hakbit | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

11/04/2025, 21:39

Analysis

max time kernel
435s
max time network
441s
platform
windows11-21h2_x64
resource
win11-20250411-en
resource tags

arch:x64arch:x86image:win11-20250411-enlocale:en-usos:windows11-21h2-x64system
submitted
15/04/2025, 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: wfQbqIO9Buru6Oi/OP+4dxutmrNi3FrTNyM5Fa2f12ptT8Ai+3LmJc9Q11sQlLmQ9xQOZ4HnOKem5ySS0e443bNNpbvhRBXaMRkibOujKXVvkmkToJ2UOxC/UqhWKNqKZvt2gLM7v2ymnWmkv4BoT5ERA+PgoFvT0yGm3i0RwsQcaHFbhoK4MDXflEPc24Shoa5GeLzeaqPFmJpeDXPTtcM99BzAU+6sCmF20CnTfPup9JvlkO9K2zMP7yoI3s1rGresioeAar+IN4CnZiR+JqC7Ng1KYmP6zPL0GVBTC4mtfqiu/NR+pCVL+Ip0kDopsmXPw8RoBTFWVIbcWMVdjGGypkmIre2ldFoej+lSLjZMgPfp9dfr+DQf+T27px2H0iuYuZ86fRvU5wyBcKwByFaR7PVcb6lDSA9TdIQTmBT7M1s11ITZDkVkE+Zat/6VSGm1u6lxE+d30AyzpuBamCmYDJ0g1B21iLKEbbIK8g3UwxIJke3Uw8GmobLfQ9z7t4Y8bHDSJzgq4O84vvEYdCizioHV0HY4XfFNdif7Sh6H428UAeIvps+L00jvGx4ivwgcXI2UK9tzKiXBdwQQ00eAqlPd05IVvudGdG5rzzwgdLgYpJ9W+H+ZfEtL7vwORj0aok7RPTU195IiNDNcPAy9aefmBV2l2tCBNKWhVM0= Number of files that were processed is: 439

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3208	sc.exe
6092	sc.exe
3356	sc.exe
3904	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3240	cmd.exe
6948	PING.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
1408	taskkill.exe
2876	taskkill.exe
4336	taskkill.exe
4960	taskkill.exe
4168	taskkill.exe
1116	taskkill.exe
4588	taskkill.exe
464	taskkill.exe
5028	taskkill.exe
2348	taskkill.exe
4980	taskkill.exe
4968	taskkill.exe
1888	taskkill.exe
4328	taskkill.exe
5032	taskkill.exe
4708	taskkill.exe
3568	taskkill.exe
5604	taskkill.exe
1704	taskkill.exe
5052	taskkill.exe
2860	taskkill.exe
5020	taskkill.exe
4736	taskkill.exe
5000	taskkill.exe
4892	taskkill.exe
4236	taskkill.exe
5036	taskkill.exe
4860	taskkill.exe
2128	taskkill.exe
1932	taskkill.exe
1112	taskkill.exe
4348	taskkill.exe
4220	taskkill.exe
1800	taskkill.exe
4976	taskkill.exe
560	taskkill.exe
4952	taskkill.exe
5768	taskkill.exe
764	taskkill.exe
3776	taskkill.exe
5436	taskkill.exe
5980	taskkill.exe
2368	taskkill.exe
5024	taskkill.exe
4376	taskkill.exe
4332	taskkill.exe
712	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15424"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "14457"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7396"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "12443"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14978"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "14011"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13410"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "14457"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7396"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "14903"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "12443"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15870"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2316063146-1984817004-4437738-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1932	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6948	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	5768	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	5980	taskkill.exe
Token: SeDebugPrivilege	3568	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	5604	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	712	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	4976	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	5436	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	5020	taskkill.exe
Token: SeDebugPrivilege	1112	taskkill.exe
Token: SeDebugPrivilege	4236	taskkill.exe
Token: SeDebugPrivilege	464	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3324	SearchHost.exe
2260	SearchHost.exe
2444	SearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 3904	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 576 wrote to memory of 3904	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 576 wrote to memory of 3356	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 576 wrote to memory of 3356	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	84
PID 576 wrote to memory of 6092	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 576 wrote to memory of 6092	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 576 wrote to memory of 3208	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 576 wrote to memory of 3208	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 576 wrote to memory of 5980	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 576 wrote to memory of 5980	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 576 wrote to memory of 1888	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 576 wrote to memory of 1888	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 576 wrote to memory of 5768	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 576 wrote to memory of 5768	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 576 wrote to memory of 1932	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 576 wrote to memory of 1932	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 576 wrote to memory of 2128	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 576 wrote to memory of 2128	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 576 wrote to memory of 4168	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 576 wrote to memory of 4168	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 576 wrote to memory of 4860	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 576 wrote to memory of 4860	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 576 wrote to memory of 4236	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 576 wrote to memory of 4236	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 576 wrote to memory of 4960	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 576 wrote to memory of 4960	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 576 wrote to memory of 4968	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 576 wrote to memory of 4968	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 576 wrote to memory of 4952	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 576 wrote to memory of 4952	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 576 wrote to memory of 5604	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 576 wrote to memory of 5604	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 576 wrote to memory of 4892	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 576 wrote to memory of 4892	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 576 wrote to memory of 4980	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 576 wrote to memory of 4980	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 576 wrote to memory of 5000	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 576 wrote to memory of 5000	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	101
PID 576 wrote to memory of 4736	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 576 wrote to memory of 4736	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	102
PID 576 wrote to memory of 4336	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 576 wrote to memory of 4336	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 576 wrote to memory of 5024	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 576 wrote to memory of 5024	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	104
PID 576 wrote to memory of 5020	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 576 wrote to memory of 5020	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	105
PID 576 wrote to memory of 4348	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 576 wrote to memory of 4348	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	106
PID 576 wrote to memory of 4332	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 576 wrote to memory of 4332	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	107
PID 576 wrote to memory of 4376	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 576 wrote to memory of 4376	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	108
PID 576 wrote to memory of 4328	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 576 wrote to memory of 4328	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	109
PID 576 wrote to memory of 5032	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 576 wrote to memory of 5032	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	110
PID 576 wrote to memory of 2368	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 576 wrote to memory of 2368	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 576 wrote to memory of 1116	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 576 wrote to memory of 1116	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 576 wrote to memory of 1112	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 576 wrote to memory of 1112	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 576 wrote to memory of 5036	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 576 wrote to memory of 5036	576	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:3904
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:3356
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:6092
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:3208
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5768
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4332
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4376
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5036
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5436
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:712
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4708
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:1016
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1932
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3240
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6948
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:5872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:6932
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:7056

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3324

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2444

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
6973ef326e0e7f4ab868e61f36c39a34

SHA1
498ad7661413ce9abc3d37294be82d9a443653a4

SHA256
f61dd579f454f7796b6a35af0ee9c0dd266cbc4ab4879c5acd7058127a5c13ab

SHA512
f763c8ffaf041e79a442e54e0434e8b11985cec1d6f0659eb77f0c10b003d82580e12b7f9fe0a55e4afdf59583675312b3ad5b601643f33382279942a82f6407

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
f1a23767eb6d9d360c942aeebc952ce8

SHA1
5169d3ea0a30d8b5f3befda7974cf5a51c6fa886

SHA256
9ee09caebb8cc052c11a69a8a76750b636e1d1615208c406de1b432539b45b29

SHA512
c3cd7516883bafa48e339bb79e0c8883e5d7751345533366e803751b02d1e8d2a59bbd4e67dcf85e92f5bb82b47e649afd904f7035ae51f141f3fd7c570debf7

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

Filesize
728KB

MD5
2cf0f7822655b0707e81648266ac5bfd

SHA1
aa61f2a2b52dfc7408163f1a94f4e1bea07ba9b4

SHA256
ae2bcb77e2232ef7cd3d67834ca1746aaadc4509887d4057decc438ef85ddfc5

SHA512
240166eed93fcb6ea3a86dba50e1e510489c04cf59646350f63d8d418b5c03bc04ec68a10788ecb9f0362df53d585b41256cef0a43013be0adbc67484d21e1e2

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
634b8387eca68d0a54aadec5cb50b0cd

SHA1
0705e5351fbbd53e690f5d55ce04c1bbbb513d33

SHA256
04bac0f45971fbfca622717147115461af037f4bc37b243e9837d45f1a6d714f

SHA512
5e5baa5a42886aa5b13d69ec4660e68c1db51fcdc6cd154ef96dc5df728d45740de4586fbba663be3d480e9782abdd4ded99079e2ec656c90217cd12fe6b26b0

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
9d3827706088d3c95fccf01acee596e2

SHA1
ce1566be8e75befd4b430324afd0af455c4185b9

SHA256
5024e811e6c2ab14e2f527ed2ad3373770da85cedd4329eebd1c7c663bb331c2

SHA512
177f490dc90297dc4b2f62704c54074c3fa6b6345b8256b40a6621c5188d5372e5de273661c301442471f90a5f52b31fb86781dd0f8a0ad2440522b06fce534a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\3LZOUTMR\CSX-Fhl7QOdvMJB-1TX4dcDGTiI.br[1].js

Filesize
113KB

MD5
d3d4f21ac033339761670ea0ed37a25f

SHA1
0390339fb6f9ff57f8e47e1309a3ae5eec799a8f

SHA256
2c41217112b3dcf88ab091c0dcec6a0a4b736a41dd16872d1d4a5a2f66a85379

SHA512
27de0bc135d7d4ec707ebbcecb2714b2828a0c415577d42a3beab58bdf88148efa697de8ca6f41e13309a72ea1f4a0b2ee87a2bdf15389f0acb8a21e01f54a43

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\3LZOUTMR\FgBbpIj0thGWZOh_xFnM9i4O7ek[1].css

Filesize
19KB

MD5
908111eb0ffb1360d5dd61279c21703e

SHA1
9144330fd728fb48fd690335cb0ed897888e1b9d

SHA256
1ed87cf425ded994b05a842271ab4d28a76f399e571688cf2e7b186f70dc3059

SHA512
3dc1414091d7872c108cad59a0ca53f7f4e4cfaef716d2f719ba95e9f812e0e22b61b8c84ae0af45258d4974b4303b50ae56a4915c6256253a91b50f27239123

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\RF3WH0DV\Kw-hqxyqLK6odmI-5H3LHnGRNUU.br[1].js

Filesize
11KB

MD5
c91a45aff19707f6b4d042a50a8dd4e5

SHA1
4bed528a7f61c635b52e48a3c9988b040fc51dd9

SHA256
18ba3b0d7ab67001f9fd241e6590b4115fe9cc030d01cc0b8f5f82b284e16797

SHA512
cfce4bb78482a710ce1ca1492480ec827ea4ebe3abd10621cd52fef94f6929713e1c37a928ac6f8280d87cdcc23e391ce1ab66844e8a21623a7be2d2482f9477

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\RF3WH0DV\UWPNlC-i8nvzxS4eJQXyOXdYeUI.br[1].js

Filesize
397KB

MD5
4ac7119d5ba567d918700b32ad230e04

SHA1
43348e68cced380b1c4745411e566186a4f8bfa0

SHA256
d061e49937f6887d1b12932b2c09c345ffe6b42738ed761825d511547dee0690

SHA512
3d2f31fa33c12277d353d23bc6598d3c46613a829cf2a04394c5253526371d4bf23b39bac70a558dfeb003fb7739589c8a77a168b865025b79abe6b8b9f2b476

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\ST5U0HL6\uHvb4xZ0jf73ve32GnM3xl5hadc[1].css

Filesize
976KB

MD5
05cf5c465e30d98ba3877e0ce5dfe14e

SHA1
2bc3cbc8e78a6047bf78f4e5981a62d6730120e6

SHA256
42b390173502d8c7f0ad1a8bac2bfde23f882340cd3d1ad847ec3d0fef0976a9

SHA512
6b13bc9fc4b7923f15442040620171246f7c141048fdaa86b229d3498d43c2a53a9a637fe7410d0313c79808cb1e614459487774ff67da646f49d96a72ae5829

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\ST5U0HL6\xoGsbQtbe4kKZFKr-jERbrfBIOo.br[1].js

Filesize
73KB

MD5
e56791fe62563addf4a956dc50e56323

SHA1
7186a41a8585a51fbc128f520f85d7e5dd5d04e7

SHA256
573ed5d7e55c308e8ee2ec342ab54fb019f4a24b41beaa90a88d6c2ded222f2c

SHA512
81d344435d771a9c5c878a24b39b4242fa2d10399f5b9975cd97d1a216c0046b48886e1270b35bdcecb843b42a1c46ee75d8e4ce3b6a85d1da401e967338d01e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\Z8AOXQUK\KnpAYqL4mWMybLnE1BbtS8sdjYs[1].js

Filesize
57KB

MD5
2af728548a08a5c498fe46023bd93a4d

SHA1
909cc1e8d826b84a4d755eab58ff1bae290bac41

SHA256
1d88b8a4495dad20bfd6e6530cbfe837718b0393ac530543c7d797719fea7152

SHA512
1902d664870555d1af1875b1961acd46c291354e70a7c83429f6343e1566863597796ceed7970c568b274054fc0b3f32fc2e63c4fca52680983866ff8e647d20

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\Z8AOXQUK\ZQqFzPrHf2g9Cz24Zpi0gfYbxVI.br[1].js

Filesize
313KB

MD5
311caca5e53f4f6d0554682db3788571

SHA1
67764baff04bc4b609832aaaee76fa3f20b4dc61

SHA256
cd5d7539e5761eefe417f7cd36464ccf6b955511a8a085906043c1c2e3e6136f

SHA512
324908ee1e3f34485260929ac0c78dbdbd92fe72173b63a10b953a5a87a8df5d7a11d50cf57acc80f1679ad5daefe37659390166a8094aa9831dd7ee6b1df241

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\INetCache\Z8AOXQUK\onra7PQl9o5bYT2lASI1BE4DDEs[1].css

Filesize
65KB

MD5
d167f317b3da20c8cb7f24e078e0358a

SHA1
d44ed3ec2cde263c53a1ba3c94b402410a636c5f

SHA256
be2e9b42fc02b16643c01833de7d1c14d8790ecc4355c76529a41fa2f7d3efad

SHA512
afc65b0fa648d49a5eb896be60331aa222301894e228fe5684399e9276342f6510773dffa3e7e75b8d6197bc51c732bc7fd7518e593ecd20c4884c47058d46d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\62MVDHQO\www.bing[1].xml

Filesize
15KB

MD5
7f2c20e86dff6149deb87638377c0ab9

SHA1
cdee8440c4f329d6a028166a594b4e47e3683d58

SHA256
b2c6a88b048e0b0bf22b21c8275b0b4f58f26500bf8e40883d0e6d3c68dd9738

SHA512
c15cb2f442df91acf90977b4d48c6866536055985134b00a1e8ab586b412999616b5399a8748b8939c7e356d04d067d9be241855ce0679ad29c5635dce94ed48

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\62MVDHQO\www.bing[1].xml

Filesize
328B

MD5
48e9bc8483b17cceecf32a15f7ae7007

SHA1
f0e25060d80227c546d98c7b7d5e14171a97e9af

SHA256
687c445d57d323c498c03b6fc2bbc00880fa83c2df4ac4d115af582486304658

SHA512
38d8f0c47843419da25b0c4bb73c6edaac8aa1f489df22366a0761323e15b779f0c18279d45b0965bdf84a9ab236570f1f68a37d2218954dbb6dd3ad6e1d8527

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\62MVDHQO\www.bing[1].xml

Filesize
17KB

MD5
a011ddfa25bf73f7e7292e511dd20eb3

SHA1
ad56e6fabc0bfddce41ccbf28a35327f27c976d0

SHA256
ac16b2816ac1ad258c90318e7c1b60f18d7c9023072f320de6bf395ed31ae247

SHA512
38d661d6fdf71fe37add8009ff47478e544aeca3e1cc18b6d445875428cb0cb5083c6af568080ccdc56497ca213269b8e8241820f4fff3755aab50529eca5b4b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\62MVDHQO\www.bing[1].xml

Filesize
328B

MD5
bd71f91be4bc89a7ec259b5d240ff6b7

SHA1
a416e83aa5d7c1e943541e6935ec6340041125ab

SHA256
a4966276c8fc6de0d859f5007db8fb9f4d95369bb785a8f0cbec6dab6399b12c

SHA512
912d561ee46d57d1081bd8c327159bbb2a2700b08e7b744e58f5fdb8d61c39dd72090b23af484d86eaff4fb0d79adc5ebc905adf3c9c9f874601a9e75931de16

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\35BC0B29-9B2B-4072-A814-D54A7BDF6124\Zrtu2hQ08VU_1.bytecode

Filesize
66KB

MD5
6f3c390b73327ee09f2ca116cea7a12a

SHA1
94e96465c5a590fc778c028e45f2657d75084666

SHA256
80686f50c556b735c8cdb78089485cad1d98ffcfc3c206180a3c092675a4a185

SHA512
616f07a1ee5d539aa1a155b4806de221055273fa32c183d5f0510d7339735f722cc550cdbabf56b72a512cbdcc8eeb3b191e66453724fabc1ce0e3f4ec6b81b1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\35BC0B29-9B2B-4072-A814-D54A7BDF6124\Zrtu2hQ08VU_1.js

Filesize
72KB

MD5
157f3a849141214bb9826aac79abad17

SHA1
e2f0cfb1ad15ceae66d43d717b821f92f709853f

SHA256
66d796d606bc7dbe9f10763e11b4d12c71383d6e6088e616e9a0342483b435c0

SHA512
587836ba24ab1f3524b0ec3c997e077b77cf8d71698a574a55d1c5b8ad61bf52f5ca5645f5112b36244deff54a4d7c894450b8960cf18ec2ab6e1cdebe318288

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\35BC0B29-9B2B-4072-A814-D54A7BDF6124\Zrtu2hQ08VU_1.metadata

Filesize
192B

MD5
da1ff7683ff1059d2389a3073bf8b66f

SHA1
e72fcc9176b2ee7465c3399222c2beb4c5065b3f

SHA256
c7164fa618d8c824e14071a05606bd77f0770b252fae1d85a46a7e83d046ced3

SHA512
65fe6b29d3d2506263feccd5ba029ec70c77c15dad3c56462ef2bd215ca1d9870068a622df8dabafc1c08f9d44262ab092e513345167b9a33ce9ea4feb8fa343

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\62MVDHQO\www.bing[1].xml

Filesize
18KB

MD5
3173d642b953946d46536ed3e709b440

SHA1
1fd88d53b1c38808bc1dafd0e2372a9a08f2169d

SHA256
95da91fbb221e5370aca81cb1f6da902150166c30ba1051686b9ad0161a06dff

SHA512
1499d18654ce901f6195acac1b20c8d9870c3446ffdb461a571d69d22fcb6c05b79ff0f188b2340ae53b67b284559d2991089be763214750cf37491bcca16340

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2vakvbf.sdt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
9735a79e73cf01ddadc2de674ac9169b

SHA1
4da62f403e8235371c2e8f7316cd2fa71ac866ca

SHA256
28cd12b78bb86b1f419a60fadff5688f7f57d403fe54822b1cc9161380134db5

SHA512
a1a471ee972a16cc5e1411bb63aab8a6bd2dc78085f834938744239d3a04b17d3aaec23c823507bc5f867bcd8067931df19fc0e9554d224cc986870d9fcadd1d

Download Submit
memory/576-1028-0x00007FFF5EEB0000-0x00007FFF5F972000-memory.dmp

Filesize
10.8MB

Download
memory/576-0-0x00007FFF5EEB3000-0x00007FFF5EEB5000-memory.dmp

Filesize
8KB

Download
memory/576-558-0x00007FFF5EEB0000-0x00007FFF5F972000-memory.dmp

Filesize
10.8MB

Download
memory/576-368-0x00007FFF5EEB3000-0x00007FFF5EEB5000-memory.dmp

Filesize
8KB

Download
memory/576-2-0x00007FFF5EEB0000-0x00007FFF5F972000-memory.dmp

Filesize
10.8MB

Download
memory/576-1-0x0000000000E10000-0x0000000000E2A000-memory.dmp

Filesize
104KB

Download
memory/2260-744-0x0000018E57A80000-0x0000018E57B80000-memory.dmp

Filesize
1024KB

Download
memory/2260-857-0x0000018E34B00000-0x0000018E34C00000-memory.dmp

Filesize
1024KB

Download
memory/2260-683-0x0000018E34B00000-0x0000018E34C00000-memory.dmp

Filesize
1024KB

Download
memory/2260-743-0x0000018E56720000-0x0000018E56740000-memory.dmp

Filesize
128KB

Download
memory/2260-856-0x0000018E34B00000-0x0000018E34C00000-memory.dmp

Filesize
1024KB

Download
memory/2260-745-0x0000018E576C0000-0x0000018E576E0000-memory.dmp

Filesize
128KB

Download
memory/2444-1097-0x0000021EEBF30000-0x0000021EEBF50000-memory.dmp

Filesize
128KB

Download
memory/2444-1098-0x0000021EED560000-0x0000021EED660000-memory.dmp

Filesize
1024KB

Download
memory/2444-1099-0x0000021EECD70000-0x0000021EECD90000-memory.dmp

Filesize
128KB

Download
memory/2444-1193-0x0000021EF1200000-0x0000021EF1300000-memory.dmp

Filesize
1024KB

Download
memory/3324-283-0x0000023D54D50000-0x0000023D54D70000-memory.dmp

Filesize
128KB

Download
memory/3324-397-0x0000023D58F90000-0x0000023D59090000-memory.dmp

Filesize
1024KB

Download
memory/3324-281-0x0000023D43800000-0x0000023D43820000-memory.dmp

Filesize
128KB

Download
memory/3324-282-0x0000023D54E70000-0x0000023D54F70000-memory.dmp

Filesize
1024KB

Download
memory/3324-197-0x0000023D21AA0000-0x0000023D21BA0000-memory.dmp

Filesize
1024KB

Download
memory/3324-393-0x0000023D58F90000-0x0000023D59090000-memory.dmp

Filesize
1024KB

Download
memory/4304-21-0x0000027A6C200000-0x0000027A6C222000-memory.dmp

Filesize
136KB

Download