7bbb458e6579df29118174eb65579f6f02773e8ead9e89b65933191796774617

Analysis

max time kernel
136s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trkop.vbs
Size

4KB
MD5

e709fe17f4e7f99292b8685ddd0a0a7c
SHA1

f7f05bd5b2b4c134577a375f4d3d29fda36fc146
SHA256

101f060edf89f4362ee6657acc110f88d3140090fb676620049a2407b503b837
SHA512

58a3df44e7123d84abe59be6af06587845157f3e75132c0c55b891cd911c77ab0fa958eb1c395c17d34fec02fc07af93b57aa3188cb4bb9f66a251a9b23b9647
SSDEEP

96:UgWBAP2GmFP5AI2IYAvk4yZxIe2H132Tes2X2nj2jW32p2eR2p52pvc272nRgu/b:UAPbmFPrKlZxLk3uesceKso2eRo5okGY

Score

9^/10

defense_evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation WScript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

gpg.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1916	gpg.exe
4112	msedge.exe
4112	msedge.exe
2424	msedge.exe
2424	msedge.exe
5008	identity_helper.exe
5008	identity_helper.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2424 msedge.exe
2424 msedge.exe
2424 msedge.exe
2424 msedge.exe
2424 msedge.exe
2424 msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe
Token: 33	2244	WMIC.exe
Token: 34	2244	WMIC.exe
Token: 35	2244	WMIC.exe
Token: 36	2244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe
Token: 33	2244	WMIC.exe
Token: 34	2244	WMIC.exe
Token: 35	2244	WMIC.exe
Token: 36	2244	WMIC.exe
Token: SeBackupPrivilege	2336	vssvc.exe
Token: SeRestorePrivilege	2336	vssvc.exe
Token: SeAuditPrivilege	2336	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exemsedge.exe

description	pid	process	target process
PID 1168 wrote to memory of 2084	1168	WScript.exe	gpg.exe
PID 1168 wrote to memory of 2084	1168	WScript.exe	gpg.exe
PID 1168 wrote to memory of 2084	1168	WScript.exe	gpg.exe
PID 1168 wrote to memory of 1916	1168	WScript.exe	gpg.exe
PID 1168 wrote to memory of 1916	1168	WScript.exe	gpg.exe
PID 1168 wrote to memory of 1916	1168	WScript.exe	gpg.exe
PID 1168 wrote to memory of 2424	1168	WScript.exe	msedge.exe
PID 1168 wrote to memory of 2424	1168	WScript.exe	msedge.exe
PID 2424 wrote to memory of 2076	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 2076	2424	msedge.exe	msedge.exe
PID 1168 wrote to memory of 2244	1168	WScript.exe	WMIC.exe
PID 1168 wrote to memory of 2244	1168	WScript.exe	WMIC.exe
PID 1168 wrote to memory of 1680	1168	WScript.exe	cmd.exe
PID 1168 wrote to memory of 1680	1168	WScript.exe	cmd.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 3616	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 4112	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 4112	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 936	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 936	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 936	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 936	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 936	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 936	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 936	2424	msedge.exe	msedge.exe
PID 2424 wrote to memory of 936	2424	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\trkop.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\gpg.exe
"C:\Users\Admin\AppData\Local\Temp\gpg.exe" --import C:\Users\Admin\AppData\Local\Temp\yin1abtn.cq124aqq
2⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\gpg.exe
"C:\Users\Admin\AppData\Local\Temp\gpg.exe" -r y1688 --yes -q --no-verbose --trust-model always -o C:\Users\Admin\AppData\Local\Temp\BLKLOCK.KEY -e C:\Users\Admin\AppData\Local\Temp\rizot.doc
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\blklock_Help_decrypt.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcda1246f8,0x7ffcda124708,0x7ffcda124718
3⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
3⤵
PID:936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
3⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
3⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
3⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
3⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
3⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
3⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
3⤵
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12222699409402394575,3009261375236691001,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1260 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4600

C:\Windows\System32\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zapa.bat" "
2⤵
PID:1680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2fb8885a9316a7d166a045b43d3be4d2

SHA1
12a18acff816136f55162afed56aa6d31816a587

SHA256
0a411d62a61b3ac4c13469b92785df80804c7d404562c1ea55c822daa76b2572

SHA512
1c92cfa921cfa0eb958e23fcd9aacdf48fbd09a40c014e3639f9dda618fcccaaefd5e8a9d5943a39cb6e8959f92ce6da7cbe17867d41d0eba6e6a5ee62684a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f36b5da70377f38a8919b55878d01dab

SHA1
31129310f4812fd05a4b4d7eac0c75d5f8119cb2

SHA256
de74a7c320701081b267874922ab5a252ee1c5d3bc3f0e16acf1c0174dde742b

SHA512
daac89cb20bea06c9b77eeeec388e0bb894753d84034ad41bc4baa4374ea38e8ab61477e637ac5d58131527200c17032dc11e770c998dd714d911c96bb77387f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
8b40bf937a57b503a29982bd2277a648

SHA1
5b3cdcd39228cb79459e3a79f6e45b0f804c6847

SHA256
7d38f28c8500ef63ea04e1ac724f7808f95e9e8ece17b4a6346ff9d983d43ed7

SHA512
7e2481104d18ffe314a9f461a0d0e729aaae27bbb7ba2fd87f0a08d783b45d609b05b312b086b28bd8ea8d37dfc6385f379c9f3a3b30aef4d18f17571a03ae96

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLKLOCK.KEY
Filesize
363B

MD5
4b1632fad71f6a4405303bd0beb040e3

SHA1
9b3dd96ff0b53db4088489d51fbb33763e4bbd65

SHA256
16d2cd5c3bd66ac1e56c950c4ecf6a82bea582adb2a58c2e296d1e891814f071

SHA512
0d6620caa59a1cc61ed97a820130f4021979cc6147e29f603ccef4edd171fed43a13ddb5e578624ff559da43d4de88dfb5479a8665bb4822043c1b3e73ab5f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\blklock_Help_decrypt.html
Filesize
719B

MD5
67a3375773562e7e470c820536880720

SHA1
6ab9afcc84754315ff874fd5718f003ec2d8d23f

SHA256
315bbddec308682ed567e96410ec6a78065ba5a986ea082b95d0091001e75026

SHA512
0e611ae7f0395fc55c522b6625afe1b43d74dbe4bb43d0524f5c43b305ac1741dcae3dc711e88ec8e91ecfc5a5050459a34a030e1dfb56f971a5e68e8d033ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\blklock_Help_decrypt.txt
Filesize
351B

MD5
cd193d25475714fabab7a9ca80856383

SHA1
9dd655e367e63c26403822f410fb68ff11a2d435

SHA256
0fd72f68474bc84ce018a32cffc177b576001871295c2833528162626c402e4b

SHA512
6c49b36d848e805fd4ae88b477d0400d07b9850a51baf28830520c0918c2d16137be19891efa8d965c0d57ef26b189b30751d0281c98dae27883ad1b4055a2a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rizot.doc
Filesize
22B

MD5
8b02833af3c49d5c43dadeae182f5771

SHA1
c1d2fab3dc3818cf9f9850bca733460f6cd7cbfa

SHA256
a3d861d614c1fc049cbc9b1f52274533418a4bb0f684c9167226eaac533ee1bb

SHA512
779f59c8eb2586acf32423fb2eab8ea0209ed5065a5bfdefb8d6f9b9557519fb38f2ae0810d76958a7a9d6116ea41d8e379d99a7616bd31953638ccfbb396010

Download Submit
C:\Users\Admin\AppData\Local\Temp\rizot.doc
Filesize
87B

MD5
1e7c8aef2705d09c6d2d3064f4b3441b

SHA1
966bbf4f2c13066a6d01da31c4734e062944f65f

SHA256
c1ebe509542f5a3027feafe813474fb2ea8c6d8247c84554e7d8542337168c03

SHA512
6ee16ede6b39d6f54fc6eb9cbbf0a0c1c8e60eb8ab559d3e70b01a97924ac4b61fa5c18a979315d6d35a3f07eb0e8668449962f3bb51123bff34bb781a9b0b27

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\pubring.kbx
Filesize
1KB

MD5
134bf38d9f66826ee77cf93c010e4850

SHA1
90b464ebfdb01e79711528fec179472e2cf72f0f

SHA256
48bbd0f4199ed901ae9f713556898831e6f0bfb52865d52ba58f977fdabafccd

SHA512
0cf9324e0d1c4da6d72af978244b81dc43f1c663bfb0fd8eb458b5d1a62d7bcff78e25670f19ba648542232f564b8a30e2162942abc662034fd627e8a7cdd750

Download Submit
C:\Users\Admin\AppData\Roaming\gnupg\trustdb.gpg
Filesize
1KB

MD5
7b997637aa9488dc83c16d78bb85fe6d

SHA1
be2ad69c1e33ea073ebf049a52c369c75b349634

SHA256
6130b0bbe9ccf41d2a0dbf72173c6c2b2ed4e9afa37fe3f811a1e221ba32282e

SHA512
e749ae40d3a9092ee53eacee4226056f7f7a433f36cc34b86e7d1a1aa172f4f7a9ef9a2864cb298b46e3f7e46f3b6efb2e974e8befbf57cfe7dd67551fb8baa7

Download Submit
\??\pipe\LOCAL\crashpad_2424_LSDIBJCAWUOOHKUN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1916-25-0x0000000063080000-0x00000000630A0000-memory.dmp

Filesize
128KB

Download
memory/1916-22-0x00000000655C0000-0x00000000656BA000-memory.dmp

Filesize
1000KB

Download
memory/1916-24-0x0000000066580000-0x000000006664C000-memory.dmp

Filesize
816KB

Download
memory/1916-20-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/1916-21-0x0000000065A80000-0x0000000065A99000-memory.dmp

Filesize
100KB

Download
memory/1916-23-0x000000006B480000-0x000000006B4AF000-memory.dmp

Filesize
188KB

Download
memory/2084-9-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/2084-10-0x0000000065A80000-0x0000000065A99000-memory.dmp

Filesize
100KB

Download
memory/2084-14-0x00000000655C0000-0x00000000656BA000-memory.dmp

Filesize
1000KB

Download
memory/2084-11-0x000000006B480000-0x000000006B4AF000-memory.dmp

Filesize
188KB

Download
memory/2084-12-0x0000000066580000-0x000000006664C000-memory.dmp

Filesize
816KB

Download
memory/2084-13-0x0000000063080000-0x00000000630A0000-memory.dmp

Filesize
128KB

Download