Overview

overview

10

Static

static

10

084c57449c...0e.exe

windows7-x64

10

084c57449c...0e.exe

windows10-2004-x64

10

14b94844b9...c3.exe

windows7-x64

10

14b94844b9...c3.exe

windows10-2004-x64

10

2daa514408...2e.exe

windows7-x64

10

2daa514408...2e.exe

windows10-2004-x64

10

2e6f094748...ec.exe

windows7-x64

2e6f094748...ec.exe

windows10-2004-x64

2e96b55980...ea.exe

windows7-x64

1

2e96b55980...ea.exe

windows10-2004-x64

1

34c392448f...ea.exe

windows7-x64

10

34c392448f...ea.exe

windows10-2004-x64

10

37d8add251...4c.exe

windows7-x64

10

37d8add251...4c.exe

windows10-2004-x64

8

3a72653053...59.exe

windows7-x64

10

3a72653053...59.exe

windows10-2004-x64

10

49aca08f5b...24.exe

windows7-x64

10

49aca08f5b...24.exe

windows10-2004-x64

10

4a2ad49c93...9f.exe

windows7-x64

3

4a2ad49c93...9f.exe

windows10-2004-x64

3

5199b64b50...3c.exe

windows7-x64

5199b64b50...3c.exe

windows10-2004-x64

55c30024ae...15.exe

windows7-x64

10

55c30024ae...15.exe

windows10-2004-x64

10

56f7b48f38...59.exe

windows7-x64

10

56f7b48f38...59.exe

windows10-2004-x64

10

5a96b92938...a4.exe

windows7-x64

10

5a96b92938...a4.exe

windows10-2004-x64

10

606b88fce1...c4.exe

windows7-x64

1

606b88fce1...c4.exe

windows10-2004-x64

3

6bda9faf71...4b.exe

windows7-x64

10

6bda9faf71...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2025, 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe

  • Size

    71KB

  • MD5

    8f033c07f57f8ce2e62e3a327f423d55

  • SHA1

    57ac411652d7b1d9accaa8a1af5f4b6a45ef7448

  • SHA256

    6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b

  • SHA512

    f3712e7d5d55b27a4c20de07cce136e6d58ce62fa146d29b34dece6248e4456139703c50df10cb318346311cfeee0a8449d49163e821744efcde3ecfe8b880df

  • SSDEEP

    768:zncoLkaCbCq2l52DbnoPV0Yglwlu1y7e7th3BuItxn:QoLkaCb12l0DbCV6Wqyixn

Score
10/10
chaosdefense_evasiondiscoveryevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\Restore_Files.html

Ransom Note
<p style='text-align: center;'><img src='https://odkrywcyplanet.pl/wp-content/uploads/2020/05/galaktyka-Cosmos-Redshift-7.jpg' alt='' width='235' height='167' /></p> <p style='text-align: center;'>A S T R A L O C K E R 2.0</p> <p style='text-align: center;'>&nbsp;</p> <p style='text-align: center;'><span class='Y2IQFc' lang='en'>What happened?</span><br />----------------------------------------------<br />All Your files has been succesfully<span style='background-color: #ffffff; color: #000000;'> <strong>encrypted</strong></span> due to security problem with Your PC.</p> <p style='text-align: center;'>All Your backups are deleted, or encrypted.</p> <p style='text-align: center;'>Can I recover my files?<br />----------------------------------------------<br />Sure! But You need special decryptor for that.<br />If You want to recover Your files, you need to cooperate.</p> <p style='text-align: center;'>What can I do to get my files back?<br />----------------------------------------------<br />You can buy my decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.<br />The price for the software is about 50$ (USD). Payment can be made in Monero, or Bitcoin (Cryptocurrency) only.</p> <p style='text-align: center;'>What guarantees?<br />----------------------------------------------<br />I value my reputation. If i do not do my work and liabilities, nobody will pay me. This is not in my interests.<br />All my decryption software is perfectly tested and will decrypt your data.</p> <p style='text-align: center;'>How do I pay, where do I get Monero or Bitcoin?<br />----------------------------------------------<br />Purchasing Monero or Bitcoin varies by country, it's best to do a quick google search yourself to learn how to buy Monero or Bitcoin. You need to pay 50$ in Bitcoin or Monero.</p> <p style='text-align: center;'>You can buy Bitcoin here:<br />https://localbitcoins.com/</p> <p style='text-align: center;'>Where i can pay?<br />----------------------------------------------<br />Monero Address:<br />48CEU93NRDqCmH3qfksLRLeQJ9mjbFCUXEyZkStiRDWtDodmAtd7voHF1sHa17MgmoYmMoErrJstV6nC1DqYoKxT38r6TUh<br />Bitcoin Addres:<br />bc1qpawwquwas0gd88u66hgxp222p52madqp5lk5xw</p> <p style='text-align: center;'>Contact<br />----------------------------------------------<br />After payment contact:<br />[email protected]<br />and send Your <strong>personal ID</strong> with transaction ID (if you are paying with Bitcoin)</p> <p style='text-align: center;'>Warning! If you report these emails, they may be suspended and NOBODY gets help.<br />It is in Your INTEREST to get the decryptor.</p> <p style='text-align: center;'>Your personal ID is:<br /><strong>ID12_Yashma</strong></p> <p style='text-align: center;'>1)Don't change the extension of the files. You will harm the files.<br />2)Don't move encrypted files.<br />3)<strong>Don't try to recover files by Yourself.</strong> This is impossible. Your files are encrypted with Curve25519 encryption algorithm, You can't decrypt files without private key.<br />4)Don't report to authoritaries. If You do it, key will be deleted, and Your files will be encrypted forever.</p> <p style='text-align: center;'>5)The price will be lower if you email me within 24 hours after encrypting your files.</p>
Emails

/>[email protected]<br

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 2 IoCs
  • Chaos family
    chaos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    defense_evasion
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 49 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe
    "C:\Users\Admin\AppData\Local\Temp\6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:6128
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3528
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:6044
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:5116
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2556
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5148
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:1616
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\Restore_Files.html
        3⤵
        • Drops file in Program Files directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3468
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2f0,0x7ffff1d8f208,0x7ffff1d8f214,0x7ffff1d8f220
          4⤵
            PID:1048
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=2324 /prefetch:3
            4⤵
              PID:4940
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2120,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=2116 /prefetch:2
              4⤵
                PID:296
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2616,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=2764 /prefetch:8
                4⤵
                  PID:6044
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3452,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
                  4⤵
                    PID:2296
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
                    4⤵
                      PID:3016
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4832,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:8
                      4⤵
                        PID:2168
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5320,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
                        4⤵
                          PID:2208
                        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5840,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5872 /prefetch:8
                          4⤵
                            PID:5844
                          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5840,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5872 /prefetch:8
                            4⤵
                              PID:4460
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5952,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5960 /prefetch:8
                              4⤵
                                PID:3924
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4292,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5100 /prefetch:8
                                4⤵
                                  PID:1144
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5012,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=3448 /prefetch:8
                                  4⤵
                                    PID:4384
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4916,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:8
                                    4⤵
                                      PID:4892
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5336 /prefetch:8
                                      4⤵
                                        PID:3924
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5248,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:8
                                        4⤵
                                          PID:2904
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5792,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
                                          4⤵
                                            PID:5192
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5436,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8
                                            4⤵
                                              PID:5272
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5788,i,17260796211642296213,4669467052300856617,262144 --variations-seed-version --mojo-platform-channel-handle=5364 /prefetch:8
                                              4⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2168
                                      • C:\Windows\system32\vssvc.exe
                                        C:\Windows\system32\vssvc.exe
                                        1⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5556
                                      • C:\Windows\system32\wbengine.exe
                                        "C:\Windows\system32\wbengine.exe"
                                        1⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5632
                                      • C:\Windows\System32\vdsldr.exe
                                        C:\Windows\System32\vdsldr.exe -Embedding
                                        1⤵
                                          PID:5968
                                        • C:\Windows\System32\vds.exe
                                          C:\Windows\System32\vds.exe
                                          1⤵
                                          • Checks SCSI registry key(s)
                                          PID:3168
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                          1⤵
                                            PID:2368

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Reconnaissance

                                          Resource Development

                                          Initial Access

                                          Execution

                                          Command and Scripting Interpreter

                                          1
                                          T1059

                                          Windows Management Instrumentation

                                          1
                                          T1047

                                          Persistence

                                          Boot or Logon Autostart Execution

                                          1
                                          T1547

                                          Registry Run Keys / Startup Folder

                                          1
                                          T1547.001

                                          Privilege Escalation

                                          Boot or Logon Autostart Execution

                                          1
                                          T1547

                                          Registry Run Keys / Startup Folder

                                          1
                                          T1547.001

                                          Defense Evasion

                                          Direct Volume Access

                                          1
                                          T1006

                                          Indicator Removal

                                          3
                                          T1070

                                          File Deletion

                                          3
                                          T1070.004

                                          Modify Registry

                                          1
                                          T1112

                                          Credential Access

                                          Credentials from Password Stores

                                          1
                                          T1555

                                          Credentials from Web Browsers

                                          1
                                          T1555.003

                                          Unsecured Credentials

                                          1
                                          T1552

                                          Credentials In Files

                                          1
                                          T1552.001

                                          Discovery

                                          Browser Information Discovery

                                          1
                                          T1217

                                          Peripheral Device Discovery

                                          1
                                          T1120

                                          Query Registry

                                          5
                                          T1012

                                          System Information Discovery

                                          5
                                          T1082

                                          Lateral Movement

                                          Collection

                                          Data from Local System

                                          1
                                          T1005

                                          Command and Control

                                          Exfiltration

                                          Impact

                                          Inhibit System Recovery

                                          4
                                          T1490

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Program Files\chrome_Unpacker_BeginUnzipping3468_319905990\manifest.json
                                            Filesize

                                            119B

                                            MD5

                                            f3eb631411fea6b5f0f0d369e1236cb3

                                            SHA1

                                            8366d7cddf1c1ab8ba541e884475697e7028b4e0

                                            SHA256

                                            ebbc79d0fccf58eeaeee58e3acbd3b327c06b5b62fc83ef0128804b00a7025d0

                                            SHA512

                                            4830e03d643b0474726ef93ad379814f4b54471e882c1aec5be17a0147f04cfbe031f8d74960a80be6b6491d3427eca3f06bc88cc06740c2ad4eb08e4d3e4338

                                            Download Submit

                                          • C:\Program Files\chrome_Unpacker_BeginUnzipping3468_364876610\LICENSE
                                            Filesize

                                            1KB

                                            MD5

                                            ee002cb9e51bb8dfa89640a406a1090a

                                            SHA1

                                            49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

                                            SHA256

                                            3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

                                            SHA512

                                            d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

                                            Download Submit

                                          • C:\Program Files\chrome_Unpacker_BeginUnzipping3468_364876610\manifest.json
                                            Filesize

                                            85B

                                            MD5

                                            c3419069a1c30140b77045aba38f12cf

                                            SHA1

                                            11920f0c1e55cadc7d2893d1eebb268b3459762a

                                            SHA256

                                            db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

                                            SHA512

                                            c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

                                            Download Submit

                                          • C:\Program Files\chrome_Unpacker_BeginUnzipping3468_537740062\manifest.json
                                            Filesize

                                            79B

                                            MD5

                                            7f4b594a35d631af0e37fea02df71e72

                                            SHA1

                                            f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

                                            SHA256

                                            530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

                                            SHA512

                                            bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

                                            Download Submit

                                          • C:\Users\Admin\2012_x64_0_vcRuntimeMinimum_x64.log
                                            Filesize

                                            1B

                                            MD5

                                            d1457b72c3fb323a2671125aef3eab5d

                                            SHA1

                                            5bab61eb53176449e25c2c82f172b82cb13ffb9d

                                            SHA256

                                            8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

                                            SHA512

                                            ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b.exe.log
                                            Filesize

                                            1KB

                                            MD5

                                            baf55b95da4a601229647f25dad12878

                                            SHA1

                                            abc16954ebfd213733c4493fc1910164d825cac8

                                            SHA256

                                            ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                            SHA512

                                            24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3c0a1516-2534-4309-9d97-885887fa0d1a.tmp
                                            Filesize

                                            49KB

                                            MD5

                                            3b7221e0fccf1eb435d7b352dd067ca3

                                            SHA1

                                            b1bb5cd97bb57a02a6e5495630518f6696f57923

                                            SHA256

                                            a8eb2fed51223e1b71e47f54f4838658ed6341e63a62ecf117a6c4df05c25a7f

                                            SHA512

                                            de0a86c844fed1e65ea90465d3594e4c61906a76c0e119360fa9e75cde61926ad91ee85a9fd7f0b086a474812b1932aea0a5e1bbe695135126fb0fb706c3e2ef

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.14\autofill_bypass_cache_forms.json
                                            Filesize

                                            175B

                                            MD5

                                            8060c129d08468ed3f3f3d09f13540ce

                                            SHA1

                                            f979419a76d5abfc89007d91f35412420aeae611

                                            SHA256

                                            b32bfdb89e35959aaf3e61ae58d0be1da94a12b6667e281c9567295efdd92f92

                                            SHA512

                                            99d0d9c816a680d7c0a28845aab7e8f33084688b1f3be4845f9cca596384b7a0811b9586c86ba9152de54cafcdea5871a6febbee1d5b3df6c778cdcb66f42cfa

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.14\edge_autofill_global_block_list.json
                                            Filesize

                                            4KB

                                            MD5

                                            afb6f8315b244d03b262d28e1c5f6fae

                                            SHA1

                                            a92aaff896f4c07bdea5c5d0ab6fdb035e9ec71e

                                            SHA256

                                            a3bcb682dd63c048cd9ca88c49100333651b4f50de43b60ec681de5f8208d742

                                            SHA512

                                            d80e232da16f94a93cfe95339f0db4ff4f385e0aa2ba9cbd454e43666a915f8e730b615085b45cc7c029aa45803e5aca61b86e63dac0cf5f1128beed431f9df0

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.1.14\v1FieldTypes.json
                                            Filesize

                                            509KB

                                            MD5

                                            630f694f05bdfb788a9731d59b7a5bfe

                                            SHA1

                                            689c0e95aaefcbaca002f4e60c51c3610d100b67

                                            SHA256

                                            ad6fdee06aa37e3af6034af935f74b58c1933752478026ceeccf47dc506c8779

                                            SHA512

                                            6ee64baab1af4551851dcef549b49ec1442aa0b67d2149ac9338dc1fe0082ee24f4611fcc76d6b8abeb828ad957a9fa847cbc9c98cdf42dd410d046686b3769b

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                            Filesize

                                            280B

                                            MD5

                                            60d40d2b37759323c10800b75df359b8

                                            SHA1

                                            f5890e7d8fc1976fe036fea293832d2e9968c05c

                                            SHA256

                                            c3a2f26d5aef8b5ed1d23b59ed6fce952b48194bed69e108a48f78aec72126e0

                                            SHA512

                                            0c339563594cc9f930a64903281589886308d4412ee267e976520a58d86b2c339d7b2320e1b3fd6fbf81f092ff1735f0710c669af2986ea5b63d2c1e0a6df902

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
                                            Filesize

                                            2B

                                            MD5

                                            99914b932bd37a50b983c5e7c90ae93b

                                            SHA1

                                            bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                            SHA256

                                            44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                            SHA512

                                            27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
                                            Filesize

                                            107KB

                                            MD5

                                            40e2018187b61af5be8caf035fb72882

                                            SHA1

                                            72a0b7bcb454b6b727bf90da35879b3e9a70621e

                                            SHA256

                                            b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

                                            SHA512

                                            a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
                                            Filesize

                                            2KB

                                            MD5

                                            03ad8cb7a15e97775e5ecd03c3a8ba06

                                            SHA1

                                            6d52081bc51c11cfdeffb2eaaffabb32b2f1d3e6

                                            SHA256

                                            99c471e4ffba9ca0eaabb912841b616a85ac7289150dd5962c505796fbc8d728

                                            SHA512

                                            fd9f4d4ff9ac36f7b86a3c462fc161969f299739d198a2f293a55eb79b3f0d5499594495e2914b2262423f53a96362e352b473663ceef4cc0e64b8b4a0049633

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
                                            Filesize

                                            2B

                                            MD5

                                            d751713988987e9331980363e24189ce

                                            SHA1

                                            97d170e1550eee4afc0af065b78cda302a97674c

                                            SHA256

                                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                            SHA512

                                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
                                            Filesize

                                            40B

                                            MD5

                                            20d4b8fa017a12a108c87f540836e250

                                            SHA1

                                            1ac617fac131262b6d3ce1f52f5907e31d5f6f00

                                            SHA256

                                            6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

                                            SHA512

                                            507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            17KB

                                            MD5

                                            dc7febe5c8a264af178a60751abb0f44

                                            SHA1

                                            5bf876ac7fff0cbe403f20eaa4afd7148ef17ec0

                                            SHA256

                                            dce916343c84f56fcf3aef1343fbf9dd466cf9d78de8832c53f2df3c621eda62

                                            SHA512

                                            14afbbd1d9162dd8edc0a8ebc13794fa5caccedd83e84a3878d51f1fbc178bab8608de10b605af81c140059c57b1cd554f1690523d80bc5ad6b2771024ce918d

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                            Filesize

                                            17KB

                                            MD5

                                            0a3ee7b3f91056bed5083b85f3ff1164

                                            SHA1

                                            0a2be1410664637910b5ac5f8165efc4926956af

                                            SHA256

                                            059caba9ccb1a85d0026cf88becbcd6c4ee9ae72994367ff87c9f7293e096bfe

                                            SHA512

                                            c04c958ec26d89c1ae59ce8ca0156c147150974dd8d9d5acee315451bb43af3b97f6c054e8d1209550ea105fcf4641e3d612b3829e9e9e97841cbf5b517e440a

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                                            Filesize

                                            36KB

                                            MD5

                                            595728c30535605609e87a1a035d9673

                                            SHA1

                                            f0da06ea4f7164c705869daf98e0d9d10b363c9c

                                            SHA256

                                            c46be44fb77ed2a0dba3cd9c8d945f06c8d6f2599ca91359968790edbc24d0a6

                                            SHA512

                                            44d654da94c18172216b8669a9d85bcc6cc4a60e28af70caf6bec457bf01ae43afc8c39d4ce4143d65ec3556cc5f374ddd5bcc37d3f3826a441d8f49e995c97f

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
                                            Filesize

                                            22KB

                                            MD5

                                            1093d973fdc6800ef80e4256966c7d6c

                                            SHA1

                                            85d4da7bae88b91e7dfee0e097b4b19de79102fa

                                            SHA256

                                            b965cf7b4de4f38361dbf3c306fbe2da7f68c5a5675da4d47a2ede2c44de9180

                                            SHA512

                                            191d82f58e17944c161cc92c45c9cc803674b74b2d3c974ae452dcd33a1d700c7594ff4be2acbe2844509ed798a12a13858e235a6d85e3f85a40eb359fda34f2

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
                                            Filesize

                                            467B

                                            MD5

                                            1e4d766f2ba8adc39eda4c9d03a79854

                                            SHA1

                                            e6d9892716dbbd20d94698a8113f34b081a42b31

                                            SHA256

                                            79668643a84bc9e8bdffeba335bd324caf5dea83f71983ef6608b4bc28c200d2

                                            SHA512

                                            9528e9b496f1d0d30ac36fd68f7a90365c1baffb952ec4da80e280f4c841cec1aa91abea3b6bcd51354f70e45336b975252deb20c4c901d20d8448086e3c0f60

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
                                            Filesize

                                            23KB

                                            MD5

                                            7eccc3063792eb9a2e79e2f0c4ae38ce

                                            SHA1

                                            106770b9e2086de66e51d13c240e55e02c57f226

                                            SHA256

                                            306b70e6aecfd7c8f4415b9041cebff85b59b30bf587ec20919413aea1452d74

                                            SHA512

                                            deec4de00429ae3f65392371f067629ce4d14e915ccd69a6be2ebeaf1d334074aff6c392f71a9113bc1de7c618cf1e8f24a9fe899d9de5a3b3ec7d12f091fa52

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
                                            Filesize

                                            900B

                                            MD5

                                            b315a907884620e99edb95e858c8944c

                                            SHA1

                                            c29d2688c26c5fed7c5b0d36dcf7cc7e77ff3b47

                                            SHA256

                                            6820645ad965ef32975e49df2389c1278de06fdf3dae538e38c1e439bf165309

                                            SHA512

                                            e5ba558dd4c5a53b1cbbd346074c73a327e0eb0872838073ea8477e2d8b36a20399af9e708c93e3b67bd521d5b9edd7230d1af21ce4cf3fe5102caa8636402c2

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig
                                            Filesize

                                            19KB

                                            MD5

                                            41c1930548d8b99ff1dbb64ba7fecb3d

                                            SHA1

                                            d8acfeaf7c74e2b289be37687f886f50c01d4f2f

                                            SHA256

                                            16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

                                            SHA512

                                            a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            40KB

                                            MD5

                                            c349efb29990db4657d4f6cf851cc23e

                                            SHA1

                                            510a55334d2fa998296c246fecee7d83dce6631b

                                            SHA256

                                            d723a163327b2f9519bc6c2c761426bd8ffa4de219e8eab5b971f1cce1dcf21b

                                            SHA512

                                            2d1a91bc42ec363a625ad909390b582fe6eb8d800844c1a9da38ba123650ebcb5afe46dd7234cd6f49eaecca4203b6b5ecf9e50ba5295a3d66c06d6ec1950d40

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                            Filesize

                                            40KB

                                            MD5

                                            701b6327ba9f6fb2deb97c2567e14acb

                                            SHA1

                                            e8abcaf14ee484200627d2911e0b9503835b7b6a

                                            SHA256

                                            de6279cac1067fd4412f4f8b066052c1a44bbf23ff32488ece0b611f6283f12f

                                            SHA512

                                            962b919f103156654bdd286152c466d16749a50e12d0a73b788c8b1f4d42ab137313f767d598684736de2d3d3b7536349c4484878f376d54ac4975e004381e8b

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json
                                            Filesize

                                            6KB

                                            MD5

                                            bef4f9f856321c6dccb47a61f605e823

                                            SHA1

                                            8e60af5b17ed70db0505d7e1647a8bc9f7612939

                                            SHA256

                                            fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

                                            SHA512

                                            bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
                                            Filesize

                                            2KB

                                            MD5

                                            4ab5a502dbe0f58e28c412f691488914

                                            SHA1

                                            62e1b04568be9fad94ff179b7067c16a7c6c19c3

                                            SHA256

                                            926d94f2c2fcc8d5fd2fc415189feb71e5296c80074c0d294dfbb3bff131e0a0

                                            SHA512

                                            25c3c763e2eece60548f78ebb48ef98f71e71314e8db7b51b2eb362a9ddd68fa54c48985f684a89eb3130f7df185fad631b092bb50c102a3d104b92e98746785

                                            Download Submit

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk..hacked
                                            Filesize

                                            768B

                                            MD5

                                            2867471ffca3b76bcb68b3c7e245c97b

                                            SHA1

                                            f9df17a60fda4777fc31973f04e7fcff30a416b5

                                            SHA256

                                            9302791f893fdf554db15b1b2e0a6d1e70927311cc51b0006f43c01b35f2ccba

                                            SHA512

                                            34d0f036fa79d73b830a4098b3999179091f2fe73db284e3cd56167d3f6e25d0fb95461f907ca985a2600b067b15a849ca4a5883462a47339fc14fc1fb3fe16e

                                            Download Submit

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk..hacked
                                            Filesize

                                            1KB

                                            MD5

                                            d1285be0dea433d442c7ca9a5029cb1f

                                            SHA1

                                            baee8374819da44777d652e2f9b4371381c76840

                                            SHA256

                                            42e6700d24971409948282b5bd99b18e40ae2eb34e5e2f88375411bc1fc05ec3

                                            SHA512

                                            0032dfbc3db550500fd7fd35b075115fc320ac6dfcd03d4bfbfe2a6164832979f91d35c97a9d7b78770724cbaa4e77e67d1714244cd0bf8b44dc4c342ac2b956

                                            Download Submit

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk..hacked
                                            Filesize

                                            2KB

                                            MD5

                                            918b2985a3d2ce46e6ae84a671dd975b

                                            SHA1

                                            4d2fc77679bf00bd8f339f4ceef56e6a875e8011

                                            SHA256

                                            b0175996d168ad307a3c5bc9fc21105fa2025048742df7caa8cf76677caf1e0f

                                            SHA512

                                            5e2521bf6d2506b3697e64ff50563d244ecfb2ea469e5138f4308f8c794a32da105f4698149519c97f2ad5360194b9c6dfb7a62a150d2b035e72b47482d96877

                                            Download Submit

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk..hacked
                                            Filesize

                                            2KB

                                            MD5

                                            158ac2a9fd387af066c7b6ec685eeb8e

                                            SHA1

                                            0aa575401c286e6dd6fdc403d17343cf61be8382

                                            SHA256

                                            7fe8975281f5d4b07e15b2496333543e04be3e30dcd184ad8f7edc73cd316fd5

                                            SHA512

                                            48af043efa0e41e49304db1cf5a6af195a27441a62c92930238417149c624de0b9d8df3dec76f5962e187a651c54f0fdb671a70dc5947d7e1dd41f664789d2d7

                                            Download Submit

                                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                                            Filesize

                                            71KB

                                            MD5

                                            8f033c07f57f8ce2e62e3a327f423d55

                                            SHA1

                                            57ac411652d7b1d9accaa8a1af5f4b6a45ef7448

                                            SHA256

                                            6bda9faf719bb7a55e822667d909086193d323d8fa06b1a3d62437fcf6a9e24b

                                            SHA512

                                            f3712e7d5d55b27a4c20de07cce136e6d58ce62fa146d29b34dece6248e4456139703c50df10cb318346311cfeee0a8449d49163e821744efcde3ecfe8b880df

                                            Download Submit

                                          • C:\Users\Admin\Desktop\ApproveImport.ppt..hacked
                                            Filesize

                                            512KB

                                            MD5

                                            265ab916898155b1949d9b877e76a631

                                            SHA1

                                            9f396bbf1b12d78cef26e811ee9c1bd92d837065

                                            SHA256

                                            65304a391f9123141521b5a43c9a92370230a568e7c67c66e0363779dcfb6409

                                            SHA512

                                            8db348e71a2898efe2b2c4a4c1d19c9da507756f02f05a5f6bc6129e67b499241925443ce80b34552a2590732ed2110751a8440af4b815022bd8019d881086f4

                                            Download Submit

                                          • C:\Users\Admin\Desktop\ConfirmConvertFrom.jpg..hacked
                                            Filesize

                                            532KB

                                            MD5

                                            21666cf19e0b2608b84afa9401e23d97

                                            SHA1

                                            ee52d3625de73ee5414d6041434fb0bf86e9e137

                                            SHA256

                                            4f5fdfe75008a0c799e9a66f13f2fa3b2a17000244a64d0b01a99095c82419d6

                                            SHA512

                                            26261d7f6097d16560c2a642f56b49dfe46c513e1105f0df23b376333f7bd5e8c452297a4849c4da24b1f8fbf364e8928ca0c2e51e835366d881415ffc6787f4

                                            Download Submit

                                          • C:\Users\Admin\Desktop\EnterSend.xls..hacked
                                            Filesize

                                            369KB

                                            MD5

                                            7bdb18f91c72cf0344bc3c33b9b99662

                                            SHA1

                                            5f4348434873eaaee05049faf038b2fa6075026d

                                            SHA256

                                            0021b9123047743b564d725e322dfb46fcbdbb744e7bc952564ce4632f2ae685

                                            SHA512

                                            a42b4e6bba1f641e618f4560b9ab89782c54ab8798ba5a4c03a2b9ed856824d5be8d3cc098f781fca335e6082f7da0abeac837887f83d2743e0da62033858f5f

                                            Download Submit

                                          • C:\Users\Admin\Desktop\InitializeUnregister.mhtml..hacked
                                            Filesize

                                            491KB

                                            MD5

                                            5b8b76c86059a492a6e0d260d79058db

                                            SHA1

                                            b3384782b48990d4e9cb81825960bd043b96edd3

                                            SHA256

                                            4bc90b9e53e6bfa3245d04f83efbd51136d6ae977a6d72f9630145d06da2b4dd

                                            SHA512

                                            88722b3462285905a5a466fe67adbd370ba5e08eb013564a54174d6fc87e1eaebfde7dac3e3de93104c104de2ae10dc59d0fa610a2aebfc5cc6935f4a91a6c16

                                            Download Submit

                                          • C:\Users\Admin\Desktop\InstallExit.txt..hacked
                                            Filesize

                                            307KB

                                            MD5

                                            7ddc8f8b5b04d6fafd405545f8466070

                                            SHA1

                                            5bfc73d50a72916193b3ff51cee5ffc2cfc44014

                                            SHA256

                                            bffc6e41062e752deda408f88c1f58130e0ac1493e47cdd4a770374bf05aa111

                                            SHA512

                                            a2f62cd5e8cdde185a38779b9ed3ca90126d83930de401a0e267830f7586275ff77d749351848335053c82b9bfc31d17d478a5212281126649b3346d2bb4deda

                                            Download Submit

                                          • C:\Users\Admin\Desktop\MergeRevoke.xlsx..hacked
                                            Filesize

                                            9KB

                                            MD5

                                            8369cbafa633f5fe93ea58de41363547

                                            SHA1

                                            4213a6febe4f1cc52ebf247763cf6491f1754208

                                            SHA256

                                            aeac5b063a7b680bd24f0305d0b96372798295b89a47d63b20633c0245ed7421

                                            SHA512

                                            ad8d5e34b80b0d2824d18b94d370189d9b04dcb92c203e9a5195ec3f5193630bba0cda64bc716d7968835c4c6499938e968f83c147747454ee4ace14ec676d95

                                            Download Submit

                                          • C:\Users\Admin\Desktop\SendRevoke.wma..hacked
                                            Filesize

                                            348KB

                                            MD5

                                            b1f6677632b311dcf58acac9b4d14a5c

                                            SHA1

                                            48a787c16a5975e093a6f03d34864c8c5c2c875f

                                            SHA256

                                            9ff6a20c321850f4940e6731b175ba85c2a270d780be0651a228bfc11487a9cd

                                            SHA512

                                            2459f76f48ecefa5bb2fbdda69dd756e68e7300f6b72d24ea77b977ae7c7d9ecd29fde8cf304195aefaccbfa2834a30df1f1f6d6518f75e23a16a03a98dbf7d5

                                            Download Submit

                                          • C:\Users\Admin\Desktop\UnblockAdd.docx..hacked
                                            Filesize

                                            18KB

                                            MD5

                                            96165221e43a38fccc966698f3f62262

                                            SHA1

                                            9dc89b62677b7e586c132364ff0914673cf5b303

                                            SHA256

                                            3d859cdc8e532b5754815132ed7a8d00b7a911ca375b22523c1d66dec62ca206

                                            SHA512

                                            94ba93dce9b1769879f4176c017405d9b34b004807ab1b6dd50937a38893f95337fe6c038612e61636001a94012d170d2ddaafb22061cc515f4ce36f564a1b2e

                                            Download Submit

                                          • C:\Users\Admin\Desktop\UndoSkip.mhtml..hacked
                                            Filesize

                                            389KB

                                            MD5

                                            c3fc4167f813a7456633daffc6ef27d3

                                            SHA1

                                            27eeaaef44c37e7db5a41b3403e649f1b0432c20

                                            SHA256

                                            096fe8f1f3cc431e07e3bfbbd92707c9e52994db362d70bf8996148642a4c725

                                            SHA512

                                            2457253915fa2529292b61a93b22173db33508fd50bbeb94a4c799cd4e16adadb9c5cc9dd09ddfcbb65c52a62521c5237ecf3f9b45a55370619150a69722e95a

                                            Download Submit

                                          • C:\Users\Admin\Desktop\UndoUnpublish.bin..hacked
                                            Filesize

                                            573KB

                                            MD5

                                            d096a7df3d8fbb37158cf94143f755c4

                                            SHA1

                                            fe40cf54d594579059b9e68eedd0aefdfd1ab035

                                            SHA256

                                            ef6775c28a1db284352c18d5e98e3eb6289cf6afdfb3fc40ef2c52da68b313c7

                                            SHA512

                                            a272a2820e29f951a92e8a75450d3b21753cd4a4f0383c5c56c7426c90898cd0aa01515d26d5b08c4ef3c481a4805e6cc548f53192428f66f4d818fe483a5c31

                                            Download Submit

                                          • C:\Users\Admin\Restore_Files.html
                                            Filesize

                                            3KB

                                            MD5

                                            cf0cc6e9f7b71141a348d2f8a9cc800f

                                            SHA1

                                            bd198c4263359f42901ee30c3c24fc0ee8b2bd9e

                                            SHA256

                                            5a78197d3cd89269832678d0a59244b21fb0d6a8a87c2a080f68975e9c2febb9

                                            SHA512

                                            4dd5ff23ba3401ffc050e34dd83f37aeef6e4e24ff29809309ddd40ffce4b4b9cab2764f53dbf843c4cf870e37590ece34c98d7bce9f50b193f632a3b1db38de

                                            Download Submit

                                          • C:\Users\Public\Desktop\Acrobat Reader DC.lnk..hacked
                                            Filesize

                                            2KB

                                            MD5

                                            c60970541b8547548ef57d51beef0ce6

                                            SHA1

                                            01062aa833a82fa4c85e9ca947094c25ca797cde

                                            SHA256

                                            ad6b7276ca037c49d28f5f8462c4bf970d47683dbcbf335f514aadb6dfdc0ab8

                                            SHA512

                                            b95209030297e295284a6154da42030b1aa356edb19f020b78bf85fa259012bf455e141f82e98654a83efb507a4a7d7af000fc5e82eecab08b55517d758bde8b

                                            Download Submit

                                          • C:\Users\Public\Desktop\Firefox.lnk..hacked
                                            Filesize

                                            1KB

                                            MD5

                                            84b4f2955c53803c2272b9433db398d5

                                            SHA1

                                            08558460f61d27144e3d4f16fa1c886cd75d2b57

                                            SHA256

                                            86baab6a12bee4f8b3f4a78ab8e7d1b19afd0492270583b46eaf37616d48a9e6

                                            SHA512

                                            95b868f9399b7481f222eecc30aa0187ebd653197997e8dfeb88307c8456efe3cc3640017e98ee82d626afd4eb8df8f11373d4e7795f2136b46b565793a5babe

                                            Download Submit

                                          • C:\Users\Public\Desktop\Google Chrome.lnk..hacked
                                            Filesize

                                            2KB

                                            MD5

                                            7f41dd963bad0c7837ac0de57a45bcc3

                                            SHA1

                                            c3ec0bfc00fc84c9881ba60e052639ed388ad29e

                                            SHA256

                                            64dbfb4b74641efcba7d2c497b6aabb63ac845fe78765d2e9c24e183b4a320a0

                                            SHA512

                                            5ffa716ec4ca0f9087ff9021a249a8ad496ec5eff5eaa9b0a39480a743f9d6ba3a5dd355e657ea0e51cddd82b90fbc4d40c420e8587ff0da328ac257e099d273

                                            Download Submit

                                          • C:\Users\Public\Desktop\Microsoft Edge.lnk..hacked
                                            Filesize

                                            2KB

                                            MD5

                                            9aa16f7e32be172c24a1afa34241b56d

                                            SHA1

                                            08b62652dbf67ec70254d137e22f82224386c9db

                                            SHA256

                                            ca8582cb2474be3f5b2d21dc3d93e4f045013f394da318894a7b5c6e4db65744

                                            SHA512

                                            0399e98c1257b8a72c372cad0c44950b0fdb27edbc0e495cf4fc65a86438d72a6e29c5db7e705d801243f583e5bb009c13dc4d250bbcbf0876cfe8baff44e565

                                            Download Submit

                                          • C:\Users\Public\Desktop\VLC media player.lnk..hacked
                                            Filesize

                                            1KB

                                            MD5

                                            d2455b0aee88eff77430b7d4e3c19562

                                            SHA1

                                            cebb6676c59d1e9bb5a9e1ca0309ea3c40f525f3

                                            SHA256

                                            9e96a76999f400f0f39ff00dc61e27888a7328b63709810bb3f31774223d3874

                                            SHA512

                                            f713d493b8527b3e10fb7dbc55c52d508cb232ccf344bdb87b985c7f3419fa5fe9d778857929a7f3ee50734515253d8e95d6efaf60364e137d737271256cecca

                                            Download Submit

                                          • memory/4860-1477-0x00007FFFF8A30000-0x00007FFFF94F1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/4860-18-0x00007FFFF8A30000-0x00007FFFF94F1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/6128-0-0x00007FFFF8A33000-0x00007FFFF8A35000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/6128-17-0x00007FFFF8A30000-0x00007FFFF94F1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/6128-4-0x00007FFFF8A30000-0x00007FFFF94F1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/6128-3-0x00007FFFF8A33000-0x00007FFFF8A35000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/6128-2-0x00007FFFF8A30000-0x00007FFFF94F1000-memory.dmp

                                            Filesize

                                            10.8MB

                                            Download

                                          • memory/6128-1-0x0000000000F20000-0x0000000000F38000-memory.dmp

                                            Filesize

                                            96KB

                                            Download