Analysis

  • max time kernel
    569s
  • max time network
    566s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    25-01-2025 22:38

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke/YouAreAnIdiot

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___VL28I_.txt

Family

cerber

Ransom Note
Hi, I'am CRBR ENCRYPTOR ;)
-----
ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
-----
The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below:
-----
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/2EF5-F7D0-C289-0098-B467
Note! This page is available via "Tor Browser" only.
-----
Also you can use temporary addresses on your personal page without using "Tor Browser".
-----
1. http://xpcx6erilkjced3j.1n5mod.top/2EF5-F7D0-C289-0098-B467
2. http://xpcx6erilkjced3j.19kdeh.top/2EF5-F7D0-C289-0098-B467
3. http://xpcx6erilkjced3j.1mpsnr.top/2EF5-F7D0-C289-0098-B467
4. http://xpcx6erilkjced3j.18ey8e.top/2EF5-F7D0-C289-0098-B467
5. http://xpcx6erilkjced3j.17gcun.top/2EF5-F7D0-C289-0098-B467
-----
Note! These are temporary addresses! They will be available for a limited amount of time!
-----
URLs

http://xpcx6erilkjced3j.onion/2EF5-F7D0-C289-0098-B467

http://xpcx6erilkjced3j.1n5mod.top/2EF5-F7D0-C289-0098-B467

http://xpcx6erilkjced3j.19kdeh.top/2EF5-F7D0-C289-0098-B467

http://xpcx6erilkjced3j.1mpsnr.top/2EF5-F7D0-C289-0098-B467

http://xpcx6erilkjced3j.18ey8e.top/2EF5-F7D0-C289-0098-B467

http://xpcx6erilkjced3j.17gcun.top/2EF5-F7D0-C289-0098-B467
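
The Path, Family, Ransom Note and URLs fields above are what the sandbox's config extractor pulled from the dropped note. As an added example, not the sandbox's own extractor, the Python below parses the same note text (constructed here from the note reproduced above) and performs the checks a practitioner would want before acting on the indicators: that every URL carries the same victim ID, that the clearnet .top hosts are Tor gateway mirrors whose first label is the onion address, and which registrable domains a blocklist should carry. The names CerberConfig, extract_cerber_config, registrable_domain and blocklist are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the note text as the sandbox reproduced it in this report.
NOTE = (
    "Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER "
    "IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is "
    "to receive the private key and decryption program. To receive the private key and "
    "decryption program go to any decrypted folder, inside there is the special file "
    "(*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you "
    "cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions "
    'below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install '
    'it. 2. In the "Tor Browser" open your personal page here: '
    "http://xpcx6erilkjced3j.onion/2EF5-F7D0-C289-0098-B467 Note! This page is available "
    'via "Tor Browser" only. ----- Also you can use temporary addresses on your personal '
    'page without using "Tor Browser". ----- '
    "1. http://xpcx6erilkjced3j.1n5mod.top/2EF5-F7D0-C289-0098-B467 "
    "2. http://xpcx6erilkjced3j.19kdeh.top/2EF5-F7D0-C289-0098-B467 "
    "3. http://xpcx6erilkjced3j.1mpsnr.top/2EF5-F7D0-C289-0098-B467 "
    "4. http://xpcx6erilkjced3j.18ey8e.top/2EF5-F7D0-C289-0098-B467 "
    "5. http://xpcx6erilkjced3j.17gcun.top/2EF5-F7D0-C289-0098-B467 ----- Note! These are "
    "temporary addresses! They will be available for a limited amount of time! -----"
)

# A Cerber "personal page" URL: a host followed by a five-group hex victim ID.
# The torproject.org link has no such path and is therefore not matched.
URL_RE = re.compile(r"https?://([a-z0-9.-]+)/([0-9a-f]{4}(?:-[0-9a-f]{4}){4})", re.I)
# The note names its own file with a marker wrapped in (*...*).
MARKER_RE = re.compile(r"\(\*([A-Z_]+)\*\)")


@dataclass
class CerberConfig:            # hypothetical structure for this example
    victim_id: Optional[str] = None
    onion_host: Optional[str] = None
    proxy_hosts: List[str] = field(default_factory=list)
    note_file_marker: Optional[str] = None
    consistent: bool = True    # False if the URLs disagree on ID or onion label


def registrable_domain(host: str) -> str:
    """Last two labels of a host: the unit a blocklist or sinkhole acts on."""
    return ".".join(host.split(".")[-2:])


def extract_cerber_config(note: str) -> CerberConfig:
    cfg = CerberConfig()
    ids = set()
    for host, vid in URL_RE.findall(note):
        host = host.lower()
        ids.add(vid.upper())
        if host.endswith(".onion"):
            cfg.onion_host = host
        else:
            cfg.proxy_hosts.append(host)
    if len(ids) == 1:
        cfg.victim_id = next(iter(ids))
    elif len(ids) > 1:
        cfg.consistent = False
    # The clearnet mirrors are Tor gateways: <onion label>.<gateway domain>.
    # A mirror whose first label differs would not lead to the same hidden service.
    if cfg.onion_host:
        label = cfg.onion_host.split(".")[0]
        if any(h.split(".")[0] != label for h in cfg.proxy_hosts):
            cfg.consistent = False
    m = MARKER_RE.search(note)
    cfg.note_file_marker = m.group(1) if m else None
    return cfg


def blocklist(cfg: CerberConfig) -> List[str]:
    """Registrable gateway domains to block, deduplicated, order preserved."""
    out: List[str] = []
    for h in cfg.proxy_hosts:
        d = registrable_domain(h)
        if d not in out:
            out.append(d)
    return out


if __name__ == "__main__":
    cfg = extract_cerber_config(NOTE)
    print(cfg.victim_id, cfg.onion_host, cfg.note_file_marker, cfg.consistent)
    print(blocklist(cfg))
```

The blocklist deliberately drops the onion label and keeps only the gateway domains, since the same gateway domain will be reused for other victims' IDs; the onion host itself is only reachable through Tor and belongs in a separate hidden-service indicator list.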

Signatures

  • BadRabbit

    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

  • Badrabbit family
  • Cerber

    Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2016.

  • Cerber family
  • Mimikatz

    mimikatz is an open source tool to dump credentials on Windows.

  • Mimikatz family
  • mimikatz is an open source tool to dump credentials on Windows 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Contacts a large (1112) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 3 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The signature fires on netsh execution itself; in this run the two invocations (advfirewall set allprofiles state on, advfirewall reset) change firewall state rather than register a helper DLL.

  • System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 4 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of FindShellTrayWindow 62 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
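
Several of the signatures above fire on specific command lines that appear in the process tree below: rundll32 loading infpub.dat by ordinal, schtasks creating the rhaegal and drogon tasks as SYSTEM, netsh resetting the firewall, mshta opening the ransom note, and cmd's taskkill/ping/del self-delete chain. The Python below is an added example, not part of the sandbox's ruleset: it encodes those behaviours as rules and runs them over a constructed list of process events copied from this report, with one benign Edge helper process as a control. The rule names and the ProcEvent structure are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:           # hypothetical event shape for this example
    pid: int
    image: str             # path of the executing image, as the sandbox recorded it
    cmdline: str           # full command line


# Constructed sample: events copied from the process tree in this report,
# plus one benign Edge crashpad helper as a control that must not fire.
EVENTS = [
    ProcEvent(2268, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler'),
    ProcEvent(400, r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"),
    ProcEvent(1652, r"C:\Windows\SysWOW64\schtasks.exe", r"schtasks /Delete /F /TN rhaegal"),
    ProcEvent(8, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2293647852 && exit"'),
    ProcEvent(2316, r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:58:00'),
    ProcEvent(612, r"C:\Windows\SysWOW64\netsh.exe",
              r"C:\Windows\system32\netsh.exe advfirewall set allprofiles state on"),
    ProcEvent(2892, r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\system32\netsh.exe advfirewall reset"),
    ProcEvent(4372, r"C:\Windows\SysWOW64\mshta.exe",
              r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___HWG9_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'),
    ProcEvent(2124, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit'),
]


def image_name(e: ProcEvent) -> str:
    return e.image.rsplit("\\", 1)[-1].lower()


def rundll32_non_dll_module(e: ProcEvent) -> bool:
    """rundll32 asked to call an export of a module not named *.dll (infpub.dat,#1)."""
    if image_name(e) != "rundll32.exe":
        return False
    m = re.search(r"rundll32\.exe\s+(\S+?),(#?\w+)", e.cmdline, re.I)
    return bool(m) and not m.group(1).lower().endswith(".dll")


def system_task_created(e: ProcEvent) -> bool:
    """schtasks /Create as SYSTEM that survives reboot (ONSTART) or forces one (shutdown.exe)."""
    if image_name(e) != "schtasks.exe":
        return False
    c = e.cmdline.lower()
    return "/create" in c and "/ru system" in c and ("/sc onstart" in c or "shutdown.exe" in c)


def firewall_tampered(e: ProcEvent) -> bool:
    """netsh advfirewall reset / profile state change outside of admin tooling."""
    if image_name(e) != "netsh.exe":
        return False
    c = e.cmdline.lower()
    return "advfirewall" in c and ("reset" in c or "set allprofiles state" in c)


def ransom_note_displayed(e: ProcEvent) -> bool:
    """mshta or notepad opening a file carrying the Cerber note marker."""
    return image_name(e) in ("mshta.exe", "notepad.exe") and "_r_e_a_d___t_h_i_s_" in e.cmdline.lower()


def self_delete_chain(e: ProcEvent) -> bool:
    """cmd /c taskkill ... & ping -n 1 127.0.0.1 & del ...: wait, then delete the payload."""
    if image_name(e) != "cmd.exe":
        return False
    c = e.cmdline.lower()
    return "taskkill" in c and "ping -n 1 127.0.0.1" in c and re.search(r"&\s*del\s", c) is not None


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "rundll32_non_dll_module": rundll32_non_dll_module,
    "system_task_created": system_task_created,
    "firewall_tampered": firewall_tampered,
    "ransom_note_displayed": ransom_note_displayed,
    "self_delete_chain": self_delete_chain,
}


def scan(events: List[ProcEvent]) -> Dict[int, Set[str]]:
    """Map each PID to the rule names it triggers; PIDs with no hits are omitted."""
    hits: Dict[int, Set[str]] = {}
    for e in events:
        fired = {name for name, rule in RULES.items() if rule(e)}
        if fired:
            hits[e.pid] = fired
    return hits


if __name__ == "__main__":
    for pid, names in scan(EVENTS).items():
        print(pid, sorted(names))
```

The rules key on the image name rather than the path because the report shows the 32-bit copies under SysWOW64 being launched with system32 paths on the command line; matching on the path alone would miss every one of them. The schtasks /Delete of rhaegal is intentionally left unflagged here: on its own it is cleanup, and what makes it interesting is the /Create that follows from the same parent.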

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke/YouAreAnIdiot
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb993b46f8,0x7ffb993b4708,0x7ffb993b4718
      2⤵
        PID:2268
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
        2⤵
          PID:1696
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
          2⤵
          • Downloads MZ/PE file
          • Suspicious behavior: EnumeratesProcesses
          PID:3248
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
          2⤵
            PID:4464
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
            2⤵
              PID:4912
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
              2⤵
                PID:3436
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
                2⤵
                  PID:224
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:3832
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
                  2⤵
                    PID:4268
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
                    2⤵
                      PID:3768
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
                      2⤵
                        PID:5108
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
                        2⤵
                          PID:4948
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2280 /prefetch:8
                          2⤵
                            PID:4232
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
                            2⤵
                              PID:1668
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
                              2⤵
                                PID:1060
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3376 /prefetch:2
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2196
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
                                2⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1612
                              • C:\Users\Admin\Downloads\BadRabbit.exe
                                "C:\Users\Admin\Downloads\BadRabbit.exe"
                                2⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                PID:808
                                • C:\Windows\SysWOW64\rundll32.exe
                                  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                  3⤵
                                  • Blocklisted process makes network request
                                  • Loads dropped DLL
                                  • Drops file in Windows directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:400
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /c schtasks /Delete /F /TN rhaegal
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:2632
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      schtasks /Delete /F /TN rhaegal
                                      5⤵
                                      • System Location Discovery: System Language Discovery
                                      PID:1652
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2293647852 && exit"
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:228
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2293647852 && exit"
                                      5⤵
                                      • System Location Discovery: System Language Discovery
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:8
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:58:00
                                    4⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1036
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 22:58:00
                                      5⤵
                                      • System Location Discovery: System Language Discovery
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2316
                                  • C:\Windows\F1E8.tmp
                                    "C:\Windows\F1E8.tmp" \\.\pipe\{AA25E6AE-FA02-405B-9F10-F672D9A5F4F3}
                                    4⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4688
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
                                2⤵
                                  PID:2940
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5960 /prefetch:8
                                  2⤵
                                    PID:1964
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3232 /prefetch:8
                                    2⤵
                                      PID:216
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
                                      2⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:3440
                                    • C:\Users\Admin\Downloads\Cerber5.exe
                                      "C:\Users\Admin\Downloads\Cerber5.exe"
                                      2⤵
                                      • Checks computer location settings
                                      • Drops startup file
                                      • Executes dropped EXE
                                      • Enumerates connected drives
                                      • Drops file in System32 directory
                                      • Sets desktop wallpaper using registry
                                      • Drops file in Program Files directory
                                      • Drops file in Windows directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5096
                                      • C:\Windows\SysWOW64\netsh.exe
                                        C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
                                        3⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:612
                                      • C:\Windows\SysWOW64\netsh.exe
                                        C:\Windows\system32\netsh.exe advfirewall reset
                                        3⤵
                                        • Modifies Windows Firewall
                                        • Event Triggered Execution: Netsh Helper DLL
                                        • System Location Discovery: System Language Discovery
                                        PID:2892
                                      • C:\Windows\SysWOW64\mshta.exe
                                        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___HWG9_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:4372
                                      • C:\Windows\SysWOW64\NOTEPAD.EXE
                                        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___S8NL1W8_.txt
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Opens file in notepad (likely ransom note)
                                        PID:1332
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • System Network Configuration Discovery: Internet Connection Discovery
                                        PID:2124
                                        • C:\Windows\SysWOW64\taskkill.exe
                                          taskkill /f /im "C"
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          • Kills process with taskkill
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4808
                                        • C:\Windows\SysWOW64\PING.EXE
                                          ping -n 1 127.0.0.1
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:4676
                                    • C:\Users\Admin\Downloads\Cerber5.exe
                                      "C:\Users\Admin\Downloads\Cerber5.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Enumerates connected drives
                                      • System Location Discovery: System Language Discovery
                                      PID:1832
                                    • C:\Users\Admin\Downloads\Cerber5.exe
                                      "C:\Users\Admin\Downloads\Cerber5.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Enumerates connected drives
                                      • System Location Discovery: System Language Discovery
                                      PID:4156
                                    • C:\Users\Admin\Downloads\Cerber5.exe
                                      "C:\Users\Admin\Downloads\Cerber5.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Enumerates connected drives
                                      • System Location Discovery: System Language Discovery
                                      PID:1456
                                    • C:\Users\Admin\Downloads\Cerber5.exe
                                      "C:\Users\Admin\Downloads\Cerber5.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Enumerates connected drives
                                      • System Location Discovery: System Language Discovery
                                      PID:3132
                                    • C:\Users\Admin\Downloads\Cerber5.exe
                                      "C:\Users\Admin\Downloads\Cerber5.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Enumerates connected drives
                                      • System Location Discovery: System Language Discovery
                                      PID:1964
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
                                      2⤵
                                        PID:220
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5612 /prefetch:8
                                        2⤵
                                          PID:2552
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,290140479335751882,4560484285912316106,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
                                          2⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:2204
                                        • C:\Users\Admin\Downloads\$uckyLocker.exe
                                          "C:\Users\Admin\Downloads\$uckyLocker.exe"
                                          2⤵
                                          • Executes dropped EXE
                                          • Sets desktop wallpaper using registry
                                          • System Location Discovery: System Language Discovery
                                          PID:1612
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:2172
                                        • C:\Windows\System32\CompPkgSrv.exe
                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                          1⤵
                                            PID:2832
                                          • C:\Windows\System32\rundll32.exe
                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                            1⤵
                                              PID:2952
                                            • C:\Users\Admin\Downloads\BadRabbit.exe
                                              "C:\Users\Admin\Downloads\BadRabbit.exe"
                                              1⤵
                                              • Executes dropped EXE
                                              • System Location Discovery: System Language Discovery
                                              PID:1708
                                              • C:\Windows\SysWOW64\rundll32.exe
                                                C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                2⤵
                                                • Loads dropped DLL
                                                • Drops file in Windows directory
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4696
                                            • C:\Users\Admin\Downloads\BadRabbit.exe
                                              "C:\Users\Admin\Downloads\BadRabbit.exe"
                                              1⤵
                                              • Executes dropped EXE
                                              • Drops file in Windows directory
                                              • System Location Discovery: System Language Discovery
                                              PID:2360
                                              • C:\Windows\SysWOW64\rundll32.exe
                                                C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
                                                2⤵
                                                • Loads dropped DLL
                                                • Drops file in Windows directory
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4840
                                            • C:\Users\Admin\Downloads\Cerber5.exe
                                              "C:\Users\Admin\Downloads\Cerber5.exe"
                                              1⤵
                                              • Executes dropped EXE
                                              • Enumerates connected drives
                                              • System Location Discovery: System Language Discovery
                                              PID:184
                                            • C:\Users\Admin\Downloads\Cerber5.exe
                                              "C:\Users\Admin\Downloads\Cerber5.exe"
                                              1⤵
                                              • Executes dropped EXE
                                              • Enumerates connected drives
                                              • System Location Discovery: System Language Discovery
                                              PID:1216
                                            • C:\Users\Admin\Downloads\Cerber5.exe
                                              "C:\Users\Admin\Downloads\Cerber5.exe"
                                              1⤵
                                              • Executes dropped EXE
                                              • Enumerates connected drives
                                              • System Location Discovery: System Language Discovery
                                              PID:512
                                            • C:\Windows\SysWOW64\werfault.exe
                                              werfault.exe /h /shared Global\3d1a622c0dc941df8a4e86672ba6bc61 /t 3832 /p 4372
                                              1⤵
                                                PID:3804

                                              Network

                                              MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B
  Filesize: 5B
  MD5: 5bfa51f3a417b98e7443eca90fc94703
  SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
  SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
  SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 8749e21d9d0a17dac32d5aa2027f7a75
  SHA1: a5d555f8b035c7938a4a864e89218c0402ab7cde
  SHA256: 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
  SHA512: c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 34d2c4f40f47672ecdf6f66fea242f4a
  SHA1: 4bcad62542aeb44cae38a907d8b5a8604115ada2
  SHA256: b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
  SHA512: 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
  Filesize: 313KB
  MD5: fe1bc60a95b2c2d77cd5d232296a7fa4
  SHA1: c07dfdea8da2da5bad036e7c2f5d37582e1cf684
  SHA256: b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
  SHA512: 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: 18b9fc957d89248ffbf870cf16d236f5
  SHA1: 58aefc3c344e6c7e300c3f7b3ae14095694813fe
  SHA256: ff3fa608ed1c109d20b6de6a9a910ce569b2ebe77e98566224a0bd8ab7c4cfdb
  SHA512: 8cf2df0be474b9b2d43fcf30d779c1d09d383c148661affbeb42b7eb2a433aae38cb0c3c17922541f0b9ffa3354110c517fc68445e1311eb3383bf44bb56a71d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 579B
  MD5: ca3dac1178d10a645e836551a65b0332
  SHA1: 7fb32ae3ca77810f51265946218125ec1d7e49c6
  SHA256: 0fa377dfa78c020268face14a750666536e8ba935ac2275ca4c78bacb4d98c16
  SHA512: bb5e66de5fe780b39a2521fd628e30fc9a227476bf15c80279cd03240f825e27fce96cd4c9b1ad9f5d72be49b867f9b2b319c45f4822cf01679aedf5c136efbe

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 783bcb59a9461d44784b05d44d31d1a0
  SHA1: 2044316dd03aaeee5648c9d1afcfc81714608a66
  SHA256: 44722a8a03f37983060a9706117a3c6c201153981672b324dc7c24a090c650cc
  SHA512: 6faf93b7fed3092ae85bee59d70080490fb041ee8e09499e1e98d0711b8a81830c2ddcda7275c56a11ee973b7cae5de3ec8ad8f711d46e287d014b006a86f4a9

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: bd38891c9b78212b002f00e11a574ec5
  SHA1: f23c7dd44f9d784612005d8a07004b79d40554dd
  SHA256: 8fde5c0fefeacfbb00b621b2825eae89c4d9bc6a9f201cd301439f047c83e4d0
  SHA512: 3a9f5f30527385a0d9e9cc3611e19a58854098a7304dd27d78768ce5b8c7df4d3f58f12aa6d5bb57eaf17a61e218037f89e30c710cf1e5c1d1610afe78681199

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: e83640c19a3764db4aa91032ca6d80be
  SHA1: 10f802df4dce20258b19627f1a1034b8fc7afb65
  SHA256: 2af89d9c119a4c1fe98fb5a640fdd062842fdc6836c4b24257febdeac53275ae
  SHA512: 74c46f0780f923c45b70e92112eb3fe84b155698d5d51e6b1f17321853fd4addbeeb873cc50f693b1059c8bd3d22cfd3fb22bd6e17e8c71e898c2b4236e8dea1

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 7e54c57b19225dc8e937ece7939356a8
  SHA1: 3192ce6efc6fbc8e523aab6189330a5e7dc69be8
  SHA256: cd47690f8b25dbcedbc90ddad7bb9f24e76da03ffb2e93a0459a7d2adeeb2810
  SHA512: bdddcfc76a67bf21f2de463c226f335d0a6d63948d77f4470c4bb91424e10014ffcc6e85fb6af557962a67c6a0e3241c07a3019c19812419003e95b5583e144c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 300d71a3f55e74628f73c0637f4b8c59
  SHA1: a5181237c6723672ec3785c76af128acf7552b67
  SHA256: 1ae4024188d8ee3eccc17e46e0c3bc4988cc7536c121627ccbf7bed5c072f5f5
  SHA512: c820c7315edb4cfc2bc64f14b3fb60e2b65f5f786f4dc854ce5b9a3de29872f60b1b760ff30a39296a7110acf6aff0b580e0354f718c4e1154fa2baf4ba34452

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: e88f0f40a8f6c052a81088b11d3e4322
  SHA1: 46faba32536e6491a6a13cbe5741e855e9abd108
  SHA256: 99527c0f4052753567a40117b99bfab400412a34ffcfc8f4cefeb6a5638c8663
  SHA512: 9de512c96c060c9fe723ae73b4344ee8c087dfbb089b2d1fdc680677fbb6c90f90363ec01059e9bad0d7b512c78ab3477cbf1bd8cea4f922becce89383835b32

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: ed8e83412ca35a951af9ace68a1abefc
  SHA1: f4d229b3b2f39b64559cd1d22372ca9085be139b
  SHA256: 24abd48a1522a71ca41e7081b51c4822d6c036842f5c3734c26805dd2f0e42ed
  SHA512: 93614232853ed34c9669cdfb807ba7a989ec0aa4b7c782ba8ea2e65cc36f18ce847661c484c9ef8908969017eaab4ff1f83362f512165ac6c72bc3a2e3b2760b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 4f51d4152327f845eb750f0cac7b1dd6
  SHA1: 8ac97f4f471302d533042b947051ae2b6c1adcbb
  SHA256: c712c6fd71718867cecf60207e3a68f70f6c525529fac303ca177ab499bd7668
  SHA512: 127a9cd882b284451a4fa0fb0eb3b6873b83ad985b6e6a1b0465cdfb45922c471975da20917f262be0ef1003565a1c3825782c6a4fa3c37c56d6a3734df2afa9

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 2097482e08f1109e5f9976c9599bfe01
  SHA1: 5e3f1fc4ea666ac2bf618d115bab468824cc4b4a
  SHA256: 3d8b05638c5b9419a778c3c28e5c1c1b38e17aa95a123a6b4eeaaaaaf30a8df0
  SHA512: 70e64742aefb2088ff1d40df87115e0857ca8d9d2a624e3f7abc1ec9ecee39bece4bfb49e6ff4beb06995cef6bebe4e9efe9ca0ae7be9cb1bad8b374a70cd01e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: 7c4d1d7f16f43b2bf44e5e83a0aba734
  SHA1: b36e76a8a695a73041a8b9888924fa9fb1f1810e
  SHA256: dbc5ee7e824d37fad7d3e31e23ef2950e016d97b24f97d3bc97b3d961716791c
  SHA512: 36112c5db7f61e72e664c3682c33d15777c668e744c8061db0cf5f8b1605d2ee47fc5ec0476692a92c1269592e0c0ca3f5921ed6e551415cd2405411bac50e2d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 874B
  MD5: 0efc56bc388d480aca878d13dc34dd18
  SHA1: b9dad0e36d4c9383afe3c85bcde52b3242cfade9
  SHA256: 29927fbf9fac57df9b79de42b248bc39da912573171c908217e94eb4ef49fa57
  SHA512: c4b94d6c2cd9cfa183fed57b12db8e0ca5cd80d5f3915eb7d5c1aafaabc187256f0b43589f27cabf57813e39f21976faf2c33252468b2a10910ae4cfd8754d95

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58141f.TMP
  Filesize: 874B
  MD5: e6080e51ce4b1ef9e0a5688ad2029e85
  SHA1: a2cc3c4d69c37e714352581752e53fa7177227b1
  SHA256: 05a342029d968c26a23344066fe5e844433a7befd884b04a2d6fa8d4573e9678
  SHA512: 03eeacb7a80bc16d3dce593a6123b636cd24bbff62107eee6239f9350830f49a36c68564e8f2eb374900d37d052144ee76d77caa38e501ce1399d39624fe8a11

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 0346ca638288a30af689bcd0636e2eec
  SHA1: 21435b4299737cc025732f7fa5c14745a2772a20
  SHA256: fa80f99b88757c55d1fbfba08042183059f15ec9cd57b605315b74d421439c61
  SHA512: 35760757846686fd08e5c36016f7c33d675f39a6827d2fdb4703ddf972e9c906b709b411805dd18587b8e69339315adf479a127171ce0818c3d067b515a9ea05

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 3d180b37375aaea611187ecc6078a388
  SHA1: 94e05f6cb9e938f23f2a5a878a7eb102aff209ba
  SHA256: 153343287d085aa9c5706285c4d69626ff320ef39c852eb5b6ea3e0aae286d41
  SHA512: 6d5b2e5546ec99d40fc06d7ab1fedf3b0859b008a8d9f7df98c2c71b80ee6e857fd7df292703e43c5b22a8f267324a84f20270e55998dc989491e05ed6610887

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 3fc545c45134f82727250628fa367133
  SHA1: 9ace4ba3ba70d2e45b7656001ce55c10cce17b5a
  SHA256: 6b982f64aee9e5122a4b700d56b06856c6ecda39be7df5f167de0f73761f9a10
  SHA512: 03cc9b9064853851e46736e58bbeec5cbdbb83f01d2037fcab0845b73d0235d636ad39450efba60b41727060c4063b09f218317686e012238cca6bc8ee13a4e9

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 5dd3016e78da28b1cd9f814d58719279
  SHA1: b931715963058c92a97f878b87ddf7394601ba3a
  SHA256: 7bd780c78338fa1eb854a271124e68866ee896558be7bbfc398e92c6b45b2b5c
  SHA512: f6ae597afff703462452a773ef77837ebd3e87987ada8ffa88ee7cfa0eebbd423f33982ad88e0616c1edc3b9b08debbac75cf556c095c689380bc3ada2d602f1

• C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___BKNQPEI_.hta
  Filesize: 75KB
  MD5: 38676598ecbfe5a75441e7893dc5d636
  SHA1: d24ecbe392f322f102af532a0ab72bfb609f3a0e
  SHA256: 82ec9b3f02968f7262d6690e94286f095ad0127492a9eb96e3c9c8f0aebfa5fc
  SHA512: 00ed438d674149ae1cb7df5b22f574965826e9585bfd4918e95fa5caf89f39838d6b081987561e02a43f93533f6ceaacc3a219a06b499fac6f3b6ce02c2833ca

• C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___VL28I_.txt
  Filesize: 1KB
  MD5: eb1e8349d5aa0c8afddf6f8bbb50a5ba
  SHA1: 7d92406734e20fc5bbb6b08e7b74d23750b02479
  SHA256: 82afa41ada7a2164a3f53a2be8fa94a9cf1787c1ecb2c540ad5891f86c83bc3e
  SHA512: a99b4c5987edda05a93bed87be52a1e2b7c9221474ad9005c76c79e12d3f4b7524ae47e3762645c4beea2bfa002fb1cf6fec150b3126c8f88d25275b658aa2ce

• C:\Users\Admin\Downloads\Unconfirmed 333280.crdownload
  Filesize: 431KB
  MD5: fbbdc39af1139aebba4da004475e8839
  SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
  SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  SHA512: 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

• C:\Users\Admin\Downloads\Unconfirmed 845941.crdownload
  Filesize: 414KB
  MD5: c850f942ccf6e45230169cc4bd9eb5c8
  SHA1: 51c647e2b150e781bd1910cac4061a2cee1daf89
  SHA256: 86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f
  SHA512: 2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

• C:\Windows\F1E8.tmp
  Filesize: 60KB
  MD5: 347ac3b6b791054de3e5720a7144a977
  SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
  SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
  SHA512: 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

• C:\Windows\infpub.dat
  Filesize: 401KB
  MD5: 1d724f95c61f1055f0d02c2154bbccd3
  SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
  SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  SHA512: f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

• memory/400-358-0x0000000002570000-0x00000000025D8000-memory.dmp
  Filesize: 416KB

• memory/400-355-0x0000000002570000-0x00000000025D8000-memory.dmp
  Filesize: 416KB

• memory/400-348-0x0000000002570000-0x00000000025D8000-memory.dmp
  Filesize: 416KB

• memory/1612-1072-0x0000000005800000-0x0000000005DA4000-memory.dmp
  Filesize: 5.6MB

• memory/1612-1071-0x0000000000830000-0x000000000089E000-memory.dmp
  Filesize: 440KB

• memory/1612-1073-0x0000000005250000-0x00000000052E2000-memory.dmp
  Filesize: 584KB

• memory/1612-1074-0x0000000005150000-0x000000000515A000-memory.dmp
  Filesize: 40KB

• memory/1832-537-0x0000000000440000-0x000000000044E000-memory.dmp
  Filesize: 56KB

• memory/4696-395-0x0000000002B70000-0x0000000002BD8000-memory.dmp
  Filesize: 416KB

• memory/4696-387-0x0000000002B70000-0x0000000002BD8000-memory.dmp
  Filesize: 416KB

• memory/4840-425-0x00000000021E0000-0x0000000002248000-memory.dmp
  Filesize: 416KB

• memory/4840-417-0x00000000021E0000-0x0000000002248000-memory.dmp
  Filesize: 416KB

• memory/5096-571-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB

• memory/5096-534-0x0000000000400000-0x0000000000433000-memory.dmp
  Filesize: 204KB