Analysis
-
max time kernel
493s -
max time network
496s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04-09-2024 01:13
Static task
static1
Behavioral task
behavioral1
Sample
octo hates niggers.wav
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
octo hates niggers.wav
Resource
win10-20240404-en
General
-
Target
octo hates niggers.wav
-
Size
1.1MB
-
MD5
e06c2af9bd3623d93dad4c19fa90b88a
-
SHA1
aae457d958f50416e1a1e6f2195e1c162e47abcf
-
SHA256
7a3b253a53b43df9024c580b8797df22ac022cebddb9305ff77f2c0884dd6ddf
-
SHA512
b5d73101ff3adabbe563dbf8c007f1279fc151c564d8563e5cb6a3a36eb354a177978225576d7bc1ebd428e8d80f9a73880ca221058babcb409a669da32ff30f
-
SSDEEP
1536:53PiVM28r4hL0/yJPGw9mtJdNRvDuKjmK0yjWJOcaY:5aVM8hLgucNRruKCpiMODY
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Birele.exe" Birele.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" Annabelle.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Annabelle.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (3758) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/files/0x00090000000236f8-5484.dat mimikatz -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe Annabelle.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3208 NetSh.exe -
Deletes itself 1 IoCs
pid Process 3484 drpbx.exe -
Executes dropped EXE 3 IoCs
pid Process 3484 drpbx.exe 4004 system.exe 3704 AE8D.tmp -
Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc Birele.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" Annabelle.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys Birele.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc Birele.exe -
Loads dropped DLL 2 IoCs
pid Process 1748 rundll32.exe 3584 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/4604-5466-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/4604-5470-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/4604-5568-0x0000000000400000-0x0000000000438000-memory.dmp upx behavioral1/memory/4604-5633-0x0000000000400000-0x0000000000438000-memory.dmp upx -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" jigsaw.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Birele.exe" Birele.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" Annabelle.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\M: wmplayer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 125 raw.githubusercontent.com 126 raw.githubusercontent.com 124 raw.githubusercontent.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "0" $uckyLocker.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\ui-strings.js drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close2x.png.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-colorize.png drpbx.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxWideTile.scale-100.png drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4 drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\ui-strings.js.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\offlineUtilities.js drpbx.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.fun drpbx.exe File opened for modification C:\Program Files\Java\jdk-1.8\lib\packager.jar drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-48_contrast-white.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-200.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\appstore.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sk-sk\ui-strings.js drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\ui-strings.js.fun drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\flags.png drpbx.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\autofill_labeling_features_email.txt drpbx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\MedTile.scale-125.png drpbx.exe File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\manifest.xml.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-200.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp8.scale-100.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-24_altform-lightunplated.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Google.scale-125.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeLogo.scale-200.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-72_altform-unplated.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupWideTile.scale-150.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyView.scale-150.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyFolder_160.svg.fun drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations_retina.png.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-200_contrast-white.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_contrast-white.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailSmallTile.scale-100.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\ui-strings.js drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-64_altform-unplated_contrast-black.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.contrast-white_scale-100.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons.png.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\DeviceNotFound.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-100.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSmallTile.scale-400.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-400.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-400.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_contrast-white.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf.fun drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-16_altform-unplated_contrast-black.png drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\ui-strings.js.fun drpbx.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-hover.svg.fun drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\ui-strings.js drpbx.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.scale-150.png drpbx.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-40_altform-unplated.png drpbx.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js drpbx.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxBlockMap.xml drpbx.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png drpbx.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File opened for modification C:\Windows\AE8D.tmp rundll32.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe File created C:\Windows\cscc.dat rundll32.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4196 5056 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Birele.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SCHTASKS.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7ev3n.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language $uckyLocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unregmp2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 4296 vssadmin.exe 5064 vssadmin.exe 4192 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 3176 taskkill.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698860513244778" chrome.exe -
Modifies registry class 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{52175E48-AA3F-4F3D-9009-02460A0AD4F1} msedge.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings OpenWith.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4492 schtasks.exe 4940 SCHTASKS.exe 5024 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 2192 chrome.exe 2192 chrome.exe 4000 msedge.exe 4000 msedge.exe 2484 msedge.exe 2484 msedge.exe 3200 identity_helper.exe 3200 identity_helper.exe 4804 msedge.exe 4804 msedge.exe 1616 msedge.exe 1616 msedge.exe 2148 msedge.exe 2148 msedge.exe 2148 msedge.exe 2148 msedge.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3448 msedge.exe 3448 msedge.exe 1748 rundll32.exe 1748 rundll32.exe 1748 rundll32.exe 1748 rundll32.exe 3584 rundll32.exe 3584 rundll32.exe 3704 AE8D.tmp 3704 AE8D.tmp 3704 AE8D.tmp 3704 AE8D.tmp 3704 AE8D.tmp 3704 AE8D.tmp 3704 AE8D.tmp -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1956 OpenWith.exe 1932 OpenWith.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
pid Process 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 5056 wmplayer.exe Token: SeCreatePagefilePrivilege 5056 wmplayer.exe Token: SeShutdownPrivilege 952 unregmp2.exe Token: SeCreatePagefilePrivilege 952 unregmp2.exe Token: 33 4616 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4616 AUDIODG.EXE Token: SeShutdownPrivilege 5056 wmplayer.exe Token: SeCreatePagefilePrivilege 5056 wmplayer.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe Token: SeShutdownPrivilege 2192 chrome.exe Token: SeCreatePagefilePrivilege 2192 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 5056 wmplayer.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2192 chrome.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 2484 msedge.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe 3644 taskmgr.exe -
Suspicious use of SetWindowsHookEx 46 IoCs
pid Process 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 1956 OpenWith.exe 4644 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 4724 OpenWith.exe 1932 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5056 wrote to memory of 2900 5056 wmplayer.exe 84 PID 5056 wrote to memory of 2900 5056 wmplayer.exe 84 PID 5056 wrote to memory of 2900 5056 wmplayer.exe 84 PID 2900 wrote to memory of 952 2900 unregmp2.exe 85 PID 2900 wrote to memory of 952 2900 unregmp2.exe 85 PID 2192 wrote to memory of 452 2192 chrome.exe 100 PID 2192 wrote to memory of 452 2192 chrome.exe 100 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 3308 2192 chrome.exe 101 PID 2192 wrote to memory of 1300 2192 chrome.exe 102 PID 2192 wrote to memory of 1300 2192 chrome.exe 102 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 PID 2192 wrote to memory of 212 2192 chrome.exe 103 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "C:\Users\Admin\AppData\Local\Temp\octo hates niggers.wav"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:952
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 23122⤵
- Program crash
PID:4196
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:3132
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x530 0x52c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5056 -ip 50561⤵PID:4720
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1b6ecc40,0x7ffe1b6ecc4c,0x7ffe1b6ecc582⤵PID:452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2144,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2140 /prefetch:22⤵PID:3308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1820,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:32⤵PID:1300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1736,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1664 /prefetch:82⤵PID:212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3128 /prefetch:12⤵PID:1252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:12⤵PID:3588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3660,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4500 /prefetch:12⤵PID:4040
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:82⤵PID:1692
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4968 /prefetch:82⤵PID:4720
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4868,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3824 /prefetch:12⤵PID:5036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4440,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3680 /prefetch:12⤵PID:2012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3364,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3268 /prefetch:12⤵PID:1656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3400,i,6497257331891514097,8625143600056254178,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5196 /prefetch:12⤵PID:3304
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:404
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4176
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2484 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe1be046f8,0x7ffe1be04708,0x7ffe1be047182⤵PID:2668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵PID:4956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:82⤵PID:4784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵PID:2844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵PID:3652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:12⤵PID:1528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:12⤵PID:2512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:82⤵PID:3204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵PID:2364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:12⤵PID:1820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5292 /prefetch:82⤵PID:1896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5648 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:12⤵PID:892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵PID:656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:12⤵PID:1656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:12⤵PID:2512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵PID:3720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:12⤵PID:3164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:12⤵PID:3992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6072 /prefetch:82⤵PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:12⤵PID:1752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5728 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵PID:4644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1392 /prefetch:12⤵PID:3976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:12⤵PID:1720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:12⤵PID:2268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,8028957380391994781,3686382292894053141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7096 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2392
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2284
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2748
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1956 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\README.md2⤵PID:516
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4644
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4724
-
C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Jigsaw\Ransomware.Jigsaw\jigsaw.exe"C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Jigsaw\Ransomware.Jigsaw\jigsaw.exe"1⤵
- Adds Run key to start application
PID:4668 -
C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe"C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\Downloads\Ransomware-Samples-main\Ransomware-Samples-main\Jigsaw\Ransomware.Jigsaw\jigsaw.exe2⤵
- Deletes itself
- Executes dropped EXE
- Drops file in Program Files directory
PID:3484
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:3644
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1932
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2716
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:3760
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\7ev3n.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4004 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
- System Location Discovery: System Language Discovery
PID:3972
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4940
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:3648 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:1656
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:956
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:116 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:4568
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:4800 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:672
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:2464 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:4628
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:4836
-
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
PID:3468 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:4296
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:4192
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:5064
-
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3208
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1748 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- System Location Discovery: System Language Discovery
PID:5048 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
PID:436
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2449352037 && exit"3⤵
- System Location Discovery: System Language Discovery
PID:3988 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2449352037 && exit"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5024
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 01:39:003⤵
- System Location Discovery: System Language Discovery
PID:4128 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 01:39:004⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4492
-
-
-
C:\Windows\AE8D.tmp"C:\Windows\AE8D.tmp" \\.\pipe\{025205F5-432F-4853-9E0B-4976993EE5F2}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3704
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:640 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3584
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Birele.exe"1⤵
- Modifies WinLogon for persistence
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM explorer.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3176
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:3552
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun
Filesize720B
MD575a585c1b60bd6c75d496d3b042738d5
SHA102c310d7bf79b32a43acd367d031b6a88c7e95ed
SHA2565ebbfc6df60e21044486a5df3cb47ccdcd7a4d5f197804555715ffd9bf6c5834
SHA512663a302e651b9167f4c4e6ae30028307b4d8da0dda3a0e5fd414104951d50419862fc9396c5b39fe5c4b696efd3efbf0b575688983b1d341f3ef38becf500505
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun
Filesize7KB
MD572269cd78515bde3812a44fa4c1c028c
SHA187cada599a01acf0a43692f07a58f62f5d90d22c
SHA2567c78b3da50c1135a9e1ecace9aea4ea7ac8622d2a87b952fc917c81010c953f7
SHA5123834b7a8866e8656bbdbf711fc400956e9b7a14e192758f26ccf31d8f6ab8e34f7b1983c1845dc84e45ff70555e423d54a475f6a668511d3bcbdd1d460eeb4b0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun
Filesize7KB
MD5eda4add7a17cc3d53920dd85d5987a5f
SHA1863dcc28a16e16f66f607790807299b4578e6319
SHA25697f6348eaa48800e603d11fa22c62e10682ad919e7af2b2e59d6bd53937618f2
SHA512d59fa9648dc7cb76a5163014f91b6d65d33aaa86fc9d9c73bf147943a3254b4c4f77f06b2e95bb8f94246a982ea466eb33dac9573dd62f40953fd23de1c1b498
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun
Filesize15KB
MD57dbb12df8a1a7faae12a7df93b48a7aa
SHA107800ce598bee0825598ad6f5513e2ba60d56645
SHA256aecde4eb94a19095495d76ef3189a9abd45bcfd41acbed7705d22b4c7d00aa77
SHA51296e454ebb4c96573e8edc6822290c22d425f4c7f7adbab35e6dc4b3ce04a5916ae9254c2c312c98299835ecbf3c5aa95da2939b8408ac25fbae44ba87a3795dc
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun
Filesize8KB
MD582a2e835674d50f1a9388aaf1b935002
SHA1e09d0577da42a15ec1b71a887ff3e48cfbfeff1a
SHA256904372666ca3c40f92b20317d92ca531678958affbc34591401e338146fe0ecb
SHA512b10a8e384d0bd088443a5085f5c22a296f6f4d295a053d4526690ba65846e887daec47d01cf18fdf1160db98061a8b7c4040de56e6e604451a821fadccf32698
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun
Filesize17KB
MD5150c9a9ed69b12d54ada958fcdbb1d8a
SHA1804c540a51a8d14c6019d3886ece68f32f1631d5
SHA2562dee41184747742fbdc527b2023d67fecec1ccdfdf258439a06cd75d4fd33f43
SHA51270193ee6f0919eb14311f43b5a5da041deacb568db55fc43290ee76e17af902ac468435b37a150630ea3b7871c724073915ae5dcba3c301ac42f2d68dd598e2f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun
Filesize448B
MD5880833ad1399589728c877f0ebf9dce0
SHA10a98c8a78b48c4b1b4165a2c6b612084d9d26dce
SHA2567a27d891097df183fbf0031e3894bdac0ce77aef15d666ddd9f6a04e9836fb27
SHA5120ddf247892a72a390437390d535debf6e41d12e51b31eb4f0353b710ec380c5fbc531a48e76935088063a41aca843287d3def9c1cd46be05b8dcb69f5017a464
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun
Filesize624B
MD5409a8070b50ad164eda5691adf5a2345
SHA1e84e10471f3775d5d706a3b7e361100c9fbfaf74
SHA256a91790b778026db625c9dedfe1c6d94b884818b33d7977e86b2f9c2f3c500796
SHA512767a75edd37d29b3433040ce21cda849cd11ba549f27581f7edc6416c433ba7047c56908d40956422393ab0f35ede61617d4bd2aad0bde3d1ebd276584c858c7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun
Filesize400B
MD52884524604c89632ebbf595e1d905df9
SHA1b6053c85110b0364766e18daab579ac048b36545
SHA256ae2facd997527426fc4def82e0db68be29b44499bfff86a28c36f7c31b177d4f
SHA5120b506397627823a1768796129c6b37d146821471b89338b5f2d0fd3aea707fd46a8e197ee0e298ddfb3b50eef0a0b064946006346b060f733ef19cbd5d24fc90
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun
Filesize560B
MD5e092d14d26938d98728ce4698ee49bc3
SHA19f8ee037664b4871ec02ed6bba11a5317b9e784a
SHA2565e8ec278a273be22199884d519a79f748801baa3a45b76e57569fdfffe96e7fb
SHA512b2fcb5d46339cdf6b5a954f2a083cf913779e57cb6e8699bc5da1fba1c370c41117b7ddefb50075622067eb7b02a20268bc047171bd883bcda4a497c2ec64ea4
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun
Filesize400B
MD50c680b0b1e428ebc7bff87da2553d512
SHA1f801dedfc3796d7ec52ee8ba85f26f24bbd2627c
SHA2569433084e61062d2b709c1390e298ddaf3fb0226656662c04c0b7026a44dee750
SHA5122d1399a6bf225b048d2b12656e941ad912636acae2dec387f92f33ac80629a1e504bca63580ba73a8ed073788f697274d5eb76ea1b089f0555fd397a8f5cbbff
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun
Filesize560B
MD5be26a499465cfbb09a281f34012eada0
SHA1b8544b9f569724a863e85209f81cd952acdea561
SHA2569095e9b4759e823e96984981af41b7a9915a5ecaa6be769f89c13484cef9e0f5
SHA51228196e5de9670e9f63adcf648368bd3ea5926a03e28a13adc2fb69c567fba2f84e4f162637c487acb64eda2e30993f849806f2313820ba693c7e70303542d04f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun
Filesize400B
MD52de4e157bf747db92c978efce8754951
SHA1c8d31effbb9621aefac55cf3d4ecf8db5e77f53d
SHA256341976b4fe312824d02512d74770a6df9e1c37123781655532bd9cd97ea65fa9
SHA5123042a742c38434ae3ee4fe10f7137462cdebad5cae0f9a85fb61063d15a30e1b54ac878b1af65f699c6ca1a9d2c3e58d245e54bdebfadc460cbd060836734e11
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun
Filesize560B
MD5ad091690b979144c795c59933373ea3f
SHA15d9e481bc96e6f53b6ff148b0da8417f63962ada
SHA2567805ac9d0e05d560023e5aabed960d842e4f3ec2aa3db45a9cfb541688e2edb1
SHA51223b4c799a7b25f70962e8dd0ec7286ba7150053cab7c88f5fb1efc1095c2987bd6f3572e7fb3ee4b2238958e52a763de2c84a74615df7a6d3a19a034584fd687
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun
Filesize688B
MD565368c6dd915332ad36d061e55d02d6f
SHA1fb4bc0862b192ad322fcb8215a33bd06c4077c6b
SHA2566f9c7ebec5a707de439e3fd2e278fdfa07a39465d56157b70b24f091509bf76f
SHA5128bb9a7690aeb3c0b9e14e1a6ebc5741536d354cf2324fd74ee0c3e4ef511718f7795039a94c8d2df94b6e6d0fb1762191cb649089d1def12abdf34003f0cdd0f
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun
Filesize1KB
MD50d35b2591dc256d3575b38c748338021
SHA1313f42a267f483e16e9dd223202c6679f243f02d
SHA2561ca0cfc2df0354c8d886285ae5e743d9c7cc030e1afd68ac113c0f2ce43ad5fa
SHA512f6c58c27bbde7508a866bd0e7fabadb13a4f020378cd8b8cfc0c9fa23f645d811d6cdea04b81afdf30c064c6248152e74b3e6a78ec7a3d1d19037a0db8897d7e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun
Filesize192B
MD5b8454390c3402747f7c5e46c69bea782
SHA1e922c30891ff05939441d839bfe8e71ad9805ec0
SHA25676f8ed1dd50e50c7d62b804a0d6901a93e5534787d7b38467933d4c12ce98a0d
SHA51222b26c62473e80d17c1f78df14757ccfb6c7175faa541705edc153c02baa7ab0982b5daabe8dd2c8c9efb92af81f55ccaeeecffe8ed9a0b3c26e89135ca50923
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun
Filesize704B
MD56e333be79ea4454e2ae4a0649edc420d
SHA195a545127e10daea20fd38b29dcc66029bd3b8bc
SHA256112f72ef2bc57de697b82b731775fba3f518d1ae072120cd11b732bf4a782e36
SHA512bed5906c7373814acc8a54c1631428a17f0aa69282920447a1575d8db826afd5dab262301dc6da610ff8bb81d24ec6babd3d9fb99fd6945f1aca9cb9c76ec2c9
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun
Filesize8KB
MD53ae8789eb89621255cfd5708f5658dea
SHA16c3b530412474f62b91fd4393b636012c29217df
SHA2567c5b1d8469e232a58359ccbcb89e619c81c20e6d2c7579e4292eb9a19849bc5a
SHA512f6998dbae1a2fa56f962045261a11a50b8e03573d9d4cf39083da3be341cc104e0ecf5908076f03961bcdb1356d05a7450d69940ec3aaab73623a6fe180e7051
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun
Filesize19KB
MD5b7c62677ce78fbd3fb9c047665223fea
SHA13218c7b6fd8be5e0a8b67d3953d37d5dbd0c71d8
SHA256aa638be6e1107ed1f14e8430abedd6f6d0a837a31b1b63e6a7741d6d417eddc2
SHA5129e0cc29835845f2a0260a6989c1b362bac22a8e0c2825bc18f1dde812ce7868503881d2deaf951429a80b5017b6ce31e785ff524883e08d730aa38b36a2fb074
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun
Filesize832B
MD5117d6f863b5406cd4f2ac4ceaa4ba2c6
SHA15cac25f217399ea050182d28b08301fd819f2b2e
SHA25673acdc730d8a9ec8f340c724b4db96fc222bb1eaf836cec69dfe3fab8d6ac362
SHA512e10883029c1e0fbc64bec9aac0a6957a8499af255e1790843717212077926474e02b2870c5dd04b057c956b97ad4bb1747fe73e731ea61b891f4b38dd80494d7
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun
Filesize1KB
MD5433755fcc2552446eb1345dd28c924eb
SHA123863f5257bdc268015f31ab22434728e5982019
SHA256d6c290e942ee665d71e288229423a1f1866842988eac01f886910b0ec383aa9b
SHA512de83b580ce27012a7677e1da867c91e2a42dbc6b5872dcf756ace51c2862801814665ecca997171f2e550e8b9a3de19994d2516a4e5d4d57e16c7b4b823236c0
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun
Filesize1KB
MD5781ed8cdd7186821383d43d770d2e357
SHA199638b49b4cfec881688b025467df9f6f15371e8
SHA256a955039cd9e53674395f4b758218e4d59c89e99a0c4d2a909e49f6008b8f5dd4
SHA51287cb9c4288586df232200f7bbacee3dee04f31c9444902dd369ad5c392d71e9837ebf8b3bb0fcb4a5db8a879cf757e97ce248939e3316c6bf3a3fe7cbe579534
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun
Filesize2KB
MD551da980061401d9a49494b58225b2753
SHA13445ffbf33f012ff638c1435f0834db9858f16d3
SHA2563fb25ddd378ab756ec9faa56f16b76691cf6d9c7405bb9a09ce542a6f5b94e44
SHA512ecc5eb2a045ce2508d461b999f16caba6cce55aa0c00b34bd73a33e0458795f93a77caff5026212912684164057be016f51dc57ec83821c2a1f2e27417c47b2c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun
Filesize2KB
MD52863e8df6fbbe35b81b590817dd42a04
SHA1562824deb05e2bfe1b57cd0abd3fc7fbec141b7c
SHA2567f1238332901b740cde70db622abcfb533fc02f71e93101340073552f4820dad
SHA5127b2d95465ea66951ea05c341549535a0a939d26dbde365b212e3983e4047fa6912c37d737cb8054c41bb1a7d92586d968a0154c666572a70ebc59a4776897f38
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun
Filesize4KB
MD579f6f006c95a4eb4141d6cedc7b2ebeb
SHA1012ca3de08fb304f022f4ea9565ae465f53ab9e8
SHA256e9847d0839d3cf1039bebdc49820ee7813d70941347ce420990592e5e3bd998e
SHA512c143a4cf1ccfa98039b73214978722408188535ee4aa3dac08a34760b94bdf6d36ad0ff0de893da5b17fd69c96a6dfb25098ab7fec219fad1a77532113d0353e
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun
Filesize304B
MD5b88e3983f77632fa21f1d11ac7e27a64
SHA103a2b008cc3fe914910b0250ed4d49bd6b021393
SHA2568469b8a64e80d662eec71c50513f6d295ef4a3a9992763dbcac9d81253cef9d5
SHA5125bf93d4f4250ca96169f3d27d4e648cc5d6e00b7558a3ef32e07edcbae36dadb8008d7ba5f83ac3ed812b72c9d52730e866191b4de7a339df57b5697e00df50d
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun
Filesize400B
MD5f77086a1d20bca6ba75b8f2fef2f0247
SHA1db7c58faaecd10e4b3473b74c1277603a75d6624
SHA256cf10d2a22b638cf0978cf30ecaf39ecb5bb0e3ad78cd920afa433ad60cc1290d
SHA512a77a897c0b41f4052cb9546d4cfd6e0856b288b6b8583a86d6c7e79059a05b19cc2593599251581e79107235e9d5cd589c392bf490452be04ff57e944cd19df3
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun
Filesize1008B
MD5e03c9cd255f1d8d6c03b52fee7273894
SHA1d0e9a9e6efd1746bc9ccb4eb8e7701c1cd707e2e
SHA25622a34c8321384fc7682102e40d082e7812232a9109e4d4e8fa2152fda3f260f6
SHA512d4bd002197b725316e1f1f2dd0a70ee44a82a53ac0dafa8c6b1166343adc406e147d0c4cca30d65a32aa545f1b327c6b69c0ec1d15330af48a6faa234dc4b5ac
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun
Filesize1KB
MD562b1443d82968878c773a1414de23c82
SHA1192bbf788c31bc7e6fe840c0ea113992a8d8621c
SHA2564e96529c023168df8dde241a9acdbf4788ea65bc35605e18febff2b2071f1e24
SHA51275c8604ea65e0cdd9ea74b4802930444dd16a945da1e7f0af4a9a3762259ee9eb41ea96973555d06f4814ee2f6b73ab662c6b314b97876e9628fa5d4536e771c
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun
Filesize2KB
MD5bca915870ae4ad0d86fcaba08a10f1fa
SHA17531259f5edae780e684a25635292bf4b2bb1aac
SHA256d153ed6c5ea8c2c2f1839f8dadcc730f61bd8cd86ad732bab002a258dea1d037
SHA51203f23de6b0ae10e63c41e73308b3844d49379c55d2df75fa1dc00771b26253d832c21081d8289f04260369df996e31273b7c0788cf3b5c78a27ec909f14a283a
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun
Filesize848B
MD514145467d1e7bd96f1ffe21e0ae79199
SHA15db5fbd88779a088fd1c4319ff26beb284ad0ff3
SHA2567a75b8ec8809c460301f30e1960b13c518680792e5c743ce7e9a7f691cfafc38
SHA512762d499c54c5a25aba4357a50bb4e6b47451babeda84fa62cfbd649f8350bca55204ad002883b9147e78dda3dbabaae8da1dc94b716204226bb53326030772b7
-
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun
Filesize32KB
MD5829165ca0fd145de3c2c8051b321734f
SHA1f5cc3af85ab27c3ea2c2f7cbb8295b28a76a459e
SHA256a193ee2673e0ba5ebc5ea6e65665b8a28bd7611f06d2b0174ec2076e22d94356
SHA5127d380cda12b342a770def9d4e9c078c97874f3a30cd9f531355e3744a8fef2308f79878ffeb12ce26953325cb6a17bc7e54237dfdc2ee72b140ec295676adbcb
-
Filesize
160B
MD5580ee0344b7da2786da6a433a1e84893
SHA160f8c4dd5457e9834f5402cb326b1a2d3ca0ba7e
SHA25698b6c2ddfefc628d03ceaef9d69688674a6bc32eb707f9ed86bc8c75675c4513
SHA512356d2cdea3321e894b5b46ad1ea24c0e3c8be8e3c454b5bd300b7340cbb454e71fc89ca09ea0785b373b483e67c2f6f6bb408e489b0de4ff82d5ed69a75613ba
-
Filesize
283KB
MD52773e3dc59472296cb0024ba7715a64e
SHA127d99fbca067f478bb91cdbcb92f13a828b00859
SHA2563ae96f73d805e1d3995253db4d910300d8442ea603737a1428b613061e7f61e7
SHA5126ef530b209f8ec459cca66dbf2c31ec96c5f7d609f17fa3b877d276968032fbc6132ea4a45ed1450fb6c5d730a7c9349bf4481e28befaea6b119ec0ded842262
-
Filesize
40B
MD54b1b9a525f813b0b50fb768a91122eb0
SHA157a0788d952a0f50652f836ea7a687d3d6956b7f
SHA25625c3fa80556d205f3e16606118b663d7a465dea6ec1f0e80d11146fa174a1617
SHA5124973fd4728896dbdddff55f07ba80c038f0af11fc1e6e373272d291a079aea5dda09b17731d9a935c30544e65e2a9a92bcdcf457162e311399864bf185a2d0ba
-
Filesize
649B
MD5b428ab9aa166c4d0726bf8ff4d59beca
SHA1d8abda941edb7a277c3343ae02e2fc6be29c2368
SHA2563ff027da4d2de879c296c6828a1c6503a7d004fb30cd4cc42e7cf90ee6909547
SHA51263f919609a5160cea5083cdc5afb53ca1393dcdb409c5b3f88c56c58f87ff58af78d7ce825ec1bbb81d55e77b9c353eec66d4bef8d14e81f6c7ff455ec00495e
-
Filesize
211KB
MD5e7226392c938e4e604d2175eb9f43ca1
SHA12098293f39aa0bcdd62e718f9212d9062fa283ab
SHA256d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1
SHA51263a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145
-
Filesize
24KB
MD5c594a826934b9505d591d0f7a7df80b7
SHA1c04b8637e686f71f3fc46a29a86346ba9b04ae18
SHA256e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610
SHA51204a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961
-
Filesize
289B
MD50c97225e4a5a8298f32898f12c56b9f4
SHA1f2311ccc73a7959d6717d740a54bf7b1e2dd9295
SHA2568a580dbdbb3b86cfbdca267a61fea83eadf9bff81b03dbb966f63ea08cfcd051
SHA5121df2d8c804116de6c6d21143300e50e41df773556621965242048c24e01960ffa6eec71c1740f54439f9caa954b4d5df58d34c90f48beaaf572dadca4e24ce8f
-
Filesize
367KB
MD58340298485b2d7af6016b1c2d36c1428
SHA12cb1d63a17abc58496baf0d22d60b96c78813422
SHA256015c00244da9b404498f0b0db784fade30f9d81829d5c0664d143a3fca5ee83c
SHA5124d16d5dbf3b61470fdb0687c438b3a736e15b25b97e702270fe72b7a69fa03cf7a940b38b0d7cfcf8bec88e950a320bcf5d6c82b215c5851017e6b6adac8f663
-
Filesize
216B
MD5fd7ca1477e23ec4c9a3e51b351078ac9
SHA136a6cd7536e5004d284d7a204bdc99c243f6af7a
SHA25677625286a1e6061f7655a70efcd9686d903ae9d45548221b07c48ced09042661
SHA51258764df77d9930845529332c4fec9763fd25a3be4990a7728391b236bc9e958ec01eb49993c53ae6f752b9a04a6da3bc1c1fcc8ca85f23e6a6ecda6036444d44
-
Filesize
216B
MD54488458ab5b41d0ae4f54fe631fcd9e1
SHA121d3cf1251a61a7d056599158691c40bcc1ed93a
SHA2566cb725ac36061e0d735d5890d944e4d0c1e01ede6d3fd8abdeaaa66628e99d45
SHA51282eb16861f711065f68d9ae6edf4f925fa898a2d7d8d532a8a68732ec88844dd962202a1c35205a14f49c23dbd68cbd9240edb167417f0c131e7d5524e99ed83
-
Filesize
1KB
MD53d38dc0f0c576a3a7ae8fc5bdb4de8a9
SHA114a4b3c889cb0961043742153843fe5c1b459ee4
SHA2565ba14784ec4de3b633118587681687bde5000ea666a4dd75cef7feac4dc76495
SHA51234716f047d9978d2c622b339dc648dbe7b23983b623034c498231f9b8068976f87e02baef5618aec02eb67543550f3d4c730e8bd5b137bab1469f9238ee2d94e
-
Filesize
2KB
MD5b06b33851fe042fd43c86aaa2f56bd55
SHA17b4f299abc6669b7191a2770ae361f407c20bab5
SHA256e85176b9fc3f7537933fbbb8edad1627c368053e73a5fdede2449bfac9f9a547
SHA512db2174f3080600bf8559e75adf2bdc2117a065a2d1773c7e50c45d19b95385e85dc5127fa82190c1ecff18543f5587d5ffd73d5f3d07af8dc51048bb28742326
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5ac7ce453981a46bf993da05d39796012
SHA149abe65b328dcd312d91fd2b7a4907ed25374be2
SHA2563a7cf0915877fdc080ef7d8f9e37309086783cb3b8e5d8be3f04083e2c0ffc49
SHA51289fea72950399c528842426b5ac6a68b334ffe46e80bcd6962dd90c2292120cc0c50a26be3b1c3430cdee1550f8e89af81eed56a13fb13637f75775d85669d64
-
Filesize
356B
MD54ed65287e2ddcfd59b9778373e14c2e6
SHA1d19d86d0766e88d93d14cfd932730e5da44b27a3
SHA2566a30640c1ccf5c7d6a4a6c35ddf53bb3cd8440a7f70d0b1fcfaf01c8a61460ab
SHA5123c6556ccccc0cd8f6636634ade4fa10091b0b3e402cda90ac794e9aa79de9196894cea44076d412ec351bb7ecb28d06acf3bd712be262f7ecd9b03b2bb4741e5
-
Filesize
356B
MD525cdf35f07bf822871a7efae2761207f
SHA18d22f62bd56df62ed6dc9768032e15c0d2ae54d9
SHA25668986a0fe04ba39db25d267412fc6eaf0de19d3209a764994d0cedd26cc8d5b9
SHA5124f7931a7344e9f2fe67c699897a7d7e7ee8fec38ceb64dbe97e7ba56b321a59a4e8e6076efe9ce9b1619b0976381a1903b31376e600327495657180132416b90
-
Filesize
10KB
MD5eec44c64598d23b77a64d1f53b718e33
SHA1b5db173dacd4b391ae0e355578d8b70fe2449005
SHA256936a2575b2c0ba65c9cc301f34ac7b5561465c185c4ef80d4dad817690e24885
SHA51267df85084d81a1b146fa0570be9dc03fd3bbe38d4f88864477b17286c391a7b29b1b43adb5593a814ce0a0cc9348237368b9194eda7a06db339c0dbb08f7a9c9
-
Filesize
9KB
MD50bf3edde57160ef92f4690189f974183
SHA106c5fc8e3d16ef0520ef122b1bdabeb27e64d8e5
SHA2568bcd11ef8d5d302b8f3eb524116a3f3041ba85449aada92d83af20d63f26b024
SHA51247ea3c962ac128e986e10744228f3a6c85e5c16a18a357efca0ac3897c294ab23d9e3e7b8cf409b39cff89fbbd2bb15928bb2e4db076522e3cdcc2514c6ec471
-
Filesize
9KB
MD5b141f6647fe5c7fbd636a53e43338ec0
SHA12b2f2a55f0284383879ce23b09d396ac91dd9785
SHA25695dc33acf586ac6a46ab40da53786ec35738d209737c39da4d49bf17d8bf67a6
SHA512f6fd3233dd1d4750862c5def92fff0f246c5a876fdde9bb7a4258f350c93047673a7e54ff386d149c7d39c60a5572a57e4a5c8399def66a3d6c256d59cd27bbe
-
Filesize
10KB
MD5e8e5ab0c76d94d4b6187b79c5d90e17c
SHA18a6742622ee81e8de289798569e0434e69aaea63
SHA256e0c171682e9ca7b66ee1e80f763fd52c38f82f78b208e2dd916801b12332a3d7
SHA512b8f2db8203ec958aa6e178ea88479e294d93904f4ce8496c826005756b8056c096e41f0f63dd7f2751158b3379d9673b57af8215a77f87c5c530376836614ad5
-
Filesize
9KB
MD575664cb3833d4135fd8ea0ea93b142ff
SHA1287fea4d20ce96207818d70f2193f2f9796d86de
SHA256343da58be904a34b49be9dc6d402b2a4f6233ea2ce345e8cf52b9bd5ed262f72
SHA512e10eafc80cc405b06a12419f534675f23c8f0f96023ce26536d66bb8ba52450b6ae46782c560f305566bd1d7503d2551db299aa2bf000206b476c7eb62f9d20c
-
Filesize
9KB
MD540eb41fa255c308bfd8daf0f2a31ede9
SHA12330b5736fe377694126a3576c1a566dfbf8ad47
SHA25691888c62e9861cdd43ca6721bc7d92b9ec87586db4b53debeec1ee564b2bd6dc
SHA512c6c94a243c08d3e132417d3696eba0c20b9b1fae15d3a05dc136c864a8adaa42fc50c6243caa319054a1c75e7f2b82173efad1b2df24e86b9540011dc7022d40
-
Filesize
15KB
MD5256320f45c10f4f81347cce575b80f1f
SHA13b2da1923aa8af6b31212c619e22963b04633331
SHA2569baf0556bb73c69a4605758bd28472c1cedb12789f5ee1bee6eef9b0893627c4
SHA512f7e7714171a8aa6a76903bf2ff9c8ec235541fc6e523048ca5541630fbdaa94065613e4e73f648dfe942f28938007073495ee00d98eb868c80e8910198b4bcdc
-
Filesize
204KB
MD5232c5fda301f3e418607f3d8742c1227
SHA18ee4e591b2ff24666302a9e2a8a9d0e6e9f0d029
SHA256b3d9e18c63b2195daebc98ebb26d167f291f177d8c4ad9c3977b9353234c5475
SHA512070c5c86490485a8defde810f17e0b2827b618c474397161eec9f09dcf1b92d58a3d758b3ece481bc79427dc0d54230f418d3d1b65271623f87425bde3486c08
-
Filesize
204KB
MD582b54b09aaec707a2dab80ec4ea2d06a
SHA1d3f314c43e0a7f9ccd4f5b6d1136e1fcbc5aaae0
SHA256d4b1f533567c618894fbe3a17d4da4ca27bc94102aad313d0c84505a97a675b9
SHA5128e6975262869ebcca16beeb6f9fde4d88bbbca45fdc5e889d65dce76f5defd264b094ec3caf08ae00711f42f05789aca3d51c99eb7e08a24926effc96cd79cff
-
Filesize
204KB
MD54c322fa7d0bd5ce5ea81e3ce813e99eb
SHA19717f918e10e893c3b3b0b9455a67b94814f1669
SHA256fdc15b458b8c748ac94eb0ccc1ad28567ecbe5948cb3e0dbc2633c45d01ad86c
SHA512ea1f83674f8f2554b6305c1991cef3f74fc8ec3598dd7055efbeaa8faebe0bc1c4770920676068000774dceaa8e3db50af6b70b073b465cbe25b1f4244ec9b12
-
Filesize
264KB
MD53464e66e478baa2a984d77ddb9fe6f5f
SHA150aa827ec8657607046ec7b066fe4b3008683000
SHA256da55f3e15ee0b891e9e73b50161c4355b5a1bf404aab44f09c5eeda81cab02e3
SHA51232b5e4ef571da6eafa872fe3697b9009f8f26bed344690a15c8559bafd2adf281bc9b87de25f93f2fe41f5baf6a6d5e2cd6b167346fcf19d70e3fc0791173749
-
Filesize
48KB
MD55a1706ef2fb06594e5ec3a3f15fb89e2
SHA1983042bba239018b3dced4b56491a90d38ba084a
SHA25687d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd
SHA512c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16
-
Filesize
152B
MD5b9569e123772ae290f9bac07e0d31748
SHA15806ed9b301d4178a959b26d7b7ccf2c0abc6741
SHA25620ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
SHA512cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795
-
Filesize
152B
MD5eeaa8087eba2f63f31e599f6a7b46ef4
SHA1f639519deee0766a39cfe258d2ac48e3a9d5ac03
SHA25650fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
SHA512eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
67KB
MD5ed124bdf39bbd5902bd2529a0a4114ea
SHA1b7dd9d364099ccd4e09fd45f4180d38df6590524
SHA25648232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44
SHA512c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532
-
Filesize
41KB
MD5f3d0a156d6ecb39d1805d60a28c8501d
SHA1d26dd641e0b9d7c52b19bc9e89b53b291fb1915c
SHA256e8be4436fcedf9737ea35d21ec0dcc36c30a1f41e02b3d40aa0bfa2be223a4a3
SHA512076acfd19e4a43538f347ab460aa0b340a2b60d33f8be5f9b0ef939ef4e9f365277c4ff886d62b7edb20a299aacf50976321f9f90baba8ccd97bc5ac24a580bc
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
Filesize
1.2MB
MD5540af416cc54fd550dcdd8d00b632572
SHA1644a9d1dfcf928c1e4ed007cd50c2f480a8b7528
SHA256e4e53d750c57e4d92ab9de185bb37f5d2cc5c4fcc6a2be97386af78082115cbb
SHA5127692e046e49fcde9c29c7d6ea06ed4f16216ec9fb7ea621d3cc4493364743c03925e74244785588d1a4bfc2bedd32b41e7e66e244990d4076e781d7f4bbb270f
-
Filesize
43KB
MD5d9b427d32109a7367b92e57dae471874
SHA1ce04c8aeb6d89d0961f65b28a6f4a03381fc9c39
SHA2569b02f8fe6810cacb76fbbcefdb708f590e22b1014dcae2732b43896a7ac060f3
SHA512dcabc4223745b69039ea6a634b2c5922f0a603e5eeb339f42160adc41c33b74911bb5a3daa169cd01c197aeaca09c5e4a34e759b64f552d15f7a45816105fb07
-
Filesize
74KB
MD5b07f576446fc2d6b9923828d656cadff
SHA135b2a39b66c3de60e7ec273bdf5e71a7c1f4b103
SHA256d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496
SHA5127358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df
-
Filesize
26KB
MD51de4708beee6992745a7c14b7d8580da
SHA103bb2b7dd07f1701da7cf19b68dd23a2b298827b
SHA256ba0ecf05941451756a9acfc7a913e64dd56ddee8f3811c8a9f1cdd0a219ad64b
SHA5125d21cd342f3f70a7dc4bdd3b100e6677e74a7fec22af3ffc9d048618d1daeb5dc5e3f1511ffaa2fddf2f3e49b31351d7d4613f7f03e21d2b609483ad6aab9c86
-
Filesize
4KB
MD579421dc238fe75c4cdecb92545604e0b
SHA15eb644f97e738bf978dbf338671c639a56e16a41
SHA25692098f41057f863099270cdb41a15a9f300256263ee04b0a1e71ccbeecdd3cf1
SHA512850f62ef8401870058e784427725119d5b3b2a347317bf6c158d1eb9c4d06599205027a1d429ec99bf2bc977390d696bc490407551dc5e994f06c97bb7ef5b46
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5bbfd643e51c018ce853508c984762536
SHA11e328e6e093a624ea1e3d66f74599ce189360dc9
SHA2561373c2f4b39415e2df5bea4681117ed11af66f18660d27927f6e4f6fefa85acb
SHA5129ed4ae349950696fcff72b122739dccf53588a9bf0663ef705f30ab10bcef0c121837d5827084018133cccd4592acff0feef8b91dfd9a87d1d43c4fb4339dd89
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD564fa0f6265e7b0a97ee95c1417a8d2cf
SHA185c31285423957f5357174a22a4638df140a27b5
SHA2568b5d78c713455b30f2e6018efae5d428389dd4c195f46fa1c79532cf9fd846cc
SHA51240cab1d3f3392f7edd5ca1e46b63094da3c585a479c15c9e287dcdc7934de98d82bebd314bf4399c3bc16bd85ee742ef0b72e93b6354962bb595a552584a335e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD51311ce506e02c42cd377feb6e8362cc7
SHA15396acd19960c70b0ed949b742cbec20da3f80d0
SHA25610961f5b2e457e5e9fee874c235a202c496a2faa046df82898ef8e73a93355bb
SHA512dc278cf2f80b9b64d5356324a1c5515b42f0983e278000a3343318321253d1f99a0bf2f28ac11006a424fa7116409e9baf08b1b05818d90ab652d22047c16d44
-
Filesize
1KB
MD549ce24d21954a3b729178d0cb2ef49db
SHA173e246b38c590dd0185b25b684ede329acc8a1ec
SHA25674c885369ff0e6b3fc968205f1a8cb392a83bf4e6b334ad4c174a52dd90590a9
SHA51251b897045040f3dd59f091ef9a8fae7ef15bf1574d33ba66663df95c3b5eab84b93d25509f8d5b09b9c0a4d993420cd77ca291a476168358ace158ff3b3205e2
-
Filesize
1KB
MD5ca8517ba1e2abcb5b7e0e26f35df33f9
SHA1d19601b01f424b22ba21b2ac77dc57bb0575e224
SHA25633315b47ab1372f12575b929beae3193ba3efca5df134bd7e451a61d92d3bcc0
SHA512449b431b13afb67a1ea5b05dfafd904c5cb7e8c595420a1a70428e0831c1becb30e746c8183d7052504751c968af4ebe830e08ccedf2bf56d3ab699f614e46f1
-
Filesize
1KB
MD5aeeb8cde1aad41f026b702a349ada3cb
SHA1a3a469089741206a3dfb2d9783a72af0a99f13cc
SHA2566ddb2289490275a7589260438bef86f62a8644e6acdae9c358252cf67cae1e6b
SHA5127d4b18b0dbaea7a73155eefaf28f476f47ae989f8c57fd9c300ec5a5d0d0fad5ecafdc518bb8998e6b13cfbf4c8e27f1aec6a8042cd5b11a8b2953ffdd8e05aa
-
Filesize
1KB
MD51a28b85f2052edd4639de49745be62f0
SHA19f33a2d4e56d1c8a5a4d3868b7b977d0d3ab914c
SHA256dc601f9a03870812fbf9a70fc90e12a5767dacd8ddb0e8d50e6df1f131295951
SHA51237b1facf619cf9eff0758451a33aba5c0544158177c27e515eaf2b15f070874999aea5c51bf10c83ea872c49d950a91cb93abe93a8c5934e2817e7765fc5297e
-
Filesize
1KB
MD5a55345ba664a96b24ff12536d75433ad
SHA1237ebd61f1dd23cded8b48295296cfd435ef6897
SHA256fcbe5f385beb88e7b88ac91a807ba1d9ef8a4c03171d33e85a8a7756487fadb7
SHA5120c064d64260c746e360503d75e5c81a06f19f0452f1258917e3193aec9a8d2948bf87c96d7fe1dfc545584cc9329e9ce7dfd1feca750135816a06543ce0f7178
-
Filesize
956B
MD59334741394699755504ed1db4e36dc53
SHA13ed3b061ad3e38d37cc20464ca55e35d5ffb8ba8
SHA256c365772fd6399b361f05a1a1e41ba3234877a24f7748e8061242a82ca9b1d526
SHA512f83fb64feac767d4ad2c5bcb22acb92099da7065f081904137aff3778c64d9903cb9d28f123e303a29c90f70bf98d94266af3b07fa933962a9eab5ca5e78220e
-
Filesize
6KB
MD524dff154113b4527b1d74fd0dc4c6f1c
SHA16475e127ae2b4508af11a12586494c34a5c403ec
SHA256a90055ed060a19078982658201f463b9debbd7b8a2f713d8ff931aa7dac0e9d5
SHA5124bdba95c8f12cd92f0561efa00523c50db1ecd724ed19120d55165ca9b75a73665efe26b21e0d80a8e65c76c363e127e63549872ed660ffbaff29ea596c90e1b
-
Filesize
7KB
MD5f854b6551363627779229232d83c7f17
SHA146984cb0b9aafc29b2be33cc4e0fb7318cf5a53c
SHA256399eef93cc41e8cb3918f1f7bc3d21ddf8f730e8a01ba8d2b50aca8bac5eb3e5
SHA512a6460bcddf6b6933af300f48057746d8036a336dde04fa2de048feb0c6a89957fc799a57417f53e93e944cd75de1887153f025804717732879568a164a7381e5
-
Filesize
6KB
MD558741ab992d5fd177585cc720dc3499b
SHA1f65d555172abcb3308cc9fd89308a3575f725ba6
SHA256fb85fd8673aa118ea9cd469477ecb5354b24296f6586f36d0f6624720aa0ef9f
SHA512ae5496b5215b793671c0bdd96646be6b1d0ff0e2fb1dd0d564e1c3b7ea421ac27ca3a3c92a2151554987885c747637bd73f32356f07ec1718ba177a5172909de
-
Filesize
5KB
MD5b506a243fb7c0d1a0856b02108fe8545
SHA1a18ca7d1134ac65b3bf94489e70ba45bc50f1682
SHA256c098f46c9f3dcfb7217bbd1f5404a362147397a46a1d77cc3d0388db59036863
SHA512900b405bead3b5158c1a5d56efd89a89416f75805ba3e036b41ed2a6972c2ccfd99159a17713fbf0f5db902745761460bfdbabf769b488b25f1a71cbbc24dcbd
-
Filesize
6KB
MD51a2e8a379e17d795f0bdd5d76c2b2487
SHA116b1b22fd1fd2cf26effb66289780b08c5949236
SHA2565541f45197271e792431e93473630747ba88637d5094f25f7f5baf1d826d1cba
SHA51203b7b8eff9ccab7cb37606a558551ede45d0bb5445660d3cdc3fb32ce081c883794b5cafa7e6984deb7f6ee4804ebf75b888a450593bde4984f00457e12eb8ca
-
Filesize
7KB
MD59852baa177a519278170b05482bacd77
SHA19a845d1c23208b85ded467e1fccc4d7fa47082d9
SHA2562044d4bf49c967b24ee88112594da9d1007875139d781b9e231df1ac417e5f93
SHA51233e4e878cf28a0a56e34bf98efbe8147388b780544aaf6728c6dec2f9b98053aa432824ac32e482a3a23a4b301ccbc6f3157f114a18294f25e9501af23516cc1
-
Filesize
1KB
MD5c2c30b1693b450a40d4ec741d97a7a2d
SHA19fa567c8d0bb82b9af60e687c0246a03285571f5
SHA2562e458acf6a8dafb9c803a929219dd48a4070e5dae38e4dd55db6ce37b1e8a06c
SHA51201077a768570a113782c8a37648209265d2f27b8731e9ce21d171db4c8fffff7c7f548ced7e52a29db466d925a1e5859ab7a7498ed90b31691f31bbdd1c9184a
-
Filesize
1KB
MD58329ef803d76a7dc8cb02f3208cf2795
SHA1da7adc1c9f78c29be598286f5f8064946bd73dfb
SHA256299378c71de78f26bbd8a723fb303eac3d80a5fd52610eb003dffd27e0888f20
SHA512e1712aa90a284fa9548f84b6ec8d7d3f57b0b460d8d970e2f97f2c047675aec4694384da4e2fc6ebb7dd5ded0a4dc6ac7aa5f952ee2b50dbe71beffe4859d70e
-
Filesize
1KB
MD59504b1dd94cb832f0fecf6a5ca970750
SHA18a62134b6e9a8ce219a37c4b044248b92931adad
SHA2566f9a0bfae5642f9c6fff02f780f90291d7744602e1b71d3660e9103e4616d7e7
SHA5129cf88d3ca43e7f39eee49fe1c033d744a2122fd96156d4de19d2d25da5781b5efc9508f4fb041476c83eefb32771807fd65b719f8c2b26865008b3f5fcf834f1
-
Filesize
538B
MD59abef0fe8212206d313755f8d00cb95b
SHA15b9f76da47dcd09f9a95d840f9f0d3de9ccda5ab
SHA256b95eed561cb43482bbf618f553184b2bde4b3cc0242fe9bdf45e9ee488f652c9
SHA5125700b0d73180e0020897c35a8e996692db13ad18b194719619798a089e0a45925793e0d4de3578801cf858ec02a3f44bdc72e354ca395c0fb3c0ea7067727955
-
Filesize
1KB
MD5dd52614ea5de387ab0cc18e35a1a1800
SHA15086d5950c0b01ea1e01753fef8d3f721ac5235b
SHA25629af714dc6640ff76a2b3f0fef989d8205a993144ed3440b2cc7162faa7551bb
SHA512f722ef559a136600b01046a4901c7ef9a441ed994639f0914afcb25982f29b814083191077bb0833961a87431815c50cfc35ee16d4e787f2747479716df6ce05
-
Filesize
1KB
MD554a6d8398bc0a8b7eaee130b82c69f93
SHA1f7befe0655821f5ada46a50824f37c376448e8c7
SHA25692172e0b5ae289192a16bfb97ab78daac443be6fcb7d3c0616ce29b744da8842
SHA512e7cc36a1ce8cfeec3216b8e9e79fe57efc6daf969506fb6bbdaf3b69c9cec022bf14572ba480ca19c6cd2b75e607bcbdb4e2f0243de8de0bea99861061d64886
-
Filesize
538B
MD5a4879f91bdf6212608937ee43740fc17
SHA1103603b6bc3f7a29e77049fbe9ae35bd9e9b0b37
SHA2568aa2e5d805f22ee50028bf3c54d7c62d8c21253a2e1ec4bff11fedce1fa2c027
SHA512abc47e18e87fadfc425fdb28ae2abd02679f4401f644bbb477471c4db71016798e7166d79b159134e40ab9a03a23db22b37251d6798aca37c0f7a2a4efc36d5c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD517afd71fdaa281f0dbc0255e7795e57c
SHA19d6feea1db1c496b4569b4e8b5968fd379eed2fc
SHA256a13afb9eccf01bc8c94e6d187fc458c9149203ce47e89ac1956ded5cc45c48f0
SHA512affa48ce837473fb6d469df2dbd1b31859e751e455d0b8c0fdc65409245052ff11f5e10dc776c0f778a78a771bfeac6a7c85c7fe59ab924c56681679d07a9b61
-
Filesize
10KB
MD5a41e007e94e4d3bde8638e2745bc4c44
SHA1e99f11edaecef042858e5a1098a5e01f389564c0
SHA256b11dab0ba2c4c58d1d5cb046c174d3879f190c258650117b5aad6844421f9030
SHA512c1104128c7f29fe414ffe91378012d45f939398c358be1e74500110099e29cc13e502fb10d3c7de80916a27affa931c7d23192885f65218756571d0d1d1d63dc
-
Filesize
11KB
MD5a10dcf78f84f60eccfbd97b1d2f649b8
SHA15dc2567ffc1e8cce99960aca8a8d849a3390d701
SHA256957709ea411a3d41683770a60c59e574d16246be8715d18481a413bde05ebeea
SHA5124867c3de136f5ceac400ee611e4dad06f583d7b710eda0c33a9a273170feb579f551b001b23c5aef489c73b1f6b6cf903c1ecebfb5656c38e20fab5d3eede7e3
-
Filesize
11KB
MD527d5534d0a3b61d3c10983d811adbe81
SHA16736ca70ce20685078842d4a72562c6704f598d3
SHA2561bb3308556c5214f766d01a6385371df3033c9e634adb9c80392a786bd6f8007
SHA512c4c8526338579ebc4afa202c54d3e690e8592dd9ae4ba3f2fc874a42944d98d79aee37db2b753a37328ef71cf7abc6c0f69b69bf57782e05121d1e88dfbc8f24
-
Filesize
11KB
MD57a8215090349c312f46597b759dec518
SHA19b8f2f2dbe29026de1cbc2c2a07489c42ac66dc9
SHA25642300b275d65f30dc89906913cc24f8766053e6ba7b5fb71a7d06aa30689e79d
SHA5126ee6dc92688a5a7bcc18766e06b9b042476433532a96491fe89db65afd63356d7477557a4f39b785912601d86759b8b54fc80cde60f31e899918736d8a3fe508
-
Filesize
384KB
MD5063793e4ba784832026ec8bc3528f7f1
SHA1687d03823d7ab8954826f753a645426cff3c5db4
SHA256cb153cb703aea1ba1afe2614cffb086fa781646a285c5ac37354ee933a29cedd
SHA512225910c24052dfdf7fca574b12ecef4eb68e990167010f80d7136f03ac6e7faa33233685cbf37b38ee626bb22ff3afeee39e597080e429be3ec241fb30af40c6
-
Filesize
1024KB
MD5ba5f62e6a24d6e67c4a4484b97bdf89b
SHA17df9d1813e83a7a1377c0fa93267d79677cfa437
SHA25626fc85b97da97bf082076d2e9fc13b2058db5950ea1c1eb836fe355f9c64d75f
SHA512c37aa319f03a859b16bfcd2a5288ae3e420c693da0fda3519a939d486f684e4de3c43dc2e6be2508be408077aa57e793b05387bb5d8682e2ff49aa7e50e9d7d0
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun
Filesize8KB
MD5f22599af9343cac74a6c5412104d748c
SHA1e2ac4c57fa38f9d99f3d38c2f6582b4334331df5
SHA25636537e56d60910ab6aa548e64ca4adafdcabde9d60739013993e12ba061dfd65
SHA5125c8afc025e1d8342d93b7842dc7ef22eca61085857a80a08ba9b3f156ee3b814606bb32bc244bd525a7913e7915bdf3a86771d39577f4a1176ade04dc381c6d4
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{df4fc690-2383-44d4-99bc-508335a6b53c}\0.1.filtertrie.intermediate.txt.fun
Filesize16B
MD51fd532d45d20d5c86da0196e1af3f59a
SHA134adcab9d06e04ea6771fa6c9612b445fe261fab
SHA256dae6420ea1d7dbe55ab9d32b04270a2b7092a9b6645ed4e87ad2c2da5fdd6bae
SHA512f778cd0256eda2c1d8724a46f82e18ab760221181f75649e49dd32e9a2558bec0e9c52c5306ad17b18ab60395d83c438742103fe9adddf808e40c3d8384ea0b0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{df4fc690-2383-44d4-99bc-508335a6b53c}\0.2.filtertrie.intermediate.txt.fun
Filesize16B
MD5f405f596786198c6260d9c5c2b057999
SHA1f8f3345eb5abc30606964a460d8eef43d3304076
SHA25658e3090edb9316d9141065ac654a08169f2833091e6eb3a53b5a774a61b7e30a
SHA512a0b3573dae218ade265709a6fdee5f7700c9754eb10747de5af34af340ae95909d0a8902159a735e82eb5d7091f50a7997113661a7ec3fcc2b408fb6c78a4c39
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754821347503.txt.fun
Filesize55KB
MD5fef51d9bcc19c6f385e6ebfc3ee41966
SHA1fc17c5fa30e60defca14643fe0cd2e03bf09a7f4
SHA2568b06feddc560d7e7df721b92edafc34e17187d498e3449aa35b42df6dd9b3841
SHA51286cd87dc54d291f3cce10c5e625c71dffb9f0a430b57e08fa95ac1b5b13803df284493a3a3012833d8e83c78b6982cf4d336909383fc8aec07753f9e3ea66519
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670762798939774.txt.fun
Filesize65KB
MD50a6fc6957d9da30cbb0d0c925ba657b1
SHA1b29086d455aa4f9d36204a1ce917272a415ecc2d
SHA256f581722807a442022e500acc8d622aa7d81f1fe94bc6ecf84e4765a0b20ebc6c
SHA51213ac2e28bf9b6146332b9a6e9fcb2bef28c7451940650e4a1331df5c6782a05cca9c777ef4090d2282f81eb3467c5d786b1106bd0f91460a40c4cbf59c69adc1
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133698861266930438.txt.fun
Filesize75KB
MD5f4708a93f89936096261c3d2fa3f1791
SHA1239a362f54c669311f905b0d63a674b55cbe1fb6
SHA256c97989d7531d1ace92a698d4db0d2c09b3a6cf2dcbd6b58231d971ed7c0214ff
SHA512aa59c605642e1745860f281d66a2377c1b1def1040c79d7552def545efed0daef147087f2c7a15a94814b8eca2a5059f42b3d02adbae291e025759340c980e7b
-
Filesize
53B
MD56bbd74c94a570e86542225b7717549d8
SHA1643faf35434fd0cf111e11d483fdf5693307d264
SHA256ccdf0c22e522c636c2193f24223a1a9ca4522011a65fa430c0df20d13343eac0
SHA5129531543f3b5329b6a5bc383e82191999a0512175797db26638f372799741938c794eb5058edf2581214088ca215f02a9cd49af2f18352cd69f10e43b02abd07c
-
Filesize
1KB
MD52853a131f976ff6077a9e53045206f25
SHA10bcd4ea8e46d8880ee8890b1821e8b08f986d511
SHA256f4a633cb8f0bec540f274936583c4a2f991d43b90537c16b6ac796563edabfdd
SHA5126e39a470a9cea560f0ce5cf1c9130236f784623604d47842c982c2f6544e7380e71370c0d1f43bcb93b85768b3bdcf3b1352b80e364d625ad15ff87c4cafd25c
-
Filesize
16B
MD58ebcc5ca5ac09a09376801ecdd6f3792
SHA181187142b138e0245d5d0bc511f7c46c30df3e14
SHA256619e246fc0ac11320ff9e322a979948d949494b0c18217f4d794e1b398818880
SHA512cec50bfc6ad2f57f16da99459f40f2d424c6d5691685fa1053284f46c8c8c8a975d7bcb1f3521c4f3fbdc310cf4714e29404aa23be6021e2e267c97b090dc650
-
Filesize
115B
MD5f3517cbd484198b25b6e67eb202232e2
SHA1bddc5645eca791472ae438f6099459983bb42419
SHA256c7d853927c93ced4b6c6c44d0f2ccbbcfcfd569fddbf1add0505c89358d3b8d9
SHA51244cc42c49d54ab885ed846aca80579bd56e639af9e3f9c8f5fd737e9472197bd53ab5f64cce4145c952035bac382078f0743f918a7b581f2a7758083f94eb06d
-
Filesize
315KB
MD545d59b80d884de4ef934eeab68299a3a
SHA1eb4928be7809bb331f5e109742fa066fbc2daafb
SHA2560c7f5fcb3cd84509eb051516158f0487f11a11863bd3ab9a3d2c18af64743507
SHA5125e255294dbf9646e290e18cc078aeb4b459267de2296b947f810f34eb7d1e581a2f200416c0790e6dd4be17ab5341a1bd3c20f21ade4667bf82be6b9a46c18ae
-
Filesize
124B
MD554ba0db9b8701f99a46ae533da6fe630
SHA12bd5aea2aceea62deb7ba06969ff6108f3381929
SHA256bb1455630e747e00b60910f9eadf47641ecc46e917034d08530430569d8eaeac
SHA51227fa4e43cf1a1b79a597cfb28aa29457aa096d8c485f84d7b2754268148bfa7430e53abdee4897f911af51aabbae3942ff57cbae02765bbea27e1c181bfecc1a
-
Filesize
405KB
MD553a82871515a2b2d40535f0cb0ee2074
SHA17196dfc932ce8982b7518c8f93737a0f9cf719c3
SHA25699ad55015aa8c467aa495e6b5edca3caf43be42510970a7cfa71491f26b7bf6e
SHA51258630d75872c9a37b852591f6f5b4a16c3cf27e06fbd59da1383835f6d0258ef3a8b7e5633a9ebd19985478b2890efdeda6bcf32437cae60ecb8796dc02b5202
-
Filesize
15.1MB
MD5e88a0140466c45348c7b482bb3e103df
SHA1c59741da45f77ed2350c72055c7b3d96afd4bfc1
SHA256bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7
SHA5122dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113