Analysis Overview
SHA256
05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1
Threat Level: Known bad
The file DHL_TOC2_2407081728458457.pdf.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Blocklisted process makes network request
Drops startup file
Executes dropped EXE
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-16 22:15
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-16 22:15
Reported
2024-07-16 22:20
Platform
win11-20240709-en
Max time kernel
299s
Max time network
272s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~$name.vbs | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| File opened for modification | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\name.vbs | C:\Windows\system32\taskmgr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2380 set thread context of 4984 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4984 set thread context of 3280 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4984 set thread context of 3280 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1452 set thread context of 3280 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
| PID 1452 set thread context of 2200 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4204 set thread context of 2692 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2692 set thread context of 3280 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "844" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "3" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0\NodeSlot = "5" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c00434653461600310000000000e9580786120041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbee9580786f058fdb12e0000005d570200000001000000000000000000000000000000bf53bf004100700070004400610074006100000042000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0 = 5a00310000000000f058fdb1100053797374656d33320000420009000400efbec5522d60f058fdb12e0000008f36000000000100000000000000000000000000000041967c00530079007300740065006d0033003200000018000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\NotificationData | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000a31672c91fd2da01f7d6f96624d2da019f8a06d4cdd7da0114000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5c00310000000000e958038a14004d4943524f537e310000440009000400efbee9580786f05800b22e0000005f5702000000010000000000000000000000000000006a952b004d006900630072006f0073006f0066007400000018000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1" | C:\Windows\Explorer.EXE | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\DHL_TOC2_2407081728458457.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_TOC2_2407081728458457.pdf.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_TOC2_2407081728458457.pdf.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\DHL_TOC2_2407081728458457.pdf.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\Winword.exe
"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\test.txt
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\directory\name.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 185.53.179.90:80 | www.business-printer-22001.bond | tcp |
| US | 104.21.74.139:80 | www.stargazerastrology.click | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| GB | 23.40.43.123:443 | metadata.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| GB | 95.101.28.35:443 | binaries.templates.cdn.office.net | tcp |
| DE | 185.53.179.90:80 | www.business-printer-22001.bond | tcp |
| US | 104.21.73.87:80 | www.popumail.net | tcp |
| US | 13.248.243.5:80 | www.superlottery.top | tcp |
| US | 13.248.243.5:80 | www.superlottery.top | tcp |
| US | 3.33.130.190:80 | www.liderparti.store | tcp |
| JP | 150.95.255.38:80 | www.run-run.tokyo | tcp |
| US | 76.223.105.230:80 | www.superlottery.top | tcp |
Files
memory/4120-10-0x00000000005F0000-0x00000000005F4000-memory.dmp
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | f6ed869b733b1f2aa3bdd06040f3372a |
| SHA1 | 7075acf1c62e44653f5c834a14b56cd342f0ae5a |
| SHA256 | 05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1 |
| SHA512 | cba7753022eaa43f2d1bc77c73c7276824545e3083eee5e321f8be5b729bad3b01fe84108cbc5bdbe5fca7df1e802a55b36ef19292b1874a1cb514af5c16c582 |
C:\Users\Admin\AppData\Local\Temp\Mazatl
| MD5 | e0a5cf114d58f8ee0ff4291a867fd137 |
| SHA1 | 1b158ff65388347954508f5b7f199371e19223e3 |
| SHA256 | eafeb8c80d4ad126dadef3f52db44f656a8aeef68287af04a50e6fa881b9140e |
| SHA512 | 8546fef189b766616f1d99e98dba8b46809e2f5097c7ab931096ff3838439a2e18b4a2a61cbd0d318c0aa0ff014e883711210f5cdeaa6a021aaa57f628fb7ac4 |
C:\Users\Admin\AppData\Local\Temp\niellists
| MD5 | 58078733b08c9abd4a1d6945eedd33f7 |
| SHA1 | 9d3b0fa2d1d78bc91875e656c82ac9c0a78ab5e2 |
| SHA256 | b9934664b8c472743c1170afd0acfbbc1d6a299ade5451e4dfd7dee18d1a60c7 |
| SHA512 | 87b2f00bb55166bfc1d3da8a3f65648fb9cc0690ccd47ec70f589be1808351c13904fc9ab8e2b253e59ff1e8d90e4e75d22f106627312ca26d2ff098166a2f40 |
memory/4984-28-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4984-29-0x0000000001900000-0x0000000001C56000-memory.dmp
memory/3280-33-0x0000000003BD0000-0x0000000003C96000-memory.dmp
memory/4984-32-0x0000000001880000-0x0000000001895000-memory.dmp
memory/4984-31-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1364-35-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
memory/1364-37-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
memory/1364-36-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
memory/1364-41-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
memory/1364-47-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
memory/1364-46-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
memory/1364-45-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
memory/1364-44-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
memory/1364-43-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
memory/1364-42-0x000001A992CF0000-0x000001A992CF1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
| MD5 | cabb1f8d30a7147e4fb96b9be21a18ed |
| SHA1 | e8d7d546f002126219644f2d21426f4a5ed0131c |
| SHA256 | 460491914d4528305288989dbd120da00ceb14a9ff8436c30485876e9a27bad2 |
| SHA512 | f36ed295204e99d9f3e5107617fdba641b2cb06325508d1dac4b337366b04c8937582ad4609a7f8e8e7d1900e4b75596ccad4d717687d9d3f45ccc72099031de |
memory/1452-52-0x0000000000830000-0x000000000083E000-memory.dmp
memory/4984-51-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1452-50-0x0000000000830000-0x000000000083E000-memory.dmp
memory/1452-53-0x0000000000C50000-0x0000000000C7F000-memory.dmp
memory/3280-55-0x0000000003BD0000-0x0000000003C96000-memory.dmp
memory/3280-58-0x0000000006A60000-0x0000000006B70000-memory.dmp
memory/3280-61-0x0000000015B00000-0x0000000015B10000-memory.dmp
memory/3280-69-0x0000000015C00000-0x0000000015C10000-memory.dmp
memory/3352-85-0x00007FFE405F0000-0x00007FFE40600000-memory.dmp
memory/3352-84-0x00007FFE405F0000-0x00007FFE40600000-memory.dmp
memory/3352-83-0x00007FFE405F0000-0x00007FFE40600000-memory.dmp
memory/3352-87-0x00007FFE405F0000-0x00007FFE40600000-memory.dmp
memory/3352-88-0x00007FFE405F0000-0x00007FFE40600000-memory.dmp
memory/3352-89-0x00007FFE3E2B0000-0x00007FFE3E2C0000-memory.dmp
memory/3352-90-0x00007FFE3E2B0000-0x00007FFE3E2C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 76eea5cac5570de6a36d8f8c509b6088 |
| SHA1 | 5f4ca779b3ad7a44864465026888dd239b2333db |
| SHA256 | 602c714add305bdd48f3bb39fae2ab896cd8d0321a2d721104574b92d7ba9793 |
| SHA512 | 6e011e89d7fdd94d0bcb7f9e48ce3d06fa6222b0ddbeb7288e26c2218975bd1a6562d9785f54df23601595cb524e49b87ba1752b198560f1c2287d49e91366a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\TCD57F0.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
memory/3352-433-0x00007FFE405F0000-0x00007FFE40600000-memory.dmp
memory/3352-436-0x00007FFE405F0000-0x00007FFE40600000-memory.dmp
memory/3352-435-0x00007FFE405F0000-0x00007FFE40600000-memory.dmp
memory/3352-434-0x00007FFE405F0000-0x00007FFE40600000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 2595c393965508c2d12ac0706fe0bbcf |
| SHA1 | 49b338c5bb213c1842e768e06cfc1ba47e9076bd |
| SHA256 | a6db86172e953f361280ed45258cdd5225ae27b1abefc82d57e3d9a51a4672f9 |
| SHA512 | 8b3489b14893051315cac3d95987470624b25132d86e981f34e66ad51597de642d2c2bee931e49d4434cc8346fcf4909ef3a01e64db1077daaa4f5ffc19b20b4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | f7fc3d261a9c0dcbe4441b15020e9b2b |
| SHA1 | f99757accb8c3fc17bc48dbefec21507c0e6c30f |
| SHA256 | 6d282a872743f8ff55b19478f7d9348a60df949ebc86aceb599f78425993be3b |
| SHA512 | 8f77e608c0ea249d8f45d7beb5115488d6e36b6c58d7942e1039e4126bc702843a006db1d6753f97e5413a0059d64b91efbe70cb8ab35038c04c798d3d217032 |
C:\Users\Admin\AppData\Local\Temp\autA229.tmp
| MD5 | 6f11e5dd4b19acaef0d6e1f3f6e5cfb4 |
| SHA1 | 0ded7178b036bfa3b7fba86ecb88000a372791ab |
| SHA256 | ff110fbcc707afdc95d485e379ffeefa6db7b9eef3535e22a2f73c6998c04963 |
| SHA512 | a6a2b7103178ef4932a62574b94197cacfd7711c58f4b1c05d78d58ad0c8e9d18856ecc7e3fe1f3411c9e81b0666675b0f512e609b8808867ffe6396d96b23f2 |
C:\Users\Admin\AppData\Local\Temp\autA218.tmp
| MD5 | 8f00c6312ecadd84097fa759d4df7fc2 |
| SHA1 | bff90ea1e4bf123c54eeffe5337c7f43067e9828 |
| SHA256 | 7cc40b0a90a7248a40b11eadd9a1c059758dfb69731749a103cc4cf21985f8d0 |
| SHA512 | 1f63f9ec423c24c4012ab5464ebea81d4b251a00a6cc38e2fd021ddf84ad51306363fa96bb544c3b83a4d8cc28524c0b1a082b80ec22f2cb4db775fd71025b6c |