jigsaw | 4bdfa0f7676d04b93a7abd26d1ca02114b7ffeab3b4aa21f003e9e605ce7425d

Analysis

max time kernel
320s
max time network
321s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan-Ransom.MSIL.Gen.gen-0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.7z
Size

221KB
MD5

4295ccfda99a2c3185ed6da64e71c692
SHA1

f652680c70da9db20f2ed63e81e3e8f3e8dc9f73
SHA256

4bdfa0f7676d04b93a7abd26d1ca02114b7ffeab3b4aa21f003e9e605ce7425d
SHA512

e1c5c2b8c8e7538c93f98a1a17deeed012e291eb8f92f1ff6c5efbc6cb446c9419b3ad493d1e4c86b9928453a3475fb8b67315fe8e574915a038ebc2d5dfeec8
SSDEEP

6144:dzL0N14NF6r93BAJkqp/PIey3SxOTe6CixjsY5aFkAB:dWUF6hQkqpaeMpCixjswCkY

Score

10^/10

jigsaw discovery persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4044 created 4276	4044	taskmgr.exe	116
PID 4044 created 4276	4044	taskmgr.exe	116

Renames multiple (3690) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	Wire_Transfer.docx.exe

Executes dropped EXE 2 IoCs

pid	Process
4060	Wire_Transfer.docx.exe
4276	drpbx.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	MsiExec.exe
2620	MsiExec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	Wire_Transfer.docx.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Telemetry\BIEvents.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerWideTile.contrast-black_scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\FileIcons\FileLogoExtensions.targetsize-16.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarMediumTile.scale-125.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\comment.svg.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-24_altform-unplated.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7e3.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\SmallTile.scale-100.png	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	drpbx.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jmc.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxSmallTile.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\LargeTile.scale-125.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\MicrosoftAccount.scale-100.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-20.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\check_2x.png.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ui-strings.js	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg.fun	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pl_get.svg.fun	drpbx.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\AppxManifest.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-80.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js.fun	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\OutlookMailBadge.scale-150.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNewNoteWideTile.scale-400.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppValueProp.svg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\193.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\91.jpg	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\eu-ES\View3d\3DViewerProductDescription-universal.xml	drpbx.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png.fun	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ThirdPartyNotices.MSHWLatin.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\75.jpg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pl-pl\ui-strings.js.fun	drpbx.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\LinkedInboxBadge.scale-200.png	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-black_scale-125.png	drpbx.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\en-US\webviewCore.min.js	drpbx.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\example_icons2x.png.fun	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\ui-strings.js	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	drpbx.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\11.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\bg_patterns_header.png	drpbx.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js	drpbx.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDEA.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\e57e85c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIF4A2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF52F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e85c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6CC1D7E5-F55B-405E-8E29-8BF624B41193}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe

Checks SCSI registry key(s) 3 TTPs 11 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000074e11e240694ce490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000074e11e240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090074e11e24000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d74e11e24000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000074e11e2400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
2660	msiexec.exe
2660	msiexec.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1168	7zFM.exe
4044	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1168	7zFM.exe
Token: 35	1168	7zFM.exe
Token: SeSecurityPrivilege	1168	7zFM.exe
Token: SeDebugPrivilege	1344	taskmgr.exe
Token: SeSystemProfilePrivilege	1344	taskmgr.exe
Token: SeCreateGlobalPrivilege	1344	taskmgr.exe
Token: SeDebugPrivilege	4044	taskmgr.exe
Token: SeSystemProfilePrivilege	4044	taskmgr.exe
Token: SeCreateGlobalPrivilege	4044	taskmgr.exe
Token: 33	1344	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1344	taskmgr.exe
Token: SeShutdownPrivilege	3912	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3912	msiexec.exe
Token: SeSecurityPrivilege	2660	msiexec.exe
Token: SeCreateTokenPrivilege	3912	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3912	msiexec.exe
Token: SeLockMemoryPrivilege	3912	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3912	msiexec.exe
Token: SeMachineAccountPrivilege	3912	msiexec.exe
Token: SeTcbPrivilege	3912	msiexec.exe
Token: SeSecurityPrivilege	3912	msiexec.exe
Token: SeTakeOwnershipPrivilege	3912	msiexec.exe
Token: SeLoadDriverPrivilege	3912	msiexec.exe
Token: SeSystemProfilePrivilege	3912	msiexec.exe
Token: SeSystemtimePrivilege	3912	msiexec.exe
Token: SeProfSingleProcessPrivilege	3912	msiexec.exe
Token: SeIncBasePriorityPrivilege	3912	msiexec.exe
Token: SeCreatePagefilePrivilege	3912	msiexec.exe
Token: SeCreatePermanentPrivilege	3912	msiexec.exe
Token: SeBackupPrivilege	3912	msiexec.exe
Token: SeRestorePrivilege	3912	msiexec.exe
Token: SeShutdownPrivilege	3912	msiexec.exe
Token: SeDebugPrivilege	3912	msiexec.exe
Token: SeAuditPrivilege	3912	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3912	msiexec.exe
Token: SeChangeNotifyPrivilege	3912	msiexec.exe
Token: SeRemoteShutdownPrivilege	3912	msiexec.exe
Token: SeUndockPrivilege	3912	msiexec.exe
Token: SeSyncAgentPrivilege	3912	msiexec.exe
Token: SeEnableDelegationPrivilege	3912	msiexec.exe
Token: SeManageVolumePrivilege	3912	msiexec.exe
Token: SeImpersonatePrivilege	3912	msiexec.exe
Token: SeCreateGlobalPrivilege	3912	msiexec.exe
Token: SeBackupPrivilege	4364	vssvc.exe
Token: SeRestorePrivilege	4364	vssvc.exe
Token: SeAuditPrivilege	4364	vssvc.exe
Token: SeBackupPrivilege	2660	msiexec.exe
Token: SeRestorePrivilege	2660	msiexec.exe
Token: SeRestorePrivilege	2660	msiexec.exe
Token: SeTakeOwnershipPrivilege	2660	msiexec.exe
Token: SeRestorePrivilege	2660	msiexec.exe
Token: SeTakeOwnershipPrivilege	2660	msiexec.exe
Token: SeRestorePrivilege	2660	msiexec.exe
Token: SeTakeOwnershipPrivilege	2660	msiexec.exe
Token: SeRestorePrivilege	2660	msiexec.exe
Token: SeTakeOwnershipPrivilege	2660	msiexec.exe
Token: SeRestorePrivilege	2660	msiexec.exe
Token: SeTakeOwnershipPrivilege	2660	msiexec.exe
Token: SeRestorePrivilege	2660	msiexec.exe
Token: SeTakeOwnershipPrivilege	2660	msiexec.exe
Token: SeBackupPrivilege	5112	srtasks.exe
Token: SeRestorePrivilege	5112	srtasks.exe
Token: SeSecurityPrivilege	5112	srtasks.exe
Token: SeTakeOwnershipPrivilege	5112	srtasks.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1168	7zFM.exe
1168	7zFM.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
3912	msiexec.exe
4044	taskmgr.exe
3912	msiexec.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
1344	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe
4044	taskmgr.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 4044	1344	taskmgr.exe	97
PID 1344 wrote to memory of 4044	1344	taskmgr.exe	97
PID 2660 wrote to memory of 5112	2660	msiexec.exe	107
PID 2660 wrote to memory of 5112	2660	msiexec.exe	107
PID 2660 wrote to memory of 3016	2660	msiexec.exe	111
PID 2660 wrote to memory of 3016	2660	msiexec.exe	111
PID 2660 wrote to memory of 3016	2660	msiexec.exe	111
PID 3016 wrote to memory of 3112	3016	MsiExec.exe	112
PID 3016 wrote to memory of 3112	3016	MsiExec.exe	112
PID 3016 wrote to memory of 3112	3016	MsiExec.exe	112
PID 3016 wrote to memory of 4060	3016	MsiExec.exe	114
PID 3016 wrote to memory of 4060	3016	MsiExec.exe	114
PID 4060 wrote to memory of 4276	4060	Wire_Transfer.docx.exe	116
PID 4060 wrote to memory of 4276	4060	Wire_Transfer.docx.exe	116
PID 2660 wrote to memory of 2620	2660	msiexec.exe	118
PID 2660 wrote to memory of 2620	2660	msiexec.exe	118
PID 2660 wrote to memory of 2620	2660	msiexec.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.MSIL.Gen.gen-0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1168

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4044

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.MSIL.Gen.gen-0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2538B1BCF2CDB12ADE15CFA4EE88BEDF
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\expand.exe
    "C:\Windows\System32\expand.exe" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3112
- - C:\Users\Admin\AppData\Local\Temp\MW-54e4f0ea-cb31-48bd-bbdc-2e34d2fe19e6\files\Wire_Transfer.docx.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-54e4f0ea-cb31-48bd-bbdc-2e34d2fe19e6\files\Wire_Transfer.docx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\MW-54e4f0ea-cb31-48bd-bbdc-2e34d2fe19e6\files\Wire_Transfer.docx.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4276
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 15CAADEEC87881C68D57C727940312E1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\52b2062e1e7d467eb58339f3e5846e4b /t 4300 /p 4276
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg.fun

Filesize
720B

MD5
61947d0907c945a6df0f1d86b894e4c7

SHA1
fd488589b551ef61957bc329d1a10a4dd20481db

SHA256
cfa663ff1da533b46726d1761848a327ff515ee7dd4bb395a9430f6cbc568bdd

SHA512
296a37e91d1fbce5e951413e09b240db31eef5ff88ce783a506cb40151dfc394465e0ba617f8d2ce4310a1432b969d88873e74905012b65492cdccd11a874981

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.fun

Filesize
7KB

MD5
a842db7ac1990b29e2c453d22188eafc

SHA1
562adae12978c15a03c541c86a930d306d1a3618

SHA256
577aceff95acfa55f729b8c56d5a5848d55d76ac0664b7ad4e32f1ffbc6729f3

SHA512
21639cb95779a49f24fa1fc74e2c26eba8040800b2f3fcba8815b41a915cb7710d2d528d00fb9d3acce8a74ce155a83e0f1b24fd7f4614934405d10211a19554

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_ie8.gif.fun

Filesize
7KB

MD5
f13b68445c6a611c58b69d0663adcd41

SHA1
f4405939a8ce9d73be0b9e95bc694c0e3187d4f5

SHA256
dfa70d2305ea3cc4ceedf503877087e358697aba61f28e6afe310af68dddfcee

SHA512
c2e8e3fda0588bf6bf8385c654a245a597ba146e5877943db63d0f2177833de3a1e0f6118d318071f07a2c0a107001bfeac901119e036b15ebf5dfa6b7795f28

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons_retina.png.fun

Filesize
15KB

MD5
c8fc25207f8ceecd9227242be2efbac3

SHA1
46f774b5a0f7cbd381d4434ce8e50de84c3c0c12

SHA256
bab54850e29f9ebc93b283187ef71904745c380cf99f7b2fa75de22a59ed3d97

SHA512
8ebfe4584beb21ad2a82da8ad799aebb00e52b5c819775f4df6dbf6dd2435f45514cbb15747baaea6018d476f43ea2c7ba66f6103b551ccf55ae3642167bc653

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons.png.fun

Filesize
8KB

MD5
b5d8672c3a1c0c03ea94ed8e7545b730

SHA1
95dc280bb5e13b9979952cc20f30f6830f184901

SHA256
fca20ec5c665941480e92223fc4719aac0b3235a7f115d2574d7129e7e6ee348

SHA512
de8da4e24416eda326404a717e77a8d810aa6f995c5fd545c9da1ef8cb47fa9786628d3ac3273f165167e4ea4f63532303f07518c85f8198adbfd89f0342f7c3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.fun

Filesize
17KB

MD5
ce629e483860631759ed4b212ade9bfb

SHA1
f5b4a74fcd8a4c203febcbcf808d2581959ab442

SHA256
5091a8ca0d8b0b72af4059110ad2197a423e2ddf8c8cc15e6a7f468c3fb2a78e

SHA512
d530e96e76b674605c4cf5ec30288ad4ea93399021ba88d68961cee3b158aed0e56729925a025ab355a888dda8d668780723aa3decfdebbeabfb6d5109504b42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png.fun

Filesize
448B

MD5
cab6c8585046fdcc0b2600cef0cb22aa

SHA1
2b0ce8b6523310938dceeec9fb9c9d864acc2f6b

SHA256
628b2ec6f6336318df443543de6a8a1d16e3b3400753e75a54e7a68cac604720

SHA512
8a88ceb9ec69d8f3cb6ac5965d7498fecb83e9c64f18d96c385ffffd9eae8fcebdc382c8a2c4b4b45581995fd1bc77e0afb0d3c568a6ce2907543092b3e6f992

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.fun

Filesize
624B

MD5
363b1b98d976980f0af736f587e99651

SHA1
4c9dbdd0523152e757c445a0495cb0572306b5f9

SHA256
bb70106809438ed5d550b69ae3d5119ecb46c75f7d8e0dddddd18e2967df73d0

SHA512
ca1c0b3690e7c9ce985a7f6ff2af321685d365d5ce61d700d2d17afd231cce067c01372faf43e2634414e3e6aa0c1ebdcadbdcab7c46eab759d6e4e584030e7a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover.png.fun

Filesize
400B

MD5
296b9b5580cc931820d1a1e62c29c41a

SHA1
484d786dc7196520072ec4a4952ec96d88ed6e26

SHA256
a36df9606a73c204e04696b1930d23c3581d33876d2b1510c9d324996186247c

SHA512
58e4b6c8014c9413540733003a2075c74ce9170bfdcfc27db79b795616988d91f58b7f3234183850a24a6b38ef2b4befdc61bae828a0d50bb79e729e51e458ca

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_hover_2x.png.fun

Filesize
560B

MD5
355f9c4064151c7089fbe1126af0cb77

SHA1
b138c3b0563efc29dc3ed24180dcd46cec5819b4

SHA256
0d8584a9d9fbf7c7b0b54f69b308da3204281c93aa1bf2f83c02e129c73a987e

SHA512
cc39d40c5058cee42fd451210b64def65499a5e2abe1475426aa88b65305e3b0a7572b7a0de15756ab68660d899bfd0c28fb62c2b6920c98d0a7e1896e292905

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon.png.fun

Filesize
400B

MD5
b9928ad5ffa158894354df8b8ff6b23f

SHA1
e228563a9873a502801dda31c3d33be880080251

SHA256
e1a2e7cd9fe8586b95860da7c13d7b9407797ab253573c24fe423c8bc4485cf7

SHA512
d18f4fe5500a0cd70092f22f414895782cb8f3f3040c627a21ddafb1295faa146bf158e8b71ed4741f53c096b13d24d1046f7c6d6753fe0fe9a72b496f1093a6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.fun

Filesize
560B

MD5
2e7765187796a13a10d805e0ee978a6a

SHA1
c7a8e4989068703a552b2cfe13e2411a621114f2

SHA256
cf050c014f972d74e2e9ef5aab5dab5ca46fb1344d07539aa4071305f51d2b9e

SHA512
73fd7b93efc84fb8a7c63eca4b51c85a33c85db58c2e98161bb2045ad06fc60479a0cf672346a0fd9ee30ed4cd28e565310921315180400cab56561ce0f9ed40

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.fun

Filesize
400B

MD5
d86ab3c169ebf736f5109312a9ce1c27

SHA1
513eacceed79aeba7c7ef521759d65e73edb368b

SHA256
aca7c25306834d60e990bbff5a59d35171811a4cd764cd6f19ed7f3d60678a6c

SHA512
ae27bd93e06be3c9e392ad9ed852e5b06828ab298a7e91ea58411b04cc7997858f6d3e891212a044dde51307f9cf759fb18e90c6d3afa7e78ed8f404116ec0c4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png.fun

Filesize
560B

MD5
ba92eb229413a4997d609cb7c32a262b

SHA1
7e3d458cb15bdd2b4dfb48cd636b915f1e216d69

SHA256
307ed4b76842f00b9b5ccbdfee3dbe845027badaf9fefa0f270ffdb37d053195

SHA512
4d532be35dbee30672cc2734717c827cc1ba3e9961fe5068bc21b0826edfceaabbf9e8511ed60b03522fa8f02f3c028c5c815727628a29217a8a843200ae3925

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons.png.fun

Filesize
688B

MD5
79928359f473ca412b6619daa126ea4a

SHA1
55d1f1d741b2327b2853a26b9c55712460ab6433

SHA256
26bc3338fa8e8f825c0e8fef85c572df98afa06dfd09dcbf6be0be93a0e7644e

SHA512
6e976147cec5201ed7d9543db2b335d007dc159f571e7df373d4efd28625255c53e47d76e21ff514de08887b15995111ba68ae0b047678d5c64387465729e52e

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\example_icons2x.png.fun

Filesize
1KB

MD5
27c2ae5ec13d9be007de8f3bd3577b19

SHA1
0b4fb7f92ed8c9a72bb48a2b6ff4dd0eeac45f5c

SHA256
9bc2e43816cd6586b50b94902b7beac1291a4123b9ca38fa2f3cb6bf647cb9a8

SHA512
832d67e486247748c3eafff6c9c0b3a039203c349c31677d26361e0f66c1e0e1e671f637be9c6dc22687b7ec77cd3ac4bc1a2d7eeac3e67204b79dfc2f664e4d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png.fun

Filesize
192B

MD5
840221d27a09a3080a93c1f4bb265f5e

SHA1
6ed12d47df1500f7ad56ce0e3e43fa803dc040c0

SHA256
9999fa3e8b7b136d9688bc0bb42a144fab43263998c28850facdcf0def8d6360

SHA512
cc4afa07c610dba58ac80779196edaf2a745c733bcbb3b1a581ddf36c0a3f4e79a70e93ee448074d3f06f25362919140288ba59e71fc21a89ba46688434db7d7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_patterns_header.png.fun

Filesize
704B

MD5
a967c33396482152971c0a3dd54053a2

SHA1
2d8cf663746ad928d0ebfcf87af685988f540aca

SHA256
107c2a1239238755e33ce29ef7b000935ede80dc9fdf544182d01e5c330a5a6e

SHA512
63e990a4d044c2414571481e6fd40bf30d1bc59c009b6b497eef062c9b2b3443005caf0dd014055d2da08e2f7e8a12d7c324f6c63430b1bfd95d14088c9b7162

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png.fun

Filesize
8KB

MD5
a48c79d6485aa84f70909e0deac5afc6

SHA1
5885dd3d8553862554312632d40b04ecc583e09e

SHA256
02f138096bc96757a83a6b42e855007d6f4fd1c8390c220fb5f428219253d573

SHA512
3615eba5102df9ad4bc8aafa4c43ad3a43afb617f49607789c8a6c0fb80d0fc4f5a625ba27600b5e7f6ef302dfdedee3022d61ae202dfa6c319762befc31ca46

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations_retina.png.fun

Filesize
19KB

MD5
a5b25141ae69df8e8627814bc7da55e7

SHA1
862ab0471f3d3415ded16e77f2542f84023fe8ad

SHA256
bc2276d83723961e25e621e4400a2aadefb95f1e38642ba2fd8c4e7f83dda6a1

SHA512
b9b0b0c3e5bf9026e684ef38ee576aab142ccb9a19759834d30771df121a0f87167d298bfda2d341055c1949e203102e88d5195a53ab96eb18ec2c6e70d614cc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\ui-strings.js.fun

Filesize
832B

MD5
f9d942430d103eb14bb89a8b06dd354c

SHA1
28c8f183fc1c03eb2f69dfc662c0d47f25dceb9c

SHA256
30f745264662bb65ea8e073548faa9cbb594394fe6bb8f238fd463cd4b19a16b

SHA512
51994cfee07ebe1f030eb609f5d70c42b15f7f4d7a7e7e82c44682048b405ccc52cc33aed16ac21ac189d378eb93db093e32c50ece0d1c6bb5687fa1451ffea5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ui-strings.js.fun

Filesize
1KB

MD5
254e6e1f919c82e7e6386148f4fd8b85

SHA1
4b16f83c625875047f0e397bd22c318e3dc401f5

SHA256
6fd7ad452179754ac6fe6ee17a1e9ca7277173e23096153ab776cb5c572f19f5

SHA512
b9d8f88e89da06a98685ef2dab1f85115defd342d09527fcdf81712b000800fa1350db0ba085e2fc9df29ba0da394346a9d2c68395a3f9509d525e155d986ca4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js.fun

Filesize
1KB

MD5
c8df49bb4bbdc9da2bcab074f61beb09

SHA1
7bec3ca11d7533d9853d2a9a6ba2dfeb7d8201a8

SHA256
ef67108356c94c9c8826ab0a667fb88add02381715a352f9be62ee92ad781647

SHA512
53b472bdc116931819173f7385d23a8becfce39f63fcd451962bc3c6d0e117fc5f2e7ae6dac3297bf778bb35b06d5d514c10dc882ed3a5d958f8f5cdd979a213

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png.fun

Filesize
2KB

MD5
5a7c257c74c8c7d5352b57cde2f0b55c

SHA1
ef9cac32cb1329bef6857173abee2fff4cac3ac6

SHA256
b2a557b40c73eb81ca22b167c4a6ac1f43622c59b2d85e5f43119769c6d6b6f5

SHA512
031764f3fb1194d778a84a294df4e0509ba00e50ddefe3a6cf7a655f48219cc38e53f5c47a56646d6ea63275ed56d19328c7b82f14e717a688d6181093764928

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.fun

Filesize
2KB

MD5
2ac07813a74d6adaa3e44db55e899e09

SHA1
a0447b0b95d442c2d770987b1e007826cdae98a2

SHA256
b770a96d153a9e662d5a586e571ba9687a0995b9dccf3f50afdb5dba8da465d9

SHA512
940e4a99d233d99b1b342c4a8d032ce70f66ef0134d57b3c13f1cdde780453e32f54f442fe9255cfe73cc9e478f72f707a383a156aa924a95ffbd3cfc840a94c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview2x.png.fun

Filesize
4KB

MD5
2613b34bca30302406bbfa57c93b6c0f

SHA1
04a4e32759eb78be5d4397916bc9e51090fa4333

SHA256
53bbcb949a287d7ac25e7a31d671cd9eb11ac609f7344a38aaa5c2f165dc4093

SHA512
4c170f25c9d3238cc6572ff5522495effab28c7e0047a44eaba8939d2da46950ff9f8f1329b923d82b0b8a3e28de735dd41ebaf83711eb20b2fa52ba82f23855

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.fun

Filesize
304B

MD5
e4e7837a4f0c71864f2ed00e23aae8e0

SHA1
c35796c887fb94fc2112caf3921ba504570dde1e

SHA256
e69aa05159c50cb7dc9083dcd34a21f811aa80ca24e67eda8fca86c244d9a483

SHA512
296817bbf0f9faafa16577edb105f560be7a27ded19370efbbe9e14657fca5c202d3f19d0f001de5d9119fdef304e099bafda922135f679b487afe05e36d4fbb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png.fun

Filesize
400B

MD5
30c5fafcb889cfdfef7a7373c623221b

SHA1
e4a12b7ef07ca5780ebe205201be538a34fc6154

SHA256
b2bf549220418c47e80507084b43eeccd85c0a43f4da74de6858fc96dd3020af

SHA512
4a621fa79335711dab7dbde3bf0fd30979b15c2f48eff9b867a0cde99ddc67a97d612ea0472db9903c5cb5555800907b8a183cf499f55d186a42fe0ad6fb023b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png.fun

Filesize
1008B

MD5
3c501b84ed7912d164470fb2024d29ba

SHA1
f54ec8a32fe7a67acfcbd48e789c0b5d2c0b6816

SHA256
d1ba5eb730cc20b906290b76d64d2697896cc25ab4d782588f98c62c9b7ea1bc

SHA512
cf9adc56a6685c7f5131d703238752700cfe9b32133ee38f6e828b658dbd64af9732509a47abee3958c5cc22f3685f10cc27a1d5d76f7459b99498310fb6cdb9

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons.png.fun

Filesize
1KB

MD5
242c795c3e07e4f7e1db97121e007727

SHA1
c0704070f2026d817b82f71878e334be06bab551

SHA256
2ab2f7f6b540d3bcab915e7626db8db6ed71736ba7da94ce2ca4366d440cd822

SHA512
8b990d5a35b324ebbd5ee6d6d88d74e783e211f3c778162dfdf1577e2d3c6cc32693117fbfd1175ad34d7bb46e05504e8ccdcdc116a6895eee31f50d583289cb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png.fun

Filesize
2KB

MD5
a06ee81cc9009bcac3c9a5af0dab2b1d

SHA1
b95ada870dd0ebfd4058b6710076d750186ca151

SHA256
c82b8a9a8fa45f93bc000a754e07e9922fc1788f9d54bcdd0b4c6869145c613e

SHA512
b4271b58a89b37e2c48584778eeb08668e2d32026f98990fb017215e854a7006184f09149e478bd95a5b15027e308b61982f5a2275b998174bdf281736edece8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\ui-strings.js.fun

Filesize
848B

MD5
fe2afee9fcdf2d43940944ebd1145480

SHA1
986b8b7ce80ec8b8e223f95b508532e69cd49c05

SHA256
116b7fbce50c3c08cc73efca3439106f4f2e00012794fbad81ebff4598066a42

SHA512
b66aec41ffabc4d1566b2316de80efe3528d2ad5dd8b0030d1a127d58c0f9257c8b76ca7c301199e92213eb35f1d557a85062dc8c432e5c554590f0a91d2ceaf

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.fun

Filesize
32KB

MD5
aec7bd7c96948d97d13c7df53988e89c

SHA1
7b906b88009e7509324ae92dc8a32ae4fb38626c

SHA256
15fcb7c77cf60f287e9c81ec8053a9cdd1aa8bc0413734e8a1499a9de635c6d0

SHA512
27d12f825c16d1d5349f53a23d57f71eb8d4534a1ae4af2c4eead9cda09a4440dadc518a8887a3ea818494cb6319fc82ab8147cdb85958e9b344400b7d6b2803

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\invalid32x32.gif.fun

Filesize
160B

MD5
000e8c41d4a15fb34d0be0dbb56e3778

SHA1
00c4eae64ee6239d7c65d819c6ce1ac329224f8c

SHA256
8bdfa6a5b7de345cf0d4fe0e9c17d8b0e9db26d58b05b1b2ebbb3a05a068ff28

SHA512
775d832eb8ab73e4a93789917dca69edb6c91fbb426e02acf7c6e213ffb4575776187209d1c471fbf57c4621ea3c23d9850f6dfc2770d62c17de9d66710800af

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat.fun

Filesize
8KB

MD5
420960c4b17842a24bbf117222c60e47

SHA1
4e2f5bc3a3fe7da4ea60dfaae851b1b88e48751d

SHA256
e94c37d7dc8dd954bfee8e340abc882bc361baf0d3771ed442ed625a3bcb0174

SHA512
b42f16f6fca9b66d49a2ad7c80e56c51e04d023a4ae50e984dbd267e204682ecbb929fefb5c7ee67775597773b08b6bd39416f13b87f1782cf8c5d553ecd7ce5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842782713428539.txt.fun

Filesize
77KB

MD5
6084568724860c4044d33b598fbece87

SHA1
1b2ab8a9a3f3414930aaf398b288565c2dea8dfa

SHA256
5243e7e5e811ac6640d718dfc63647117f806d793d84950bcb25d7cd22fe1a44

SHA512
5a6076fb98973735e8f9d1e60a29589c106ea4215ca0498203ac77083e9c3a79ff44cd6c4eb29c216874f28858bdf1b60cd1966fb7b144d633027e0897fc5055

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842788336266196.txt.fun

Filesize
48KB

MD5
6adb5aca58ed799ff728f6ba9a3c93dd

SHA1
d88642cf45ee156e8a918253d3c281adec87e66a

SHA256
1ce8617726a7a492a321c6581410c067e9323d857479ef015d0071493ee9e31d

SHA512
6111a0a4b020e0998338489b99fefa4a870593b709c58a37bf72ca17d79e2ff52fc69c2efd3b74a6aa725b392c1ebfc1d5a0ad623cf9fc690a511c4b281c3b00

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842790245155104.txt.fun

Filesize
63KB

MD5
12efdb120ada2f6a69e9a3fa2055636c

SHA1
1023676a79fbbff70d88284941c55580e3eebbb7

SHA256
7431349a4765e2e33726ab0af091f65562d1c37701bdf350c6988106ce8cf2c0

SHA512
fb92f69c8b332d61a67e27af45701cddb6ed6060729c52600e2d256af5e2bf82a1dc7492c2e5dee95487153660ed63f2ea36ddd52a2ebfc10607886d8fc983d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133842843517140636.txt.fun

Filesize
74KB

MD5
0079beecf0bf1cece2ebadb5b5e484e9

SHA1
67374a32beaf504d00f07fe6da21faeb4c5216b3

SHA256
7d280546343710ee03587f732f1db68895223176a62c16cddbfb17941e9139a4

SHA512
7b4f34d174701bf662aab1e4eab53012c718759056bbd25b43622bdabc5ccbe8d84a9cb5bb21bc3d1b5ef84c59c680bc9c5ef03aaea2f69c81bc5589b099b42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-54e4f0ea-cb31-48bd-bbdc-2e34d2fe19e6\files.cab

Filesize
282KB

MD5
807718ec27e1cdf76ea45291e0b73dcb

SHA1
43fd298dff26c7cc2180d5b198ef23e0c37d578e

SHA256
1001621d1b1d3cbba8d28644b24d7c4ff165c13ab2850661b3ed863efb6d1759

SHA512
a01444e070e6cbcf6b0aeb00c54469ea2dcf36e841c9179bb8a8d4c316000ebab6cef72cfe21467cf283bbed8372ce4787f60296c985ab831c49e3d18646da43

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-54e4f0ea-cb31-48bd-bbdc-2e34d2fe19e6\files\Wire_Transfer.docx.exe

Filesize
282KB

MD5
fba7f5f58a53322d0b85cc588cfaacd1

SHA1
da2617cb96dd02a075565de6a704551fd7995dab

SHA256
1fccbea75b44bae2ba147cf63facbbcf1cc440af4de9bde9a6d8d2f32bde420a

SHA512
c9a4cb9076aeccff2cd1409dcdd8046ffa524ce768459443c2d69f21ef9c3fc899e2db19bed0377852e8e626436a80d9f192258e7e320fd3e252c0073eb762db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-54e4f0ea-cb31-48bd-bbdc-2e34d2fe19e6\msiwrapper.ini

Filesize
513B

MD5
50ef445037f1ff4da482fc9bb8197384

SHA1
fadc6fdce702a697d4bcd14e6338a0efb821fd42

SHA256
4ef605e0182b4b312c6c56c8f8f52d560bd727e9c051c72d9d81f592c81b1556

SHA512
d3f4d53c9f876527ebd8d1d72c839f6b903eef1310fa6a3e750f8e3fc4e1b23db064afbc35cb0227c5c48baa5386ac00efe5e28b2fe08d1e2116a43b90799b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B30B5580-6341-438A-B452-AC981706D131} - OProcSessId.dat.fun

Filesize
16B

MD5
cfdae8214d34112dbee6587664059558

SHA1
f649f45d08c46572a9a50476478ddaef7e964353

SHA256
33088cb514406f31e3d96a92c03294121ee9f24e176f7062625c2b36bee7a325

SHA512
c260f2c223ecbf233051ac1d6a1548ad188a2777085e9d43b02da41b291ff258e4c506f99636150847aa24918c7bbb703652fef2fe55b3f50f85b5bd8dd5f6e3

Download Submit
C:\Users\Admin\Desktop\HEUR-Trojan-Ransom.MSIL.Gen.gen-0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.msi

Filesize
1.1MB

MD5
a362de111d5dff6bcdeaf4717af268b6

SHA1
2e5104db35871c5bc7da2035d8b91398bb5d5e0e

SHA256
0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca

SHA512
b48a18158a0dff9a9012952c467fcf69b8bfc53ceeacaf32a90fc4b7f3afd34465e676b282fa87f3c5c85b4780baf96cc754dcdeef77ba5330fa8c4fd1d20b72

Download Submit
C:\Windows\Installer\MSIEDEA.tmp

Filesize
601KB

MD5
ffe70d3419a64f4be1982d5cdf1155f4

SHA1
c62e03d533925c871cb9caac853a1d3a33f60f34

SHA256
8b590d235166ed734e376bcbb27491be8d5592682919e961ccac59b2aa19e909

SHA512
5b2fd2c6cd1a8087be74a2b7ac04fce728a83c413bb041541314c534978d825818b250f3e1b81b3eeb4835800c6d66d40e7d7fd56fb582bc92c10566cee83675

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
3a381fddb44f6ece00c16837dd72dd15

SHA1
42978aca854fcb607ac68e1941b1d40f707aa8a1

SHA256
902e988b80b058de3b614f5fe9c22f8477cbee6a8adbec5a5bc1bd74acd119d9

SHA512
4596fd03af4e8ff0ad225ecb6ede88623c6041c4e0ad0fc848efd595969063b0553e22438787b3c63034715f5bfbf323d86c535f8d41ce7063621aad87b9869c

Download Submit
\??\Volume{241ee174-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bce4898f-31dc-4aa9-9541-19324f11e282}_OnDiskSnapshotProp

Filesize
6KB

MD5
d5bff6eba62cd478f2a87f2517d209b1

SHA1
e05ab5794c78e17b259aafcc8f3e6833159ba795

SHA256
fad8b1038704e07cda92a6335b1228d39ec7f096aba95fe447e337f3620b5c1e

SHA512
5b00916f55daa5b51c0ba233f8f0a39307fe4be777a4bd732a1c2963b9bf2e356848d8c78ea74722130a74bfaf0f57c7f59124bb697492bcc4a7ac042e9411da

Download Submit
memory/1344-13-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/1344-2-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/1344-4-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/1344-14-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/1344-3-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/1344-12-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/1344-8-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/1344-9-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/1344-10-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/1344-11-0x000002320AAA0000-0x000002320AAA1000-memory.dmp

Filesize
4KB

Download
memory/2620-98-0x0000000074680000-0x0000000074755000-memory.dmp

Filesize
852KB

Download
memory/3016-42-0x0000000074680000-0x0000000074755000-memory.dmp

Filesize
852KB

Download
memory/4060-78-0x000000001B4C0000-0x000000001B98E000-memory.dmp

Filesize
4.8MB

Download
memory/4060-79-0x000000001BA30000-0x000000001BACC000-memory.dmp

Filesize
624KB

Download
memory/4276-109-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download