badrabbit | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WinlockerVB6Blacksod[.]exe

Analysis

max time kernel
88s
max time network
86s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-12-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WinlockerVB6Blacksod.exe

Score

10^/10

badrabbit discovery persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
5636	WinlockerVB6Blacksod.exe
5936	WinlockerVB6Blacksod.exe
5128	BadRabbit.exe
5784	7EEF.tmp
4140	BadRabbit.exe

Loads dropped DLL 34 IoCs

pid	Process
5636	WinlockerVB6Blacksod.exe
5636	WinlockerVB6Blacksod.exe
5952	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5952	MsiExec.exe
5940	MsiExec.exe
5952	MsiExec.exe
5636	WinlockerVB6Blacksod.exe
5952	MsiExec.exe
5936	WinlockerVB6Blacksod.exe
5936	WinlockerVB6Blacksod.exe
6100	MsiExec.exe
6100	MsiExec.exe
6100	MsiExec.exe
6100	MsiExec.exe
6100	MsiExec.exe
6100	MsiExec.exe
6100	MsiExec.exe
6100	MsiExec.exe
6100	MsiExec.exe
6100	MsiExec.exe
5148	MsiExec.exe
6100	MsiExec.exe
5936	WinlockerVB6Blacksod.exe
6100	MsiExec.exe
5464	rundll32.exe
5452	rundll32.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
72	5952	MsiExec.exe
88	6100	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\H:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\N:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\S:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\I:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\T:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\N:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\K:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\R:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\W:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\R:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\X:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\O:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\U:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	raw.githubusercontent.com
55	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4aa6d978-42d2-481c-a726-62820d03f5c6.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241229074535.pma	setup.exe
File created	C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe	msiexec.exe
File created	C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe	msiexec.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1213.tmp	msiexec.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIC9F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBB6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE06.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1738.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAF7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e57c96e.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c96e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE36.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1503.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c96a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICA97.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\sys.job	MsiExec.exe
File opened for modification	C:\Windows\7EEF.tmp	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICA47.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1147.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12EF.tmp	msiexec.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\Installer\MSIC9C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI169B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBF6.tmp	msiexec.exe
File created	C:\Windows\Tasks\sys.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI1146.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c96a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAC7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB65.tmp	msiexec.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File created	C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC55.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCD3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC4E.tmp	msiexec.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\Installer\MSICA87.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB76.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB96.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinlockerVB6Blacksod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinlockerVB6Blacksod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5252	schtasks.exe
4516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3384	msedge.exe
3384	msedge.exe
3080	msedge.exe
3080	msedge.exe
684	identity_helper.exe
684	identity_helper.exe
5468	msedge.exe
5468	msedge.exe
5820	msiexec.exe
5820	msiexec.exe
5820	msiexec.exe
5820	msiexec.exe
6124	msedge.exe
6124	msedge.exe
5464	rundll32.exe
5464	rundll32.exe
5464	rundll32.exe
5464	rundll32.exe
5784	7EEF.tmp
5784	7EEF.tmp
5784	7EEF.tmp
5784	7EEF.tmp
5784	7EEF.tmp
5784	7EEF.tmp
5784	7EEF.tmp
5452	rundll32.exe
5452	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5820	msiexec.exe
Token: SeCreateTokenPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeAssignPrimaryTokenPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeLockMemoryPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeIncreaseQuotaPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeMachineAccountPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeTcbPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeSecurityPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeTakeOwnershipPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeLoadDriverPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeSystemProfilePrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeSystemtimePrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeProfSingleProcessPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeIncBasePriorityPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeCreatePagefilePrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeCreatePermanentPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeBackupPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeRestorePrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeDebugPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeAuditPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeSystemEnvironmentPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeChangeNotifyPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeRemoteShutdownPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeUndockPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeSyncAgentPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeEnableDelegationPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeManageVolumePrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeImpersonatePrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeCreateGlobalPrivilege	5636	WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	5860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5860	msiexec.exe
Token: SeCreateTokenPrivilege	5860	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5860	msiexec.exe
Token: SeLockMemoryPrivilege	5860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5860	msiexec.exe
Token: SeMachineAccountPrivilege	5860	msiexec.exe
Token: SeTcbPrivilege	5860	msiexec.exe
Token: SeSecurityPrivilege	5860	msiexec.exe
Token: SeTakeOwnershipPrivilege	5860	msiexec.exe
Token: SeLoadDriverPrivilege	5860	msiexec.exe
Token: SeSystemProfilePrivilege	5860	msiexec.exe
Token: SeSystemtimePrivilege	5860	msiexec.exe
Token: SeProfSingleProcessPrivilege	5860	msiexec.exe
Token: SeIncBasePriorityPrivilege	5860	msiexec.exe
Token: SeCreatePagefilePrivilege	5860	msiexec.exe
Token: SeCreatePermanentPrivilege	5860	msiexec.exe
Token: SeBackupPrivilege	5860	msiexec.exe
Token: SeRestorePrivilege	5860	msiexec.exe
Token: SeShutdownPrivilege	5860	msiexec.exe
Token: SeDebugPrivilege	5860	msiexec.exe
Token: SeAuditPrivilege	5860	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5860	msiexec.exe
Token: SeChangeNotifyPrivilege	5860	msiexec.exe
Token: SeRemoteShutdownPrivilege	5860	msiexec.exe
Token: SeUndockPrivilege	5860	msiexec.exe
Token: SeSyncAgentPrivilege	5860	msiexec.exe
Token: SeEnableDelegationPrivilege	5860	msiexec.exe
Token: SeManageVolumePrivilege	5860	msiexec.exe
Token: SeImpersonatePrivilege	5860	msiexec.exe
Token: SeCreateGlobalPrivilege	5860	msiexec.exe
Token: SeRestorePrivilege	5820	msiexec.exe
Token: SeTakeOwnershipPrivilege	5820	msiexec.exe
Token: SeRestorePrivilege	5820	msiexec.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
5860	msiexec.exe
5860	msiexec.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
6044	msiexec.exe
6044	msiexec.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 3492	3080	msedge.exe	81
PID 3080 wrote to memory of 3492	3080	msedge.exe	81
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3584	3080	msedge.exe	83
PID 3080 wrote to memory of 3384	3080	msedge.exe	84
PID 3080 wrote to memory of 3384	3080	msedge.exe	84
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85
PID 3080 wrote to memory of 1916	3080	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WinlockerVB6Blacksod.exe
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffffa1946f8,0x7ffffa194708,0x7ffffa194718
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:412
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7b06f5460,0x7ff7b06f5470,0x7ff7b06f5480
    3⤵
    PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5468
- C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe
  "C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5636
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5608
- C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe
  "C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5936
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6896 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,11540240531055722003,8512108182207460211,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6124
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5128
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5464
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:6012
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6120
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1977251904 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1977251904 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5252
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:04:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:6036
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 08:04:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4516
  - - C:\Windows\7EEF.tmp
      "C:\Windows\7EEF.tmp" \\.\pipe\{D95409C8-57F3-46B5-BB76-339066D1E4A6}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5784
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4140
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1220

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A25DB856439610E41F8A139538A9DBB3
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:5952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 071B11AC9B409E890D01282A47792F98 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7AE59FDD2AF4C5149CAE06F6E3118B08
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:6100
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C326AE9237C41C64F98558CCB7971C10 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c96d.rbs

Filesize
99KB

MD5
7e8ff174f03b4fad7e5e44e1577c185e

SHA1
3856a8f65bc69f0829dbebb066e45fd9d2fccbf3

SHA256
5cb85f26ca454039c1221404eac22c1a1c7ffbd1d3fc44f22d30a3fd2983b896

SHA512
21a4427f9a4d4b509c67d8c3d51c7a1311010d01ecefdb69d0f984a25daae3a930058a30acdac33302b7bc5045af824046ae605a49fd211cca5f8428a92c01fc

Download Submit
C:\Config.Msi\e57c971.rbs

Filesize
101KB

MD5
d395146751801d8b9d565af198f00d85

SHA1
707d4f41734b84284d8060e8f10163d4a0107720

SHA256
3f29508dab1cabb5741bb8cc532d2d32984ee88194df48570b67f633a3eab028

SHA512
a19829086e46e3547a60053e46e1b05e9a8136a7c614c0fd6599c5333fbc2fb5f6c8e96791ce289da253761718839c4da8958645004c8ccc459a946ee78c0de1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_EFB75332C2EEE29C462FC21A350076B8

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
69cd4fbd25488dc00a347c8a390c8652

SHA1
22cf04f96e4af55a94c87105201f08cf7ff47aa5

SHA256
23ef6c8a50cc68d03460913947c655fb7c62854cca6108e5c85cc472edcdd5cf

SHA512
02ef1bcd904dcba1f0f035a61593dab52eff317762cebd59261b0d211b0b7f7447814ac5ec6c47481088761a338b6ea00a2865e759565980043b47bc4f60f5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
90d9cc370060ef5ae526755155220c89

SHA1
3d536fcef3ebde92ca496819539288686ba8528e

SHA256
db4df83a39030515b39da7becb9f640e86fe6daec54296ce4fccaf9423c29e27

SHA512
5179e5b0093b160b3f67fed92fb4edf97ff7439d970dce46c281cdcbf4589f157f7bcd1d8608cef03cc81258f3c0744f31b95db8c70f162bed255efad48e37b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\249c3425-3e3f-4548-a2b3-df748d08bcf9.tmp

Filesize
5KB

MD5
c6c9a386b061a7666628f07166d589ea

SHA1
82c5cc8d9b00729f86363defe67a905a5f06a2fd

SHA256
7026cd1254c50dd3e3eb9d883375bc092860628d999a1bbca39c26d0eb2321a0

SHA512
a8caf8e0dd75a39daa8f07aaa599a2c9a149f9c190a1fb42b08ade3beead2b957bd91ea813c7c73d0f6c1d3b43e8fcfab1ababa6509d68ad630ea841e78b1314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6afe7c02-a0b7-4059-8bd0-91bea26fc7bb.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
7f8a0fa7bd66075ecb7996fa7fba7af2

SHA1
347c76127ee31fe7ecaa9734d543220079cf70e0

SHA256
76456f94b52a19a749c169626f89990f02b4f8236244e9a4efbdf0a027bc3993

SHA512
b815dab0fbc0da5dd41d822ba9c4e9b9b77f3db25f63f4636d63590548a4c7f8d29927bbbf01c503de21f74fcd8ffa680f0e98b226ce8b47922cb6113af6cecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f144e272259c72d264d16f69e4c883c0

SHA1
06b5e78226d1edabe864ffdb6a8d9ca2906bf0bc

SHA256
678c600d9011de0afbe71129d7fd65806c09602ac8edac702f13c3416ce3bdae

SHA512
cdda4665da9eaccc8138e09fd853bbdce71b28322e72ede932b95626d320bbb2346bc05a05cf057a31959e3f86c9efab7ea3ada53b765139213b71871fbf9f16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe589611.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ea880340d298510e3ecb2507b471330

SHA1
6bf2998d5c8c5ea7bbef14a25ea7ae8b139972e1

SHA256
2d3cf25c60b09fc4d3e1869558834409e75deef2a1f36d2ff3b092951b44fa2e

SHA512
b3c672e310d0bc8dad8e95a7d8383267e3cefd16212d9ee49eccb1325fea3c016d13083dd3739cedeedc24bd3c125c3558b893344f0bcf4929dc3a2080564d41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b3022a3315b1f0be87b9275bee182656

SHA1
89ae5025771d8f6b0b2438762ca927de5543d7cd

SHA256
db631e7d22bcb5009d127d91ae28beb44cb0476bf0de4d4eb00028b09e9ad4e2

SHA512
b42d4f0f51e6671e058379b249a91e24e7969ddb8574802db4110f2ae6d5d407851c7818937bf7fcd542e2ed7c10ac228db1711cff996434edf1c6fb2ada963e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
672d8e5eb505f4c7ab0d681c2ffcd7ff

SHA1
662e6d516f51214821b45648a1909b3a2287e8e7

SHA256
3fbb7fe3000449c0ec3baeeeff4fc9e80ee4c9705e2b901a9cf6500ed890f7e9

SHA512
cea4639f69c983f033cce7e7cf01fdf4f2e48f9e5cd10925e51b5f4b59a18c958e6d73a86b612839be72e1efc0c2f1412f8928c10e63afd0dbf2fff07516c080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
105fa9e805c318f32af7ce41cf75309b

SHA1
72b81ff54f3efabc27ea28ef222a153717a1c650

SHA256
d746e7f80ce6a9987b292f80b6421b398da3b4a0cef1aec8641b3a6227ac315e

SHA512
424f4b4f31bdd892502e54e678ea4ab30d2caaa09a0a8edb9294ca31801f91518cee402c441111ea50e458e82be864bab03149d63eb90cabc1e1f5c04413d5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43dc959f2d16ce5881317d7676d91c57

SHA1
331378bdbd6db12dd52ddcb943a883acf38feaf4

SHA256
5a27b2ac03ad5cc7abca276201acd504587eff350afd37fce63424a353021cad

SHA512
40215a1ccc40db3b0c4caebf567c47cdf6167c453df8a25fe686c90b08d103aa509048b4d0d0ad53d274b1f8336481be4d933ad7477b930d67575cf37f879dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
2cad20898338fbc7fb993756151e2fe1

SHA1
740566d988a46b18920bbb42ff71eb145a931aee

SHA256
4c2f60eb2a2e891ea30a7eed7813758fb7d3200f5938e7012a22233b26b9dfa6

SHA512
e1a82109629e89a57d803f1bf0433c07d01a1fcc9db30ca81eff4a415bb4f36dd772bc05272538fc0db97a20f7475f172164fbe3142d507088770a53ec1a0796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d8c86e7d523ce692226bc2731ee03459

SHA1
a63bb7eba70e607d9557d5f59caf383b5a66161e

SHA256
9c2edac30eb6825a955114fcb679842a742cbba2a06413d3976047c8f1250261

SHA512
e2342039ba773cb0121540b8eb2e2b421db155384c7e48d4e40267f95759120782a905cfcdfc96931f1908f24d0d7eb5179e15e121592c3efd3e812998019f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9bac5e5869f8a8b7d27ea2347b6d5e6d

SHA1
717bdb950e9e697bf16614b3557d5e91d1fc6c1f

SHA256
af5969e224d7964ab5e9d4b23d2f9a33c0626d52bdc60baefa665941158b36d2

SHA512
fedc4826b37dc352ab0fa0af3200c7335c36a8d946366409b501b15b0c2ba34dece3d197ed17e8010e2c5c01dfec9c43e153f7ee90edfa56e570bb0d29788d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
40f4e6489caa6eab2e4486a5531034c8

SHA1
0464ea9101539e7feb8b09e2704f40d5bd937ce2

SHA256
a45ea7f613c51c2e908b4036fedcdffc44165b20863ecbd38d9177b02e93005b

SHA512
94378aa85132b235cb65ed6f0e11f7163399a8da7eaf54c64697e6e888c11dd91ef571b88fa06f09f494f5c2283cafa34f01eb7ddf8832d8c0baf25c0ec0ffcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58050c.TMP

Filesize
1KB

MD5
c6a71b72bced0e62730580ff10b8483a

SHA1
e56cf5875ca9ca83c6803414071d663b0af800d6

SHA256
cbb7d74a03c5f41ebdc93e13f07dea156a12f4fb513ebbfa56c6f901df11c436

SHA512
526d674722e48c79f5b0946b651aaef8d77807ab9fac43d466f9dc591f867cf5fbd5a17639014f6d3ae3b1266baa4a66d3fcf16364441751e03910695f5ff92e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a4923eb2901f16f73a7ff09c0f19ca94

SHA1
627625ed94b166936563abf7fc31f66bfe4a7afb

SHA256
3c242a7be38f54bdcd99c6157572f68ecde85145a140325e348bd8c9b330dc5b

SHA512
afca5a9fd2b91edd736d91b7c2eea6bb80ee74f17f5b6566fd23273355bddb819e4dd9beb525dbb0ed82ad0332ea7a91f9c1dbcd30ae7b81b26a958c6def10a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6fe075cd239609ac69cc8d62641098dd

SHA1
e1af49403c2a41d3b31ee11f147a40dc8bc7143e

SHA256
e3fa9bd5e44e73c0f5b5ba2a0da384d421f42d1d32a04dbc3e13981b8f7dcfca

SHA512
7b6078577f3d1f0ed677c0adf71b48d2297c631676ecb4464b75ea1e97a725a559bd5b6ff045642c8ba9d6a37afa26c2fc895ede149fd76eb517acad8bd4f121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
058aa88d7f08c22ab9fc6d6cec87e1fa

SHA1
ece1105b5b42cc54734d4dac4eb87122958eee79

SHA256
6e75ede2e18c4174789122428d06694ae59ef0924410c294046a9cf24221354b

SHA512
4e6d91433c874d6aa9198548981b5317af66d3c071da6bcf1074b4f06476083271ac81278ac662a5d0e1bb28895f04a023149087379a48ccbbe4d570dd2aa9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c4fc2881-fa7d-4bb5-951f-e54c2844ff7f.tmp

Filesize
11KB

MD5
b215a226fc231be037a06f086a46fe05

SHA1
58d9d150a12d28e666f56053e4dbc5e9f45fc5dc

SHA256
a6ed5109ea1274bb1ba7fe243f0e17148396a172e1a484f0deb84f3384011507

SHA512
65b507a3cc0ce7b2faec7e21c91fe71e34490d0eb1312faba695e57e45567d16ff4b20797aa97b266ee65ad1b43a9d565b9d29505bf8a597a5cc175982dd7716

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
3a3c227d7c0420bf3fc440b8329bfb4b

SHA1
4cf46b6b41c768d3ed2e1c751766f6a157e38c05

SHA256
21883a333efee01100021f0b615e110703a8f819a860e647778db33cb48b0eec

SHA512
48792c94ac4a47ab8ee6ffe1dd5d47427587b162176d3ccb0ba3b6ccb9f43faaedd6065b3f023fb9c4b74e93a17f05f659b7bcd553ce3974099c30831cec5910

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
13977b68edaad24ff9a150cf2effdb25

SHA1
8b02cde2d0424f6332ffd6b1f8988ec5f3a9c268

SHA256
e1ec94876b92bdb82fd1619f31f4b7f5d7beea9a1413ff1c255c2d0f7d909b25

SHA512
079bb3d78db334697bc56caa771434cbd8853b3fd5a472ac419ba569438fef75b765753b2ed290843ef3407b386e0c7875c09a492e1717f56041a2994b56849b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
71a85792436c604ce0cd8c7c2f6a1a17

SHA1
17faf1236e4c05b469797a59d864871c1d7dc015

SHA256
d4ab44c09f1bf3d90ae2fdb89b3e4d26b462954707594a49f11bc44433ddbc53

SHA512
31765850e2026933f2423dfaf865f4d90d9e5112abfd497ce30339ca55a96ae1be91c6256185810d72cba1af375c34641107877f667c51484c4d91b8ac540fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
84B

MD5
8b4a05ed1b61e0829d3c89da4a4eb838

SHA1
d3517f568e6f176ef28cc1c4f167dd08008661d2

SHA256
824afd170b4b490b1a10791db750657e432c8177d3f1d7b1767b3d1c193e10fc

SHA512
1bb6fe359533da982ad9a612c0de9bf6d66d847f32ff286fd66491b72966d75944cf238fe9f95b005e359a9cc144b33c717cf2562360590f213a3c5cdbc80b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

Filesize
26B

MD5
6bc190dd42a169dfa14515484427fc8e

SHA1
b53bd614a834416e4a20292aa291a6d2fc221a5e

SHA256
b3395b660eb1edb00ff91ece4596e3abe99fa558b149200f50aabf2cb77f5087

SHA512
5b7011ed628b673217695809a38a800e9c8a42ceb0c54ab6f8bc39dba0745297a4fbd66d6b09188fcc952c08217152844dfc3ada7cf468c3aafcec379c0b16b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{654631AC-8F9D-4B39-A1B1-8347A1AD1FC6}.session

Filesize
1KB

MD5
d7d845e928f29a417ec6e907e54c3df9

SHA1
495a2dcd577de5fe24ef87bba340885d9f132bd9

SHA256
5ddf64a60374b53194ba93f6b865953e8c59998cbabc6eea7217dfaf60185406

SHA512
019186acb237f578c6e0f53c622dba5a814c6d0133a559f8bba7777230e3ff01fbc29125efc05303e1a88f016ad499bb5a6cbfd6ad4371478ba4a6622b999192

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{654631AC-8F9D-4B39-A1B1-8347A1AD1FC6}.session

Filesize
2KB

MD5
42f6f5a633808a2a081ca4a77d6ed8d2

SHA1
a5f20b38f5e3869c8eb92bee6b1281414f2c04f4

SHA256
664066ef95fac3f18ac311c6dfef5229286b45b48ff66e14f7a612c6ad12b89c

SHA512
ed77b82752204ad58f5e7c482bba56290540e278238fde183039e2ed5d153dbf0a2ca03788b82f4599695304adb5ab34550d43bfcd26140ad9ae70bc312718b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{654631AC-8F9D-4B39-A1B1-8347A1AD1FC6}.session

Filesize
3KB

MD5
d2a83852bf674c6b64c01b31c2b36c8c

SHA1
8d331151bf67542d7a560b7455039e39423447b1

SHA256
20ecfb88d147b7b216db8116dea6f323ea3376e11dc09c0d4ce4cbedfd0a8574

SHA512
26c4a480e57b47d2a457ae811b6891ecefd587e995cbfcf0bd83ea8496985661dc230a8bd05c306fa62868fdac7a92aa53df1c1f2267954f74ba5b9066f49703

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{654631AC-8F9D-4B39-A1B1-8347A1AD1FC6}.session

Filesize
4KB

MD5
f9a0285c33f8400b6674f92a6b9f2a6d

SHA1
8fe7911c0996af4ee34577e94b0b9567a694d7cb

SHA256
05ae546d6736a5be25b206f0afbce95cb0fa582e3daa3734661f97357d139a7d

SHA512
2dbfacf255306480548de4dc6d70bc00f496f0fece7aa4a09e3cf1184e38af70ce1ad22397483ae85c9fabc374f055ca87bf391778f1323b884c451c47485d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{AE80F181-AD8A-471C-BF4A-62DFDAAF9800}.session

Filesize
4KB

MD5
3d9ddd32cd9372a38c95cd8f4a965172

SHA1
72ac57974b7afe2cdd8023b871823298d168f5b9

SHA256
945722742bd2ddc812fe0b9b00f55c23e77828436867e2f198ab330556e006d6

SHA512
17157d56d5e572d3f42885ab06bb51db3416d2b46fd0333e8d968b8e6391465979d20dd48b55fbc8c34f707a4be99a630412a1462eea8566f8777a9101719935

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
cd3bf06f13690dc4962f7014c707585c

SHA1
2fe6257d3b29f5bf9841a5575e1e53000711a766

SHA256
889bb84e3253b65963446d5589da8207d464d8a76aa2d7497c01419b94a61d74

SHA512
24570b95ede5302be744d23cf9e37099b60dc50627c0920eb0cc831d4200eace43323e14fabbe7b5e42ad4afa1534a1d725a4175bd4e47516f272947fa7ba7ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ac343722991a25251a56f94e2dafa867

SHA1
591b733253ac4a77b12e2d89cb453c585fdfa742

SHA256
7c7230c0daf363e9c65e00aae4dab21feb20116d8ff4ea4061d75c703d0d4c8b

SHA512
56f2fe0f99fd34beed6daadffddcd1201620c31ca3e2370f9b821f625a33131e4f16cbb1c83f9bd779e62865e677d0b025cf27aea19d1e8199a78fd0fc7cb1b8

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

Filesize
1010KB

MD5
27bc9540828c59e1ca1997cf04f6c467

SHA1
bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

SHA256
05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

SHA512
a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav

Filesize
724KB

MD5
bab1293f4cf987216af8051acddaf97f

SHA1
00abe5cfb050b4276c3dd2426e883cd9e1cde683

SHA256
bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344

SHA512
3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe

Filesize
24KB

MD5
e579c5b3c386262e3dd4150eb2b13898

SHA1
5ab7b37956511ea618bf8552abc88f8e652827d3

SHA256
e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2

SHA512
9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

Filesize
126KB

MD5
3531cf7755b16d38d5e9e3c43280e7d2

SHA1
19981b17ae35b6e9a0007551e69d3e50aa1afffe

SHA256
76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

SHA512
7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 179840.crdownload

Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 61452.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Windows\Installer\MSIC9C8.tmp

Filesize
88KB

MD5
4083cb0f45a747d8e8ab0d3e060616f2

SHA1
dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

SHA256
252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

SHA512
26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

Download Submit
C:\Windows\Installer\MSIC9F8.tmp

Filesize
180KB

MD5
d552dd4108b5665d306b4a8bd6083dde

SHA1
dae55ccba7adb6690b27fa9623eeeed7a57f8da1

SHA256
a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

SHA512
e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

Download Submit
C:\Windows\Installer\MSICB76.tmp

Filesize
96KB

MD5
3cab78d0dc84883be2335788d387601e

SHA1
14745df9595f190008c7e5c190660361f998d824

SHA256
604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd

SHA512
df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

Download Submit
C:\Windows\Installer\MSICB96.tmp

Filesize
128KB

MD5
7e6b88f7bb59ec4573711255f60656b5

SHA1
5e7a159825a2d2cb263a161e247e9db93454d4f6

SHA256
59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f

SHA512
294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

Download Submit
C:\Windows\Installer\MSICBB6.tmp

Filesize
312KB

MD5
aa82345a8f360804ea1d8d935f0377aa

SHA1
c09cf3b1666d9192fa524c801bb2e3542c0840e2

SHA256
9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437

SHA512
c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

Download Submit
memory/5452-1105-0x0000000002CC0000-0x0000000002D28000-memory.dmp

Filesize
416KB

Download
memory/5452-1113-0x0000000002CC0000-0x0000000002D28000-memory.dmp

Filesize
416KB

Download
memory/5464-1070-0x0000000002F80000-0x0000000002FE8000-memory.dmp

Filesize
416KB

Download
memory/5464-1078-0x0000000002F80000-0x0000000002FE8000-memory.dmp

Filesize
416KB

Download
memory/5464-1081-0x0000000002F80000-0x0000000002FE8000-memory.dmp

Filesize
416KB

Download