Analysis

  • max time kernel
    378s
  • max time network
    382s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    10-09-2024 11:51

Errors

Reason
Machine shutdown

General

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___KUPY_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/57EA-8D6A-E672-0098-BD4A Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/57EA-8D6A-E672-0098-BD4A 2. http://xpcx6erilkjced3j.19kdeh.top/57EA-8D6A-E672-0098-BD4A 3. http://xpcx6erilkjced3j.1mpsnr.top/57EA-8D6A-E672-0098-BD4A 4. http://xpcx6erilkjced3j.18ey8e.top/57EA-8D6A-E672-0098-BD4A 5. http://xpcx6erilkjced3j.17gcun.top/57EA-8D6A-E672-0098-BD4A ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----
URLs

http://xpcx6erilkjced3j.onion/57EA-8D6A-E672-0098-BD4A

http://xpcx6erilkjced3j.1n5mod.top/57EA-8D6A-E672-0098-BD4A

http://xpcx6erilkjced3j.19kdeh.top/57EA-8D6A-E672-0098-BD4A

http://xpcx6erilkjced3j.1mpsnr.top/57EA-8D6A-E672-0098-BD4A

http://xpcx6erilkjced3j.18ey8e.top/57EA-8D6A-E672-0098-BD4A

http://xpcx6erilkjced3j.17gcun.top/57EA-8D6A-E672-0098-BD4A

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in early 2016.

  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
  • UAC bypass 3 TTPs 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Contacts a large (1119) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Modifies Windows Firewall 2 TTPs 3 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1904 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {091b9011-fca7-41ce-8127-ccccb2f8fce9} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" gpu
        3⤵
        PID:3524
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d7c1d91-e1e5-4d8d-beb9-37bed0eb21cc} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" socket
        3⤵
        PID:240
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2768 -childID 1 -isForBrowser -prefsHandle 1624 -prefMapHandle 3080 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa86c7d3-2da4-447b-a158-4bcdd9905bc0} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
        3⤵
        PID:392
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3672 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b35d6f9d-fa9f-4e4d-874a-9c7cf11ac668} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
        3⤵
        PID:2972
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4068 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4228 -prefMapHandle 4252 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa6711c7-fb7c-424e-ac4a-364f45c90df4} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" utility
        3⤵
        • Checks processor information in registry
        PID:3536
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3915101b-f870-4cbc-9e18-bdfd4e8b0482} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
        3⤵
        PID:2948
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 4 -isForBrowser -prefsHandle 5620 -prefMapHandle 5624 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f32ef272-3bd3-4537-88c8-b0c1a31c1576} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
        3⤵
        PID:3540
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 5 -isForBrowser -prefsHandle 5904 -prefMapHandle 5900 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9945a04c-d9dd-4390-bcc1-16d5b20f244c} 1512 "\\.\pipe\gecko-crash-server-pipe.1512" tab
        3⤵
        PID:4752
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1888
  • C:\Users\Admin\Desktop\BadRabbit.exe
    "C:\Users\Admin\Desktop\BadRabbit.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:3464
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Delete /F /TN rhaegal
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2372
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Delete /F /TN rhaegal
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4764
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1954613211 && exit"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1944
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1954613211 && exit"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2300
      • C:\Windows\SysWOW64\cmd.exe
        /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:15:00
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3068
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:15:00
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2648
      • C:\Windows\BB58.tmp
        "C:\Windows\BB58.tmp" \\.\pipe\{33A3DE48-7B42-4D65-A8AC-35440784A4BC}
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4888
  • C:\Users\Admin\Desktop\Birele.exe
    "C:\Users\Admin\Desktop\Birele.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1468
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 280
      2⤵
      • Program crash
      PID:1760
  • C:\Users\Admin\Desktop\Cerber5.exe
    "C:\Users\Admin\Desktop\Cerber5.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4440
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:972
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\system32\netsh.exe advfirewall reset
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:452
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___U1MD053_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4640
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___YXWWW_.txt
      2⤵
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:5116
  • C:\Users\Admin\Desktop\$uckyLocker.exe
    "C:\Users\Admin\Desktop\$uckyLocker.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    PID:2340
  • C:\Users\Admin\Desktop\7ev3n.exe
    "C:\Users\Admin\Desktop\7ev3n.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    PID:2956
    • C:\Users\Admin\AppData\Local\system.exe
      "C:\Users\Admin\AppData\Local\system.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1584
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4320
      • C:\Windows\SysWOW64\SCHTASKS.exe
        C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1576
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4772
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          4⤵
          • Modifies WinLogon for persistence
          • System Location Discovery: System Language Discovery
          PID:4908
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3732
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2648
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1048
        • C:\Windows\System32\Conhost.exe
          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          4⤵
          PID:972
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2260
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4032
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3480
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:412
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1796
      • C:\windows\SysWOW64\cmd.exe
        C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3780
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          PID:4764
  • C:\Users\Admin\Desktop\Annabelle.exe
    "C:\Users\Admin\Desktop\Annabelle.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Disables RegEdit via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Impair Defenses: Safe Mode Boot
    • Adds Run key to start application
    PID:568
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:4044
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:3828
    • C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • Interacts with shadow copies
      PID:4132
      • C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        3⤵
        PID:4908
    • C:\Windows\SYSTEM32\NetSh.exe
      NetSh Advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      PID:3096
      • C:\Windows\System32\Conhost.exe
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        3⤵
        PID:4764
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -r -t 00 -f
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4736
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1468 -ip 1468
    1⤵
    PID:3172
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:236
  • C:\Users\Admin\Desktop\Birele.exe
    "C:\Users\Admin\Desktop\Birele.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 252
      2⤵
      • Program crash
      PID:3544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4528 -ip 4528
    1⤵
    PID:3612
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3993855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1988
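
The Scancode Map value that 7ev3n's dropped system.exe writes (the REG ADD chain under PID 1048 above) says more than the signature list does. The following is an added example written for this page, not part of the sandbox output or of the sample, that decodes that exact blob. The layout is Microsoft's documented format for HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map and the key names are the standard PS/2 Set 1 scancodes; the function names are the editor's. It lists which keys the map disables and flags that the header's declared count (0x17 = 23) does not match the 17 mapping DWORDs actually present, which looks like decimal 17 written as a hex byte.

```python
"""Decode the Windows 'Scancode Map' REG_BINARY value written by the 7ev3n sample.

Added example: editor's code, not part of the sandbox report or the sample.
The blob is copied byte-for-byte from the REG ADD command in the process tree.
Layout (Microsoft, HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout):
  DWORD version, DWORD flags, DWORD count (mapping DWORDs incl. terminator),
  then one DWORD per mapping: low word = scancode to emit, high word = physical key.
  An emitted scancode of 0 disables the key. The driver reads the value at boot.
"""
import struct

SCANCODE_MAP_HEX = "".join([
    "00000000", "00000000", "17000000",          # version, flags, declared count 0x17 = 23
    "00003800", "000038e0", "00005be0", "00005ce0", "00003600", "00001d00",
    "00001de0", "00000f00", "00000100", "00001c00", "00003e00", "00003b00",
    "00004400", "00004500", "00003d00", "00005de0",
    "00000000",                                  # terminator
])

# PS/2 Set 1 scancodes; 0xE0xx are the extended keys.
SET1_NAMES = {
    0x0001: "Esc", 0x000F: "Tab", 0x001C: "Enter", 0x001D: "Left Ctrl",
    0x0036: "Right Shift", 0x0038: "Left Alt", 0x003B: "F1", 0x003D: "F3",
    0x003E: "F4", 0x0044: "F10", 0x0045: "Num Lock",
    0xE01D: "Right Ctrl", 0xE038: "Right Alt", 0xE05B: "Left Win",
    0xE05C: "Right Win", 0xE05D: "Apps/Menu",
}


def key_name(code: int) -> str:
    return SET1_NAMES.get(code, f"0x{code:04X}")


def decode_scancode_map(blob: bytes) -> dict:
    """Parse a Scancode Map blob; report disabled/remapped keys and header sanity."""
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("Scancode Map must be at least 16 bytes and DWORD-aligned")
    version, flags, declared = struct.unpack_from("<III", blob, 0)
    # Little-endian "<HH" yields (low word, high word) = (emitted code, physical key).
    mappings = [struct.unpack_from("<HH", blob, off) for off in range(12, len(blob), 4)]
    disabled, remapped = [], []
    for emitted, physical in mappings:
        if (emitted, physical) == (0, 0):
            break                                # null terminator
        if emitted == 0:
            disabled.append(physical)            # key produces nothing
        else:
            remapped.append((physical, emitted)) # key produces another key's code
    return {
        "version": version,
        "flags": flags,
        "declared_count": declared,
        "actual_count": len(mappings),           # terminator included, as the header should count it
        "count_consistent": declared == len(mappings),
        "disabled": disabled,
        "disabled_names": [key_name(c) for c in disabled],
        "remapped": remapped,
    }


def decode_hex(hex_value: str) -> dict:
    return decode_scancode_map(bytes.fromhex(hex_value))


if __name__ == "__main__":
    info = decode_hex(SCANCODE_MAP_HEX)
    print(f"declared {info['declared_count']} mappings, found {info['actual_count']} "
          f"(consistent: {info['count_consistent']})")
    print("disabled keys:", ", ".join(info["disabled_names"]))
    print("remapped keys:", info["remapped"] or "none")
```

Every mapping emits scancode 0, so nothing is remapped and sixteen keys are simply switched off: both Ctrl, Alt and Windows keys, Right Shift, Esc, Tab, Enter, F1, F3, F4, F10, Num Lock and the Apps key. Read together with the StickyKeys Flags value of 506 (the default 510 with SKF_HOTKEYACTIVE, 0x4, cleared) and the Winlogon Shell replacement, this removes the usual ways out of a full-screen locker once the machine reboots: Ctrl+Alt+Del, Alt+F4, Alt+Tab, the Win key and the five-presses-of-Shift accessibility dialog. The driver only reads the value at boot, so deleting it and rebooting restores the keyboard; whether the mismatched count makes Windows ignore the map is not something this report shows.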

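The process tree also makes a useful test corpus for process-creation detection. The block below is an added example (editor's code, not the sandbox's signatures and not code from any of the samples) that runs a small rule set modeled on the behaviours in this report over events constructed from the command lines above. The rule names, the ATT&CK mappings and the event records are the editor's; the command lines and PIDs are copied from the tree. Benign look-alikes from the same tree are included (rundll32 loading shell32.dll, netsh turning the firewall on, Notepad opening the note) to show that the rules do not fire on them.

```python
"""Process-creation detection rules run over events taken from this report's process tree.

Added example: editor's code, not the sandbox's signatures or the samples' code.
Rule names, ATT&CK mappings and the event records are the editor's; the command
lines are copied from the tree above. The same predicates would run over Sysmon
Event ID 1 or Security 4688 command lines.
"""
import re

# (rule name, ATT&CK technique, case-insensitive regex over the command line)
RULES = [
    ("shadow_copy_deletion",       "T1490",     r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("firewall_disabled",          "T1562.004", r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b"),
    ("uac_disabled",               "T1548.002", r"\\Policies\\System\W+/v\s+\"?EnableLUA\"?.*?/d\s+0\b"),
    ("winlogon_shell_persistence", "T1547.004", r"\\Winlogon\W+/v\s+\"?Shell\"?"),
    ("run_key_persistence",        "T1547.001", r"\\CurrentVersion\\Run\W+/v\s"),
    ("scancode_map_lockout",       "T1562",     r"Keyboard Layout\W+/v\s+\"?Scancode Map"),
    # keyed on /RU SYSTEM or /RL HIGHEST, not on the task name (rhaegal, drogon, uac are sample-specific)
    ("schtasks_privileged",        "T1053.005", r"\bschtasks(\.exe)?\s.*?/create\b.*?(/ru\s+system\b|/rl\s+highest\b)"),
    ("mshta_user_hta",             "T1218.005", r"\bmshta(\.exe)?\"?\s+\"?[a-z]:\\users\\.*?\.hta\b"),
    ("forced_reboot",              "T1529",     r"\bshutdown(\.exe)?\b.*\s[-/]r\b"),
]
RULE_TECHNIQUE = {name: tech for name, tech, _ in RULES}
RULE_TECHNIQUE["rundll32_nonstandard_module"] = "T1218.011"

# Constructed from the process tree above: (pid, command line). Not a log export.
SAMPLE_EVENTS = [
    (2448, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"'),
    (1888, r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding'),
    (1380, r'C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15'),
    (2300, r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1954613211 && exit"'),
    (2648, r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:15:00'),
    (972,  r'C:\Windows\system32\netsh.exe advfirewall set allprofiles state on'),
    (4640, r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___U1MD053_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    (5116, r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___YXWWW_.txt'),
    (1576, r'C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f'),
    (4908, r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64'),
    (2648, r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64'),
    (2260, r'REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64'),
    (4764, r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64'),
    (4044, r'vssadmin delete shadows /all /quiet'),
    (3096, r'NetSh Advfirewall set allprofiles state off'),
    (4736, r'"C:\Windows\System32\shutdown.exe" -r -t 00 -f'),
]


def rundll32_loads_nonstandard_module(cmdline: str) -> bool:
    """rundll32 whose first argument is not a .dll (here infpub.dat, called by ordinal #1)."""
    m = re.search(r"\brundll32(?:\.exe)?\"?\s+\"?([^\s,\"]+)", cmdline, re.IGNORECASE)
    return bool(m) and not m.group(1).lower().endswith(".dll")


def match_rules(cmdline: str) -> list:
    """Names of every rule the command line trips."""
    hits = [name for name, _, pattern in RULES if re.search(pattern, cmdline, re.IGNORECASE)]
    if rundll32_loads_nonstandard_module(cmdline):
        hits.append("rundll32_nonstandard_module")
    return hits


def scan(events) -> list:
    """Sorted (pid, rule_name) pairs over a list of (pid, cmdline) events."""
    return sorted((pid, rule) for pid, cmdline in events for rule in match_rules(cmdline))


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"PID {pid:>5}  {rule:<28} {RULE_TECHNIQUE[rule]}")
```

Two points the rules make deliberately: the rundll32 rule judges the loaded module by its path and extension rather than by the rundll32 image, which is why infpub.dat is flagged and the SHCreateLocalServerRunDll call into shell32.dll is not; and the drogon task is flagged twice, once as a SYSTEM scheduled task and once because its action is a forced reboot, which is the same reboot the Annabelle sample issues directly with shutdown.exe.
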
Network

MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                              Filesize

                              479KB

                              MD5

                              09372174e83dbbf696ee732fd2e875bb

                              SHA1

                              ba360186ba650a769f9303f48b7200fb5eaccee1

                              SHA256

                              c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                              SHA512

                              b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                            • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                              Filesize

                              13.8MB

                              MD5

                              0a8747a2ac9ac08ae9508f36c6d75692

                              SHA1

                              b287a96fd6cc12433adb42193dfe06111c38eaf0

                              SHA256

                              32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                              SHA512

                              59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                            • C:\Users\Admin\AppData\Local\del.bat

                              Filesize

                              54B

                              MD5

                              6ad6da5d783b98eb467458907c1ca3bb

                              SHA1

                              6221386d3a96f1259d9a8f8f796fa3ea37dd3829

                              SHA256

                              a652da24835564547d04d4701263f3845a52bbfea05e95aacc1a135b40982f83

                              SHA512

                              3a7f8c76893482579081e68425fe610235a23ddbd67574127b5ef9a61c2a5d489fb12458515b881d97d99afc76886f8e2002f75f7f67a3121f80538d0540891f

                            • C:\Users\Admin\AppData\Local\system.exe

                              Filesize

                              315KB

                              MD5

                              900d089b3e9d24fc14bf9cb2bd8214b3

                              SHA1

                              d9ae19c20eb515600ef059ce42c007964aa6c043

                              SHA256

                              36fb3d8b57921e423962ac69f47531b969c7a7464b25d951a2b3cb8063592da6

                              SHA512

                              d4a47a01f099e86fea482764721115083010645442dc40291e8c163a0251f536de772b01e8c0574b040ff84865f2be111e0fcf7e111c86b95ebf88283b03883f

                            • C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___KUPY_.txt

                              Filesize

                              1KB

                              MD5

                              eb95a44ffc544e23f95703ac47fdde56

                              SHA1

                              1fb7430ac00937b6ba1b1dbd5478508deb01ad0f

                              SHA256

                              23a152a41e530160978b3edba895ea00b91677a2af90bad077fa2564dd4e5966

                              SHA512

                              54e9ba77dcc55aed223fc1616dfb5a9f3a603e24a10d70929754f8509b8453c3e08f396f4b7364241ed6a49f243d3a05b6efd9145eabec9fdd192c3b2cc21c81

• C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___S4F69_.hta
  Filesize: 76KB
  MD5:    6a1d48a4daa7cf18dfb86a113523bb9a
  SHA1:   748ab9e5013d52088c8046e65685830a3a745a6b
  SHA256: 51ad0b1751c6444d8797f2b524d8f3b29a3da5b32a06dd4366c8a66c3f474f72
  SHA512: 093b6c5870009986f7c7b1e91b7127d47335127db9f3c4e1abaef893e981cd83ad05ced8b30ddb03ce6f9c4e484072e6c18586da0318b3a44b8a833a28d91916

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
  Filesize: 9KB
  MD5:    5f45fa25e7b43229c41b3a3c3039eeef
  SHA1:   3d34797b94a63117b9455dc0bc58a015c55b93e1
  SHA256: 4904986aad307adcda72166c67b80331b87f8caf29f77399bf035656be9a7c35
  SHA512: b7b0b293066c40168ec7955ab20297f1fc384439c2617dd689032db4d5f15c2d74736c99df54df089b1a0d2f3033954b168e2add041eb772a4b93d14eefae36d

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NXAGYVE5IB25ZGPVHY2V.temp
  Filesize: 9KB
  MD5:    52526cbfce7d8fdbad891faf6a3b8d0e
  SHA1:   c18f925c339e13a8d22b0e25566e5b3a427c1b28
  SHA256: 30c877569eed7fa83794b795c1672e9adee781f2a81daa1708eb0dcb1547388d
  SHA512: abb91f08846eb7a87c5b553a5c63c9c9d1cfe6fd3e69e1bfba54983ac9363a109bc0e742a1475edf991e8d70b3aceb8fb8c58abc78a89b430bcb3009863007e1

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\AlternateServices.bin
  Filesize: 6KB
  MD5:    b4d4e058a59cd72e5fb8eee7505b2b62
  SHA1:   0236face3f767308f926a79543dc0e57b3b01f04
  SHA256: 83770955782d72dba598a8f49281ac66cc0fc8772946524aff0f36221fb1ddce
  SHA512: fd4492d949895745bd8b834a71b3fb1b3c5fb5288f4afed9371c98dc475b065d3987b5254be8032d1939ee8ac7c8d738969ac18d8c23a8a94f29e658e643536d

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5:    f9cd49671a7118428deedb3f538461fd
  SHA1:   ec664cf4bd15e0842d1a7ee37bc8d60f3231bb0d
  SHA256: f6c2e82c8503c194fb3f90c90272d5a7a3d4f6f954beaf263de6dfe88f22cc88
  SHA512: 36c6ee3aae5636010643ecd75c15eafe67adc0c005ae215c40bc035769ac5aaf4d936193a01c0718ae818fe6ad745e696767d5473b7baa444d387851a148035c

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 16KB
  MD5:    7707ca71d52464eec497becc99604850
  SHA1:   a8e9e17f4bda243d34689ecb55bbb5c4bdd28fc3
  SHA256: 38904f550a05f9d3b1f0767c33da0ff01ee92c11d284e8ae0fc71bbd9983f7f4
  SHA512: 54ecdcb3ddc4cb61f7db0afc71b8ecce650de4fe371fc2b8d146a8efecd2b369373f21598e1b9bc5bbd21ac7e6040e0ca5d1f9ff25542d48f04d9709091f7d4e

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5:    dc0525b70d02a8757eb01411ce7afe75
  SHA1:   0e0e7e3f0af1a943033f10f4668ddeb6f7a62684
  SHA256: e5089311cd04393e092a472376d33f8a1f1ea7cf9e80bd278ca55554d3396865
  SHA512: d36825eb9b03ad298a41ed2e538bf9b61bbc547cfc58afc127f49d30bfb7b1e22a94bed0d4e1439f0dd4d7a2a5ccfec229764eee4da13a1c8bbbafedf909b39b

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 38KB
  MD5:    1c4da7b5b5b87d4e5a809c3515e10dd1
  SHA1:   d01ef91bf3617e49f33c4549579256bd38eb6e48
  SHA256: 4e56428e33e1f23e3389cbc00279218f65001188f879e1e8ffbaa2ac25f5e479
  SHA512: b6532140290b2dec63f7932deff7ea22aca3c610e801b48572db4e677aae0fa6d9b1a397c23504d065d5ed2f339727c2f8801328c08db9531b3eb510e407d524

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5:    fcb0df163f1371c0d76c2f7da02e4b26
  SHA1:   44958286116890c758586d3963677dafec4b973b
  SHA256: 8474a818671b1638dbea37b353d554def97418c594bcacea06e52af4ff22e7d2
  SHA512: 83fe6bab26e410511c4c80fc54cb0b2244776dac5c4ba4c0d10e9bfb8cafb1e4ac0e833b4d40c07cf81d9456902dce951f6ac3acd31cbedd4f17e0809fe71448

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\1a660ddf-f611-4189-ab53-d5dddd964c0d
  Filesize: 671B
  MD5:    63e04237079f1f15f9fe5d8d5c51afc7
  SHA1:   3a78b0ebd73a16f1781a644c2dd40270f2c4d178
  SHA256: 812818932ebe84f05db22bd33cf170eecea170251f1d3f81d677f2779cf6f638
  SHA512: ed2705fd24cc8d059a6d5610c0966d2c80582cce274e4dc1cbba379ad6492e5511ea09840b6520263f4d21b450e1ae2993db6ecda5bea16856183a447c94710a

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\579fa393-8939-4643-8180-fee14b9ff186
  Filesize: 25KB
  MD5:    e609c73c359788b1d05204f8d7ddcf78
  SHA1:   7f340b676414da2347b87f80d29090a86fe10313
  SHA256: 44b7122e32ed52c011040ebac8c31f7d95e7f415433eb663c96205a6ab2a4f7b
  SHA512: b761a33db8f08f7c89f19303aeb616bdb3dca185c24cb4019764d20db641d9160a23c95bc2664b8838adb378a21f5a26b189e0c343ebd8a73fa48a2d37d857ec

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\79b37499-8a6d-46eb-b1c7-ac3eaff6be88
  Filesize: 982B
  MD5:    e0ebebc182c5ab9d0c1f0c34b4638d19
  SHA1:   9d38406b7a726076725d24c4bf3117fa96d132e1
  SHA256: 5cd903833587f676a7928ffac2d6146713a8532c91b57e5aa664c40fa462ef8e
  SHA512: 4e16f2668c625e1204e44ebb82652f2f9681beac70fe555860ed206ebcc4eded3bcecadc3645382ebd8f42dfa3598c8446af1d8bf1ee6b3048f74ad2c55f8e71

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
  Filesize: 1.1MB
  MD5:    842039753bf41fa5e11b3a1383061a87
  SHA1:   3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
  SHA256: d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
  SHA512: d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
  Filesize: 116B
  MD5:    2a461e9eb87fd1955cea740a3444ee7a
  SHA1:   b10755914c713f5a4677494dbe8a686ed458c3c5
  SHA256: 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
  SHA512: 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
  Filesize: 372B
  MD5:    bf957ad58b55f64219ab3f793e374316
  SHA1:   a11adc9d7f2c28e04d9b35e23b7616d0527118a1
  SHA256: bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
  SHA512: 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
  Filesize: 17.8MB
  MD5:    daf7ef3acccab478aaa7d6dc1c60f865
  SHA1:   f8246162b97ce4a945feced27b6ea114366ff2ad
  SHA256: bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
  SHA512: 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\prefs-1.js
  Filesize: 11KB
  MD5:    e20b0803d6cae4cb05a795cd3e6f09d2
  SHA1:   1b12fbe7bc6780ccf755543b3ebaaa5161706e32
  SHA256: 8a9f4c0fa40f3591da402aff1fe28648d0c9bf965de15faebf083090df4fdddd
  SHA512: 31680471bae3a295b823f923241b6ea20ac8e3c7d13da8377f6652f37248d5cec3b8063ce6f95174f8e1d1084ef533ab44818371c9124964d04ca48de392abbb

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\prefs-1.js
  Filesize: 11KB
  MD5:    d449081544b8ad6d30b040bbd05c599b
  SHA1:   3b7189a22430c296ea7e4860df848a52e8ba4581
  SHA256: 10c599c5a29c59d414f6a8bad64f8db5847895a7adec9db3a5279044e67d0bdf
  SHA512: f658feadaf28f77ec9dae42908ccf0cc7e8bedb515be5ec59aa9247b6036e61c2601fdaa9e222cbdae3f6601e679e5ba62cebd87ae1b90c7b944ed6a46de1355

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\prefs.js
  Filesize: 11KB
  MD5:    0701352452437c69d4f994a04893b466
  SHA1:   755648540158dd75333b7a2c1480c8c0153406df
  SHA256: da51996e1e95f38f28538de9dad9b29c992f00b24ec2266c7535a7c3b590d04b
  SHA512: 4053c5c3b92edd39ec6c9827a0ade756743c4bc6cd3e66595462e6044856f81b0373013642435869a180727abe8ba2a2629be2a0ace114f76e58362d504f8d3a

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\prefs.js
  Filesize: 10KB
  MD5:    4827de7438167b56cc1ce0124244a9de
  SHA1:   f362d71a1d8d85c23580e3e83b21ada9b8c2ee0a
  SHA256: 2205b3f016b445d9b0457a75814cd2ead795aeaef035d3688aa9c88bf61ad408
  SHA512: 06215a18ee4de010cfdcbec1260331fa38f5f2470570dc1b2094ce004b1e0f8ef8cd6f72b0621010a5a424175d18cbfd4f3cc934cdad38972b671de7296a1eb1

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\sessionCheckpoints.json.tmp
  Filesize: 259B
  MD5:    c8dc58eff0c029d381a67f5dca34a913
  SHA1:   3576807e793473bcbd3cf7d664b83948e3ec8f2d
  SHA256: 4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17
  SHA512: b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\sessionstore-backups\recovery.baklz4
  Filesize: 3KB
  MD5:    5f79003e1a7dceb848db6d25569c5358
  SHA1:   9968b222cfc80d829d2faf34f4e085727978104b
  SHA256: ffd73c6244322e1fe75442b2159b905dcd8b76b7e25c9c7f8dae6f71e3d62245
  SHA512: 44ac66270f730e6ceec6920fc9722f6c5a8266066f440ac597c0b6465e12eb51c00be2d1b9bb0a59f05aa692297eb128d95e2f81802d9e97bc86c0a21a12eae8

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\sessionstore-backups\recovery.baklz4
  Filesize: 3KB
  MD5:    f38c66856e1854263de8af9a2e462722
  SHA1:   4cc1509d0654856c344c1a62f56fc006995b3ffb
  SHA256: fea0a2d1d5655754b7bd49b63e0b76965cdcebdede1cf574bbd3880ce9b2e76a
  SHA512: e7741f32b2bc158759058d67621e52d8628c7dfd517da11973fe090a0825e8b439d41a859cf1fffd35ca2d75c63ab8862e7080c6c6ffded59aae3ed4133bfb26

• C:\Users\Admin\Desktop\1.R5A
  Filesize: 341KB
  MD5:    8127d3f4f0cc843d19c01efb63a6d59d
  SHA1:   97bbcaf8f63f4bda6b338604e21aaf041249b187
  SHA256: 0b4ae68d575c86b669047e2a2c324413705db22851221e4a5b8e7edbacdceae2
  SHA512: e3cbf6bb8dff260bf786395975c023e88fee655d17f770b1fc64ec60b34e4582df407de1ad902fb1d3569d8e5f8aa143e3b9d49c8e03e10c31e9b4c5013e40a3

• C:\Users\Admin\Desktop\CheckpointClear.html.WINDOWS
  Filesize: 438KB
  MD5:    5ffdfc13b53936ec03c341b7e61f1f8b
  SHA1:   384fe8333ec8fad6b35d35724c7139c1980601ef
  SHA256: 120d1ffa1a4c2ceeb0b45d79cd7315d3b3062496cba62e6e655d1642544740e7
  SHA512: 1d9bbbb6526ac5316e1774380ffadf9ab66355f2a87f3c95508b5e8fb6a08d650b54b29aa5e4e3db74c63c40841cc92897f58c97fd6e0c3eea358ee0b091e02d

• C:\Users\Admin\Desktop\CompareRevoke.xlsx.WINDOWS
  Filesize: 11KB
  MD5:    2d6e37202b67ed22678044c56a33cee5
  SHA1:   0c74d5ddf191cc191f6527ee65c9fee0b3130996
  SHA256: 221c8e144d3e759b312b6acec3ab5ec9614b55a2d86779aa4f28d1d5252123b8
  SHA512: ae6835553fb58c66da89e9308d0f4d0ce4118baed2c6675037b85fb231b402b4481ad829f165351dc70d206c2edbebd8c38c29b3278ca0ab2aa0cc7ec48db6e7

• C:\Users\Admin\Desktop\MeasureFind.xlsx.WINDOWS
  Filesize: 12KB
  MD5:    6a0b907b2b4a49aeaaf29ae1b78be2f8
  SHA1:   176dd8884f6ddf6f170f6dc91caf84489ddce26c
  SHA256: f937054af1920777611cca2a65d9fc373a92b9a9c4c63f02282cfd0c08e167bf
  SHA512: 45d1df563065ca2cbad6d6e6acbaa994be048da4a0aa43a8a999451e616e39de9bec4962c1a43a4564fb32efa8991df11c6860b0f8b8b76c757acde23fb18a5e

• C:\Users\Admin\Desktop\READ_IT.txt
  Filesize: 124B
  MD5:    54ba0db9b8701f99a46ae533da6fe630
  SHA1:   2bd5aea2aceea62deb7ba06969ff6108f3381929
  SHA256: bb1455630e747e00b60910f9eadf47641ecc46e917034d08530430569d8eaeac
  SHA512: 27fa4e43cf1a1b79a597cfb28aa29457aa096d8c485f84d7b2754268148bfa7430e53abdee4897f911af51aabbae3942ff57cbae02765bbea27e1c181bfecc1a

• C:\Users\Admin\Desktop\ResolveAssert.docx.WINDOWS
  Filesize: 14KB
  MD5:    b1de6aa49bb11d7e0aaeed1bee23b4c0
  SHA1:   2e006bc33868d09f14ed95b09207ca458a31e5a4
  SHA256: ca8aca7d63cd5b59fc5cecd01435f8322310a59cf591175ef1ed2c766502729a
  SHA512: 131552a6d01d2b65ecdaa5dbbfa404b4d19984d6789f3f423296438def1d3e127702f1fe2984388692a6dcaec1460cf38bd6d31d7b3d195687f0028d5deb6980

• C:\Users\Admin\Documents\1.R5A
  Filesize: 11KB
  MD5:    c623a5c4aacd51aac2bfca8360858625
  SHA1:   a8581dae9e3161a9f4b3dd4b94fdde926f9b2cd1
  SHA256: f1df85e2f5092aa59dc4f0c473678716c9cb91026531d5b71a67c68c340c747f
  SHA512: f6cfdf0e1f08186b7f566dea4177458ff65c80d9c759625429ec6e4646a412553087199f270503dfc4f553c4ac0114cdbad5096820349b6eea1060da4f4bc821

• C:\Users\Admin\Documents\2.R5A
  Filesize: 616KB
  MD5:    59307329628d668b0dade1ffb8dab618
  SHA1:   22bf336191805616989a6ec33894ffab0ce43d91
  SHA256: e4587340685a09ef1cc0f2956c6774459df89c82609b2bc3794cabd9a81c084c
  SHA512: ac864a9ca71aa361bfb2b1438a407c49ddfc8276e50da77f41b9ef173ee0712043b1e2d3163571350db91c5ce0478e4d067773c0e5c11dd52122d78c79e5234b

• C:\Windows\BB58.tmp
  Filesize: 60KB
  MD5:    347ac3b6b791054de3e5720a7144a977
  SHA1:   413eba3973a15c1a6429d9f170f3e8287f98c21c
  SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
  SHA512: 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

• C:\Windows\infpub.dat
  Filesize: 401KB
  MD5:    1d724f95c61f1055f0d02c2154bbccd3
  SHA1:   79116fe99f2b421c52ef64097f0f39b815b20907
  SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  SHA512: f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

• C:\Windows\infpub.dat
  Filesize: 401KB
  MD5:    f6f7dfe324da976481c8730ffd5509c0
  SHA1:   240f9e6e3caecd8ba5b95a1e426f9d61655a56f1
  SHA256: 7d03ed6535d8c34bf9672eeccb16cd0eca0d50941b7e2e410b0a7be58545d686
  SHA512: 4b1b7a9daa0ee984c124f6059beefac7bb2d24599e435b00f1df6a10d752eef7d5575a69775924a3ed8fda20566f4e1cb07b02eda68b81662fdd128c807929ed

• memory/568-705-0x0000016E7D710000-0x0000016E7E704000-memory.dmp
  Filesize: 16.0MB

• memory/568-780-0x0000016E19410000-0x0000016E1A99E000-memory.dmp
  Filesize: 21.6MB

• memory/1380-743-0x00000000025B0000-0x0000000002618000-memory.dmp
  Filesize: 416KB

• memory/1380-708-0x00000000025B0000-0x0000000002618000-memory.dmp
  Filesize: 416KB

• memory/1380-716-0x00000000025B0000-0x0000000002618000-memory.dmp
  Filesize: 416KB

• memory/1468-733-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

• memory/1468-690-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

• memory/1468-692-0x0000000002280000-0x0000000002286000-memory.dmp
  Filesize: 24KB

• memory/1468-734-0x0000000000418000-0x0000000000425000-memory.dmp
  Filesize: 52KB

• memory/1468-696-0x0000000000418000-0x0000000000425000-memory.dmp
  Filesize: 52KB

• memory/1468-694-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB

• memory/2340-701-0x0000000000F90000-0x0000000000FFE000-memory.dmp
  Filesize: 440KB

• memory/2340-707-0x0000000005A00000-0x0000000005A0A000-memory.dmp
  Filesize: 40KB

• memory/2340-693-0x00000000750EE000-0x00000000750EF000-memory.dmp
  Filesize: 4KB

• memory/2340-702-0x0000000005FE0000-0x0000000006586000-memory.dmp
  Filesize: 5.6MB

• memory/2340-706-0x0000000005950000-0x00000000059E2000-memory.dmp
  Filesize: 584KB

• memory/4440-922-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

• memory/4440-1270-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

• memory/4440-769-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

• memory/4440-697-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB

• memory/4440-1331-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

• memory/4440-836-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB

• memory/4440-1387-0x0000000000440000-0x000000000044E000-memory.dmp
  Filesize: 56KB
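Before the dropped-file digests above go into a blocklist, it is worth machine-checking them rather than copying by hand: a truncated or mistyped digest never matches anything, and a memory-dump entry whose listed size disagrees with the address range in its name points at a copy error. The following Python is an added example, not code from the sandbox report or its vendor. It parses entries in the listing's layout (a bullet line with the path, then label/value pairs) into records, checks that each digest has the length and hex alphabet its algorithm requires, and, for dump names of the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, checks that the listed Filesize equals end minus start. The sample input is copied from three entries above; the size notation it reproduces (whole KiB below 1 MiB, one-decimal MiB above) is inferred from this page's entries, not a documented format, and the regex for the dump name is likewise an assumption drawn from the names on this page.

```python
import re
from dataclasses import dataclass, field

# Digest lengths in hex characters; the listing carries exactly these four.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize",) + tuple(HASH_LENGTHS)

# Assumption: dump names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp,
# as every memory entry on this page does.
MEMORY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: three entries copied from the listing above, the last one
# written with the label and value on one line to show both layouts parse.
SAMPLE = r"""
• C:\Windows\infpub.dat
  Filesize
  401KB
  MD5
  1d724f95c61f1055f0d02c2154bbccd3
  SHA1
  79116fe99f2b421c52ef64097f0f39b815b20907
  SHA256
  579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  SHA512
  f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
• memory/568-705-0x0000016E7D710000-0x0000016E7E704000-memory.dmp
  Filesize
  16.0MB
• memory/1380-743-0x00000000025B0000-0x0000000002618000-memory.dmp
  Filesize: 416KB
"""


@dataclass
class Entry:
    name: str
    filesize: str = ""
    hashes: dict = field(default_factory=dict)


def parse_listing(text: str) -> list:
    """A '•' line opens an entry; a label's value is either on the same line
    ('MD5: <hex>') or on the next non-blank line (the page's own layout)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, cur, i = [], None, 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("•"):
            cur = Entry(name=ln[1:].strip())
            entries.append(cur)
        else:
            label, sep, value = ln.partition(":")
            label = label.strip()
            if cur is not None and label in LABELS:
                if not sep:  # value sits on the following line
                    i += 1
                    value = lines[i] if i < len(lines) else ""
                if label == "Filesize":
                    cur.filesize = value.strip()
                else:
                    cur.hashes[label] = value.strip().lower()
        i += 1
    return entries


def hash_problems(entry: Entry) -> list:
    """Digests that would poison a blocklist: wrong length or non-hex characters,
    or an algorithm missing from an entry that carries any digest at all."""
    problems = []
    for algo, length in HASH_LENGTHS.items():
        value = entry.hashes.get(algo)
        if value is None:
            if entry.hashes:
                problems.append(f"{entry.name}: missing {algo}")
        elif len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"{entry.name}: malformed {algo} {value!r}")
    return problems


def parse_memory_name(name: str):
    """(pid, seq, start, end) for a memory-dump name, or None for other entries."""
    m = MEMORY_RE.match(name)
    if not m:
        return None
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def format_size(nbytes: int) -> str:
    """Size notation as inferred from this page: whole KiB below 1 MiB,
    otherwise MiB with one decimal (an assumption, not a documented format)."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def memory_size_mismatches(entries) -> list:
    """Memory entries whose listed Filesize differs from end - start of the range
    in their name; each item is (name, listed, expected)."""
    bad = []
    for e in entries:
        parsed = parse_memory_name(e.name)
        if parsed is None:
            continue
        start, end = parsed[2], parsed[3]
        expected = format_size(end - start)
        if expected != e.filesize:
            bad.append((e.name, e.filesize, expected))
    return bad


def summarize(text: str = SAMPLE) -> dict:
    """One pass over a listing: entry count, sorted SHA256 set, and both checks."""
    entries = parse_listing(text)
    return {
        "entries": len(entries),
        "sha256": sorted(e.hashes["SHA256"] for e in entries if "SHA256" in e.hashes),
        "hash_problems": [p for e in entries for p in hash_problems(e)],
        "memory_mismatches": memory_size_mismatches(entries),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run against the full listing, `summarize()["sha256"]` is the deduplicated set to load into a hash blocklist, and a non-empty `hash_problems` or `memory_mismatches` means the copy of the report, not the sample, should be re-checked before anything is acted on. The size check only applies to memory dumps because their name carries the exact byte range; a dropped file's size is rounded by the report and cannot be recomputed from the entry alone.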