lockbit | hxxps://raw[.]githubusercontent[.]com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/refs/heads/main/Encryptor[.]exe

Analysis

max time kernel
311s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/refs/heads/main/Encryptor.exe

Score

10^/10

lockbit defense_evasion discovery ransomware spyware stealer

Malware Config

Extracted

Path

C:\utZMwPnzM.README.txt

Ransom Note

███╗ ███╗ █████╗ ███╗ ██╗██╗ █████╗ ██████╗██████╗ ██╗ ██╗██████╗ ████████╗ ████╗ ████║██╔══██╗████╗ ██║██║██╔══██╗██╔════╝██╔══██╗╚██╗ ██╔╝██╔══██╗╚══██╔══╝ ██╔████╔██║███████║██╔██╗ ██║██║███████║██║ ██████╔╝ ╚████╔╝ ██████╔╝ ██║ ██║╚██╔╝██║██╔══██║██║╚██╗██║██║██╔══██║██║ ██╔══██╗ ╚██╔╝ ██╔═══╝ ██║ ██║ ╚═╝ ██║██║ ██║██║ ╚████║██║██║ ██║╚██████╗██║ ██║ ██║ ██║ ██║ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ What Happened? All your important files have been stolen and encrypted and only WE can decrypt your files but if you do not pay we will remove your unique decryption software and publish your data to the public. How do i pay? Send 300$ worth of BTC to the following wallet, then contact us on discord using the username: ballets4 we will give you the decryption software after the payment has been confirmed and delete the data we stole. Bitcoin wallet: bc1qgngtzxgt3vcgx7andfl2temn3vt4unf5lmcqkj How can i trust you? Because nobody will trust us if we cheat users and whats the point of not giving you the decryption software. DO NOT try to decrypt your files yourself as this may cause a permanent file corruption. DO NOT rename any file as this may also cause a file corruption. You only have 3 days to pay, if you did not contact us or pay us in these 3 days we will release your data to the public and remove your unique decryption software.

Signatures

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001e6d3-38.dat	family_lockbit

Renames multiple (579) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 1 IoCs

flow	pid	Process
6	3828	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation	5C64.tmp

Executes dropped EXE 2 IoCs

pid	Process
3476	Encryptor.exe
5580	5C64.tmp

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4174397412-4125106315-2776226590-1000\desktop.ini	Encryptor.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4174397412-4125106315-2776226590-1000\desktop.ini	Encryptor.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	NOTEPAD.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPlu6dt0bewynfrct0m1hvr_p6b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPerwy7yjqkr9r87xhqt6em81vd.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPlmf6_go_5udl5e1bf2bynm63.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\utZMwPnzM.bmp"	Encryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\utZMwPnzM.bmp"	Encryptor.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5580	5C64.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Encryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5C64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\Desktop	Encryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\Desktop\WallpaperStyle = "10"	Encryptor.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "247"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 362025.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1096	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5712	ONENOTE.EXE
5712	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
412	msedge.exe
412	msedge.exe
1036	identity_helper.exe
1036	identity_helper.exe
904	msedge.exe
904	msedge.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe
3476	Encryptor.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4252	OpenWith.exe
5880	OpenWith.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2472	Process not Found
1776	Process not Found
6848	Process not Found
1800	Process not Found
3396	Process not Found
6244	Process not Found
4688	Process not Found
6872	Process not Found
1956	Process not Found
1760	Process not Found
220	Process not Found
1732	Process not Found
1092	Process not Found
3088	Process not Found
4436	Process not Found
6876	Process not Found
5980	Process not Found
3108	Process not Found
4428	Process not Found
3976	Process not Found
3280	Process not Found
3048	Process not Found
6896	Process not Found
7012	Process not Found
6912	Process not Found
6892	Process not Found
6888	Process not Found
6924	Process not Found
6968	Process not Found
6972	Process not Found
6932	Process not Found
6940	Process not Found
6956	Process not Found
7020	Process not Found
6056	Process not Found
6400	Process not Found
7004	Process not Found
7000	Process not Found
7080	Process not Found
7052	Process not Found
7024	Process not Found
5148	Process not Found
6472	Process not Found
5160	Process not Found
6256	Process not Found
5156	Process not Found
4344	Process not Found
7036	Process not Found
7040	Process not Found
6688	Process not Found
5532	Process not Found
3984	Process not Found
3476	Process not Found
7068	Process not Found
5196	Process not Found
6364	Process not Found
5140	Process not Found
6180	Process not Found
6404	Process not Found
5152	Process not Found
7084	Process not Found
432	Process not Found
5712	Process not Found
4260	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeDebugPrivilege	3476	Encryptor.exe
Token: 36	3476	Encryptor.exe
Token: SeImpersonatePrivilege	3476	Encryptor.exe
Token: SeIncBasePriorityPrivilege	3476	Encryptor.exe
Token: SeIncreaseQuotaPrivilege	3476	Encryptor.exe
Token: 33	3476	Encryptor.exe
Token: SeManageVolumePrivilege	3476	Encryptor.exe
Token: SeProfSingleProcessPrivilege	3476	Encryptor.exe
Token: SeRestorePrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSystemProfilePrivilege	3476	Encryptor.exe
Token: SeTakeOwnershipPrivilege	3476	Encryptor.exe
Token: SeShutdownPrivilege	3476	Encryptor.exe
Token: SeDebugPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeBackupPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe
Token: SeSecurityPrivilege	3476	Encryptor.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
5688	7zFM.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe
5620	taskmgr.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
5712	ONENOTE.EXE
4252	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
5880	OpenWith.exe
6160	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 3028	412	msedge.exe	83
PID 412 wrote to memory of 3028	412	msedge.exe	83
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 1044	412	msedge.exe	85
PID 412 wrote to memory of 3828	412	msedge.exe	86
PID 412 wrote to memory of 3828	412	msedge.exe	86
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87
PID 412 wrote to memory of 4104	412	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://raw.githubusercontent.com/BalletsPistol/d9fb74g8db7d8b7db48df7g8db77f4drb7er8db7fd84d7b1gdb47d8b7brt18bcy87gdfb8hfg74h87fh8bf18h7/refs/heads/main/Encryptor.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc773346f8,0x7ffc77334708,0x7ffc77334718
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:904
- C:\Users\Admin\Downloads\Encryptor.exe
  "C:\Users\Admin\Downloads\Encryptor.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    - Drops file in System32 directory
    PID:6700
- - C:\ProgramData\5C64.tmp
    "C:\ProgramData\5C64.tmp"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5580
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5C64.tmp >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:6292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12159221518848595094,240742126672149435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=904 /prefetch:2
  2⤵
  PID:3468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5308

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
PID:6136
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{9160FD74-E044-4C18-9D28-B47D7898AA43}.xps" 133828101506560000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5712

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" F:\utZMwPnzM.README.txt
1⤵
- Enumerates connected drives
PID:7064

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\MeasureStart.001.utZMwPnzM"
1⤵
- Suspicious use of FindShellTrayWindow
PID:5688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5880
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tmp8AEA.tmp.utZMwPnzM
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa393c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4174397412-4125106315-2776226590-1000\DDDDDDDDDDD

Filesize
129B

MD5
1389b5729a44e390233cf497c81cac6e

SHA1
2296439f8680e777ea844af2444c2153adc3f628

SHA256
d44df2c741ee1157442c6eb36e4bb5657ac18703484a95801e94a3240b170eab

SHA512
b9b0d2f690c3bd4d3c6128ab8bf8a75a4b0c691125db77832e5d87643ad67153c2adeb141cc125f8c4040f705048468b0557be36b20e530be6ff62759e4dbcc0

Download Submit
C:\ProgramData\5C64.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6a53cceb7a396402c1eccd08dbe38a73

SHA1
96e06029b79791df1b1a0a7cef7508a5c44d13c4

SHA256
31c8ba2ce8a088515e4feff78968e8916c759331b7428421a990cc349a208b51

SHA512
bda381d092d0272a19350a66533ec0fac2efccfd26fc87695a8270eb3d4abec01483b31dfae75ba3f128623454d471c9e948c44df478edbdb6b5a15377637036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a451e41e51facc395053e7b74c3490d0

SHA1
c866ac24af529f0265e99bd88529da46c9ff6dcc

SHA256
cc33bfdf9c856a2e9e9aa8eeddf9723a0396fad82b0dcae7a408bb4c84fdb584

SHA512
553489450d55d7adb9c859e521d0e46961490e54c533c826adc8c546ca0b51ecda82c159801bd060a291e724355c6d4fd2ee603ff65d4a15603f34f1472664fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
394e46f9e0483fc571d5f3b990082324

SHA1
d97b30dbff5de256cdaf4292ff82624b6e524671

SHA256
d37971f252d36e8c9b7a4af1e5fda1534e8b810a868f262f753f05d7cff8dbf4

SHA512
ab0baf55030a0e377d8f63969560d9883ce450e5c851b902f71152cce893abd70ef0d6953ed92b39686016034a67138537cb78d664242ed4e49daa57e3e68817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c1ac07261337d284c11fdff5c50a075

SHA1
4535ea40629be034fc3d80291da714162c4e41ba

SHA256
3cdcca307cda3897bbad04f8f62f62af739a2b1e21b9abe36bb6f7876d4a85ef

SHA512
799e357590cc9dd6acd04cb75f6801d02aac683afd89e922d017bb9e3474f56b3832e86f5e799ade405c202ad8de3f78f0f514588e6e0954c0e3f876e7317877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
683ccb2f6c05e5a029932ab371be6ebf

SHA1
55592883695fb2be1e88ec318a2c70d911a2f294

SHA256
1c5bb4b19339eff843aa9d8993d27a0f71711dac12a0e77f60b9bb308176f930

SHA512
4903e31f9efbeebb18a15591d659c00e7f60bdde464bf8777f9d5fab816bf5dd55004970f2e62a8f617415373971f37f05242a1219938da79c65d22850705282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d1a44dc5-9e1d-4029-9106-be6d1ff63ffe.tmp

Filesize
193B

MD5
62fc8758c85fb0d08cd24eeddafeda2c

SHA1
320fc202790b0ca6f65ff67e9397440c7d97eb20

SHA256
ee0d15dce841e092ad1a2d4346a612410f8f950fdb019bc7b768f6346f2b5248

SHA512
ca97e615bdcac137a936c10104a702e1529ed3470828f2c3a2f783345ebbef04cac8c051df636c714151671efea53a9b8912b6b0d0b5eafdac5fae1dfdc8f85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fede091b478cec6e59aeb4da6a0037f7

SHA1
8118b4a1fb7969940bb58fcf62f84640193e636e

SHA256
775622d27cadbb03acd6f4e98f3748dc9f9a21d6ccee4f7476d77079df6ebf81

SHA512
5ebc40823e8495e546246d2a56c1d803825460e7a09f859fcd7e0fa9c427cae570637c3787735033db6a44481a2f132dc26705b639fc60955bb04438304f842a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f635003d7868656aa93bdea31c63ac93

SHA1
ece6875003d466ba2b388e6d2a7223c5820a92fd

SHA256
9eb03686cc96daf7419583d9c304f30696272c171b75a240c2de6c33733f6760

SHA512
4b5ea818f57d3980b8f3f08ad8a41235bba690915c20a8aece45401e70815a09d3795fdeab1b0d158c3ef6adc4507ddc45a1406d4641fc674fe76cf5f2938c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
41d90d34a12fbde7fe86acd151693446

SHA1
4e999251ed17ecc5fcf6a06a1ffba478a93b93f4

SHA256
b2e3f3bfa3ebae30f1e0d4a3f5a7a497f9cb8fced2c623510e6c08597fe266eb

SHA512
5c17a324871e38a54816090d63f51593d7b1f596f603f6ffefcc54c50e15276b1d7b6e4571debc81a5ae99fe71928deee81ff821a1d84a98bc05dde3c03c5088

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8AEA.tmp.utZMwPnzM

Filesize
25.9MB

MD5
815ed890b92f5da8905d9b7fdbc877c5

SHA1
0d017bd8c523a8e6cc4593f340c69d5d699b21bf

SHA256
bfebf38d7dd4e3fdacfed935818f76f9a8788d373c8ccffb39b36e374860e122

SHA512
93ff47b79a19461c3a2d55444b682825be5ae0bc9cce882702566131df4b2d3382ebe747a737aa3b3a2fe6710e2426c84de70dc985f17fbe3fa220ef4ddb905a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D4CF2F5D-4B2F-4E2F-B906-53F4598AE0FA}

Filesize
4KB

MD5
705d8f00e72915b3a0626e46ed2b74b0

SHA1
16fda4cf963cd1a9769e43b781881d83131a474e

SHA256
94fef689ac6eea74e5933bda48ac43314c04ad085addcfae4a597444b089bb54

SHA512
1ced78f4e86644f93f0892555d9eb63d13506d9a3679383a82c01704629359b7336281ef1564ee673cfb7313154593c6ec5f41da61605270e2f72d8aa9392a27

Download Submit
C:\Users\Admin\Desktop\MeasureStart.001.utZMwPnzM

Filesize
1001KB

MD5
e3715c4c002d5d6adc26c990cf812baa

SHA1
ee96c371e780d7afc222883032d175dbefd025d3

SHA256
ca4ca4e112c4064a4039e2b8bd663b043920e4d5153eb5f401ce7792159189fc

SHA512
52b67e8c4647894b2b241810064e412e62fd7c8e80ef08dd78b191950b7e4a4bcf4508bfe1a91d8ebcbf0af5b6b9aba6104b3676dfb0556cb6d279fe5a71278c

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
bd44226a0e868d42a03a3e0334b014f3

SHA1
f8d643b6f4ecb96a79e2676f2b0922fcc45df769

SHA256
943d839b36f34ae4734d999a9dfcc126865c8a3921b627ea1f03c96c63c6edca

SHA512
8e14ae0de2c2eb0fdb8a231975b775b91095640af2b1ae024cd8b09f0f6abc03a258dc49121b3cb4f6ea30e45177a93fad442ddba3a7d90dc4628a988dfe1c02

Download Submit
C:\Users\Admin\Downloads\EEEEEEEEEEEEE

Filesize
148KB

MD5
b3b56e84855e4dc57eeb93cc3c95021e

SHA1
b130e5d7b5249e831cc298ff2e9ac2175f573e7b

SHA256
2d126744e70c8cfdcb89ac27caefe07ae947a1846417c84c915a7b6f6a053bda

SHA512
48191d6ed7456dedcbd593a1647014b778bcecc5a7a0bb7034bc7e28afd5afaec2970ecc97d92e74c8d942dd7cd8a868f5c7c3888494223313217312e9c50481

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 362025.crdownload

Filesize
148KB

MD5
475f6e42f0cb53fc60fa80022826489f

SHA1
b1dc8069d4d667af8cc8cbff950dc7a67a129cc8

SHA256
5fee867e93f672a561fedf8bb2d8525ab4a9146a51f922c88d34eb5c2d60561d

SHA512
04663b3c60b26fcde8e1b30c061242ec0356b467d62b17128a4c72608e71425f43f540a41a60ba5c88b8a50f3a78bb5fcdddeea68589ac83806b24e22ecd9335

Download Submit
C:\utZMwPnzM.README.txt

Filesize
2KB

MD5
d9e1661bc09300cad8aa8d795b9ce0b3

SHA1
1676ba84687a2d7b27f73f3a37500317ba0d30a4

SHA256
e2fa3f74d96324cd7dd0d611843e8102e897a8d65beac9d9491e8c42a7ada8bd

SHA512
9fdaa9b0f68c19eba772fcb5b2ceaf371a0b78435a296765c3dbcdc5890218523d5844708473a685cf12ec559163fc3c87928b12e46bfda92faf2c5fc2d57f7f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4174397412-4125106315-2776226590-1000\DDDDDDDDDDD

Filesize
129B

MD5
339ff34ae028b57b403229ca5ef9e9cd

SHA1
e3d545d4cab6fdcd3049734c3897a2609efb5eda

SHA256
0577ea0ed3a2922d71fb5e48fe6f4bed8a4944874982e711b787df44b88058ab

SHA512
cca4bdf823813592cf437200aeaedb86da9a7f5ef92650a17b7b5a4b5ff81635f7b09307884fcc6fe84ca03e695665676fa36d111c250406da826d27a9562a77

Download Submit
memory/5620-3014-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5620-3017-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5620-3016-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5620-3015-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5620-3007-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5620-3018-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5620-3019-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5620-3009-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5620-3008-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5620-3013-0x000002076A270000-0x000002076A271000-memory.dmp

Filesize
4KB

Download
memory/5712-2870-0x00007FFC46390000-0x00007FFC463A0000-memory.dmp

Filesize
64KB

Download
memory/5712-2990-0x00007FFC46390000-0x00007FFC463A0000-memory.dmp

Filesize
64KB

Download
memory/5712-2991-0x00007FFC46390000-0x00007FFC463A0000-memory.dmp

Filesize
64KB

Download
memory/5712-2989-0x00007FFC46390000-0x00007FFC463A0000-memory.dmp

Filesize
64KB

Download
memory/5712-2988-0x00007FFC46390000-0x00007FFC463A0000-memory.dmp

Filesize
64KB

Download
memory/5712-2869-0x00007FFC46390000-0x00007FFC463A0000-memory.dmp

Filesize
64KB

Download
memory/5712-2872-0x00007FFC46390000-0x00007FFC463A0000-memory.dmp

Filesize
64KB

Download
memory/5712-2868-0x00007FFC46390000-0x00007FFC463A0000-memory.dmp

Filesize
64KB

Download
memory/5712-2906-0x00007FFC44030000-0x00007FFC44040000-memory.dmp

Filesize
64KB

Download
memory/5712-2877-0x00007FFC44030000-0x00007FFC44040000-memory.dmp

Filesize
64KB

Download
memory/5712-2871-0x00007FFC46390000-0x00007FFC463A0000-memory.dmp

Filesize
64KB

Download