863a54fcc0edc46e52df772d40698c5645029ea6031022ea8e19a686245d49c6

Analysis

max time kernel
299s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Client.exe
Size

164KB
MD5

865bf3d2eeb62c50359ede787f510100
SHA1

462a1745c2da3d1ae7688a3fda60e441debede32
SHA256

863a54fcc0edc46e52df772d40698c5645029ea6031022ea8e19a686245d49c6
SHA512

6d37e88b08fbff52db3db3b19627f49cdad54082c9b34ad8decb90857ab8318b14764a3ee5e6a4dd96f4e272daf8ebfb79139bc3332d8842368431383932d862
SSDEEP

3072:8w11/wTvYZDDNF90qhRb70L8czxE2YY6q9bLzl6fHMEBuo:8wZD9b70wczSTYh9bAlD

Score

9^/10

credential_access discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Renames multiple (5089) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	New Client.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
1016	StartupHelper.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.Lime	StartupHelper.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupHelper.exe.Lime	StartupHelper.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupHelper.exe	StartupHelper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupHelper.exe	StartupHelper.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupHelper.exe	StartupHelper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupHelper.exe	StartupHelper.exe

Executes dropped EXE 5 IoCs

pid	Process
1016	StartupHelper.exe
2484	StartupHelper.exe
4452	StartupHelper.exe
3252	StartupHelper.exe
4400	StartupHelper.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupHelper.exe = "\"C:\\Windows\\StartupHelper.exe\" .."	StartupHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartupHelper.exe = "\"C:\\Windows\\StartupHelper.exe\" .."	StartupHelper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartupHelper.exe = "\"C:\\Windows\\StartupHelper.exe\" .."	StartupHelper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartupHelper.exe = "\"C:\\Windows\\StartupHelper.exe\" .."	StartupHelper.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp559D.tmp.jpg"	StartupHelper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1016 set thread context of 2736	1016	StartupHelper.exe	122

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-5281-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2736-5282-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2736-5283-0x0000000000400000-0x0000000000472000-memory.dmp	upx
behavioral1/memory/2736-5285-0x0000000000400000-0x0000000000472000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\sqmapi.dll.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\manifest.json.DATA.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_ko_135x40.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_fil.dll.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sk.pak.DATA.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sv.pak.DATA.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_zh_cn_135x40.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\close.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85250\javaw.exe.Lime.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\bg_get.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\file_info2x.png.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\AppStore_icon.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\CompleteCheckmark.png.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main-selector.css.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-hover_32.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\illustrations.png.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_mr.dll.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\EdgeWebView.dat.DATA.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.Targets.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lv_get.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_sl.dll.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pt_get.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fa.pak.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr-Cyrl-BA.pak.DATA.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-disabled.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-down.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\ui-strings.js.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\combine_poster.jpg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-hk_get.svg.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_bn-IN.dll.Lime	StartupHelper.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js.Lime	StartupHelper.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\StartupHelper.exe	New Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartupHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartupHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartupHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartupHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StartupHelper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4456	cmd.exe
3508	PING.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\WallpaperStyle = "2"	StartupHelper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\TileWallpaper = "0"	StartupHelper.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3508	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3296	schtasks.exe
1260	schtasks.exe
216	schtasks.exe
4584	schtasks.exe
3700	schtasks.exe
3528	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: SeDebugPrivilege	2736	vbc.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: 33	1016	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	1016	StartupHelper.exe
Token: SeDebugPrivilege	4400	StartupHelper.exe
Token: 33	4400	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	4400	StartupHelper.exe
Token: 33	4400	StartupHelper.exe
Token: SeIncBasePriorityPrivilege	4400	StartupHelper.exe
Token: 33	4400	StartupHelper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3344	OpenWith.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 2920	872	New Client.exe	82
PID 872 wrote to memory of 2920	872	New Client.exe	82
PID 872 wrote to memory of 2920	872	New Client.exe	82
PID 872 wrote to memory of 3528	872	New Client.exe	84
PID 872 wrote to memory of 3528	872	New Client.exe	84
PID 872 wrote to memory of 3528	872	New Client.exe	84
PID 872 wrote to memory of 1016	872	New Client.exe	88
PID 872 wrote to memory of 1016	872	New Client.exe	88
PID 872 wrote to memory of 1016	872	New Client.exe	88
PID 1016 wrote to memory of 2436	1016	StartupHelper.exe	89
PID 1016 wrote to memory of 2436	1016	StartupHelper.exe	89
PID 1016 wrote to memory of 2436	1016	StartupHelper.exe	89
PID 1016 wrote to memory of 3296	1016	StartupHelper.exe	91
PID 1016 wrote to memory of 3296	1016	StartupHelper.exe	91
PID 1016 wrote to memory of 3296	1016	StartupHelper.exe	91
PID 2484 wrote to memory of 3592	2484	StartupHelper.exe	113
PID 2484 wrote to memory of 3592	2484	StartupHelper.exe	113
PID 2484 wrote to memory of 3592	2484	StartupHelper.exe	113
PID 2484 wrote to memory of 1260	2484	StartupHelper.exe	115
PID 2484 wrote to memory of 1260	2484	StartupHelper.exe	115
PID 2484 wrote to memory of 1260	2484	StartupHelper.exe	115
PID 4452 wrote to memory of 4984	4452	StartupHelper.exe	118
PID 4452 wrote to memory of 4984	4452	StartupHelper.exe	118
PID 4452 wrote to memory of 4984	4452	StartupHelper.exe	118
PID 4452 wrote to memory of 216	4452	StartupHelper.exe	120
PID 4452 wrote to memory of 216	4452	StartupHelper.exe	120
PID 4452 wrote to memory of 216	4452	StartupHelper.exe	120
PID 1016 wrote to memory of 2736	1016	StartupHelper.exe	122
PID 1016 wrote to memory of 2736	1016	StartupHelper.exe	122
PID 1016 wrote to memory of 2736	1016	StartupHelper.exe	122
PID 1016 wrote to memory of 2736	1016	StartupHelper.exe	122
PID 1016 wrote to memory of 2736	1016	StartupHelper.exe	122
PID 1016 wrote to memory of 2736	1016	StartupHelper.exe	122
PID 1016 wrote to memory of 2736	1016	StartupHelper.exe	122
PID 3252 wrote to memory of 728	3252	StartupHelper.exe	125
PID 3252 wrote to memory of 728	3252	StartupHelper.exe	125
PID 3252 wrote to memory of 728	3252	StartupHelper.exe	125
PID 3252 wrote to memory of 4584	3252	StartupHelper.exe	127
PID 3252 wrote to memory of 4584	3252	StartupHelper.exe	127
PID 3252 wrote to memory of 4584	3252	StartupHelper.exe	127
PID 4400 wrote to memory of 1924	4400	StartupHelper.exe	130
PID 4400 wrote to memory of 1924	4400	StartupHelper.exe	130
PID 4400 wrote to memory of 1924	4400	StartupHelper.exe	130
PID 4400 wrote to memory of 3700	4400	StartupHelper.exe	132
PID 4400 wrote to memory of 3700	4400	StartupHelper.exe	132
PID 4400 wrote to memory of 3700	4400	StartupHelper.exe	132
PID 1016 wrote to memory of 1716	1016	StartupHelper.exe	134
PID 1016 wrote to memory of 1716	1016	StartupHelper.exe	134
PID 1016 wrote to memory of 1716	1016	StartupHelper.exe	134
PID 1016 wrote to memory of 4396	1016	StartupHelper.exe	136
PID 1016 wrote to memory of 4396	1016	StartupHelper.exe	136
PID 1016 wrote to memory of 4396	1016	StartupHelper.exe	136
PID 1016 wrote to memory of 4456	1016	StartupHelper.exe	137
PID 1016 wrote to memory of 4456	1016	StartupHelper.exe	137
PID 1016 wrote to memory of 4456	1016	StartupHelper.exe	137
PID 4456 wrote to memory of 3508	4456	cmd.exe	140
PID 4456 wrote to memory of 3508	4456	cmd.exe	140
PID 4456 wrote to memory of 3508	4456	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\New Client.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3528
- C:\Windows\StartupHelper.exe
  "C:\Windows\StartupHelper.exe"
  2⤵
  - Deletes itself
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Windows\StartupHelper.exe" /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3296
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" -f "C:\Users\Admin\AppData\Local\Temp\1683786"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1716
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 0 -n 2 & del "C:\Windows\StartupHelper.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\SysWOW64\PING.EXE
      ping 0 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3344

C:\Windows\StartupHelper.exe
C:\Windows\StartupHelper.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3592
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Windows\StartupHelper.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1260

C:\Windows\StartupHelper.exe
C:\Windows\StartupHelper.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Windows\StartupHelper.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:216

C:\Windows\StartupHelper.exe
C:\Windows\StartupHelper.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:728
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Windows\StartupHelper.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4584

C:\Windows\StartupHelper.exe
C:\Windows\StartupHelper.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Windows\StartupHelper.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.Lime

Filesize
720B

MD5
b4e00ef31caa1780bda1313007ef3c48

SHA1
8d44a90eaac6f5fc271b13addfddfbacd7b1959b

SHA256
0f9d7d912d4c10470487ff4756dcc64307566b2f1899704b17d138315217477f

SHA512
6e3013ab7545c666152ec9d3b0f88f9d17cf3616e6c59df74606b98c4dd57d5d51a999d6e80f3cb670feb70549c0575e09d9ad5256365be75d18d7438a74db5f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png.Lime

Filesize
688B

MD5
2ddee0bfa89766e74f8efd11f8cf51d0

SHA1
708c4dd9bd6243522a2f76bb14b9c46fc03ec308

SHA256
f50eeb5e9ee753a7e92c603ff1e0adf528b0a648d966926aaf3a387e5ecda78e

SHA512
9cf6dc6c569968f15702a769b811f78d151565f02d28beaf131060638718d72b2b092082b5dd897e8da9a8e563b4f389f98c999ce2af70de8ad67de6be3f71a5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.Lime

Filesize
1KB

MD5
0a4ce33653da4781912dd97aebee5c77

SHA1
4585bf06495284c193a905d22b79c90aac667450

SHA256
ed492d339ca4df861b9dae5471d738da9b7bc2f05d8e2846d26fe9637e4cf55b

SHA512
33de0c9d5925063d1eaaa56b7181f09ca06abe1ba1706de2c54cebcd9f0421ffe194648c205f3b97fcb5ec22b5ba7ecfb8019068f71a165fff4119f15d372a8f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.Lime

Filesize
448B

MD5
dbccb41e9bf17623527a3ee09e4f81af

SHA1
aaf2b3685aabc4026e71c9c4a19499a2a62044f6

SHA256
495a807e716631393ca1836cac700e6368222c7ce9e8f4972cd17e3bc83719b7

SHA512
75b9e38692e8ec0e2372e6541aa57abfa6972ac36983717e6df2c265016f4a6459f5f22265853ec2aef8405195d2977c2c56c13e6cfa881cc29c3aa227f0729a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.Lime

Filesize
624B

MD5
9da5084514a59955c3d2cef7f7445046

SHA1
b0a2b6d7bc99915ca96c72e93acb0812b1ed5a3f

SHA256
71bc38fefcc72895900e4d4537daf776f96a3b8e81ad298a93ccb1f84b5644bc

SHA512
d42d2ae33131b5b4da4a970d962993011da9993a5206b5dc409d9ea31a5d8f42590afdfb18ee481499435bbd9470965568f7596d6049d86884f458e8b6083853

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.Lime

Filesize
400B

MD5
3bb77c39ebd29b06e2e9a04d5e964ca2

SHA1
84382a8712d020ae7bc0936c1be22aeb325d9e6a

SHA256
81274e2c3be40cc1d9ac8957430f40c2654e27fc0f21d93ef99fb31ab8b8f98f

SHA512
309965d3b0e0929864784fe740542b9b9344ab177fef56358aa57abeea2b88a13d47c761d65fdc2511c53640e2006c2a07b2605a1c80c4b2e593eefa033ebbea

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.Lime

Filesize
560B

MD5
dcc5b68d799f03ce4965e5cdfc35b11e

SHA1
62227f4f108d6bcf191d6e24997f7bbf6f1616df

SHA256
43d6998bb317c79a8b551ca5305f64c876540efe3e6fe21f0b15058d06a856b2

SHA512
fec1bdf6550f64e2a736958b4591b269ce062e978c0bef589d42826ee1c23be8696cfb3a125f3d19ebe9951b68c0f508472f465e8de51a44459023e964f71318

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.Lime

Filesize
400B

MD5
0d98bd0642e370514f3f4a77dc16a689

SHA1
0b01dcadff008fb6e54d1632fa49a5f9bdb7cd3f

SHA256
3403207d123d4716fab721679a76da783cb860a3de242df074c968d5d21908d1

SHA512
1d99fd0d4818961114c2978e73176aabf2f686255320f17173a2a7db395ba8712d062007349fcb27778ef3bba1cee663e7badcbaf50892c46ab1e8eafc2384b9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.Lime

Filesize
560B

MD5
4f03497bb5beaae1f6775930b7a98d04

SHA1
1a3910795bc1c2a42506e27aed9dd4447cb7a284

SHA256
ebb2d10dfcc3cda133b660df79fbfab4e4ad1bbf19eda40fdc9a08d0c194427a

SHA512
02352a1efb98d6c17abdb7c817a3924a7ebf670fc26d9f32c016e05149d440f77e71fd3ec1f0532d84f96573fb6df1877214a1c2ad50bdabe4ae4d3d8a8d2439

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.Lime

Filesize
400B

MD5
daa52daa65cf65a4b5dd7be202e7a1ac

SHA1
40f8b5d64eb4afe9796e5916f5fd01a57e9e8788

SHA256
49eec34a4beb767b0a63d4644a5e35243414dfef59dcc4b99bf6dbbcfcb7bfd7

SHA512
b246bd5ac57abb086d2927a981cc775789156971e241238b10165e6778f2a18508fef353184fe4fc25b972291f159393bdc7e6c656b40c781e460051477d7f54

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.Lime

Filesize
560B

MD5
c763720f0405b4ec83678cabee504ea3

SHA1
dcd12874319aeaf38d9ab6cdefec6938987e0c89

SHA256
e6a1a2076e7115753661c64e783004693d645ad4efad44dc735c7eaa54afcfc9

SHA512
b30b73c0f10f2cebae53a416ebace8b3caaefb6f4dd852f165d53ca9ab60a2348afe42f2a62c46ecb900271dea04a08c1cce84bb3820e74bfd526c8ea85958f9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons.png.Lime

Filesize
7KB

MD5
b0098eb5ff980a4e705efafa6a100df2

SHA1
b785d1fa0ee593e4b51cb5da5dfdf918748420f2

SHA256
a41f17c7217f36bffa5a9293196b216a35180e93e69eb6e70e58ec4fcc10f744

SHA512
f2f8f94a2777719cc8ed83d4ee4240f752e2bff6ffb4fe127c23f759fde67622e94479a4f0794ed77ce7005b206d65cc44f3a2efb5805a5f00ce62d4344e5529

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.Lime

Filesize
7KB

MD5
62ce64aaeef82928f6ed485af92671ee

SHA1
adb80d46f0f22752d4f5eb8da41f77d0a72189a5

SHA256
e2a55615a4e64eb41a4580a1659c17a93a231cb196ef866f99937d5a193ca84a

SHA512
9c6281bbc8a7616db088369c9a52901a5050830b0d8ee9c1d38230e1f12c6a5c5ff674aae1597c3f598207ce4537557e7a2440fb76694ea6f870f1781cf2f432

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png.Lime

Filesize
15KB

MD5
bf291bb187d8aeb1f3cd1c966a4faca1

SHA1
85f8b1368628bd4d8b521ed4f9747990e90f30e6

SHA256
4c596193b850e9eb7224a1f7e8a9382881b2d4e4f6a7e2f07819680ae3999e1b

SHA512
022cb669a29c14b8570ce4d77e948b0824c510f0e77d769cc3261529247b725d15913c7f66580c8731f9b54ec7e43a7b77c79fa9804474e8dd48c2aad1e5e305

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons.png.Lime

Filesize
8KB

MD5
3615b7fe11bd593fa4056420340c0f00

SHA1
bc8b38043be7d12db1e236a4d0b6d313af364311

SHA256
828cc67a7aa5dec44965edaf390e4cf77876fb2154c1b8570e02fa2e725aca4c

SHA512
4b8a1b3a300b1371c3a9e16fa03986d7eafe4b643c7642c2a121c502dce07bc1fcb454a6eeb0a1c20e5a1719c8d4d98c6ec06accb380662d23c5a108d4dd1a00

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\new_icons_retina.png.Lime

Filesize
17KB

MD5
2c019c06437567ca9b7d2d461b722d5d

SHA1
9e4dac4fcc9550cfbc13c6b803a88972b80228d8

SHA256
dd9e30eca36e0d8264fe6c62505cafa2279c110fb8bd811c71d4757ffbc76ea5

SHA512
f4ae4ec1dd5af8516ea20167c33f2ee91af72ec472603d62009103fb557bb4f2ed1331caa05660e9b3c64b38967b7f8a145d598ff870f312e53abfe6196dafd2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_pattern_RHP.png.Lime

Filesize
192B

MD5
60f89035145c176f1600fe9b373f0745

SHA1
447dd2f07944960c7916bd853ba25f07ff5902af

SHA256
3415b1b8e5a7a8267e841bec582c48e5996c4a55e0bdc737964a53079e4423cd

SHA512
193959692e281b42fdf44656a2ed8d2193e45347b347b117edef4bf1ea4757da4b9502695e0d863c7c923cb8c3754d70655bed348ebdfe4dc7b1bc9b63f6e9e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png.Lime

Filesize
704B

MD5
81a8af89287203ec0f00ee9476340285

SHA1
2d87a92fbdeb29834465c7da361c52a7a025ad4d

SHA256
9375c856e10248cc8843f823eea9ab5587fa4c433a6424b62413f015fdcde139

SHA512
f6651733d097fae76e29dc8e154f1e4d7366ce8a246cae3fb0b9bcf14d9f5668c8e623766cf4fa6cbfde0690d0e127be65caf28f297020f0d4fc4f79c011af6a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations.png.Lime

Filesize
8KB

MD5
1cba1813642fd16e1def5fe66035fb05

SHA1
618fc1c15a03906854ce3372c5491c61836945c5

SHA256
981e607f1a7525d26e77c77d712130619c65fbec42f7e9bc8a74df5253cbcdd8

SHA512
d063cfff17cd99e50e48c581c166bf7699086170046fa464a0dce279a382c9c5a29e15d4ed04b917b2b0a23b7646b129461fe4a81336e0026e21495a29126799

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\illustrations_retina.png.Lime

Filesize
19KB

MD5
b973c1653c05a2e686e6c1f3cd82d554

SHA1
b4c8d4992c8692ca94d9c3950b74da099f71b92f

SHA256
a94a52ec411c69db45d9fd4b28d77214ddb409368af0836831c33dc05702dc25

SHA512
80da5797d11bc1f2be66117fb47ff02e76596294a0403cdf66c69ceb21c8f9ee553876f6ade1b2378f0afb187256a4ac6aca43fd0759c15f7da83092285121f0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.Lime

Filesize
832B

MD5
9a5bad7522b485faca3b685f4df87d83

SHA1
ed1823ad3b6c9e80c4d6dffcde9a8ead8d3a97b9

SHA256
49ae538dbb2b1cf6add6722eef130d94f7abd95a7c1e7c476a0b460db9bd5024

SHA512
800dac916a70a20228d471e308c4fc453d0dcfcb1dfdcf5b117144fffb3c9baf591481452d34b753befdc55b97ed0f2bc664989a181544bf8cc94160854eebb2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.Lime

Filesize
1KB

MD5
7046cd15134373cc5a72df0019356a27

SHA1
549411e9673cd48afc7fdda3c62d51b9e25f29df

SHA256
4fa7e490a2b586e6a19166e9bb29912e2ba8c8867c0f734463979a360bc119e4

SHA512
a36b2b748bbbf9677902368387f1546d17d4663384a117a8110183e9bc5a0a6ca9f9f52a558e303794e6851ad55b9cdf8a4b0391cbf81dc9945e24baadf8d8a9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.Lime

Filesize
1KB

MD5
90f59e63acbdc4b9ea50a1cd4dc171ca

SHA1
29849d513b2b80719896cc5c2d87eb8fa1d56154

SHA256
923406cab3aa11c19a83d696413fde57dff2d7e1ea9395a4153bcce9ebcb04fe

SHA512
0e4a02f676682f61413b7440181ec9b963a1ec725abf372b87393af7c70975af1f16d4760c5f666f71baa02bc42372194596309df126bbc7b7788eed676c58e8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main.css.Lime

Filesize
816B

MD5
b1facb1fa9b89259bc941217ce1cb5d9

SHA1
5095d0cddaaea65c6141fff6e9b7eb1e8ae8d07f

SHA256
4ae447e485edf9bbdb31661c15d5a6a718743cac6c4d5061becf9f6ca857973a

SHA512
a57da4b9917af710e672417bcaad705f1de9dfff942e07e0d6a576b476ecb26efc9f4a9be927c6a15e31225f5cc2822b983e382941e3a9b7564bdf00470564e2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.Lime

Filesize
2KB

MD5
af2dfdaec1b7781f70a9cbba75e57bb4

SHA1
90f86e97e728474b238c5179045ec2cfa83831ef

SHA256
0154ef5b81321c71af060f06c4c62731a00e7ccfb817b32698948c1cbd37c688

SHA512
9d3b06b204519e47839eaae9ebcbeceeae6674b964afbdebfd68721c1eb3d3a7ceb5295af0f09b060b9dd82c77a899ae45d2ac722c4e26070d325de90ff4b24c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.Lime

Filesize
2KB

MD5
2278cecaba6ccfd3b516f42d5b760ae0

SHA1
0bcdd946d7a20d8f824e764ac2dc79a104ba88c1

SHA256
63e56e5f3c2fd9ae08668b86f87a0066f5448ff77e32a1b91b30e240eb5ca544

SHA512
05acb85ebac6918cc3070c32e8ff35c9fc0e5c398355bf7b9adc04ad23195442655ad859380bd54f917492a4cc47fa9d2fcba8ac89332095b97e814bc34837f6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.Lime

Filesize
4KB

MD5
872a3ec2920fc7889d66c8d70afd9c53

SHA1
c0fc7f7c2dc0695cc0e0e802048e9bcbbb807efe

SHA256
6d10651495bff1fed746c588503fc985f00c63600b786c423dfd9c56922a5e07

SHA512
6b8ac5f07a47ba0fedca79bbf6122ecfa579f844d850155bcbab94203b2bb7d96b52278a9e0b030aac63d4ce0b32573e245503bb9d1156e2fe928fdbff9afc15

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.Lime

Filesize
304B

MD5
41d9751395aa3e3bd666840851efc641

SHA1
84c8fad54c32f02ed53e44e6bd289b8af28729aa

SHA256
cf9460d45940a2d5be9c9232a337b9bf53e9692ff84c8048f36df166fdd9a074

SHA512
cf17900a9a3b11f9284be82f722724045638ef69eaa1ca6dce1955ec227c1060714369b29859c3cf52f818234def7eb236bf48501359b8ff483220dcaebafb3a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.Lime

Filesize
400B

MD5
24840d8c534bb17306534b986eb4a112

SHA1
f0ed5b10991402ce70f4527235944b0937d6dfc0

SHA256
836753e98259d533d0b9da87cc5ab6b947887e98751aa4f7401308948acf1783

SHA512
74e246dd9a9ab6e76ea19c29e564ee346eccb32d4f407934515b77ed74b34c748266e0d66cad924975915558f6be9aa5b481a121625cd331a0551cec6afaef3c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.Lime

Filesize
1008B

MD5
d38ff7eec70320e02917c43baae86a20

SHA1
fb5d368e97b2e362ee8dff91a0435979f7b74a04

SHA256
d24351a1c15fc83afaade8f4deb402cfea08ec9fbaa9ce441dcba7decd174549

SHA512
31473645637071df49e82e1d66e23ab55b1b7faf630ee1b0c00cf6c65f7562b078474548af1bfc6290792e70d40fab5963b24307813e21e5fd6bd5f55c64baa1

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.Lime

Filesize
1KB

MD5
ac3a6ecedabed3bed467e2c52d25144d

SHA1
66e45d6ad00c66afa8d685f10c4e500498375720

SHA256
9622919d3f5cfba68f3414b57d53a58d51ccff163de11ce3d167824f82fcb15c

SHA512
0cf6848b496d01b352e695b3723a6c5b24f593c9628b9af8577e032210430d2df9784f3c6c3aa2ece1e18ba86b0e1a98a2b2f1c0116a2b118c88f4c3915c5e29

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.Lime

Filesize
2KB

MD5
e7e732d22054f8804b08961ee2be62f7

SHA1
b454c9e7e8b803411e3bd2165c0486c9187fcaea

SHA256
ae615cd95725a4b562204b11981978d4d4939383b9aefebff5ebeb337a3f9e22

SHA512
3c196b9f26387aea6f05d3b293bd4730a6506f35ae4a8345b0d2049173c50258f016830761159fbb7522d975d5b67f96775e164fa41c2caa3784acdf70763367

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.Lime

Filesize
848B

MD5
ffe00f42c1ea6a7215c7ce6d5a16a225

SHA1
312aea5a44867ac7768a93dd658fea04eafd9b79

SHA256
eab8257561ca25179d10d7ed936dc07656f795011aafb38a76db4fa0651d498a

SHA512
3f60d0a9f35172e135e36c329b865afd1edc2580968065cebd3a161a619e7fb2a806bdd2d73737743ab62190325474fb308370a01eada78b803347a6dcc047c8

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.Lime

Filesize
32KB

MD5
6910db0f07ea3bb62d550ed13348b437

SHA1
7df2dbe024d9ae792e0cac06a14896d15e692f01

SHA256
d770e9b51244d7dfa7a53b7aeee620bdda33e4628e8d64aa554f935618138c3e

SHA512
014972ecfe668f915c0a119c8af96e8a14133b40f889800dfd9fc652b69e57e244a21c7646cbbe8f02f4c96c005247e325316e181a2b42b3482db16c2bd1da36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old.Lime

Filesize
16B

MD5
2d042da5a26c8c4739061bb41e28456c

SHA1
9ab6f46b7c626f251eb5166fc51c3b0644cf4473

SHA256
292672c08855195ec4e37623659fb380156b051b14d10d8f333f72211c3aa751

SHA512
f9bb0983b9ba797f1324b1939c51bc2931b07fdbcd8faaaea89107d58f3eddbf5f82c28339a08eba4ad9ba66d101e09b478dcbbacdca9e6a801879e28ed4a6f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT.Lime

Filesize
32B

MD5
23e5b47dd08cdb9a8b0f11cf7052b235

SHA1
cd3ba1dcdf2e27a35038bd87901174dacb08e9f9

SHA256
b6c4f20292b8a12c95fbcde0b17c55d71480be3343b58d131e21a6e685fab01b

SHA512
9893136e1410606b9a5910398a79e012a2dbf05bee4697904b223660e2dc4f7408be659245f54b5fc595db3ab8290d1141c7aee011d70a52e831d134a8ea5460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\MANIFEST-000001.Lime

Filesize
48B

MD5
ade0106fd2b6e0725f0d8813cc891bcc

SHA1
92d7b3aab423a1cefb4b5f6f8c96341f6e341304

SHA256
d72261a440e8d6d216117f28ddcf537242578ff59010dadf45a878cbefa6d11d

SHA512
dd082fdee26d855ced1456e7748a6641bc06ed1d9b28ec2ac975375ce9ebcc5880f0a2e14d713fae9bcdc0caa2edd7e2ca784f89302f6ec9a64958683e6310f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index.Lime

Filesize
32B

MD5
807e2dc6d3a07722d03e0aff422c7c02

SHA1
8f57484b7ee02c5a90009a8278bd4ba2daf364e6

SHA256
9f484e444b44f668b42be30200330766662d99d72d56ccc3c168d6f93db860fc

SHA512
c33f279a203f48b0766124b26b3b997743f90f2ce72f0d702c33507b11b3a9ec82541c4ca84ad8f8b97a60e0c649f588cc9ee750c42b007afd47fc0daefd5104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_0.Lime

Filesize
8KB

MD5
2d0aa7a66cd8e73a5f40323027d7bb67

SHA1
8d1c81e1c7dd1a8a956d1d4181d3595f17e09ab6

SHA256
82d42c7ae3b974b69d4ec34263cb06abfaa88ecc4af261c6417e8d1d54cdd536

SHA512
8f35e8c39652b07557391f1becf4d66c5b28cb9d2e49f5f63da601200a8f459291709040acd30e362a0ef6cfc5435bc3e38d417c13bc1eee7c0337b7069a0c6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1.Lime

Filesize
264KB

MD5
6c2d5b30625f06a035a6fdaa63eb8fa1

SHA1
e3a2af4cdd27f71409240794b86d43b4beb94641

SHA256
b78af7d497bd5688a717de02c754989250531f0c4dedaaa14a6f9503bfa33cce

SHA512
a838601f9119e8001d080622d8e4a5376b8ce88e1303e90e0521bfbbde1385374a966691c8f78131cd36c8fb0ddb01563f875006e3c7106244ebf8bb67364045

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_2.Lime

Filesize
8KB

MD5
14c482a8372a2cafdf2e0a87074f7939

SHA1
c0afa3e3677a547c0d0124595c65e8dd39db471b

SHA256
7cdebec40f3e24b7ec228e26d329fb6882f7ef9070c80589c4637f8d24ba347a

SHA512
8685ebac4da523ea2e79571ca65d781097bfdcb738762bfdb53bf0fe4c97e6d6c64762432ee6649864da43d5d0d7678dc97b518d058fe8eef6da17981244963f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_3.Lime

Filesize
8KB

MD5
1c0f9c4317e4f2c5d852d99661b78401

SHA1
64b0e31c6cf64d5e8a699cda2028ecf59e33ac25

SHA256
6eaed33ca0168368f169f91fa930fcf1a85c7b56c656962e16732ea04bbd8a91

SHA512
8604e7cd57a14d0f889d730dfaa896d623168cfa08b1c3a77e097de1dc1d2786284c883e9bb3b050f7836ed518270ffc7b147038dca11f0beb73de67383a3432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\New Client.exe.log

Filesize
588B

MD5
e293216bc892a819986fbe64a0f8d0b4

SHA1
5152f6fec6914c0b0561d444837f79b8436f403c

SHA256
5185c5bb61a3163e462585f5016cafb6b957948cf1fdd72e700a8d437e84b787

SHA512
f78cb3635a06c7f94f11c60fac8b962df34784f166529db81022dc18b5e233449ae04e62ae0e9298d87646eedcb4e52c09d3ac2754ffaf98a277ce8916a953be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\StartupHelper.exe.log

Filesize
408B

MD5
40b0c3caa1b14a4c83e8475c46bf2016

SHA1
af9575cda4d842f028d18b17063796a894ecd9d0

SHA256
70e88a428d92b6ab5905dac9f324824c4c6f120bc3f385c82b2d12f707a4a867

SHA512
916437df737de4b6063b7116b4d148229d4a975eb4046122d47434b81fba06e88e09e5f273ec496c81ef3feecb843ccad20a7a04074224416c1fa9951acbdac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db.Lime

Filesize
24KB

MD5
96a27225a30a5c7d1ff81206da7b417a

SHA1
c6bd0e61f01df04f43a06ecd80da526dc79cc02b

SHA256
4a7c46150cd1456f4fe5dd8eae1f8829555c8bad7d0bdc9b93d273a894b4a235

SHA512
7e806f782f7f2db917dc049cffc535653a4701df8d9464875f5b91490aa0cfaef0e782878acb5ad99cafc2d7c71e8fb245eadaa9b3519e22708615f01227079a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.Lime

Filesize
8KB

MD5
0cdba7cc15baa0aa2dd72f44225740f3

SHA1
6cda5bc3ab720057b6b42f0324c63ea874dc19f9

SHA256
44ba74a5d541b5a1fc97558a1744e27db25acb94da282850d8e14b7e98a565fe

SHA512
f596170749821e0935c8fbf4a119793cdb84099e55745c5826c8da87f022251f21fee0d1fc28f168e80f03c41f4e8e4a4dc8fba62227b3af28a494b7a9a0149a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.Lime

Filesize
36KB

MD5
57c8ca1abf28845fe1d9a0a03e4f3d82

SHA1
cbe5fabdae9ce8a1bc215224c4baf5cf17c9867c

SHA256
99c99c1af620f4392ff243f43dbdad4c6577e7ac312bc388d7bfcf8c9c16ace3

SHA512
6ce7836a9df5207fb1948d80b19cf061b1b66f492b0c8bee101d5a736e1b9f6b6451931e834eb8ae76a1151be0a1dee71912e8ae5fcefdb879b280f48c15b1bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.Lime

Filesize
36KB

MD5
230055425f8ee3e950a203feea75934f

SHA1
c488f69f8f4bf945692996d6add1987a50a1467b

SHA256
617f3e23d04bb79fb4096b03628fad623b94b6b212f31958edfee17359e5f64c

SHA512
6e60d0563e4899e2aaaec5a5381f64f1e3ed3c0bceb0f989f88bac1867eec3eeda73512ccb5499af1f0a6390d5d18e497bf030abb24bd661b9f6c4c2c688a695

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727656156761623.txt.Lime

Filesize
77KB

MD5
91402ab9766dbecdd1cdebde8a12be1e

SHA1
53f144f82d2b1a51ce8ba2ad7d1ff451829f3024

SHA256
977343d73c263a04890cc081cfb8d259305bbf4ee311f4c75babc842d9e57b7a

SHA512
fc7adcdb70a7b29c6059b1a52feb61ffa9cc66edd91b34d3c91fdfc3dbe82db97e80c12296af3e09bb657b5334058800a889e43c40e58ce9047ec83ff53765d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727658166467731.txt.Lime

Filesize
47KB

MD5
3f39c76fc43ae259cd6282e766811f11

SHA1
7ff5878cc24e5705be38902d74879f048bd9fc4b

SHA256
463ef9c9fb0b61dc5c97ad3c9e25fbf56ef5672254261d9dfda9328a5f653d15

SHA512
0fe85a9159caa0be9a59b7712c2db3b17df26161f0a19908ea9197d21dd16287afdd6e83dc83201f234b4fb6d8fba5db98d27b5fd4895add51e0697f8a62af1e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664132098124.txt.Lime

Filesize
65KB

MD5
8fdcf18ab0ed6e84e34d1c5d37b3c643

SHA1
9696c05a77e6d231d6233c6caf89aeaf0b45e12e

SHA256
f7e3f08af4fad075dfa33b65b23f5d33b4e96e94a41936dc5d75b97ed2187832

SHA512
687cc43c30ecff42a904a5103051665a314d1180d73e4a7838bbc4cbbf25dfc9de5400045eaa21c95ad9cb8c3036ac458cb082cfea3432b80024bf6f5726ef64

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727692122353911.txt.Lime

Filesize
75KB

MD5
4519899632221a2ad1f51d32dc174640

SHA1
fa232f04ea95c773819062a8f6b958ebcc12303b

SHA256
5bdb263ee4916e9da4585956b7eaaa049bb61995a01367643810c6aa8af94be6

SHA512
60a72aaaf7000c68f377e6851f143282c9890ccfd340adc4ac6ecb01c64b456e74d0e617e3b596ab3f9dc773326ca3827930f71ea8f9293b6863dbe003edd721

Download Submit
C:\Users\Admin\AppData\Local\Temp\1683786

Filesize
96B

MD5
4f0f313d090a031e7bfffba76d78ecab

SHA1
0d577bc0155b493820fb9fd842e3dde629b90459

SHA256
a7546c5d43a26481aae0052942b9a7cdcfa3a5a8452c535fcbe0c62cd1df005e

SHA512
51824c60159f4ed3023af2a00dacb7889dad1efeae30cdd515bf16b456c610e0b83d4d326edc75b2eb925d510b36180e147b5bb54ccd2f102fe449676d223693

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.Lime

Filesize
48KB

MD5
df63443a192c50d25f65f84e2eec9ec7

SHA1
a3c6933f44f80a4d6b11d86e7318fd4b92eb5259

SHA256
905e49d540e85a46ba9a5d24ccba36d435b7f4b58c3380cbc3f4de96830927ba

SHA512
e5ce90e3c07a2cd74a215bbc0624044a07eedde4037b4c3ed109b7c4e9f7648bb9e4eb7aee9df1ca847478a3f32192abd538bedff1001105ab528f254005d904

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.Lime.Lime

Filesize
48KB

MD5
7f1b136c58f84b046705f82b767f447a

SHA1
e6f50c76238d063bc9805542dafe3a07ef61c506

SHA256
377d94d0b2bbd56eef502dd64cca5a42c7621821b04d395eeb7ce8925f2b83d5

SHA512
583152933005642f055e69b45cfb023cb98ed207f9bf14620e75d2bdacb34b9074dd89b7678971670eecf508178da4bb7cd1110a4a096f4c6fb5aff909b064eb

Download Submit
C:\Windows\StartupHelper.exe

Filesize
164KB

MD5
865bf3d2eeb62c50359ede787f510100

SHA1
462a1745c2da3d1ae7688a3fda60e441debede32

SHA256
863a54fcc0edc46e52df772d40698c5645029ea6031022ea8e19a686245d49c6

SHA512
6d37e88b08fbff52db3db3b19627f49cdad54082c9b34ad8decb90857ab8318b14764a3ee5e6a4dd96f4e272daf8ebfb79139bc3332d8842368431383932d862

Download Submit
memory/872-0-0x0000000074E92000-0x0000000074E93000-memory.dmp

Filesize
4KB

Download
memory/872-1-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/872-2-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/872-12-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1016-515-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1016-14-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1016-16-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1016-17-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1016-13-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/1016-5293-0x0000000074E90000-0x0000000075441000-memory.dmp

Filesize
5.7MB

Download
memory/2736-5281-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2736-5282-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2736-5283-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2736-5285-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads