(0�� &��r�p��2��r��p��(1�� r��p(2�� *6(3�� (��*z,{��,{��o�� (4�� *�s+�� }��(5�� s6�� (7�� r/�po8�� *�(3�� (��{��~��o9�� {��o:�� *�~��,*(S��-*��(��s ��(;�� *(V��**z,{��,{��o�� (4�� *��0��s+�� }��{��s<�� }��(=�� {��o:�� {��s>�� o?�� "��A"��As@�� (A�� (5�� m�� B��s6�� (7�� sB�� (C�� r;�p(D�� r/�po8�� s>�� (E�� (F�� *6(3�� (��*�0��(W��oG�� +b�(H�� rY�p(I�� (J�� ,%{!��oK�� %rg�p�%�oL�� &+#{!��oK�� %ri�p�%�oL�� &�(M�� -�� o�� *��oz��z,{ ��,{ ��o�� (4�� *�0��sN�� }!��sO�� }"��sO�� }#��{!��oP�� (=�� {!��oQ�� {!��oR�� b��%{"��%{#��oS�� {!��oT�� {!��sU�� oV�� {!��rq�poD�� {!�� R�� F��s6�� oW�� {!��oX�� {!��sY�� oZ�� {"��r��po[�� {"��r��po\�� {"��o]�� {"��2o^�� {#��r��po[�� {#��r��po\�� {#��o]�� {#�� o^�� "��@"��PAs@�� (A�� (5�� R�� F��s6�� (7�� (_�� {!��o`�� r��p(D�� (a�� r�po8�� s>�� (E�� {!��ob�� (F�� *6(3�� (9��*0��(c�� (d�� (e�� (g��{*��}o9�� {*��o:�� {)��rg�po8�� {<��~��o8�� {<��of�� {+��og�� {+��($��o8�� {+��of�� {,��of�� {-��of�� {/��of�� {.��o:�� {0��of�� ("��, ��(#��*��0�'��~��r7�p(.�� (J�� ,*r=�p(h�� *�0�P�� (W��oG�� +"(H�� 3�2rY�p(I�� (i�� X (M�� -�� o�� &��*�� /<��LL�$��0��~��rC�p(.�� (J�� ,(j�� *sk�� (J��K��%(l�� om�� (��+oo�� +(p�� oq�� or�� &(s�� -��o�� ~U��%-&~T��k��st�� %�U��(��+(��+(h�� *��I�$m��f(w�� %%ox�� `oy�� *Roz�� r[�p({�� &*�0��~�� {)��~'��o|�� r��p(I�� o8�� ~'��X�'��~'��o}�� X.*{*��o:�� {<��of�� {+��of�� {,��of�� {-��of�� {/��of�� {.��o:�� {0��of�� $��*��0�� (N�� ($��(O��Zi~��1Y{.��o~�� {,��o�� {,��(�� o�� {,��r��po8�� r4�pr)�p(�� &rY�p(\��(T��+F1"{,��(�� o�� {,��r=�po8�� + {,��(�� o�� {,��r��po8�� #&{,��r��po8�� {,��(�� o�� *��#��2s��o;�� *��0�� ~$��1B~$��Y�$��~$��<[ ~$��<]{/��(1�� r �p(1�� (2�� o8�� * ��$��#��?~%��l(�� i{0��(1�� r�p(I�� o8�� ~%��X�%��(#��*2r?�p(�� &*2r��p(�� &*2r��p(�� &*2rU�p(�� &*z,{(��,{(��o�� (4�� *0�b��s+�� }(�� (�� s�� s�� })��{(��s<�� }*��s�� }+��s�� },��s�� }-��{(��s<�� }.��s�� }/��s�� }0��s�� }1��s�� }2��s�� }3��s�� }4��s�� }5��s�� }6��s�� }7��s�� }8��s�� }9��s�� }:��s�� };��s�� }<��s�� }=��s�� }>��s�� }?��s�� }@��s�� }A��s�� }B��{2��oP�� {7��oP�� (=�� {)��o�� {)��(�� o�� {)��r��p"��pAs�� o�� {)��(�� o�� {)�� sU�� oV�� {)��r��poD�� {)��s6�� oW�� {)��oX�� {*��'��s>�� o?�� {+��o�� K��%r��p�o�� {+�� sU�� oV�� {+��rA�poD�� {+�� s6�� oW�� {+��oX�� {+��r��po8�� {+��-��s>�� o�� {,��(�� o�� {,��(�� o�� {,��t K��sU�� oV�� {,��r_�poD�� {,�� s6�� oW�� {,��oX�� {,��r��po8�� {,��o�� {,��(��s>�� o�� {-��(�� o�� {-��(�� o�� {-��, !��sU�� oV�� {-��r��poD�� {-�� s6�� oW�� {-��oX�� {-��r��po8�� {-��o�� {-��)��s>�� o�� {.�� o9�� {.��*��s>�� o?�� {/��o�� {/��(�� o�� {/��o�� {/��r��p"��$Bs�� o�� {/��(�� o�� {/��, ;��sU�� oV�� {/��r% �poD�� {/�� Es6�� oW�� {/��oX�� {/��rC �po8�� {/��+��s>�� o�� {0��o�� {0��(�� o�� {0��rO �p"��@As�� o�� {0��(�� o�� {0��/ ��sU�� oV�� {0��ry �poD�� {0�� s6�� oW�� {0��oX�� {0��r� �po8�� {1��o�� K��%r� �p�%r �p�o�� {1��(�� o�� {1�� sU�� oV�� {1��o�� {1��r� �poD�� {1��og�� {1�� Xs6�� oW�� {1��oX�� {1��r� �po�� o8�� {1��.��s>�� o�� {2��(�� o�� {2��(H��o�� {2��sU�� oV�� {2��r� �poD�� {2�� s6�� oW�� {2��o�� {2�� o�� {2��o�� {2��7��s>�� o�� {3��(�� o�� {3�� -��sU�� oV�� {3��r� �poD�� {3�� s6�� oW�� {3��oX�� {4��o�� {4��(�� o�� {4�� sU�� oV�� {4��r� �poD�� {4��@ s6�� oW�� {4�� oX�� {4��r�po8�� {5��o�� {5��(�� o�� {5��rO �p"�� As�� o�� {5��(�� o�� {5�� sU�� oV�� {5��r$�poD�� {5��}s6�� oW�� {5��oX�� {5��o�� {5��r:�po8�� {5��,��s�� o�� {6��o�� {6�� 1�� K��sU�� oV�� {6��rb�poD�� {6�� s6�� oW�� {6��oX�� {6��rp�po8�� {7��(�� o�� {7��(B��o�� {7�� sU�� oV�� {7��r��poD�� {7�� -s6�� oW�� {7��o�� {7��o�� {7��o�� {8�� 4�� -��sU�� oV�� {8��r��poD�� {8��og�� {8�� s6�� oW�� {8��oX�� {8��r��po8�� {9��o�� {9��o�� {9��(�� o�� {9��rO �p"��pAs�� o�� {9��(�� o�� {9�� H��sU�� oV�� {9��r<�poD�� {9�� s6�� oW�� {9��oX�� {9��rJ�po8�� {9��/��s>�� o�� {:��o�� {:��(�� o�� {:��rO �p"��pAs�� o�� {:��(�� o�� {:�� sU�� oV�� {:��rh�poD�� {:�� s6�� oW�� {:��oX�� {:��rv�po8�� {:��o�� {;��o�� {;��(�� o�� {;��rO �p"��pAs�� o�� {;��(�� o�� {;�� sU�� oV�� {;��r��poD�� {;�� 6��s6�� oW�� {;�� oX�� {;��r��po8�� {;��0��s>�� o�� {<��o�� {<��r��p"��\As�� o�� {<��(�� o�� {<�� sU�� oV�� {<��sB�� o�� {<��r �poD�� {<�� [��s6�� oW�� {<��oX�� {<��r& �po8�� {<��o�� {<��2��s>�� o�� {=��(�� o�� {=��o�� {=��(�� o�� {=�� V�� G��sU�� oV�� {=��rl �poD�� {=��y$s6�� oW�� {=��oX�� {=��r| �po8�� {=��o�� {>��(�� o�� {>�� ;sU�� oV�� {>��o�� {>��r� �poD�� {>��og�� {>��o�� {>�� s6�� oW�� {>��oX�� {>��r� �po�� o8�� {>��3��s>�� o�� {?��(�� o�� {?�� "�� d��sU�� oV�� {?��o�� {?��r� �poD�� {?��og�� {?��o�� {?�� s6�� oW�� {?��oX�� {?��r� �po�� o8�� {@��o�� {@��(�� o�� {@��rO �p"�� As�� o�� {@��(�� o�� {@�� sU�� oV�� {@��r� �poD�� {@�� s6�� oW�� {@��oX�� {@��o�� {@��r �po8�� {@��5��s�� o�� {A��o�� {A��(�� o�� {A��rO �p"�� As�� o�� {A��(�� o�� {A�� sU�� oV�� {A��r>�poD�� {A�� s6�� oW�� {A��oX�� {A��o�� {A��rT�po8�� {A��6��s�� o�� {B��o�� {B��(�� o�� {B��rO �p"�� As�� o�� {B��(�� o�� {B�� sU�� oV�� {B��r��poD�� {B�� s6�� oW�� {B��oX�� {B��o�� {B��r��po8�� {B��4��s�� o�� "��@"��PAs@�� (A�� (5�� (�� o�� j�� s6�� (7�� (_�� {B��o`�� (_�� {A��o`�� (_�� {@��o`�� (_�� {?��o`�� (_�� {>��o`�� (_�� {1��o`�� (_�� {9��o`�� (_�� {:��o`�� (_�� {;��o`�� (_�� {=��o`�� (_�� {<��o`�� (_�� {8��o`�� (_�� {+��o`�� (_�� {7��o`�� (_�� {6��o`�� (_�� {5��o`�� (_�� {4��o`�� (_�� {3��o`�� (_�� {2��o`�� (_�� {0��o`�� (_�� {/��o`�� (_�� {-��o`�� (_�� {,��o`�� (_�� {)��o`�� (�� o�� (�� r��po�� t��(�� z�� s6�� o�� r��p(D�� (a�� r �po8�� (�� (�� (�� &��s�� (�� !��s>�� (E�� {2��ob�� {7��ob�� (F�� (�� *��0�'��~��i.+�(Q��s��&(�� &��*��##��(�� *�~C��-r2�p��(�� o�� s�� C��~C��*~D��*�D��*j(<��rf�p~D��o�� t2��*j(<��r��p~D��o�� t2��*j(<��r��p~D��o�� t2��*j(<��r��p~D��o�� t2��*j(<��r��p~D��o�� t2��*j(<��r��p~D��o�� t2��*V(<��r4�p~D��o�� *j(<��r\�p~D��o�� t2��*j(<��rj�p~D��o�� t2��*j(<��rv�p~D��o�� t2��*V(<��r��p~D��o�� *V(<��r��p~D��o�� *~E��*(�� *VsL��(�� t��E��*��0�x��~F��r��p(I�� s�� o�� (�� r��po�� ,o$�� r��p(�� ,o$�� s�� zr��po�� r��po�� r �po�� r�po��+*0�e��~F��r(�p(2�� s�� o�� (�� r��po�� ,o$�� r��p(�� ,o$�� s�� zr��po�� rJ�po��+*.rZ�p�F��*��0�M�� -(I��(�� &*9��@��r��pr��po�� (�� ,j(J�� ,bsl��(�� (�� o$�� }V��(�� m��s�� (��+� d(�� X ,d2� ,��(�� -(i�� 3~ ��~��(�� &~��,(�� *~�� ~��,B(,�� ~��(�� (.�� ~��(b��(�� ~��(�� ,*(�� (�� ,*~��(R��,(R��&(�� r��pr��po�� (�� &(�� *�(�� (�� ,*(�� o$�� (0�� &(�� (�� *B(�� ~��(�� *��0��~��-(�� ~��(e��sk�� %~��(�� or�� &%~��(�� or�� &%~��or�� &oG�� +(H�� (/�� ,(�� &��(M�� -�� o�� (�� (�� r��p(I�� (�� s�� r��p(�� o�� , o�� (U��&�(�� *4��[�l�$��Q�)z�� 0��(Y��s�� (�� ~X��%-&~W��p��s�� %�X��(��+o�� +o�� rY�p([��o�� -�� ,o�� ~G��(J�� -~H��(��+~G��(�� *��:�W� ��0�9��sk�� ~G��(J�� ,%~G��(�� +� or�� &X�i2�*��0�s��~��r(�p(.�� (/�� -(0�� &rR�p(.�� s�� rj�po�� ,o�� r��p(.�� s�� r��po�� ,o�� *��1� >� ��Z� g� ��0�p��sk�� (E��K��%(l�� %r��p�om�� (��+oo�� +(p�� oq�� or�� &(s�� -��o�� rY�po�� &*��2�"T��>�sw��%}c��*0�H��s�� }g��(Z��{h��%-&��s�� %}h��~Y��%-&~W��q��s�� %�Y��(��+~Z��%-&~W��r��s�� %�Z��( ��+~[��%-&~W��s��s�� %�[��( ��+~\��%-&~W��t��s�� %�\��(��+~]��%-&~W��u��s�� %�]��(��+~^��%-&~W��v��s�� %�^��( ��+o�� +!o�� (]��,~H�� or�� &�&��o�� -�� ,o�� *��0��-= ��0�Q��(W��oG�� + �(H�� (I�� %(^��(i�� &��(M�� -�� o�� ~G��(i�� *��*��-8��0��~��, ~��o�� -r��po�� , �_s�� r��p(�� o�� %�N��(�� o�� (I�� (_�� ,o�� & ��(i�� & �**(��-�8e� ��qq��w��$��0�n��o�� -�bo}�� Yo�� s�� r��p(�� o�� %�N��(�� o�� (`�� ,o�� &��(i�� &��*��(�� 2R� ��^^��b�j�$��0�i�� s�� s�� o�� s�� io� , o� -�� , o�� ,o�� ,o�� *��(��)�!J� ��9T� ��K^� ��0�i�� s�� s�� o� s�� io� , o� -�� , o�� ,o�� ,o�� *��(��)�!J� ��9T� ��K^� ��~~��r"�p(.�� G��sk�� H��*0�"��,3�~��(d�� &(c��(c��*��~��-*(,�� ~��(�� (.�� *0�#��~� rN�po� -*(�� o� *�0�#��~� rN�po� -*(�� o� *^o� ~K��(f��&*2s � �K��*.sj��T��*( � *^o� o� {V��o � *.so��W��*2o� o� *"s� *Jo� o� o�� *o� *6s� s� *Ro� o� ��j�*o� *z(�� }_��(� o� }a��*��0��{_�� , ;��*}_��s� }d��{d��{b��o� 8��{d��o� }b��{b��(� + �{d��o� X �i2��(� o� ��{b��( � �(� o� ��,\}e��}f��+5{e��{f��}`��}_��*}_��{f��X}f��{f��{e��i2�}e��{d��o!� =!��*��L�.z�$��$��{`��*s"� z�0�<��{_��3{a��(� o� 3}_�� +sw�� {c��}b��*(}��*{g��*BSJB��v2.0.50727��l��#~�� #Strings��,>��#US��Q��#GUID��Q��#Blob��W��? ��3��k��j��"��/�� C ��3��* �� J��}�� e� �� \�� 7��j�Vj��#j��j�2cs�y�� j�tj��j�qj�mj�pj�F��<c��y��]j��j��j ��$��A��u� ��>�� t��e�� =��$c�� c�P�� *�� c��A ��c��i� �� ]��?y�� f �� j�?j�� j�<j�1��+j�� j �� j��j��j� j��!j�~jc��(j�� j�� bj�tj��F ��`��[ ��G��j�(�� j�# j��j�5j��j��j�Q j��j�j� j��j� j�@j� � �� t ��j��j�3��`��V��a ��M��M �� :��=��=��mzM�� z=��_z]��z]��z]� ��e z]�$� ��z=�C�:��=�C�;��E�K��A=�F�N��<A=�G�Q��A=�G�V��A=�K�b��=�N�i��3 ��Y�O�i�!�J��=�T�i��=�V�l�!�J��=�W�n��r��=�_�w��[��=�g��! ��Y�i��7��%l��!�Fa�!�be�!�Fa�!�Ue��{�S��S��S�0

Emails

[email protected]

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Renames multiple (721) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	chrome.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows defender.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Wddf\\windows defender.exe"	5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_contrast-black.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-30_altform-unplated.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-150.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-72_altform-unplated_contrast-high.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ImmersiveControl_Button_Click_Sound.wav	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-30_contrast-black.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	chrome.exe
File created	C:\Program Files\Microsoft Office\root\vreg\powerpivot.x-none.msi.16.x-none.vreg.dat.WNCRY	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.HCWhite.png	chrome.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png	chrome.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml	chrome.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png.WNCRY	chrome.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	chrome.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\officemui.msi.16.en-us.vreg.dat	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\StoreLogo.scale-125_contrast-black.png	chrome.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml.WNCRY	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40.png	chrome.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml	chrome.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png.WNCRY	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-30_altform-lightunplated.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-150.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\WideTile.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100_contrast-high.png	chrome.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-white_scale-100.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-20_altform-unplated_contrast-white.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\iheart-radio.scale-200.png	chrome.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-125.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-125_contrast-high.png	chrome.exe
File created	C:\Program Files\Java\jdk-1.8\lib\sa-jdi.jar.WNCRY	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchSquare310x310Logo.scale-100_contrast-black.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-200.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileSway32x32.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-2.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-64_altform-unplated.png	chrome.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-150.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-100.png	chrome.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml.WNCRY	chrome.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management-agent.jar	chrome.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-400.png	chrome.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-200_contrast-white.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_RoomSetupDisambig_DeskScale.jpg	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-fullcolor.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-16_contrast-white.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-400.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20.png	chrome.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	chrome.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.scale-200.png	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-72_altform-unplated_contrast-white.png	chrome.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml.WNCRY	chrome.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-72_altform-colorize.png	chrome.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.WNCRY	chrome.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx.WNCRY	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 5068	2252	5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe	86
PID 2252 wrote to memory of 5068	2252	5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe	86

C:\Users\Admin\AppData\Local\Temp\5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe
"C:\Users\Admin\AppData\Local\Temp\5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\chrme\chrome.exe
  "C:\Users\Admin\AppData\Local\chrme\chrome.exe" C:\Users\Admin\AppData\Local\Temp\5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.WNCRY

Filesize
720B

MD5
6ca3c948e7d757d06a347cbbcd938435

SHA1
24f90deea92cbcd9c8272e0b7dc712107d2183ca

SHA256
9153202b6d3713731916df3192f6e89f6914fdf73103de398d46403ea4fa1ed1

SHA512
e5889822093c9446186c7dbf6b0092c9dedc47c90ae17afefb99fba7f963d59a141a9c1fb9f00df2c1188d857c50a83c03f7531c8884c6a48a144e1205a59bac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.WNCRY

Filesize
7KB

MD5
a612a1ca153321e1315bf7138deaede9

SHA1
5e257b4da48735a9d7b7075dd333255d9da40fe3

SHA256
9c02e675fae520439d2e17d611dc6495e45c7647912a292ed9c17553212cc896

SHA512
3784f749f4b190d5a0c00537c9f54272db5cdbff03e1b32e68fe7b343931fb72f97394bde519b7a9ecdd68baa15744dd2e03dad9039a822129242a02ba8419f2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.WNCRY

Filesize
7KB

MD5
d7ea380bbee72d80570c20e28d919434

SHA1
f37de5d4974245ad3d0fdd6ceb0b21ea151e0df8

SHA256
3b603fd9bebbf580eba7bdfc1c856eb34a537c2e4fa04aab954310852526ec06

SHA512
87b59fb1a33f56e5272500505a64b3a39848bad5705fa88933d4f86d878d8e7bdb032e39f4cd9f24efc09434de91d79c97423f153ee02f4da51787021b82fb30

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.WNCRY

Filesize
15KB

MD5
ff77ad92a36c43545035d2c7a1258d25

SHA1
0c6cdca6665bfc477b9db0eb9524683315a4a38c

SHA256
c3efa3f75f083944951058f20ad6132f2beb697051a682445f15d557841298e1

SHA512
a9dbb93c0900b2daba7c11609db904ec47d9aa0465445299b231073c9f4b73ae7f5411ad024b702e5398cb5d4c59182cb6cd6133734fd3b9de7783b4064cf51f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.WNCRY

Filesize
8KB

MD5
f6958603232ceac6f500a8147b1a59c0

SHA1
7532583168b31f67384d463c84d20224c13b8269

SHA256
7f59c6901e9498857d618432e8191244ca2956566b605a6164c003cea1867b51

SHA512
4b7883b78dbc48a3c8bd2d76ccbda645c69bcfeaccc8ae18594a05f3650ac2ca63d473c9487031022c25a4666f7a9e4497725c612e879ba41d64cc03a7fbe58e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.WNCRY

Filesize
17KB

MD5
f7a793ddcadefc367b1a95fc750eba3a

SHA1
63dc5cbfc85ac29b5b22b7b6c9b455f993b2105a

SHA256
0bf61c63acca0596fea352f3bf5275b67e15d670e84a01710d1de977f4170b36

SHA512
a7874de092872472b0023057ffdf33b43d05ed1a36e76ec1accaa3a84145b914867eca9a0fa773f578acfdcbc5b327b812e98eece0fb4db57a4bab9633deb6ec

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.WNCRY

Filesize
448B

MD5
ce3c3fcd1b6e5b2b5a232e0dc54481e2

SHA1
516bcd881b43af22276c2434df876781e6f5b2ab

SHA256
7b909b99e65750fead9082c88b96a47f549f6069ffe9b504fe5de4f780ae96db

SHA512
2bbdbf6bd9f8979115c841f54c21a885d9493f0d559da83103af37d460e65eca015e7393a3cd74e051091d8446631d61ec6d77b59bb91d4d9f819285f473b6ad

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.WNCRY

Filesize
624B

MD5
02ae5e4ff5e6b03d9a80eb59ee809b71

SHA1
5c051db3f0d3ade84d734dd7801c62e21e37675a

SHA256
a8f8862233a8fcf75a959e98fdb94f88d3240f44aafb3bff128078243cead012

SHA512
8e9f53075ffc0f57e85d5ee2d0adb2197117ca95dfbdcf9cbb267968ce373bed98f7642135dd83c59e27456d3ee7126ba339caf9cf6559708ab7d5ed058e680a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.WNCRY

Filesize
400B

MD5
0f91902056860423a57179f4b0b2de88

SHA1
7068dda4aedc111503cb4904b304fbd5255e55db

SHA256
f4b53909d47ebf968166f8b8e952506d9207fbb11e23c7ddb80dfe347dee145f

SHA512
b5fdf6c672bf63e9e7a30e4eeaa0e830104c0e8a58ae785431cdf225ce09ba1489b3d93337886f9c15824ca4b83d5d0d997c8a3f39143fc967a2a2c666470da3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.WNCRY

Filesize
560B

MD5
f056b50930cd41153d3262d5aaaf8649

SHA1
4e535f397cc1f05d29a59b6dd221e4602bf1b801

SHA256
dc61d8c7cd557ce8101d129fa13b6af01ed24fdbf8b0683eb7cbec9610b781a4

SHA512
bf9969f52baba022f2e6438759bf68a25e4b34e82cd60bf915f795db643e31e85f7e5f2ae404010da090cd7f673e038a4e6bc153498c3f0f4aa2864c9cf5aeaf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.WNCRY

Filesize
400B

MD5
07dfd980ab32a8e99eb8235be35988a7

SHA1
2f294fdb28d55b7a9ea07c9af1b3c74515feb743

SHA256
1e5ffecb0af2626fab3753aaf10d078bc713a1e649736b396785452321c8f9b8

SHA512
89d031b7f066ce1409df9cc3ddddb779d2d6b00bc5c1707aa02b565aa971cea41242a36c4e5c54606dc1f4ce06fdfec6ecd462c4d8174b8e8a4751fdae3a146e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.WNCRY

Filesize
560B

MD5
553fdf2733d3727ca294b8cebe4aa3cd

SHA1
c2da40a42990472a20fe462c68c6fcb6b02300a5

SHA256
65d41b1abc6c4293ad0224600985259de967a27886d316e496f92eef98b321c0

SHA512
4ee7f631a24bf3e3f37b67a536ae418d10bbd8276ff1cbb294ea29772deba6f870c55ed5001dd2f40399f1726f865e836b861750a31acb577e600ea63a2fafea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.WNCRY

Filesize
400B

MD5
58197d4ca83316602fcd779338c61169

SHA1
5a7797fc8ddd14e460eca118b5f856ee66586ec4

SHA256
8fea5658a2d0d1c2d50be98a45f04244c284988a732ba5ee9071bfe10b999c8b

SHA512
823dc1401a139a79c717ee63c1df993f615105c93abc1c857869a3435d851e13bd74db2454c219defb94809194bddbaaadea69ac0719aa97f36858d5e76ab17f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.WNCRY

Filesize
560B

MD5
a2ed565ce2528828055be8fe24995252

SHA1
94d175ea415d5b24d3a18b73a11f474cbf42d8af

SHA256
bd1dcfdea516600079dcb6d33dbd3e62dc9a5a9e8186662346b8676dd9b01043

SHA512
1a537b894f1bc5ce6fd49637cb3f8b59a2596ebab67851a4c21507782a7abb26c1445eaca901f6772d6b7cf991550597341774109e541cd266d9ded85e497339

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.WNCRY

Filesize
688B

MD5
81a4dabd6a90e21ee4fc73f5d60efc18

SHA1
b1e2c93ef01a1bccced7533569875d3341d3b964

SHA256
10c8fddc627559947566443ee297e6eeeaf4707613b105a3a6e8edef64adb9a4

SHA512
3e8afdfd36f88ecce8c2050836310a0f4b4df11d04c9ce034287cd79a0af03df93aac8965bcab5f0a23e3bb97864306fafd7966a538c4f2c1715854a1ffa9ab4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.WNCRY

Filesize
1KB

MD5
a7cefeeb8d29f03c5d6564cfe7562497

SHA1
8971340ab9fe23a819cc6153ccb193afd7a2b5df

SHA256
c8a652b2e78c61aebd4caca556906b59f713b7d8bb841d8dc6ce69d182b01b26

SHA512
b2a0ee3b728882f468105a9ec3e05fcb8c6e027cb584a6e95f782fe1c55147ef1260f443cedbd1e3328eddb5f5e277f13299ef03922c7dd1db4d1b57b6b1a43a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.WNCRY

Filesize
192B

MD5
9b682a160d93639c61bdc046f5b0dc30

SHA1
8aecc1f2269df93a38188aac6f5e2882a73b68a3

SHA256
f938c9c5fdbeeee16c35f43733e52646b3685143804457f3ae6cb19ea8d197ab

SHA512
e31efc902d28b1b4772c80513e4f3ab89961cb2e7e0c3bd9d1031fdafb2065a9a1b0538ff77f3879f0a5bec2ffb2c9a31e6c8ce3c635548b9165f3cf997689eb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.WNCRY

Filesize
704B

MD5
cfa87d6b32b722102e6c32177153a125

SHA1
9999a98f19457bd701095d90bac1ed1630ea9496

SHA256
5e25b15b3f0f845e5072fee751fadbffc49d6fa4ffe05d0f40c338741aa22dcc

SHA512
1a671f87ffa32c527b6b578ce3eed80170bce94f8a69d1be74522daa72f4d2959f35df91a5ca3adbc2c40e1e8414054e316f6b7a0695d59a5c3b10288d493a75

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.WNCRY

Filesize
8KB

MD5
e36b78b55205e4ea06faa9bd4a22f026

SHA1
12ad757081e795a875a09c89382aae6c35688328

SHA256
3e82bcd85ba57cbc781caef9ea710da550ac0dce89a2a8886d4a24d291400457

SHA512
fae7771dc947fb07ba523869ce129cb1ffa1b0cb1402f68f70a925891fbb079c744445e435e5aa1f2ef719918d4419565ee40812bf628a95961dc87daa695aa0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.WNCRY

Filesize
19KB

MD5
7c8ef562bbdbe3ebaff24c1c6ea565d1

SHA1
a22b1d45e04da54624af339d10044359e35b55bc

SHA256
e85ba08aac39523041999b4a17727e98d1c9ff4ecf09fe7c94d0879fa8cb69a9

SHA512
6e4acf12006dcd8b3e82196535f2c3c50b402a2358e10178378a34e3142b168e8a365077920bdba8c4f6034a8f4dfb92d2c2a7e407464cc576facf1d0c84d4ef

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.WNCRY

Filesize
832B

MD5
c147efab49dd5a88feadeab96e8827ee

SHA1
b28b2ac17536db0447a9ef371895cf73dca34181

SHA256
07e7f14ac78252e7450cc26deabec24cdf75c52d89758b46cbd3a546bf005d18

SHA512
8ae8d29778f236fddc5281af629a267c799269eee23033e7289b8cb3fef77c07c0177979e5bff410064dbc111ad2667a4b22c6fe6f738a0478c2eb65e8edad5e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.WNCRY

Filesize
1KB

MD5
7a342d57b975f1a8f92c424c8636a532

SHA1
cbd12d2d7f0b75bc11e7b9742d99b30b3f591a99

SHA256
608a663dfa8d453647be4261b0d10f64bf9b59b46ec00aed6d37447b8fb21dc5

SHA512
a794ef6f8e14a73d93072b2a1744a77c7fe9c55273a61ba7a1bc2ef870de680a71909f04297d2dcf78bcfd79aaf528514e12fb9c06e490c8f127ea06f938593a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.WNCRY

Filesize
1KB

MD5
3485bdbdbea11d6ca7d6d872ee4e6659

SHA1
ad9d39e6e54c3756f7ceb65723cdc023189d3fe5

SHA256
d509a8a2c1ed47754b8527a84326b069802b00c9d1082cf229b3ebbdae4e5f76

SHA512
10279cce4c4384e94fbbaa458225d446242fc2094590e060b5548027f3d3b3f2718bc697ae1d87f34d86d91a57e7d6aedfa005b2dfcb26524f3b9b709befa267

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.WNCRY

Filesize
2KB

MD5
3ebd863531cbbf18454a629ee091b218

SHA1
e0738cf22253704283bf1ab05485afb4f6a7a4d1

SHA256
9cd4bd1cacaca8d6d06d5cebc7d26bec0f31213b79397f4b865550f4ea64268e

SHA512
bdc475993e720eae46756115569d2dddd7ff78b207e9a4b8d1c3552166ca4c57ff5817ba7c675191c56122a93f342efb921238bf488c657eccd04cd493e3880c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.WNCRY

Filesize
2KB

MD5
3c657b8608990f18130329a447306149

SHA1
410ac7816a6bcb430f4e0a47be32643b938425b8

SHA256
2a7747c3d54e3836dd17fdd54691cb0db7453ab5a77f141fe9a245c10919c9ff

SHA512
b8ef7cbbb78db9a9701aa63b9b7f1699e8d8bfc587c03c381c843bd29da637363bff0ed97630263224e1ca52425154236d6d68b4d07d224b7c42ae3fdc0a8541

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.WNCRY

Filesize
4KB

MD5
b4000b24696f0499f6caf20075286b26

SHA1
090f958b802963ef025da503d79bef48a258dae7

SHA256
c778acace7c582c823e895af83272e1154de0eddf497b55cf4d62de547261b25

SHA512
7d3f9f16342bb2a59b1f2771293200c81c787cd311c00e116c95db5f6d882ee74810aef58518a204e3f393abf891d03043908058ad380fbc96821b187efbcac3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.WNCRY

Filesize
304B

MD5
e3d8af4afaddb0c259b78c22a01e83e2

SHA1
9f55f935e502c49feba4b661a02c96b6fb0ca1cf

SHA256
9d2cdb65f008630809af945b1f2a2938a27d1a764003b9e1f559be461280f5ec

SHA512
13670abdec774c924981385a7d1e5d6b91a8882b1d134ddaa1ed47e1e6d942c1283d2acc805dcbaf3682ba726ef6f491bf2e65bf0dfd034ae9c950890b9ae4a1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.WNCRY

Filesize
400B

MD5
b9f0e212f51bd7a3b4ad4581f47ac193

SHA1
4ee1fdf75724dc9999ca660d4f067bb24696f623

SHA256
f4c917b9ed2a5bb141f77372e5afcdee27c18c35b722104588a872ad0a83c62d

SHA512
19710b3803856f2ada527e01753e0e65d77ddca6d0735545650be8bb3abd670b2f6f7e88d298435748435e587d5992e3406c38b272601ae5352e3b8a2b9a1b7d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.WNCRY

Filesize
1008B

MD5
ae7364620d56536a71270dbbfc2acde4

SHA1
ba340d4c7de5e0ffd9839ab6f2e749f1295d0d58

SHA256
22578a783778394b63628c4eb7ab66d15ce7ed23e682b545cbc5dbf8b2184955

SHA512
e6ea1985d986e7fbfa6e021efe51a9b1f4c8a53718755e2828ff9d7246d550697d622605f984a55cd2a9330c72ee6e94b4442029e3d80c180e26849cdfa0ff13

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.WNCRY

Filesize
1KB

MD5
5dc3f8b9f12a7d917b68ff3dad8d4af0

SHA1
6791cf4cf36ff84e1d7be01eafbcb7a9f8722305

SHA256
1cf78cd61983d985fd05a97e653da4a1b1d40f8834d33340929a109eebd10605

SHA512
156e9d6c2c0905e20c90c61ad49868253484667924814ee38f40b21623931ff1de9aea24f00b781631f854f227ff5908265353f8fe949a6a648420e1c4393b69

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.WNCRY

Filesize
2KB

MD5
a6c9283864ddf94dde2f06e17afcf02b

SHA1
c8a2e693df492d0e94828430b2f2092724aa0fb9

SHA256
e1e4c9586b0a10195b7ca71c2c980530be2199fb5c34eebdffee8f659120c963

SHA512
760a091d75e1f8fde76ba7624064405fd32708362592cc7c8881f96c5112f098ebe3ad18fe324e8ea0dfade8063bc1be9e76674e9b435d0951b3054c53a31ba8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.WNCRY

Filesize
848B

MD5
bfc84bc3af349034687a783184c17b89

SHA1
9d4dfc20801ebfce77b72a622cf65c1bde5a709e

SHA256
2829de7744c53baa383babe95d6fac83ebad11b22c250b9390aef3c9b33f34a1

SHA512
eff0e618788a682d9270277708c9446378133e1322290f518ec413f44482986d8eff077fce287803d065512f1c5067495a8bc15866ff49c18efbc2269dd73b3c

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.WNCRY

Filesize
32KB

MD5
db0a3045dca4ecb87e6f7c2b590bca91

SHA1
b1bc88f975b3e75a4ca533c4bf214a78dc755d81

SHA256
efb1393b50d3f7ba7a089315f35341d4ead80f20db39c13a5ca3e9c02e12a401

SHA512
95ff7ed3c793910a34a4ab90f7ffeaf5adef23857067a2ec6cd87f1f7cef191d74d9457f54fd5b4da9452997bcf9614a4005f9f69541b53313bb59d15e18a9a2

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.WNCRY

Filesize
160B

MD5
b47ee4c07daf661cf1f19a5045d8579c

SHA1
951ac0b4f0af6318496de1159aa2c6c017180cf6

SHA256
e6b31d9b6c7a0e39892fbe2ba743f6a52c052471d678cdf75ce3333eb9a77b79

SHA512
232d25b95d9dbb9e62c2a652ac154609189b231a44d13248250cb6d196823126cf861cf5c3518f496ae1cb8be6f7515d8b16ddaf1dfb101157ad3386435363cd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.WNCRY

Filesize
8KB

MD5
27c625987a560e413c6e516d464388b9

SHA1
d043db9bbcd8259ffff32f0f6098080aecd72019

SHA256
8393b7b37858b2e4eb5ea619abf004f17aa7078b44dc7d425d4a6d95878cc820

SHA512
0f092e223efb75b2b8ac050a5182aeeba1908c235bdbde2abee9ff0d6488dad9961795c9a92631d342ca97f0997c7aa9e5c04af9ed2726705e3db85e0af17ad0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{2cacdae0-21b0-4299-919a-af486c607bc5}\0.1.filtertrie.intermediate.txt.WNCRY

Filesize
16B

MD5
9bde5046970454e99650833c972802e8

SHA1
a85a4368a91eabafa1b5cbc4d1d9f77ed4a76532

SHA256
7853602c4b85eb3d10b09f3b3c20431ea346b4a8aca1a793d5d4018b179fcddb

SHA512
f93e720f5ab3b1415430c3d90a71316de413b2022ca1dee462a4dbbd092dafbf253846258b744d556fb864eb9008abd45263d0f54ac168f8021f75721e2097fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{2cacdae0-21b0-4299-919a-af486c607bc5}\0.2.filtertrie.intermediate.txt.WNCRY

Filesize
16B

MD5
362d18015ab1a036d179c7919e79a332

SHA1
4ea24964d070820d282366c33280df939249cb0b

SHA256
a9a623c9301d5ade950a03251e2424b4f8144df8d56dd312e3aa3f76e9570a80

SHA512
94836b6925205e98f2415e664b81756d620065a43eb25962ef9e492cdcfea08780ea80b89c047382c75d0a34d4cc6cb57bb581e1cad79e1073d4957e485bd631

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626048066417757.txt.WNCRY

Filesize
77KB

MD5
c28dee4f6db14a8f089fd3394bc5352d

SHA1
ab6c88d149c4ef10f48ff644dfd7bba42ba5df38

SHA256
0892ecc63143b927d6cfddc1c25e50d9a110b8d5ccf598531ec84d4160f701aa

SHA512
35defc44e37879c0d5d22e26c789fb408c1cb48794565b5d264575bba01d2d786e14980a375e1fe3484a0d09ee0d01b4d38bfa8e4057cde0b58fb7c55fd22317

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626050355949751.txt.WNCRY

Filesize
47KB

MD5
b0d00dbe35a71f7be01c7a91100e262b

SHA1
82468e2fccecec052e89c6b0eea2a23e1bdac3b6

SHA256
2d73eb06dfc3ff9e5e418dc8bbd6c2f8ad3d3f50f0b7a76a445a650582a16c44

SHA512
4d3486fcc1e8a58ad388a0c20326fabb81d2b35fd357a249700489ed747f6c5340b76f2b04959bcb77ed0e0ad8bc416df5e6885f744265152f1329b64d6923ce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626057188971158.txt.WNCRY

Filesize
66KB

MD5
b679e13e213fd84871ac942ed205be86

SHA1
dafe8ada8961c62efb4532cfba9a6f943a0882b1

SHA256
41365a4758f6c56ab35c0c49bbfa1718a6cb38a506ca9a4534286ae4dfde3dba

SHA512
fbbff5f7c2da3525717f664f8cf83ff94a331804968e19712616cc550af2fda783de7ce7e6e6f19e763753203ccfb0ab4eb01a1660a87965d6154cbe35de40a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08FCA996-B8EF-4195-B59C-A8C12C30BAB9} - OProcSessId.dat.WNCRY

Filesize
16B

MD5
e297ceeff18239b87454cafc2cd585cf

SHA1
6116549961c1ce433963bb1fa0b0b5c35abe8335

SHA256
0849953d2b85255cc8caecac2b3765a720dd2d6b088ac0cd95d2202cfe2df0ea

SHA512
f18b40bc7730cd872f600c1b6d5a80606677ad5457f42bee0036bdc6f3662125eedcb79716984e828ea3bf853c05946e866661149248ce97f6db44e3448e1f86

Download Submit
C:\Users\Admin\AppData\Local\chrme\chrome.exe

Filesize
676KB

MD5
c1ed709a4375516d25889357d0660f00

SHA1
3f16cd69f3772b9aa51ff2b528f95227e7caed6f

SHA256
5cc851c0bce31e62a7c293c01117e5d80383b97ce97c040f2c08cfaa29380037

SHA512
215cc02a53e3d0eff52f511c516fd5d87726926984e84cd18a7b35c3783792a0ee050e736f2c72bc28d42f1975bb6314d9f0f9e28766839db257c7c500c81ac0

Download Submit
memory/2252-2-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/2252-3-0x000000001B720000-0x000000001BBEE000-memory.dmp

Filesize
4.8MB

Download
memory/2252-4-0x000000001BBF0000-0x000000001BC8C000-memory.dmp

Filesize
624KB

Download
memory/2252-1-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/2252-0-0x00007FFF7DA15000-0x00007FFF7DA16000-memory.dmp

Filesize
4KB

Download
memory/2252-19-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-251-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-21-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-22-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/5068-20-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-252-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-253-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-18-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-3818-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-3819-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-3820-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-3823-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download
memory/5068-3824-0x00007FFF7D760000-0x00007FFF7E101000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads