Overview
overview
10Static
static
7Documents/...er.exe
windows7-x64
Documents/...er.exe
windows10-2004-x64
10Documents/...ll.exe
windows7-x64
9Documents/...ll.exe
windows10-2004-x64
3Documents/...aw.exe
windows7-x64
10Documents/...aw.exe
windows10-2004-x64
10Documents/...ky.exe
windows7-x64
10Documents/...ky.exe
windows10-2004-x64
10Documents/...31.exe
windows7-x64
1Documents/...31.exe
windows10-2004-x64
1Documents/...3 .exe
windows7-x64
7Documents/...3 .exe
windows10-2004-x64
3Documents/...d9.dll
windows7-x64
10Documents/...d9.dll
windows10-2004-x64
10027cc450ef...ju.dll
windows7-x64
10027cc450ef...ju.dll
windows10-2004-x64
10ee29b9c013...bc6.js
windows7-x64
3ee29b9c013...bc6.js
windows10-2004-x64
3fe2e5d0543...L9.rtf
windows7-x64
4fe2e5d0543...L9.rtf
windows10-2004-x64
1Documents/...uy.hta
windows7-x64
10Documents/...uy.hta
windows10-2004-x64
10Documents/...st.exe
windows7-x64
7Documents/...st.exe
windows10-2004-x64
7Documents/...39.exe
windows7-x64
6Documents/...39.exe
windows10-2004-x64
Documents/...5c.exe
windows7-x64
6Documents/...5c.exe
windows10-2004-x64
Documents/...00.exe
windows7-x64
7Documents/...00.exe
windows10-2004-x64
7out.exe
windows7-x64
3out.exe
windows10-2004-x64
3Resubmissions
22-08-2024 18:43
240822-xc563asamh 1021-08-2024 17:16
240821-vtjnaathnq 1030-06-2024 00:59
240630-bcjr6svbkk 1020-06-2024 02:02
240620-cf43ysxbnk 1020-06-2024 01:44
240620-b5v1xawemk 1019-06-2024 01:10
240619-bjmseavfmp 1018-06-2024 20:40
240618-zfwsxawdpa 1018-06-2024 13:45
240618-q2vcjawdle 10Analysis
-
max time kernel
1354s -
max time network
1178s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
30-06-2024 00:59
Behavioral task
behavioral1
Sample
Documents/Ransomware.Cerber/cerber.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Documents/Ransomware.Cerber/cerber.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Documents/Ransomware.Cryptowall/cryptowall.exe
Resource
win7-20240611-en
Behavioral task
behavioral4
Sample
Documents/Ransomware.Cryptowall/cryptowall.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
Documents/Ransomware.Jigsaw/jigsaw.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
Documents/Ransomware.Jigsaw/jigsaw.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral7
Sample
Documents/Ransomware.Locky/Locky.exe
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
Documents/Ransomware.Locky/Locky.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral9
Sample
Documents/Ransomware.Mamba/131.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
Documents/Ransomware.Mamba/131.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win7-20240611-en
Behavioral task
behavioral12
Sample
Documents/Ransomware.Matsnu/Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win7-20240419-en
Behavioral task
behavioral14
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/027cc450ef5f8c5f653329641ec1fed9.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win7-20240419-en
Behavioral task
behavioral16
Sample
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745_98STJd8lju.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral17
Sample
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js
Resource
win7-20240611-en
Behavioral task
behavioral18
Sample
ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6.js
Resource
win10v2004-20240611-en
Behavioral task
behavioral19
Sample
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206_OFkNP1kKL9.rtf
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
Resource
win7-20240611-en
Behavioral task
behavioral22
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/myguy.hta
Resource
win10v2004-20240611-en
Behavioral task
behavioral23
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
Resource
win7-20240508-en
Behavioral task
behavioral24
Sample
Documents/Ransomware.Petrwrap/Ransomware.Petrwrap/svchost.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral25
Sample
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
Resource
win7-20240508-en
Behavioral task
behavioral26
Sample
Documents/Ransomware.Petya/Ransomware.Petya/26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Resource
win7-20240508-en
Behavioral task
behavioral28
Sample
Documents/Ransomware.Petya/Ransomware.Petya/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral29
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe
Resource
win7-20240611-en
Behavioral task
behavioral30
Sample
Documents/Ransomware.Radamant/Ransomware.Radamant/DUMP_00A10000-00A1D000.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral31
Sample
out.exe
Resource
win7-20240508-en
Behavioral task
behavioral32
Sample
out.exe
Resource
win10v2004-20240508-en
General
-
Target
Documents/Ransomware.Jigsaw/jigsaw.exe
-
Size
283KB
-
MD5
2773e3dc59472296cb0024ba7715a64e
-
SHA1
27d99fbca067f478bb91cdbcb92f13a828b00859
-
SHA256
3ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
-
SHA512
6ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
-
SSDEEP
6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX
Malware Config
Signatures
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
description pid Process procid_target PID 2884 created 3428 2884 taskmgr.exe 84 PID 2884 created 3428 2884 taskmgr.exe 84 PID 2884 created 1768 2884 taskmgr.exe 126 PID 2884 created 1768 2884 taskmgr.exe 126 -
Renames multiple (3792) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Port Monitors 1 TTPs 12 IoCs
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port spoolsv.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports spoolsv.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation jigsaw.exe -
Executes dropped EXE 1 IoCs
pid Process 3428 drpbx.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" jigsaw.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-30.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\FreeCell.Medium.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\ui-strings.js.fun drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\ui-strings.js.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d1.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js.fun drpbx.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml drpbx.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_altform-unplated_contrast-white.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-100.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsStoreLogo.scale-100.png drpbx.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-200.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-colorize.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.scale-100.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\ui-strings.js.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StoreLogo.scale-125.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-400.HCWhite.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalSplashScreen.scale-100_contrast-black.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluDCFilesEmpty_180x180.svg drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\word.x-none.msi.16.x-none.vreg.dat drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_altform-unplated_contrast-black.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-100.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\ui-strings.js.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupSmallTile.scale-400.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.scale-100.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailLargeTile.scale-125.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Default.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\PaySplashScreen.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-20_altform-unplated.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionMedTile.scale-150.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-lightunplated.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\13.jpg drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lv_get.svg drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Scientific.targetsize-32_contrast-white.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupSmallTile.scale-125.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\192.png drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\ExploreButtonGradientTenfoot.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\faf-main.js.fun drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ui-strings.js.fun drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-down.svg.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_contrast-black.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-60_altform-lightunplated.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-150.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-36_altform-unplated_contrast-black.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Retail\NinjaCatOnDragon.scale-100.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\SmallTile.scale-100_contrast-black.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNotePageWideTile.scale-150.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\ui-strings.js.fun drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\onenote_whatsnew.xml drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_tr_135x40.svg drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\ui-strings.js drpbx.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 15 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 spoolsv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 spoolsv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0002 spoolsv.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID spoolsv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spoolsv.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Modifies data under HKEY_USERS 22 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Fax = "winspool,Ne02:,15,45" spoolsv.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Devices spoolsv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft XPS Document Writer = "winspool,Ne00:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Microsoft Print to PDF = "winspool,Ne01:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" spoolsv.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" spoolsv.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts spoolsv.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Send To OneNote 2016 = "winspool,nul:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft Print to PDF = "winspool,Ne01:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Send To OneNote 2016 = "winspool,nul:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrinterPorts\Microsoft XPS Document Writer = "winspool,Ne00:,15,45" spoolsv.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\Fax = "winspool,Ne02:" spoolsv.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Devices spoolsv.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\MuiCache StartMenuExperienceHost.exe -
Opens file in notepad (likely ransom note) 2 IoCs
pid Process 4888 NOTEPAD.EXE 4516 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 4016 msedge.exe 4016 msedge.exe 3548 msedge.exe 3548 msedge.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2884 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
pid Process 3548 msedge.exe 3548 msedge.exe 1768 chrome.exe 1768 chrome.exe 1768 chrome.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeDebugPrivilege 2884 taskmgr.exe Token: SeSystemProfilePrivilege 2884 taskmgr.exe Token: SeCreateGlobalPrivilege 2884 taskmgr.exe Token: SeShutdownPrivilege 1768 chrome.exe Token: SeCreatePagefilePrivilege 1768 chrome.exe Token: SeShutdownPrivilege 1768 chrome.exe Token: SeCreatePagefilePrivilege 1768 chrome.exe Token: SeShutdownPrivilege 1768 chrome.exe Token: SeCreatePagefilePrivilege 1768 chrome.exe Token: SeShutdownPrivilege 1768 chrome.exe Token: SeCreatePagefilePrivilege 1768 chrome.exe Token: SeShutdownPrivilege 1768 chrome.exe Token: SeCreatePagefilePrivilege 1768 chrome.exe Token: 33 2884 taskmgr.exe Token: SeIncBasePriorityPrivilege 2884 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 3428 drpbx.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 2884 taskmgr.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe 3548 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2816 StartMenuExperienceHost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4028 wrote to memory of 3428 4028 jigsaw.exe 84 PID 4028 wrote to memory of 3428 4028 jigsaw.exe 84 PID 3548 wrote to memory of 468 3548 msedge.exe 109 PID 3548 wrote to memory of 468 3548 msedge.exe 109 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 1948 3548 msedge.exe 110 PID 3548 wrote to memory of 4016 3548 msedge.exe 111 PID 3548 wrote to memory of 4016 3548 msedge.exe 111 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112 PID 3548 wrote to memory of 1940 3548 msedge.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Jigsaw\jigsaw.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3428
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2884
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:848
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\ShowConnect.mht1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3548 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x120,0x124,0xfc,0x128,0x7ffb7ffc46f8,0x7ffb7ffc4708,0x7ffb7ffc47182⤵PID:468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:22⤵PID:1948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵PID:1940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵PID:2292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,17103721558146777487,14580073802057630622,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵PID:1920
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:516
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4732
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵PID:4640
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log1⤵
- Opens file in notepad (likely ransom note)
PID:4888
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\b4b2597ca91442b88eea24723abaa22f /t 3068 /p 34281⤵PID:2180
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:1768 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb91f9ab58,0x7ffb91f9ab68,0x7ffb91f9ab782⤵PID:1880
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:22⤵PID:4088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:82⤵PID:3016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:82⤵PID:2688
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:12⤵PID:3200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:12⤵PID:3348
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4420 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:12⤵PID:3724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4100 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:82⤵PID:840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:82⤵PID:980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3924 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:82⤵PID:4880
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:22⤵PID:4064
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1844,i,18079249652616784200,2035754481317327268,131072 /prefetch:82⤵PID:4420
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:4288
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\e3ffa307a7d0471fa6045809606adf9c /t 180 /p 17681⤵PID:60
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3984
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2816
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log1⤵
- Opens file in notepad (likely ransom note)
PID:4516
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Port Monitors
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Port Monitors
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun
Filesize720B
MD575a585c1b60bd6c75d496d3b042738d5
SHA102c310d7bf79b32a43acd367d031b6a88c7e95ed
SHA2565ebbfc6df60e21044486a5df3cb47ccdcd7a4d5f197804555715ffd9bf6c5834
SHA512663a302e651b9167f4c4e6ae30028307b4d8da0dda3a0e5fd414104951d50419862fc9396c5b39fe5c4b696efd3efbf0b575688983b1d341f3ef38becf500505
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun
Filesize7KB
MD572269cd78515bde3812a44fa4c1c028c
SHA187cada599a01acf0a43692f07a58f62f5d90d22c
SHA2567c78b3da50c1135a9e1ecace9aea4ea7ac8622d2a87b952fc917c81010c953f7
SHA5123834b7a8866e8656bbdbf711fc400956e9b7a14e192758f26ccf31d8f6ab8e34f7b1983c1845dc84e45ff70555e423d54a475f6a668511d3bcbdd1d460eeb4b0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun
Filesize7KB
MD5eda4add7a17cc3d53920dd85d5987a5f
SHA1863dcc28a16e16f66f607790807299b4578e6319
SHA25697f6348eaa48800e603d11fa22c62e10682ad919e7af2b2e59d6bd53937618f2
SHA512d59fa9648dc7cb76a5163014f91b6d65d33aaa86fc9d9c73bf147943a3254b4c4f77f06b2e95bb8f94246a982ea466eb33dac9573dd62f40953fd23de1c1b498
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun
Filesize15KB
MD57dbb12df8a1a7faae12a7df93b48a7aa
SHA107800ce598bee0825598ad6f5513e2ba60d56645
SHA256aecde4eb94a19095495d76ef3189a9abd45bcfd41acbed7705d22b4c7d00aa77
SHA51296e454ebb4c96573e8edc6822290c22d425f4c7f7adbab35e6dc4b3ce04a5916ae9254c2c312c98299835ecbf3c5aa95da2939b8408ac25fbae44ba87a3795dc
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun
Filesize8KB
MD582a2e835674d50f1a9388aaf1b935002
SHA1e09d0577da42a15ec1b71a887ff3e48cfbfeff1a
SHA256904372666ca3c40f92b20317d92ca531678958affbc34591401e338146fe0ecb
SHA512b10a8e384d0bd088443a5085f5c22a296f6f4d295a053d4526690ba65846e887daec47d01cf18fdf1160db98061a8b7c4040de56e6e604451a821fadccf32698
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun
Filesize17KB
MD5150c9a9ed69b12d54ada958fcdbb1d8a
SHA1804c540a51a8d14c6019d3886ece68f32f1631d5
SHA2562dee41184747742fbdc527b2023d67fecec1ccdfdf258439a06cd75d4fd33f43
SHA51270193ee6f0919eb14311f43b5a5da041deacb568db55fc43290ee76e17af902ac468435b37a150630ea3b7871c724073915ae5dcba3c301ac42f2d68dd598e2f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun
Filesize448B
MD5880833ad1399589728c877f0ebf9dce0
SHA10a98c8a78b48c4b1b4165a2c6b612084d9d26dce
SHA2567a27d891097df183fbf0031e3894bdac0ce77aef15d666ddd9f6a04e9836fb27
SHA5120ddf247892a72a390437390d535debf6e41d12e51b31eb4f0353b710ec380c5fbc531a48e76935088063a41aca843287d3def9c1cd46be05b8dcb69f5017a464
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun
Filesize624B
MD5409a8070b50ad164eda5691adf5a2345
SHA1e84e10471f3775d5d706a3b7e361100c9fbfaf74
SHA256a91790b778026db625c9dedfe1c6d94b884818b33d7977e86b2f9c2f3c500796
SHA512767a75edd37d29b3433040ce21cda849cd11ba549f27581f7edc6416c433ba7047c56908d40956422393ab0f35ede61617d4bd2aad0bde3d1ebd276584c858c7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun
Filesize400B
MD52884524604c89632ebbf595e1d905df9
SHA1b6053c85110b0364766e18daab579ac048b36545
SHA256ae2facd997527426fc4def82e0db68be29b44499bfff86a28c36f7c31b177d4f
SHA5120b506397627823a1768796129c6b37d146821471b89338b5f2d0fd3aea707fd46a8e197ee0e298ddfb3b50eef0a0b064946006346b060f733ef19cbd5d24fc90
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun
Filesize560B
MD5e092d14d26938d98728ce4698ee49bc3
SHA19f8ee037664b4871ec02ed6bba11a5317b9e784a
SHA2565e8ec278a273be22199884d519a79f748801baa3a45b76e57569fdfffe96e7fb
SHA512b2fcb5d46339cdf6b5a954f2a083cf913779e57cb6e8699bc5da1fba1c370c41117b7ddefb50075622067eb7b02a20268bc047171bd883bcda4a497c2ec64ea4
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun
Filesize400B
MD50c680b0b1e428ebc7bff87da2553d512
SHA1f801dedfc3796d7ec52ee8ba85f26f24bbd2627c
SHA2569433084e61062d2b709c1390e298ddaf3fb0226656662c04c0b7026a44dee750
SHA5122d1399a6bf225b048d2b12656e941ad912636acae2dec387f92f33ac80629a1e504bca63580ba73a8ed073788f697274d5eb76ea1b089f0555fd397a8f5cbbff
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun
Filesize560B
MD5be26a499465cfbb09a281f34012eada0
SHA1b8544b9f569724a863e85209f81cd952acdea561
SHA2569095e9b4759e823e96984981af41b7a9915a5ecaa6be769f89c13484cef9e0f5
SHA51228196e5de9670e9f63adcf648368bd3ea5926a03e28a13adc2fb69c567fba2f84e4f162637c487acb64eda2e30993f849806f2313820ba693c7e70303542d04f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun
Filesize400B
MD52de4e157bf747db92c978efce8754951
SHA1c8d31effbb9621aefac55cf3d4ecf8db5e77f53d
SHA256341976b4fe312824d02512d74770a6df9e1c37123781655532bd9cd97ea65fa9
SHA5123042a742c38434ae3ee4fe10f7137462cdebad5cae0f9a85fb61063d15a30e1b54ac878b1af65f699c6ca1a9d2c3e58d245e54bdebfadc460cbd060836734e11
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun
Filesize560B
MD5ad091690b979144c795c59933373ea3f
SHA15d9e481bc96e6f53b6ff148b0da8417f63962ada
SHA2567805ac9d0e05d560023e5aabed960d842e4f3ec2aa3db45a9cfb541688e2edb1
SHA51223b4c799a7b25f70962e8dd0ec7286ba7150053cab7c88f5fb1efc1095c2987bd6f3572e7fb3ee4b2238958e52a763de2c84a74615df7a6d3a19a034584fd687
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun
Filesize688B
MD565368c6dd915332ad36d061e55d02d6f
SHA1fb4bc0862b192ad322fcb8215a33bd06c4077c6b
SHA2566f9c7ebec5a707de439e3fd2e278fdfa07a39465d56157b70b24f091509bf76f
SHA5128bb9a7690aeb3c0b9e14e1a6ebc5741536d354cf2324fd74ee0c3e4ef511718f7795039a94c8d2df94b6e6d0fb1762191cb649089d1def12abdf34003f0cdd0f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun
Filesize1KB
MD50d35b2591dc256d3575b38c748338021
SHA1313f42a267f483e16e9dd223202c6679f243f02d
SHA2561ca0cfc2df0354c8d886285ae5e743d9c7cc030e1afd68ac113c0f2ce43ad5fa
SHA512f6c58c27bbde7508a866bd0e7fabadb13a4f020378cd8b8cfc0c9fa23f645d811d6cdea04b81afdf30c064c6248152e74b3e6a78ec7a3d1d19037a0db8897d7e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun
Filesize192B
MD5b8454390c3402747f7c5e46c69bea782
SHA1e922c30891ff05939441d839bfe8e71ad9805ec0
SHA25676f8ed1dd50e50c7d62b804a0d6901a93e5534787d7b38467933d4c12ce98a0d
SHA51222b26c62473e80d17c1f78df14757ccfb6c7175faa541705edc153c02baa7ab0982b5daabe8dd2c8c9efb92af81f55ccaeeecffe8ed9a0b3c26e89135ca50923
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun
Filesize704B
MD56e333be79ea4454e2ae4a0649edc420d
SHA195a545127e10daea20fd38b29dcc66029bd3b8bc
SHA256112f72ef2bc57de697b82b731775fba3f518d1ae072120cd11b732bf4a782e36
SHA512bed5906c7373814acc8a54c1631428a17f0aa69282920447a1575d8db826afd5dab262301dc6da610ff8bb81d24ec6babd3d9fb99fd6945f1aca9cb9c76ec2c9
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun
Filesize8KB
MD53ae8789eb89621255cfd5708f5658dea
SHA16c3b530412474f62b91fd4393b636012c29217df
SHA2567c5b1d8469e232a58359ccbcb89e619c81c20e6d2c7579e4292eb9a19849bc5a
SHA512f6998dbae1a2fa56f962045261a11a50b8e03573d9d4cf39083da3be341cc104e0ecf5908076f03961bcdb1356d05a7450d69940ec3aaab73623a6fe180e7051
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun
Filesize19KB
MD5b7c62677ce78fbd3fb9c047665223fea
SHA13218c7b6fd8be5e0a8b67d3953d37d5dbd0c71d8
SHA256aa638be6e1107ed1f14e8430abedd6f6d0a837a31b1b63e6a7741d6d417eddc2
SHA5129e0cc29835845f2a0260a6989c1b362bac22a8e0c2825bc18f1dde812ce7868503881d2deaf951429a80b5017b6ce31e785ff524883e08d730aa38b36a2fb074
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun
Filesize832B
MD5117d6f863b5406cd4f2ac4ceaa4ba2c6
SHA15cac25f217399ea050182d28b08301fd819f2b2e
SHA25673acdc730d8a9ec8f340c724b4db96fc222bb1eaf836cec69dfe3fab8d6ac362
SHA512e10883029c1e0fbc64bec9aac0a6957a8499af255e1790843717212077926474e02b2870c5dd04b057c956b97ad4bb1747fe73e731ea61b891f4b38dd80494d7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun
Filesize1KB
MD5433755fcc2552446eb1345dd28c924eb
SHA123863f5257bdc268015f31ab22434728e5982019
SHA256d6c290e942ee665d71e288229423a1f1866842988eac01f886910b0ec383aa9b
SHA512de83b580ce27012a7677e1da867c91e2a42dbc6b5872dcf756ace51c2862801814665ecca997171f2e550e8b9a3de19994d2516a4e5d4d57e16c7b4b823236c0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun
Filesize1KB
MD5781ed8cdd7186821383d43d770d2e357
SHA199638b49b4cfec881688b025467df9f6f15371e8
SHA256a955039cd9e53674395f4b758218e4d59c89e99a0c4d2a909e49f6008b8f5dd4
SHA51287cb9c4288586df232200f7bbacee3dee04f31c9444902dd369ad5c392d71e9837ebf8b3bb0fcb4a5db8a879cf757e97ce248939e3316c6bf3a3fe7cbe579534
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun
Filesize2KB
MD551da980061401d9a49494b58225b2753
SHA13445ffbf33f012ff638c1435f0834db9858f16d3
SHA2563fb25ddd378ab756ec9faa56f16b76691cf6d9c7405bb9a09ce542a6f5b94e44
SHA512ecc5eb2a045ce2508d461b999f16caba6cce55aa0c00b34bd73a33e0458795f93a77caff5026212912684164057be016f51dc57ec83821c2a1f2e27417c47b2c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun
Filesize2KB
MD52863e8df6fbbe35b81b590817dd42a04
SHA1562824deb05e2bfe1b57cd0abd3fc7fbec141b7c
SHA2567f1238332901b740cde70db622abcfb533fc02f71e93101340073552f4820dad
SHA5127b2d95465ea66951ea05c341549535a0a939d26dbde365b212e3983e4047fa6912c37d737cb8054c41bb1a7d92586d968a0154c666572a70ebc59a4776897f38
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun
Filesize4KB
MD579f6f006c95a4eb4141d6cedc7b2ebeb
SHA1012ca3de08fb304f022f4ea9565ae465f53ab9e8
SHA256e9847d0839d3cf1039bebdc49820ee7813d70941347ce420990592e5e3bd998e
SHA512c143a4cf1ccfa98039b73214978722408188535ee4aa3dac08a34760b94bdf6d36ad0ff0de893da5b17fd69c96a6dfb25098ab7fec219fad1a77532113d0353e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun
Filesize304B
MD5b88e3983f77632fa21f1d11ac7e27a64
SHA103a2b008cc3fe914910b0250ed4d49bd6b021393
SHA2568469b8a64e80d662eec71c50513f6d295ef4a3a9992763dbcac9d81253cef9d5
SHA5125bf93d4f4250ca96169f3d27d4e648cc5d6e00b7558a3ef32e07edcbae36dadb8008d7ba5f83ac3ed812b72c9d52730e866191b4de7a339df57b5697e00df50d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun
Filesize400B
MD5f77086a1d20bca6ba75b8f2fef2f0247
SHA1db7c58faaecd10e4b3473b74c1277603a75d6624
SHA256cf10d2a22b638cf0978cf30ecaf39ecb5bb0e3ad78cd920afa433ad60cc1290d
SHA512a77a897c0b41f4052cb9546d4cfd6e0856b288b6b8583a86d6c7e79059a05b19cc2593599251581e79107235e9d5cd589c392bf490452be04ff57e944cd19df3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun
Filesize1008B
MD5e03c9cd255f1d8d6c03b52fee7273894
SHA1d0e9a9e6efd1746bc9ccb4eb8e7701c1cd707e2e
SHA25622a34c8321384fc7682102e40d082e7812232a9109e4d4e8fa2152fda3f260f6
SHA512d4bd002197b725316e1f1f2dd0a70ee44a82a53ac0dafa8c6b1166343adc406e147d0c4cca30d65a32aa545f1b327c6b69c0ec1d15330af48a6faa234dc4b5ac
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun
Filesize1KB
MD562b1443d82968878c773a1414de23c82
SHA1192bbf788c31bc7e6fe840c0ea113992a8d8621c
SHA2564e96529c023168df8dde241a9acdbf4788ea65bc35605e18febff2b2071f1e24
SHA51275c8604ea65e0cdd9ea74b4802930444dd16a945da1e7f0af4a9a3762259ee9eb41ea96973555d06f4814ee2f6b73ab662c6b314b97876e9628fa5d4536e771c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun
Filesize2KB
MD5bca915870ae4ad0d86fcaba08a10f1fa
SHA17531259f5edae780e684a25635292bf4b2bb1aac
SHA256d153ed6c5ea8c2c2f1839f8dadcc730f61bd8cd86ad732bab002a258dea1d037
SHA51203f23de6b0ae10e63c41e73308b3844d49379c55d2df75fa1dc00771b26253d832c21081d8289f04260369df996e31273b7c0788cf3b5c78a27ec909f14a283a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun
Filesize848B
MD514145467d1e7bd96f1ffe21e0ae79199
SHA15db5fbd88779a088fd1c4319ff26beb284ad0ff3
SHA2567a75b8ec8809c460301f30e1960b13c518680792e5c743ce7e9a7f691cfafc38
SHA512762d499c54c5a25aba4357a50bb4e6b47451babeda84fa62cfbd649f8350bca55204ad002883b9147e78dda3dbabaae8da1dc94b716204226bb53326030772b7
-
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun
Filesize32KB
MD5829165ca0fd145de3c2c8051b321734f
SHA1f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e
SHA256a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356
SHA5127d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb
-
Filesize
160B
MD5580ee0344b7da2786da6a433a1e84893
SHA160f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA25698b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba
-
Filesize
283KB
MD52773e3dc59472296cb0024ba7715a64e
SHA127d99fbca067f478bb91cdbcb92f13a828b00859
SHA2563ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA5126ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
-
Filesize
40B
MD572e4c3ebb537e0f3004613ddcb1f1f7a
SHA1189caeb981f4cd50c861744d69fa90a0a726aea8
SHA25696d6be3f6368eb7b759108d76717fa07adbce7c17f538d10bc04f71538460670
SHA512433652038e10b0473a9e552d63a6a8ade2defd8d82c09b64908e49e3b2bcde64cf09359c6ad0686f9faec3f614ab956ca7c94e915e3a024a779586d144c31588
-
Filesize
44KB
MD581c745a7b9da1870cb19b0adfba3e11c
SHA1fae41656aacf3fac21e386c58766b9f9b8e6700d
SHA256fe15bddb3882ff5c83526c80620fdad5412d911c553bb351816ee26f8d61a91d
SHA5125faef262e2fa510d67728a6d327c56f95238d87aa9a1429718263cd44c0293f4da8529fa9d82c2ba12ae9b1794ac56b1f9e46e26a55beabb80d893c3c3cfa6bc
-
Filesize
264KB
MD501970935c674f63ca63204d759a8c7cb
SHA1cba8da3336b3b50381861cd73a8b5108439b3069
SHA2566a1f6935f74975a5907d0676377abe28d77e841475389ac4e6e0a5c254362e5b
SHA512278ca4a8c01d514580f412be09797488f2a6394541204ffc28761d05a520836bc960b270d291918b8d50abd1a8ddf064e92e94cf4082825716a86fcfd86c2b13
-
Filesize
1.0MB
MD5c4cc026ba9c6a06fb7237734d18d13a0
SHA165b5b78b21cc2f82ddb5b7ede3777872a676c5ee
SHA256c620ab7d666c26e8873b9805fcb06d812fb6c5e7ecb55198b8dd924b17da486f
SHA5127311a34058c0671e1fea5b5863c8744d5df8abaf85865825a8e013639d36daaf8556c92e18fb32d28fda8c591e643e962d4ac08bb0ec1e8a0f5551b5400dbfc0
-
Filesize
4.0MB
MD5c1bcbe601dd74de7e292508c7d4690d2
SHA1507efa66aece1f3a8517211f8c01fc2cdf8e11c2
SHA256414426141bafd1eb80481706dde44b584f0ae5a4bbfc05e89912b05343c4e8fd
SHA51243342a45b995aa305f68678d34a6f8c28086f90e40c4ce0604f83f16a42a653c43ce76123487ead556d04c9e7545df68314a8a6fc32811a5b0efbb692eab4cb7
-
Filesize
35KB
MD526a31ce75ac8de1d6c95dfa64a71c9ef
SHA1344db07d1d45301e7ac65978f8a9756b0e6e6fe5
SHA256021c57f13e1e9eeefa54e0b14f352549bb3772e8b0d846b27c0b04eac1d585ef
SHA5128ec5e308b3fa0f40255546576d5f0a014db71f14d992c35c66f8eb3d981dba74fa7fde308b8e34431f28a58b24e0e0cec5fb076811614985d88a196c91806c5c
-
Filesize
59KB
MD51d5f57b36984d3bc13513937212f7c85
SHA16962d480bc6216080b90505c9f25c8a3ed4c8df0
SHA2567c5544c2101aa4a9ab3bd0ed98d6d1126457f802c8073333d2e7fb7be273dc30
SHA512dcb01342a2eb9ff3ed03a23b7e0914ccb626e1136c2a24dc4e8144cd785c90acdbffc877408a922519055f0a375b4a31172e3120744de656d55dcd83b84a4f4a
-
Filesize
41KB
MD5cfd2fdfedddc08d2932df2d665e36745
SHA1b3ddd2ea3ff672a4f0babe49ed656b33800e79d0
SHA256576cff014b4dea0ff3a0c7a4044503b758bceb6a30c2678a1177446f456a4536
SHA512394c2f25b002b77fd5c12a4872fd669a0ef10c663b2803eb66e2cdaee48ca386e1f76fe552200535c30b05b7f21091a472a50271cd9620131dfb2317276dbe6c
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
6KB
MD5d081d45ad4a76f9cd48ccadef2f18445
SHA1e601ce653c9e6acf1f5429dabf0a21567dc858e2
SHA256072653951345a9019dcd9e33c1850d39eae0869565ccabad226850597053b01c
SHA512db25d3d4d0aca8b48c264b9fb5e4254bb0a3abefac07a16ac1fc1dda8a81ea17255b4e7c44d24564ca4806ddc19682f8184f9dc37e9b4b231742905d9ffdb21d
-
Filesize
44KB
MD57a80e942bd78ca60aec4ed288dde8b75
SHA1fdf7df7a014cfe4b8a7ec73059d4fa87c1169653
SHA2560fa04a271404bc3c9635d5f326d1a918857f60238b8784d2cfc683d6a1315f49
SHA51211a6c88d72894a2e75622a64d0b186e729196e65d56826af50377209949c1b763e13da2c2712fd146157aa36c2b5f365aac94302809354dcb9bf98fdd8012a6f
-
Filesize
264KB
MD55c6dfc6e77b99ee870e40d22bfab50a1
SHA19a9045aa66242a04152f98920e54c9d3ba12e48c
SHA2568e6490d21c00a1b7e079c896128ae16e0509771dc81a1bd3d3f605900299f892
SHA51232d1f23863e33babcde04b26d49db6655269537778245718b572d4595586e98bcf9b9c566e984b73ada30c5774fd9505ccab6786ed745e14742684b4ca2b9fed
-
Filesize
4.0MB
MD55ff8f8987906c1a7271ff7d9db09824e
SHA1d4ae9dc7afc8689a09708b71a6bcd0df112f195e
SHA25619fea9161a1d71c6c2476aaba0586c64cf6cc5b29db8c1836e0146f24269c071
SHA512b2f45874a3de891e7b5a359d550036c339094a032349217774a993f3d612b05852c76c38c4d3cf7cdc9922f83088e937f2bc7c3d8c6474d3f28b6e1ec71ee915
-
Filesize
138KB
MD5a9e8b8b5c1002967e8a3999a9cf3f2ae
SHA19586e32bca3acfdbddfe9283d71b2288bf225df6
SHA256fe4727792968d55bf5006207f68631b4c5f964b2d3ee7fa2ab7a16c5d085e6f5
SHA51282ad63120da655ce80dddce99660b1156e4145275c0d5322d31a894af0a29def538348bfce1b4a742f2fdb0808f948f1db389c20aa82f4d689498bd88536d36f
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
152B
MD554b2455bfcdddf3c06291afc710b4f11
SHA1a174a51217de5cbdf959e83677b25c5722223e28
SHA256fafcd6b8f27b5df5c1b68a819c252d50b7db403ac6be9aae50dbb226528a728b
SHA512e85ff8341fac21e5252f55a8cb833d3d498bd766e23987f9fd059d7b196bb0ed10230e90dfc26956752a7b49a2971ad17fde1787ea18af5f1b1b880b0da2c50b
-
Filesize
152B
MD572fd997643f377e598a94b56fd757298
SHA1f89647302abba836fae8f18f312997ebae7b8332
SHA2564dd8ede795910cd3dab744e6fe7c66bb195a68fa5021e36d5be31dcb41f76c92
SHA5124e2df8a2a436c4229f87cd2ce31f48c639236e6412d0e7911a2507f13000cce9d246804f5083fd90e628c1a0e2122ae6ca2d5695c41dcddefff159ccc045cf3f
-
Filesize
152B
MD547f25abfb63f30fbbd3252de5f576beb
SHA134f1e502699adfb251a42589eca267fe5c1fbae0
SHA256117d877bd0b3ce08ce73d02f32cf3074a0af0a75483224358f474d7fae8dce17
SHA5127297075c02cbbb1002a7220e075e3ceb035c72092b061a345e50231cc8c1d7265dcd8ce508d60c5b6a0a883cc3df736d1cd165e3c064bea6e25c1f3ba36fc145
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
Filesize
5KB
MD570e9da5b08506dc7b1633b22af2c5e7f
SHA1309d197fb0bfbfd93e44acf88222c50fc8de965d
SHA256276f77c7b64bbe94711af616aeb03ae943a1d2eb941b6e3174896ea6f8d36420
SHA5123bfcfeeb7d50299fc8bd2b43f0c6d30893a19a6b8564ed25296ebcbf3716640142291516529be21a2e4009735280fbf0cdb00026d80d9a0133348b2cc9436159
-
Filesize
6KB
MD51653479da817d09f7eb67986a9148ba7
SHA1ef38bdd57d2d2130685d009c6711d9731597805d
SHA256fd6fa0e7c7f58648e5e962495f322f0cf348a9fc2638374aff6be2d0cbea662d
SHA5120d091452cf929beac2105ac8897e18abad0393d3aeb5904ce5b8683fc63b10785ad69dd57f79ecec28420742816d403a19dd98ee0d6bc70b4dceb4d09a21a071
-
Filesize
11KB
MD510e64fe948d832948d1c1c059a133849
SHA16cc7a0534ff745c6bdbc44e19c0ead01f3cd9830
SHA2566b64626fc0ba3a847d9abbdbcfa3310d65431e68cd14c9bc41fb118b72351504
SHA5123896c5cc4da7f0479fb16b9c2b0132e79c87c018b56682af4cd3ac74b0d665f685d84e9bb529d8709fb7f110b95f27a9511941d940f0eba7ea75b8b49e12b993
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun
Filesize8KB
MD5f22599af9343cac74a6c5412104d748c
SHA1e2ac4c57fa38f9d99f3d38c2f6582b4334331df5
SHA25636537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65
SHA5125c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fbf257de-6570-4630-902c-10acf3a7613b}\0.1.filtertrie.intermediate.txt.fun
Filesize16B
MD51fd532d45d20d5c86da0196e1af3f59a
SHA134adcab9d06e04ea6771fa6c9612b445fe261fab
SHA256dae6420ea1d7dbe55ab9d32b04270a2b7092a9b6645ed4e87ad2c2da5fdd6bae
SHA512f778cd0256eda2c1d8724a46f82e18ab760221181f75649e49dd32e9a2558bec0e9c52c5306ad17b18ab60395d83c438742103fe9adddf808e40c3d8384ea0b0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fbf257de-6570-4630-902c-10acf3a7613b}\0.2.filtertrie.intermediate.txt.fun
Filesize16B
MD5f405f596786198c6260d9c5c2b057999
SHA1f8f3345eb5abc30606964a460d8eef43d3304076
SHA25658e3090edb9316d9141065ac654a08169f2833091e6eb3a53b5a774a61b7e30a
SHA512a0b3573dae218ade265709a6fdee5f7700c9754eb10747de5af34af340ae95909d0a8902159a735e82eb5d7091f50a7997113661a7ec3fcc2b408fb6c78a4c39
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626047950574231.txt.fun
Filesize77KB
MD5c408fe54ebacb4f32d787b81ef224d39
SHA1e3d2528a5ff4a52c9e2d9ab562a04a2c710da1c7
SHA25699262dd9d9e4a7219143051937efbd2a98fe5db1d1e60dbfc2bc6601fc01efc8
SHA5127556ab93b16b72f3c9d619b30e574b67f95a1983ed5dd05e63ef33b23893ab3768b4d139691b4fb36490c1d5170854bb954aa17adc8446eb204847caa20e0012
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626052813607644.txt.fun
Filesize48KB
MD54f162a341c5623f4f9fb48bde1bd8687
SHA13c4f2000b4b73b9e32eb8bc28f2a9b50c06bfef9
SHA256aaacfbd30fec8f67ef3119075b1ce9e81afc6b7ceffc6e9f55c5fa6fcd13ce46
SHA5123b6d1146b4a75c5d4def3d80a2981baaaabf016580b0671b65195b555263a05139c2c79b15efa2cfcc24ce3aada0e1c643bec9ef0dc9a12aee454eeeeea8ead8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133626055682919415.txt.fun
Filesize66KB
MD50c4039e2bc1d499f82cc957a90885637
SHA101ca3eedaf8d2ea5311722a37755285288b72fac
SHA256c08e5c75b9dc71a283489dd7e3fd97b55fd5c7a8e1032d1b19ba780f693c39e3
SHA51227fa753b784246affa1f4e911595503af53a422e5938b481649392c7d8efc1d3ccda19a45d0abad2027298b2dc1f7599dd0bed95c96c9fd05938a978e32d4b6a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
Filesize13KB
MD55ef891f52576f52daa5eec976e97760c
SHA102c028947ea73c943539eb8a162f9231ceafe3cd
SHA256774f23c7171a5bc84f53f9c1d61153b43defbc4b3589a608e01f6d46d2b0bc91
SHA512048598e3cfdbdc3832da4fd97b5d3d9a39a73ef3c2ead8dcac408ef576039ece040d0ac29ed210a5baa01cc818cd25261468ed53322e3dc4f49980d94f95ed8a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\~tartUnifiedTileModelCache.tmp
Filesize14KB
MD5907f7b3d3410d67b7a65b849fe4c5c66
SHA10d1f94d02810d191376d8d2a39c7f385e6f85785
SHA256fb2c68005df09ffdd2520d038bf095ea209864a82168b10ee7d625c6e2a32276
SHA512861d05c8f9a3f250e5ffe6fb6eff205d9d267d4fd1eb896ddc009152235613297709d99fa1735d6ab5ddef09769019801b5e6a79f03db7d78fd693d4488fcec2
-
Filesize
16B
MD58ebcc5ca5ac09a09376801ecdd6f3792
SHA181187142b138e0245d5d0bc511f7c46c30df3e14
SHA256619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650