Resubmissions

25/03/2025, 21:10

250325-zz6gfswm14 10

25/03/2025, 18:04

250325-wntrqszwgs 10

Analysis

  • max time kernel
    934s
  • max time network
    654s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2025, 21:10

General

  • Target

    3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe

  • Size

    421KB

  • MD5

    2b825ea77e240d2ab6b6695a602cb07c

  • SHA1

    ae6eb3cce06f666934e03dd46269526e56aff3b1

  • SHA256

    3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f

  • SHA512

    f2029aec439f4727e96436390027e100df521cd6557797a17d50f82335487b2a91ddc04dbd18fb8df96b3deea776ecf429321a55401b7739b1b4979b58db7e39

  • SSDEEP

    6144:/u+2b7RNhPmrpQRF/2lfhOJoe7NzgMFgTkoQj6RgLaDMT:nGyRe7STng6KaD

Malware Config

Signatures

  • Detect Rhysida ransomware 3 IoCs
  • Rhysida

    Rhysida is a ransomware family written in C++ and first discovered in 2023.

  • Rhysida family
  • Renames multiple (2619) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials among other data.

  • Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

    Windows that an application would normally display while carrying out an operation can be hidden.

  • Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

    Clears artifacts associated with previously established persistence, such as scheduled tasks, on a host.

  • Drops file in System32 directory 11 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 21 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe
    "C:\Users\Admin\AppData\Local\Temp\3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:4036
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5416
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4264
        • C:\Windows\system32\reg.exe
          reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
          4⤵
          PID:4936
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Windows\system32\reg.exe
          reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
          4⤵
          PID:964
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5796
        • C:\Windows\system32\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
          4⤵
          PID:1536
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5904
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
          4⤵
          PID:3848
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:436
        • C:\Windows\system32\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
          4⤵
          • Sets desktop wallpaper using registry
          PID:3968
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5712
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:332
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
          4⤵
          PID:5332
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3240
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5564
        • C:\Windows\system32\reg.exe
          reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
          4⤵
          PID:5980
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
      2⤵
      PID:5004
      • C:\Windows\system32\cmd.exe
        cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\Windows\system32\reg.exe
          reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
          4⤵
          PID:3160
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:6084
      • C:\Windows\system32\rundll32.exe
        rundll32.exe user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:6124
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
      2⤵
      • Hide Artifacts: Hidden Window
      • Indicator Removal: Clear Persistence
      • Suspicious use of WriteProcessMemory
      PID:5504
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
        3⤵
        • Hide Artifacts: Hidden Window
        • Indicator Removal: Clear Persistence
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Windows\system32\schtasks.exe
            "C:\Windows\system32\schtasks.exe" /delete /tn Rhsd /f
            5⤵
            PID:3960
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\AppData\Local\Temp\3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe"
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start ping 127.0.0.1 -n 2
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:704
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5336
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4708
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Public\bg.jpg" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:3600
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
    1⤵
    • Drops file in System32 directory
    PID:4004
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2388
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1792
    • C:\Windows\system32\dashost.exe
      dashost.exe {81a0eebd-4962-4167-bd617a72906e4ba5}
      2⤵
      PID:3208
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Public\bg.jpg"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:2860
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2252
  • C:\Windows\system32\mspaint.exe
    "C:\Windows\system32\mspaint.exe" "C:\Users\Public\bg.jpg" /ForceBootstrapPaint3D
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:6032
  • C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
    "C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4364
  • C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe"
    1⤵
    PID:5504
  • C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe"
    1⤵
    PID:4796
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    PID:3184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe
      2⤵
      PID:1240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe -v
      2⤵
      PID:6020
    • C:\Windows\system32\schtasks.exe
      schtasks.exe
      2⤵
      PID:4596
    • C:\Windows\system32\schtasks.exe
      schtasks.exe
      2⤵
      PID:5620
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /?
      2⤵
      PID:1124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /Query USO_UxBroker
      2⤵
      PID:3148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /Query
      2⤵
      PID:5504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /Query /tn USO_UxBroker
      2⤵
      PID:3636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /Query /tn:USO_UxBroker
      2⤵
      PID:5396

Network

MITRE ATT&CK Enterprise v15

Downloads

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

                                                    Filesize

                                                    2B

                                                    MD5

                                                    d751713988987e9331980363e24189ce

                                                    SHA1

                                                    97d170e1550eee4afc0af065b78cda302a97674c

                                                    SHA256

                                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                    SHA512

                                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

                                                    Filesize

                                                    477B

                                                    MD5

                                                    2dec61ac28917a14a7be42d9dae2e3cf

                                                    SHA1

                                                    dc77df0be664ae82de2ba67d0c6d039958a9bbb0

                                                    SHA256

                                                    18a2a0afea6475d9b833cb0abda2a0ccc32bffff98bee5d16023dfc87b3b7a0a

                                                    SHA512

                                                    61bd09e183f351cf1456c39d164c2f2060587b59d90067affa4370b650a2ca495fb960e8356cf416972b289fb34c84424060f8b14d0c2b8591f19a5b28035f1b

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

                                                    Filesize

                                                    237B

                                                    MD5

                                                    31bac31cc716047e56e4e6f505ae75b4

                                                    SHA1

                                                    a4d96eaf3863b752bfd30254818acc0f11d11c48

                                                    SHA256

                                                    5cad81f62481defe14b7af068fc59b83157c2417efc1eb33e5b4b60fc461c6cf

                                                    SHA512

                                                    e01e01c1453a4c049ab192ba68f6be0b12da6f1b868559b3cba2f8c178dc40db1b911a077c2f6fa25584053e16f009ca26a0901084598467e53504004701249e

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

                                                    Filesize

                                                    242B

                                                    MD5

                                                    770fe3a45b643c068f120b0a2b7b1254

                                                    SHA1

                                                    f68244768f39e5727d972abaf34dadd524b10116

                                                    SHA256

                                                    6048c6a46ed66699b0c667efac5c7db7f7b6fd564c0690c0e5049b379c7e64b5

                                                    SHA512

                                                    6d7f0aa584912f3a35d4e61e3198b3f56d2256a4b4ac7e7adced8f1e860deff95ae754243aeab452798c6a297c18be138651a93c0a0fa8464b4981cc1e00337e

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json

                                                    Filesize

                                                    236B

                                                    MD5

                                                    0cb5fb354a2165c3d5fb19b7cd46b3b5

                                                    SHA1

                                                    ba4a249dbe131f71ff28cfd2d701c186fe6c585a

                                                    SHA256

                                                    630f98a1c1bb985aae5b7acac5afad9c699670d8567cf2a208cddaef480a4581

                                                    SHA512

                                                    320b10e61ae44c47cbea135c28ce528f75af2396f71410be4400ba0a72135784512b9589efc4ed4ff5f3626e877ea7e6fee7103a97948adae099f79544644b5d

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json.~tmp

                                                    Filesize

                                                    236B

                                                    MD5

                                                    63254b896498552b33143561333d44b8

                                                    SHA1

                                                    672124df322836ef37eeca12344ed2a46202ad25

                                                    SHA256

                                                    35f3dcb98c24f82cd95ed0f35a79e4370d896bb00203008be7efa7862230de47

                                                    SHA512

                                                    0283a1f2251c64ed0c1e182e43ac734518ecc9d4b6432fd0b022901a3c8e0a8f97e2e5ec84c6f7f6f0a635ecfe6f5fe7dc7723a4f2308c93bb87c05daada81ef

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_24.bin

                                                    Filesize

                                                    909B

                                                    MD5

                                                    a7cb3b83789dd3f8376215f2b023b037

                                                    SHA1

                                                    2a3ca5e8655258931bef48c3cc21d319231d8954

                                                    SHA256

                                                    48f278bbed6221e2634b7685f5dab22aa2c6e6898fe5e2515006a0ff811935b0

                                                    SHA512

                                                    0f67aacdf16af179325dc30e7d9a4c45c14deb7db7f7b1a1bec65b314f15d40a5e2d15e8f428a9809a54981bf40379214a0b80375235edb2978242220e8923d9

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_38.bin

                                                    Filesize

                                                    309B

                                                    MD5

                                                    f00d3706bde8b94af1bfdc227e8906df

                                                    SHA1

                                                    38533839a055a614b2fd5d4f38c1d1e01126e06a

                                                    SHA256

                                                    0404504fc8e3c8af4eeb793a318457a26fbce47013cf1a0b7221f9ec24f78ad7

                                                    SHA512

                                                    6907c4a737e4d9e0fe248710bf6f7e7fbbd70dc66a4b777a6f906e09f10bb1e45bbfb50a0475a8a00ce3c1ee4b6b233e5b4432dabe0272650a429203af5556dc

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\WorkingFolder\Canvas_7.bin

                                                    Filesize

                                                    749B

                                                    MD5

                                                    2006f6b557549bc080e9f1362788b030

                                                    SHA1

                                                    90165c0d5c9ed4eccd3400040f4a50770fecb745

                                                    SHA256

                                                    56e966444fe175cf8ebf75069bd5a45a355dcbc50d96317b97e17c33cf072f8d

                                                    SHA512

                                                    02a906ae0f1eedb158f1099bb6809eed57e8943d1e4043b99c25fef68e5696ff0aea150202b22f7d02a76847bce437bb15852992362514892b1964dc1984fb8f

                                                  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json

                                                    Filesize

                                                    2KB

                                                    MD5

                                                    f4e4a03ebd0ab3a953c56a300d61d223

                                                    SHA1

                                                    97a9acf22c3bdd6989d7c120c21077c4d5a9a80e

                                                    SHA256

                                                    52bfb22aa2d7b0ce083d312fb8fa8dcda3063207186f99fc259aebd9064cbedc

                                                    SHA512

                                                    12aa71eea45720a4d7d057da0b662635671e4cd165ad2e0d30a3d2a43950b47dd60c26c1bbbe049418f815850e571b8d93e4c8b8cbbd686abc3cf7926ba719c2

                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vsijf2rt.zlo.ps1

                                                    Filesize

                                                    60B

                                                    MD5

                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                    SHA1

                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                    SHA256

SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\CriticalBreachDetected.pdf
  Filesize: 35KB
  MD5: 38c9c6953f1fcb83b1e6e04825f3b4db
  SHA1: 5af8caf42b0ab98349c5806f5b22d4402a343de7
  SHA256: dfd0bd7b4e4f84287ab4b19bb77d5308eb29e12e8724f04cb8c2fc6d4fb66d62
  SHA512: 6ba08b5ff206a5bb53c60e62dac872e6473aa419ffed5c09c1cdbb18f1dde7b2ec268df8abc3080fe484a4f0a32d8fec922f65e959f0dbd91fb8a4272e492ed1

• C:\Users\Public\bg.jpg
  Filesize: 385KB
  MD5: f7532cd65e297463c9321eff8d3118cd
  SHA1: f191a4bad27882731287ced00d8f80734c6b765e
  SHA256: b39b52c14265b5ecd00df61341bbb3b1248d716a230d2f9d5bfcf0529b675074
  SHA512: f888124e7e900e6fcf3bace46e835d4d9c9d7ead742019661b38e59e27479e2cd45f8f1acf42178913387aef20e15e07d31209cf1da6775b3e8693bb73ccb3fa

• C:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk
  Filesize: 8KB
  MD5: 6bdaa6313d98c6692ba2c37976a3ccf9
  SHA1: 475389123a2656eb5a7ebbb79ae5f1316f9f16e3
  SHA256: 40728add632707ff8363750150cd9e79aacd492c20d3487a23e27d8c970d768a
  SHA512: 554cac16cd58944aa8c0e9fed3e420d5f9c012cd0f14dfd1f96617cdd4246f45cef78e4e7a36772915a3d454ae0c703fa0fc608b2e5be56cdb05998932de1f94

• memory/2744-4792-0x00000255E9900000-0x00000255E9922000-memory.dmp
  Filesize: 136KB

• memory/4004-4798-0x00000134D1160000-0x00000134D1170000-memory.dmp
  Filesize: 64KB

• memory/4004-4809-0x00000134D9DF0000-0x00000134D9DF1000-memory.dmp
  Filesize: 4KB

• memory/4004-4816-0x00000134D9F10000-0x00000134D9F11000-memory.dmp
  Filesize: 4KB

• memory/4004-4813-0x00000134D9E70000-0x00000134D9E71000-memory.dmp
  Filesize: 4KB

• memory/4004-4814-0x00000134D9F00000-0x00000134D9F01000-memory.dmp
  Filesize: 4KB

• memory/4004-4815-0x00000134D9F00000-0x00000134D9F01000-memory.dmp
  Filesize: 4KB

• memory/4004-4811-0x00000134D9E70000-0x00000134D9E71000-memory.dmp
  Filesize: 4KB

• memory/4004-4817-0x00000134D9F10000-0x00000134D9F11000-memory.dmp
  Filesize: 4KB

• memory/4004-4802-0x00000134D11A0000-0x00000134D11B0000-memory.dmp
  Filesize: 64KB

• memory/4004-5021-0x00000134D9F60000-0x00000134D9F61000-memory.dmp
  Filesize: 4KB

• memory/4004-5016-0x00000134D9F70000-0x00000134D9F71000-memory.dmp
  Filesize: 4KB

• memory/4036-4783-0x0000000000400000-0x0000000000478000-memory.dmp
  Filesize: 480KB

• memory/4036-4785-0x0000000000400000-0x0000000000478000-memory.dmp
  Filesize: 480KB

• memory/4036-4782-0x0000000000400000-0x0000000000478000-memory.dmp
  Filesize: 480KB