hxxp://dddd | Triage

Resubmissions

17-12-2024 19:15

241217-xylpjsvncv 3

17-12-2024 19:13

241217-xw2b8avmgy 8

17-12-2024 19:09

241217-xt41bsvmcy 10

Analysis

max time kernel
146s
max time network
144s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-12-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://dddd

Score

8^/10

defense_evasion discovery evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1844	$uckyLocker.exe
2332	$uckyLocker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com
48	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Cerber5.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$uckyLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$uckyLocker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 101880.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Cerber5.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 813180.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
1920	msedge.exe
1920	msedge.exe
4084	msedge.exe
4084	msedge.exe
4876	identity_helper.exe
4876	identity_helper.exe
3016	msedge.exe
3016	msedge.exe
3820	msedge.exe
3820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5116	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3376	1920	msedge.exe	77
PID 1920 wrote to memory of 3376	1920	msedge.exe	77
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 1660	1920	msedge.exe	78
PID 1920 wrote to memory of 4924	1920	msedge.exe	79
PID 1920 wrote to memory of 4924	1920	msedge.exe	79
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80
PID 1920 wrote to memory of 1056	1920	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://dddd
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe1d1f3cb8,0x7ffe1d1f3cc8,0x7ffe1d1f3cd8
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1712,4636082265134431230,5803633829442711249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Users\Admin\Downloads\$uckyLocker.exe
  "C:\Users\Admin\Downloads\$uckyLocker.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:1844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4584

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3424

C:\Users\Admin\Downloads\$uckyLocker.exe
"C:\Users\Admin\Downloads\$uckyLocker.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\74FBF93595CFC8459196065CE54AD928

Filesize
1KB

MD5
ab9b109ce8934f11e7cd22ed550680da

SHA1
8d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b

SHA256
38392f17ce7b682c198d29c6e71d2740964a2074c8d2558e6cff64c27823f129

SHA512
678a8048e54a1323f8b5a8e735a1085a5bdd22bd2a3f5a975fd2824049725eb06405029901071356f42cdfd843712c05b418598fad700ad7a1edb1fa9b37af20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928

Filesize
298B

MD5
4c9bef20a72fb73b1f75adaf3a38ceb2

SHA1
1bcb85c4d20ff7f9eb3c3a797403b1c6571e68cd

SHA256
1e9f6c56960fe097096574d9d8ed650392b81604967505bbe82e6891cc78c870

SHA512
4f7d2a3920e6292f148cea32689dde301f49c1415295af0224a22c47ec43228a024bff66d551cd298654965516bde3a64c8c44b2cafd84f2bad4104650d76884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
0d89f546ebdd5c3eaa275ff1f898174a

SHA1
339ab928a1a5699b3b0c74087baa3ea08ecd59f5

SHA256
939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e

SHA512
26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
26KB

MD5
5dea626a3a08cc0f2676427e427eb467

SHA1
ad21ac31d0bbdee76eb909484277421630ea2dbd

SHA256
b19581c0e86b74b904a2b3a418040957a12e9b5ae6a8de07787d8bb0e4324ed6

SHA512
118016178abe2c714636232edc1e289a37442cc12914b5e067396803aa321ceaec3bcfd4684def47a95274bb0efd72ca6b2d7bc27bb93467984b84bc57931fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
38KB

MD5
53214f37c15ce68a217e2915c835b235

SHA1
912add71f2d55aef34ceed48859cac16207759e3

SHA256
5b50f1bacf12105016c72bb57bdb3a468b274fc21d4485d1922a14e2e127f803

SHA512
7289364baa2d22ebe8754a3b0c0ee75e707d88cb925a7a2e871644899bff3a91afff924eb5f3bb1afac7ec6d5fc571dcefc20c5bbf049a1bdc1e0a8515f6fad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
37KB

MD5
fc8b9283e9c3686899120581f73dbf88

SHA1
5d2c3af2bf4a2054daf15098d95992c9aac1bf17

SHA256
27d6e4815025d7fe830001e206a4dfee19b496f302332f195ece6295f5d1f216

SHA512
9dff216af5570c81213c24076f9afdb150b52df46d0143e199d12cc1d05d7e8b21e096b129d5d722ab0b51996a41cd70f0b2f06a65f9cd127c5700fc6ce49319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
18KB

MD5
5874476248aa64a7474180838abbfacb

SHA1
82bce12fcef16b46aa29747f1f4f5b3675ea920a

SHA256
69633ea1317c6e008ec045c365f8ac1bd633db8454c1d90eea7b77368e3462a0

SHA512
7847bc55ebe9dbc4a77f634d4f2f0ad508bf2e81ba175beb071b927d0361efb6cffed65479211c719b9f6bc29b91ed8d98164ed9ac393ac31162227aa50eaf8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
16KB

MD5
6bd297ca3e7194e80a3b03d545a2033d

SHA1
6720368ae50640eedbdb4b4d3e1311a3d696bfaa

SHA256
e59224be8c0105da450467d1986adc9c315ffe34282c4b6def19ad9cf413db8c

SHA512
885a70a2634d882188241c5c725255bd2611973c3a6999220d1215ed90452bd418250e9f18e81722277777c66ebc2f693c37a988b6a2f7623295b34356b3cdce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
3f08d0f4aa8418103fa76a93dc67638c

SHA1
d6490ae24f98f88271eb413e4f7b01fbce0ad55d

SHA256
cf3875d3d5a5fe0a9eb16d583fcfcf694bf5cb387bd37919890e0b2e29ca580d

SHA512
ff01d4f522638b90164b9927f3a4ffb968fcd282a5942d873a1dd6d8819012ed167f1f0cf8b30bc97ff61e1dcd3ecc3e0a5a9f427791ec17b00119390d2630a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
53b7da86ae1056c0b569549b983db3eb

SHA1
85eb3d4d770da2dde1e09fc0608903590c3350b0

SHA256
b96020b00106fe5b33f8d050436dcc14c2c1ec67729657b1c5b14b2c8e9ee929

SHA512
fdad09084b197bbb337ddbca1263e54f9c6b3d3fc23ad6188709612ed1710a23924a0b7a07b5b896b971d8e96d9cd788858daf0b6c24ebed744c7affd88133e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
67cd834d26090c4de38f21ce940f88ae

SHA1
e11f24f314b2a09ede21c61066b7e89c3e18db80

SHA256
06127c670115dde00865b216cc79de96ff0c27bc1c0ff8788f1467786dccd91c

SHA512
8571f0168799e483247739ebad0b9d844992ecf6b2ca0c503438162fd90b3bef0402878c65cebcf7708e3de84e2e6039f166f14a22ff17440075a3cf4753c4bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
79b2b61d9857304906d682974fe4c0ea

SHA1
87ff8b690424e4419787e637da050f0d2d58f477

SHA256
dee25170995267be0a3f9490f47b8a9b186debab97b6ead012102a556406852b

SHA512
12ece8df2461c971cd821f7b91776d0e2385942ddc77d203d20966a06635d341b090c6db45df82e1b795d84d2e3e8fa0d745b6428db63fa54b43cf9135319e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8805592a3039469614d31827fd76b031

SHA1
f49f6ecd064ad3e7c7eb6140aaf5f5c944596691

SHA256
214a2218d755628ee1d6a2bc5e7015a83b0cbc81b5b7ba014aa511e06cc60b7c

SHA512
11985534b6a9f195ccd8e641ba5cbe1fa25dc741c8c83dde28eff3ad226a0b1557704af486da15e6baeac5f13f9998c1bc8ae51e7ee3563e2e3e4034babc7379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8054a993e51b5060ffd1df2a7b18afee

SHA1
0d90d8c8ce86f3183e6dcfbd8c51e8f250f82e66

SHA256
61ffd3df4da52dce1083ef621ef8cbedf0b6e6d1a806c2645862ccb9f87a8060

SHA512
514de5ddf340c0ca7e6dc6dfeda987872b70ac4e4e5a554e65e26efed455c4c9bff6184a7fa3d566b379c5cd44e3b4c6e7f23465c6666df3705a49505e1fddce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
607595afcd48121bebd0bc8d851e0d9c

SHA1
91658b7e214b16018851e8cadbc66a8ff2e52b1d

SHA256
a7dea72462e0423f5684a1459e74b54cff55992f56d452875ea0ed83a72415de

SHA512
200659fb7a976edaefed8690d04763b01568a7e649d5bcc60926cdcd769e5f06916f3b8c25b2c8459a8d78061e1fd1c69eaed8f75f4835f185931fc8c8f4885a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c69c63e5bbec75033c14b817119b3599

SHA1
007941368fec33483ace12f367ba497a6d11412c

SHA256
b5f6d8718fca83ac99048e98b4161dc7a2c1e5eadc7939ebde9f003e88eb9e3e

SHA512
906c3be2f75d4d773e4f2f88b51e9bc2684a9e6af009a47f9d90fcb3c21c1fd0797bbc5032320c5e8401672dd2ed6ffdba14b73c577647219271c4cd6701b6ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
865e59f8b682b87ba396293efdfa6a2c

SHA1
7066e3d4248258a9b5580a97a5ef7143b3c0b42b

SHA256
7b31ade0bd806d8b546943090a079a688b15b23153de28cd269c2a7e43e4750d

SHA512
805d79f10cc3ac076408c2ae612dd05582628ab04df9c7e5ffab21dba8f4516a573d01004fb902cd481abc4e3ae45acae8480b5b0f8398a67418c97ba4e23f9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9eb7c3a346db0928826b9b18a48165e9

SHA1
c9b6171f8d55b8aba99562a10df5479ea28243a7

SHA256
addb86b59fc4ca26143d8b143f878ced646f1b6fe1d7f68b611483081c276b99

SHA512
462ec3843a2023799efac1980e121bfc4dfe97562757ddd35fc6c480f2219623ce528b3a1a5807197ab0ca31a28d094daa152dada5653f7a6c59a294a4bc04c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1163440517a5979415bc8cd7109d7c19

SHA1
6ab4d1db428362630a3c456182848eeeaf3de088

SHA256
92563a2e863d2ee241274af19401a875f77b1345b1ec8c933e3d9780014c6a37

SHA512
d6319478512f5b9fca3740a2b677c52d2017be87398d31bd96aaaf1d75cb1f2881941b4aeab5415947009978db2d0fcff9a8038c5a38514b9ab3a66ae7e5af94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c6bf360db0b0191d76ab8eec6d3d75ac

SHA1
7fe18b52ca0cfc75cbb90152e204b7d91bb5530a

SHA256
565fadecb2971b9011d36ac45aa0016233a67e07b600549ccc438730ae3d070a

SHA512
884cb1ad6c228240f64024e809b6089c6f6ae1178918b0b75adff31d910c85a582b2b001725bed0f8445b2c1a5eee5d78f22bf09d0436a3f8321201f6e1cde34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
76162d288906db14901c372720b25636

SHA1
68ce02edc32acf4f5858db3b1ae5615a8339c823

SHA256
552d06ff4f201f6ec2ce3ed3cf4c4a52c4dc9d47ebe838ab7f5c0ba4f1fb2e94

SHA512
8dd0ad04ba657c0c88e5c991b3e79061c0346126363f8285b13819b4502b90fdb498f677ad194a2ea8e4595006e13c18f16cd3b1eeadf9e8f6fe1e735677612b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
30251b92b7e488d9c733b6fe3a47b12e

SHA1
48b30748fa136329aa51ada6d91bf0bfe6b37896

SHA256
42ea9f2cbfce8b40005246086340ee45ccd4975999909c29a676d27ad981c8f8

SHA512
a1a4768ae0f644e0127c6f2b9f985bf401088226c69d88faf4c21331ec56b6c3c970063413d718a4590355c63391ec6610f265167785c803167b7d77f7eb2f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57de4a.TMP

Filesize
538B

MD5
95b7e589c2e4e55a5c66c71a59a814a3

SHA1
4248fdf76b575060f5a84f33997607d1eb739241

SHA256
4ac13db02ac0b23be71a3f9bfa571a4828ee57ffdba845ec9140bdbf0b58247b

SHA512
967ea70ade6bdb0dc4f4a0ae5a8cbe9aa8af0b99563acbd1cdd4f2dcae243fbd656deeb020ff49163bd022edb3ae1f2ed070a94d1f787210e86f0917930e3f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6a63e23d479c8d0bc74aa2470c78b5a4

SHA1
3b95defc85b2ed9ff5b6597f673befe494fb70b8

SHA256
f9f93451b9959b60945219165e3558bc9db6e5abdcd45714b996885d4b149357

SHA512
ef51844a0a0a0a05690a61cef220f78dcda1e5c9de9419cb7febfcca641ddb3719d65e0176227a9453fc871bc1d67a13b00a1e4389c704048d527eb2882b94ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
17af534d80ceabced8af6309d9c8cb0c

SHA1
8a3b60d60b00fab1d7d369fe364333dd9f217b81

SHA256
c491cbaa823ba9a574ebdf971371892a683350429451cea135262301d5e3680a

SHA512
823034ae05efabc067d9b29e925c4bf9c61ebc38e0dcf0844ec2e9961d92217f34e279894445fa3a0130134ca6f493e2328788c4e5e5bffb13c5e6710342b54e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3c52a64a215183933532ead038ec1ba5

SHA1
56ad66ab9fa7bbf97fc91a2d2d2f72bfae6c9d42

SHA256
8125058deeea0c841a4a79fe8ec37ed90bdd807de7024e947ed9c505fb46eb9e

SHA512
f5768d86dde1e77f72b902dc366606db11e784dd2c6120a0a75b40a612b1483c2b15895a81a99bc5012a887ab5962455a7b832322efbc7c29a84609889d0f74c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cacd22a3533ea87236d30a5ea00c5d97

SHA1
a73007f31df8f9d3a76c8e8c2ee15ed33b0f52ad

SHA256
d8684d633ad39da7b35d276133901783de104d49a452d72b888d4091e7fc5768

SHA512
e3e812f49b58d03649b41034e4a792f1d70bdbc5596d1ac116435eec0cb228c25a373253f626b0623b5a22b293661327581fc0890aa510517063c73b5907cd79

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\e8ebaf15-6938-4750-abe1-9b95541853ce.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Desktop\READ_IT.txt

Filesize
108B

MD5
d845190db42d07b1f4a34292d8f335c7

SHA1
fa97f5c6d4aa832a0a1451730e8ba2a32b2f9339

SHA256
6bd70f8e5afcaf2bac76a5e40649be7ad4d59fb10d37e4f18ed3b1027b714b9a

SHA512
9d9310f6885084665a54cba5c33ce55d2de89978b82d59c70746f1e9ca2abdd094713e562f802f5e723654824ab872b9ab453cb32e279b5960edc196f683a08c

Download Submit
C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Cerber5.exe:Zone.Identifier

Filesize
229B

MD5
ce1b8e61e797dae6935c606497dbfa50

SHA1
b85ff4f9b9a6edae9d28b334ed8dacf89fbb137c

SHA256
8fbfe72b2686f21268b02aad1fa4614f43ef5ad043a697064ccc7868f42418a2

SHA512
ea0becf12157723bd30a4a41fdc38c1fce35a87a959e589110f1d4636c563ca6ca2316d5a0053db03c13c912750983004c705ef3054029df695d8211dc85ea42

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 101880.crdownload

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 813180.crdownload

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
memory/1844-886-0x0000000004AE0000-0x0000000004B72000-memory.dmp

Filesize
584KB

Download
memory/1844-887-0x0000000004A70000-0x0000000004A7A000-memory.dmp

Filesize
40KB

Download
memory/1844-885-0x0000000005090000-0x0000000005636000-memory.dmp

Filesize
5.6MB

Download
memory/1844-884-0x00000000000A0000-0x000000000010E000-memory.dmp

Filesize
440KB

Download