hakbit | d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337

Analysis

max time kernel
96s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250502-en
resource tags

arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system
submitted
04/05/2025, 04:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Size

80KB
MD5

8152a3d0d76f7e968597f4f834fdfa9d
SHA1

c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e
SHA256

69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b
SHA512

eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4
SSDEEP

1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Score

10^/10

hakbit credential_access defense_evasion discovery execution ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note

To recover your data contact the email below [email protected] Key Identifier: Fe07Km85K7ZZvr4Tn+KVYtJ8J2I5cdMLDDiNbDxu1l5cLmxG2QZMJ6WNrL0C7hbelaEpY6Jgc8HiKu6hIwExn8l1c35Sck6CB1ol8LDHU3JyePiALZN+4OAv3g9u5i/VEpr8OL6zLC9wSZ0VpqYCO8+faEpHFbf3ANrwgkgFfFstuBCcEV8GkFU/RlhgcOwm1bDLaskZVouz/OQ4lyUSdVKHCEP6211/m3wVjPVfil2uiWgPV4b/SUWLrqzKuEbUKTtTXWKZYBcl72w/57BcLO3G6hZWTOK9i1b+ASPjFmxEtDqxftQTR1twG6OP4yOsXR65cAV7Ul4P88CxAcbuutGz2PcVS0Pyvc9Ep8Uw1BLHNt4SWZu4O1qZjvB+Jn7CboYbph92Q90zuYMZwqe1mus4x6zM63w2WcmSpXJdLWUtAjSvoW0y3soCw8VFcZfbjuoQCCGdW2hLdZUbnn67z6hYIueZuGAlOW4PWqVIaa/BwxA0FzRygHkfPiTK2JL1rHDu0e49QwUJNjyrAIBjAqQOweJXRIzalZkJUhgZzVWXtQWLzJvWEzM2jILTRkIYy964DpVvEwE2d0NruGObObi9r2kYq6aW7e/XWj6DKGNV1D4hoNzFaYSSlyagfUd+vAVnd6Jp/GFCOpzhxJHUHwrJYKA2hDpLJ8PDV5NjEJ0= Number of files that were processed is: 439

Emails

[email protected]

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Hakbit
Ransomware which encrypts files using AES, first seen in November 2019.
ransomware hakbit
Hakbit family
hakbit
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4888	sc.exe
4724	sc.exe
4928	sc.exe
4920	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3996	cmd.exe
5072	PING.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe

Kills process with taskkill 47 IoCs

defense_evasion

pid	Process
3172	taskkill.exe
5740	taskkill.exe
2304	taskkill.exe
3364	taskkill.exe
5028	taskkill.exe
1028	taskkill.exe
2092	taskkill.exe
5396	taskkill.exe
2424	taskkill.exe
5160	taskkill.exe
5044	taskkill.exe
5056	taskkill.exe
4988	taskkill.exe
3876	taskkill.exe
5008	taskkill.exe
4192	taskkill.exe
2492	taskkill.exe
2464	taskkill.exe
4868	taskkill.exe
4676	taskkill.exe
4120	taskkill.exe
2228	taskkill.exe
2948	taskkill.exe
5068	taskkill.exe
4964	taskkill.exe
4940	taskkill.exe
5880	taskkill.exe
5080	taskkill.exe
5984	taskkill.exe
5060	taskkill.exe
4220	taskkill.exe
4456	taskkill.exe
5112	taskkill.exe
6132	taskkill.exe
2420	taskkill.exe
4492	taskkill.exe
2264	taskkill.exe
2928	taskkill.exe
2160	taskkill.exe
5040	taskkill.exe
2040	taskkill.exe
1084	taskkill.exe
4828	taskkill.exe
4028	taskkill.exe
4628	taskkill.exe
5192	taskkill.exe
5012	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "15007"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "14561"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "12338"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "165"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "7501"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13305"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "14115"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15528"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8468"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "14115"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "165"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15082"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15974"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1099"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "14561"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "12338"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "132"	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1132"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "7501"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000_Classes\Local Settings\MuiCache	SearchHost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3980	notepad.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5072	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	5040	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	4964	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	2928	taskkill.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	5740	taskkill.exe
Token: SeDebugPrivilege	5984	taskkill.exe
Token: SeDebugPrivilege	6132	taskkill.exe
Token: SeDebugPrivilege	5192	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	4828	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	5760	powershell.exe
Token: SeDebugPrivilege	3172	taskkill.exe
Token: SeDebugPrivilege	5396	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	2948	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	5880	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	5160	taskkill.exe
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3368	SearchHost.exe
5716	SearchHost.exe
808	SearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5280 wrote to memory of 4888	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 5280 wrote to memory of 4888	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	83
PID 5280 wrote to memory of 4920	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 5280 wrote to memory of 4920	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	85
PID 5280 wrote to memory of 4928	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 5280 wrote to memory of 4928	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	86
PID 5280 wrote to memory of 4724	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 5280 wrote to memory of 4724	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	87
PID 5280 wrote to memory of 4220	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 5280 wrote to memory of 4220	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	88
PID 5280 wrote to memory of 2040	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 5280 wrote to memory of 2040	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	89
PID 5280 wrote to memory of 4868	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 5280 wrote to memory of 4868	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	90
PID 5280 wrote to memory of 4940	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 5280 wrote to memory of 4940	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	91
PID 5280 wrote to memory of 4988	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 5280 wrote to memory of 4988	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	92
PID 5280 wrote to memory of 5012	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 5280 wrote to memory of 5012	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	93
PID 5280 wrote to memory of 5028	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 5280 wrote to memory of 5028	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	94
PID 5280 wrote to memory of 4964	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 5280 wrote to memory of 4964	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	95
PID 5280 wrote to memory of 5040	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 5280 wrote to memory of 5040	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	96
PID 5280 wrote to memory of 5056	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 5280 wrote to memory of 5056	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	97
PID 5280 wrote to memory of 5068	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 5280 wrote to memory of 5068	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	98
PID 5280 wrote to memory of 5060	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 5280 wrote to memory of 5060	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	99
PID 5280 wrote to memory of 5044	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 5280 wrote to memory of 5044	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	100
PID 5280 wrote to memory of 4932	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 5280 wrote to memory of 4932	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	103
PID 5280 wrote to memory of 5396	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	118
PID 5280 wrote to memory of 5396	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	118
PID 5280 wrote to memory of 4192	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 5280 wrote to memory of 4192	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	119
PID 5280 wrote to memory of 5008	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 5280 wrote to memory of 5008	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	120
PID 5280 wrote to memory of 2092	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 5280 wrote to memory of 2092	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	121
PID 5280 wrote to memory of 4492	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 5280 wrote to memory of 4492	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	122
PID 5280 wrote to memory of 1028	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123
PID 5280 wrote to memory of 1028	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	123
PID 5280 wrote to memory of 2420	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 5280 wrote to memory of 2420	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	124
PID 5280 wrote to memory of 3876	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 5280 wrote to memory of 3876	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	125
PID 5280 wrote to memory of 5112	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	126
PID 5280 wrote to memory of 5112	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	126
PID 5280 wrote to memory of 4628	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 5280 wrote to memory of 4628	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	127
PID 5280 wrote to memory of 4028	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 5280 wrote to memory of 4028	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	128
PID 5280 wrote to memory of 4828	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 5280 wrote to memory of 4828	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	129
PID 5280 wrote to memory of 5740	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 5280 wrote to memory of 5740	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	130
PID 5280 wrote to memory of 5880	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	131
PID 5280 wrote to memory of 5880	5280	69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe	131

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5280
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  PID:4888
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:4920
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  PID:4928
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4724
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  PID:4932
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5396
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:3876
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4828
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5880
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3364
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5160
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5984
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5760
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3980
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3996
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5072
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:6548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
  2⤵
  PID:4148
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4188

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5716

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:808

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

Filesize
1.3MB

MD5
ac84a26cdfd28cb42fb63596c659065d

SHA1
2cd74f5efbb3ad527ce233df6a2d73742484e0f7

SHA256
f6568c39bd596b16c16f7c2f0a18c96f35692c7d34faa0bf9c1d69e3af27dfb7

SHA512
816a327511c951ed014a45f17ea8cb131466d8b42eb70fb13a8735787e4cbc376b119e55d5007efcf13dfe819569b4ace7a7e4b2a38ad6389dbec877f7511890

Download Submit
C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

Filesize
28.8MB

MD5
e47d3247ed82c1ddb98e927995ee5e3e

SHA1
791247bb5bf897295781c53b32a2743b89f4c673

SHA256
9e430d5e52cff4c09207c74581b74edcf92f40c7d0fb57cb3c22bf5664927f22

SHA512
d0c2d46cad3958658bface80ce5ab4715fe33d508093be5fcfe84aa10d3087adfaaa906eff99c8881d63e78b5111cd908b1c82fad853ca3ea9235fd44d5194b3

Download Submit
C:\ProgramData\Package Cache\{1B690A4C-381A-40D4-BA4A-3F8ACD5CE797}v56.64.8781\dotnet-hostfxr-7.0.16-win-x64.msi.energy[[email protected]]

Filesize
804KB

MD5
c2cc84d0aa2b6e9afdd225cfc5262c4c

SHA1
27528c0f3bb2dba48321cab001f3fb4d89d75dd0

SHA256
9bcf01c36018201f18fc2b7e629fdd74b85e4b42f1d2cf90a8882f0e344ca95d

SHA512
4f8600d5cc26b0d0049a586f0c763c8c3f206ccbf721978e3b88154ba441bc6b7d4b8df8e43b31fed1d509e9ce90dbc3ccef02b730529d9d7075545b9889f8b0

Download Submit
C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

Filesize
25.7MB

MD5
46c63d594cae0f9ba8bafd082651cf82

SHA1
fb357657750f9c77599142df5fed85d5679863ef

SHA256
cc32367b394e2fda9d730a4d2408a62c01b99d11eb4b8362ce5bd916eb9ea0cd

SHA512
55a3355de72f87b565941d810e4a0fa9bcd519e1f50ecf6a6a6b62dbfa9b6ed21eaa8e9addd24eaee1799f5a8019a54e0c76e89f9557e6b1cacc074779eb9373

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

Filesize
180KB

MD5
aeade605337377736cd2ff78a2a2e33f

SHA1
d531395055ed89b6fa438adde0f238087e3560f8

SHA256
d65f9bf6d062c7d9f649afe14efc217492125cf7b4531e14f9a430693100d32b

SHA512
a2a6df1434145f0615ba8072e455cfdca1acba0856e3ae77231aaebffa1bbcc874f13f114a681235472c0dd659b81c02d735fe54265038ab59131d8324b798af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CCAABHXL\www.bing[1].xml

Filesize
327B

MD5
fc61bd3c1837af90d23ccc4819274910

SHA1
2d9d022a11e9a0abe90de09607835a6088ee0588

SHA256
ed237f41842d8f824e3416f32a41a0302206a84126cd4d8ff3f6ab1033fe47f0

SHA512
26e32eaf8cb2518e29d5297c694c8bf7394c02ef235709b33eb8032d7ce408ab9c7280989fcc6e2441a4bcc28f67fbfde5b847ef0c377c3d2f86b7313ee25c74

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CCAABHXL\www.bing[1].xml

Filesize
327B

MD5
72dc63814ebe586b014f029d5d5cdc1c

SHA1
d5f76c4516e49dcc0510d2522e4e9bccc5ed16a9

SHA256
d6195a2723933fdf1b084f50442659e6dff597f42d4f3d45f9578919f4ff6944

SHA512
8e8fc40bbef6f2068ff5f494b5e47d7ebd1918321233b766b0e0c2e8f8fecf5ae0775b9cf2c49b1e06328a9f4a69507ed5934baffae1345e41036de88a37df9e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\0C988F33-6B24-45CA-BDB3-2C1585F0DB4C\Zrtu2hQ08VU_1.bytecode

Filesize
66KB

MD5
9c5f5812aa1cae4cd6c7813e9a533472

SHA1
cce3cac026ce20ce5a1a08600f692596c3226faa

SHA256
2ff93fd9fc9b175a041123ac0fe69099afa11384bd578dee33b6b966dd5f3991

SHA512
ff80b28c0355de960382a29ba5108cb306fd0b518f7c14017d8e6d10429d1ef5224e59436a926cc74ecdef4e12aa010b56d3bc374507f09746a743bc2fab5226

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\0C988F33-6B24-45CA-BDB3-2C1585F0DB4C\Zrtu2hQ08VU_1.metadata

Filesize
192B

MD5
c185a6c03b3aca345d491aa60ebfbe25

SHA1
8207a31ebc9c730db7438403f49e11325274f11a

SHA256
c8b25a14006d9974cdc1bf16d572b95f1ed33d0b4fe8cbadaa793dc574ad2b41

SHA512
3c8d0a530a3c1657ebd3f1151d578dcb568107173db9d1d76d782e7f3251e12acccde6e72f8f21dd248d9246e6871228ad4e1ee08b91c8fbb1b7ff6e3b237fb7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CCAABHXL\www.bing[1].xml

Filesize
18KB

MD5
d3909060fefb8fb52be83b50eef9e84e

SHA1
d14112c2312ab3e16ad98dcd9f7654788d4818c2

SHA256
2eb402bce2d124ea98e7ebe14f973a7c06410a2fe9f3f6ee1275051b1b4eda1c

SHA512
11a5939e30a2058a2866024cfd95379ac2386feb14130c34e78c9263262b1465f53b5c350627041da103ebaae6a6b3d99afacff786dd1493e331895983e76680

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\CCAABHXL\www.bing[1].xml

Filesize
18KB

MD5
0a238399d50a8297030c569f18b1dcc1

SHA1
6a3df358e1fb2c36c3f869d9de239adf64ca2e4e

SHA256
6b73352e9ad51fc4c693a18efded20102fbc6f6547782c98bbb8e2d8292366e0

SHA512
61b98b6e0b228716936a6330efbe11736d051b3f95987e57c8c4497d0d696f11db45ded831213564b2deb47fcf521dfb5a6f74f294240b3af3beee92fbb010c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yh143oyk.23o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
828B

MD5
0a64b0127c2d2f94b5589b8c75d39c9c

SHA1
9bf1ac00faebe0ece398c8595a95fb22e4087bf6

SHA256
a6362b2cca461ac5309224084acf70a2822f0b0c76f34ebfa9fdf262c6556159

SHA512
9f14a57a2ca0eec99261bb77bd52c5c264c914f455b34e1e16ae8aaf5c0150130e3c1ad7f808f48de5e31a34574079fc936d09b0adb5250186dbaa1642d28cf1

Download Submit
memory/808-1115-0x000001D59F4A0000-0x000001D59F4C0000-memory.dmp

Filesize
128KB

Download
memory/808-1071-0x000001CD8D6A0000-0x000001CD8D7A0000-memory.dmp

Filesize
1024KB

Download
memory/808-1113-0x000001D5B1100000-0x000001D5B1120000-memory.dmp

Filesize
128KB

Download
memory/808-1114-0x000001D5B15A0000-0x000001D5B16A0000-memory.dmp

Filesize
1024KB

Download
memory/808-1225-0x000001D5B52B0000-0x000001D5B53B0000-memory.dmp

Filesize
1024KB

Download
memory/3368-375-0x000002C37E6E0000-0x000002C37E7E0000-memory.dmp

Filesize
1024KB

Download
memory/3368-379-0x000002C37E400000-0x000002C37E420000-memory.dmp

Filesize
128KB

Download
memory/3368-316-0x000002C37AE20000-0x000002C37AF20000-memory.dmp

Filesize
1024KB

Download
memory/3368-560-0x000002C382030000-0x000002C382130000-memory.dmp

Filesize
1024KB

Download
memory/3368-374-0x000002C37D200000-0x000002C37D220000-memory.dmp

Filesize
128KB

Download
memory/3368-487-0x000002C3821E0000-0x000002C3822E0000-memory.dmp

Filesize
1024KB

Download
memory/5280-481-0x00007FFBE8583000-0x00007FFBE8585000-memory.dmp

Filesize
8KB

Download
memory/5280-1-0x0000000000940000-0x000000000095A000-memory.dmp

Filesize
104KB

Download
memory/5280-3-0x00007FFBE8580000-0x00007FFBE9042000-memory.dmp

Filesize
10.8MB

Download
memory/5280-613-0x00007FFBE8580000-0x00007FFBE9042000-memory.dmp

Filesize
10.8MB

Download
memory/5280-0-0x00007FFBE8583000-0x00007FFBE8585000-memory.dmp

Filesize
8KB

Download
memory/5280-1061-0x00007FFBE8580000-0x00007FFBE9042000-memory.dmp

Filesize
10.8MB

Download
memory/5716-740-0x000002A64C9C0000-0x000002A64CAC0000-memory.dmp

Filesize
1024KB

Download
memory/5716-909-0x000002A6500D0000-0x000002A6501D0000-memory.dmp

Filesize
1024KB

Download
memory/5716-692-0x0000029E28A70000-0x0000029E28B70000-memory.dmp

Filesize
1024KB

Download
memory/5716-739-0x000002A64BBD0000-0x000002A64BBF0000-memory.dmp

Filesize
128KB

Download
memory/5716-875-0x000002A650680000-0x000002A650780000-memory.dmp

Filesize
1024KB

Download
memory/5716-742-0x000002A64C940000-0x000002A64C960000-memory.dmp

Filesize
128KB

Download
memory/5760-56-0x0000019080040000-0x000001908018F000-memory.dmp

Filesize
1.3MB

Download
memory/5760-22-0x00000190FFF20000-0x00000190FFF42000-memory.dmp

Filesize
136KB

Download