Overview
Tasks and scores (from the report's task tabs; a score is listed only where the tab shows one):
- static: score 10
- windows7_x64
- windows10_x64: score 10
- windows10-2004_x64: score 10
- windows11_x64: score 10
- macos_amd64
- linux_armhf: score 1
- linux_mips
- linux_mipsel
- linux_amd64
Analysis
- max time kernel: 1814s
- max time network: 1819s
- platform: windows10_x64
- resource: win10-20220331-en
- submitted: 07-04-2022 19:41
Static task: static1

Behavioral tasks (every task runs the sample VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe):
- behavioral1: resource win7-20220331-en
- behavioral2: resource win10-20220331-en
- behavioral3: resource win10v2004-en-20220113
- behavioral4: resource win11-20220223-en
- behavioral5: resource macos
- behavioral6: resource debian9-armhf-en-20211208
- behavioral7: resource debian9-mipsbe-en-20211208
- behavioral8: resource debian9-mipsel-en-20211208
- behavioral9: resource ubuntu1804-amd64-en-20211208
General
- Target: VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
- Size: 324KB
- MD5: 0d8ff116ce8976fc820c996a6ee90c3a
- SHA1: f04aa63508e99c54095cba747f31fb28fbfd392e
- SHA256: 25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e
- SHA512: 2c2c7b2eac7ac70d0bba26821a52e72e443428c154368c0ca173ff9901bcfdab386d81a759478ca6e85211003eb5fe3bebef076533eed647ad4803054a38311a
Malware Config
Extracted from C:\$Recycle.Bin\S-1-5-21-3729659790-1998850411-3319863756-1000\how_recover+aqr.txt:
- http://gfhshhf.home7dfg4.com/A1C3162A4A639533
- http://td63hftt.buwve5ton2.com/A1C3162A4A639533
- https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533
- http://tw7kaqthui5ojcez.onion/A1C3162A4A639533

Extracted from C:\$Recycle.Bin\S-1-5-21-3729659790-1998850411-3319863756-1000\how_recover+aqr.html:
- https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533

Extracted from C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html:
- http://tw7kaqthui5ojcez.onion/A1C3162A4A639533
- http://gfhshhf.home7dfg4.com/A1C3162A4A639533
- http://td63hftt.buwve5ton2.com/A1C3162A4A639533
- https://tw7kaqthui5ojcez.onion.to/A1C3162A4A639533
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 5 IoCs)
Processes (pid, process):
- 2308 bcdedit.exe
- 3840 bcdedit.exe
- 4136 bcdedit.exe
- 4332 bcdedit.exe
- 4428 bcdedit.exe

Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 2108 giiit-a.exe
- 2676 giiit-a.exe

Modifies extensions of user files (2 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes (description, ioc, process):
- File renamed: C:\Users\Admin\Pictures\RedoRestart.crw => C:\Users\Admin\Pictures\RedoRestart.crw.vvv (giiit-a.exe)
- File renamed: C:\Users\Admin\Pictures\WatchSearch.raw => C:\Users\Admin\Pictures\WatchSearch.raw.vvv (giiit-a.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Control Panel\International\Geo\Nation (giiit-a.exe)

Drops startup file (4 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+aqr.html (giiit-a.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+aqr.txt (giiit-a.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+aqr.html (giiit-a.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+aqr.txt (giiit-a.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Windows\CurrentVersion\Run (giiit-a.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Windows\CurrentVersion\Run\hgjuy78gfh = "C:\\Users\\Admin\\AppData\\Roaming\\giiit-a.exe" (giiit-a.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (giiit-a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hgjuy78gfh = "C:\\Users\\Admin\\AppData\\Roaming\\giiit-a.exe" (giiit-a.exe)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 2: myexternalip.com
- flow 4: myexternalip.com

Suspicious use of SetThreadContext (2 IoCs)
Processes (description, pid, process, target process):
- PID 1744 set thread context of 1804: VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe -> VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
- PID 2108 set thread context of 2676: giiit-a.exe -> giiit-a.exe
Drops file in Program Files directory (64 IoCs)
Processes: every entry below is "File opened for modification" by giiit-a.exe.
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\how_recover+aqr.txt
- C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\Office16\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\bb_16x11.png
- C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsLargeTile.contrast-black_scale-200.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\how_recover+aqr.html
- C:\Program Files\Common Files\System\ado\how_recover+aqr.txt
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\OptInPopup\how_recover+aqr.txt
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\11891_20x20x32.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSmallTile.scale-400.png
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png
- C:\Program Files\VideoLAN\VLC\plugins\control\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\EmbossBitmaps\Donut_icon.png
- C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-100.png
- C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\SplashScreen\PaintSplashScreen.scale-200.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\nu_60x42.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\qa_16x11.png
- C:\Program Files\Common Files\System\fr-FR\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Tab\TabTiles.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\hm_60x42.png
- C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-white_scale-200.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-256.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\sr-latn-cs\how_recover+aqr.html
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxAccountsSplashLogo.scale-180.png
- C:\Program Files\Common Files\System\Ole DB\it-IT\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Tab\TabMaster.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\1249_72x72x32.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteMediumTile.scale-150.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\osf\moe_default_icon.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6478_24x24x32.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\8577_24x24x32.png
- C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png
- C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\how_recover+aqr.txt
- C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Sunglasses.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNotePageSmallTile.scale-400.png
- C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\how_recover+aqr.txt
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\how_recover+aqr.txt
- C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-200_8wekyb3d8bbwe\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-60_altform-unplated.png
- C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\how_recover+aqr.txt
- C:\Program Files\VideoLAN\VLC\lua\intf\how_recover+aqr.txt
- C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\TriPeaks\how_recover+aqr.txt
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\icon_windowed.png
- C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-180.png
- C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\how_recover+aqr.txt
- C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\how_recover+aqr.txt
- C:\Program Files\Windows Defender\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Aquarium\aquarium_13c.png
- C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\am_60x42.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\5664_32x32x32.png
- C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-40_altform-unplated_contrast-white.png
- C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\how_recover+aqr.html
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
- C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.map
- C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\Workflow\Density_Light.png
- C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\jumbo_13s.png
- C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-400.png
- C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\how_recover+aqr.html
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\sv.pak
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\how_recover+aqr.html
- C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\how_recover+aqr.txt
Drops file in Windows directory (3 IoCs)
Processes (description, ioc, process):
- File created: C:\Windows\rescache\_merged\3720402701\2219095117.pri (MicrosoftEdge.exe)
- File opened for modification: C:\Windows\Debug\ESE.TXT (MicrosoftEdge.exe)
- File created: C:\Windows\rescache\_merged\3720402701\2219095117.pri (MicrosoftEdgeCP.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process):
- 1324 vssadmin.exe
- 2768 vssadmin.exe

[signature heading missing on the page]
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main (MicrosoftEdge.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main (browser_broker.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000\Software\Microsoft\Internet Explorer\Main (MicrosoftEdgeCP.exe)
Modifies registry class (64 IoCs)
Processes (description, ioc, process): unless a full path is shown, each key below is relative to \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe; the process is given in parentheses. The list is cut off at the end of the page.
- Key created: Software\Microsoft\SystemCertificates\trust\CTLs (MicrosoftEdge.exe)
- Key created: Internet Settings (MicrosoftEdge.exe)
- Set value (int): Internet Settings\Cache\Content\CacheLimit = "256000" (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\Zoom (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\Recovery\PendingRecovery (MicrosoftEdge.exe)
- Set value (int): MicrosoftEdge\GPU\VendorId = "0" (MicrosoftEdge.exe)
- Key created: Children\121\ACGStatus (MicrosoftEdgeCP.exe)
- Set value (int): Children\001\ACGStatus\ACGPolicyState = "8" (MicrosoftEdgeCP.exe)
- Set value (data): Children\121\CIStatus\SignaturePolicy = 06000000 (MicrosoftEdgeCP.exe)
- Set value (int): MicrosoftEdge\Main\JumpListFirstRun = "3" (MicrosoftEdge.exe)
- Set value (str): Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" (MicrosoftEdgeCP.exe)
- Set value (str): Children\001\Internet Settings\Cache\Content\CachePrefix (MicrosoftEdgeCP.exe)
- Key created: MicrosoftEdge\Roaming (MicrosoftEdge.exe)
- Set value (int): MicrosoftEdge\ReadingMode\FontSize = "3" (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\ExtensionsStore\datastore\usage (MicrosoftEdge.exe)
- Set value (int): MicrosoftEdge\GPU\Wow64-VersionHigh = "0" (MicrosoftEdge.exe)
- Set value (str): Children\121\Internet Settings\Cache\Content\CachePrefix (MicrosoftEdgeCP.exe)
- Key created: Children\121\Internet Settings\Cache\History (MicrosoftEdgeCP.exe)
- Set value (str): Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" (MicrosoftEdgeCP.exe)
- Set value (data): MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ (MicrosoftEdge.exe)
- Key created: Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 (MicrosoftEdge.exe)
- Set value (int): MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\Toolbar\WebBrowser (MicrosoftEdge.exe)
- Key created: Children\001\Internet Settings\Cache\History (MicrosoftEdgeCP.exe)
- Set value (data): MicrosoftEdge\FlipAhead\Meta\generator$Discuz! (MicrosoftEdge.exe)
- Set value (int): Children\121\Internet Settings\Cache\History\CacheLimit = "1" (MicrosoftEdgeCP.exe)
- Key created: MicrosoftEdge\DummyPath (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\TabbedBrowsing\NewTabPage (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\Recovery\Active (MicrosoftEdge.exe)
- Set value (data): Children\006\CIStatus\SignaturePolicy = 06000000 (MicrosoftEdgeCP.exe)
- Set value (int): Children\006\ACGStatus\ACGPolicyState = "6" (MicrosoftEdgeCP.exe)
- Key created: Children\121\Internet Explorer\Main (MicrosoftEdgeCP.exe)
- Set value (int): MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" (MicrosoftEdge.exe)
- Set value (int): MicrosoftEdge\Rating\NextPromptBuild = "15063" (MicrosoftEdge.exe)
- Key created: Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (MicrosoftEdge.exe)
- Set value (int): MicrosoftEdge\GPU\DXFeatureLevel = "0" (MicrosoftEdge.exe)
- Key created: Children\121\Internet Settings\Cache (MicrosoftEdgeCP.exe)
- Key created: Children\001\Internet Settings\Cache\Content (MicrosoftEdgeCP.exe)
- Set value (data): Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 = 03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108 (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\TypedURLs (MicrosoftEdge.exe)
- Set value (int): MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1" (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\BrowserEmulation\LowMic (MicrosoftEdge.exe)
- Set value (int): Children\006\CIStatus\CIPolicyState = "0" (MicrosoftEdgeCP.exe)
- Key created: Children\001\Internet Settings\Cache (MicrosoftEdgeCP.exe)
- Set value (int): MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1" (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\FavOrder (MicrosoftEdge.exe)
- Set value (str): Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (MicrosoftEdgeCP.exe)
- Key created: Software\Microsoft\SystemCertificates\trust\CRLs (MicrosoftEdge.exe)
- Key created: MicrosoftEdge (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\ServiceUI (MicrosoftEdge.exe)
- Key created: Children\001\ACGStatus (MicrosoftEdgeCP.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings (giiit-a.exe)
- Set value (int): MicrosoftEdge\ServiceUI\IsSignedIn = "0" (MicrosoftEdge.exe)
- Set value (int): MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "355529990" (MicrosoftEdge.exe)
- Set value (data): MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = fce44b2cf544d801 (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\Internet Settings\Zones\3 (MicrosoftEdge.exe)
- Key created: Children\121\CIStatus (MicrosoftEdgeCP.exe)
- Key created: MicrosoftEdge\Main (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\TabbedBrowsing (MicrosoftEdge.exe)
- Key created: MicrosoftEdge\Rating (MicrosoftEdge.exe)
- Key created: (entry cut off at the end of the page)
\REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
pid process
1708 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2676 giiit-a.exe (64 identical events)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid process
792 MicrosoftEdgeCP.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1804 VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
Token: SeDebugPrivilege 2676 giiit-a.exe
Token: SeBackupPrivilege 4648 vssvc.exe
Token: SeRestorePrivilege 4648 vssvc.exe
Token: SeAuditPrivilege 4648 vssvc.exe
Token: SeDebugPrivilege 3748 MicrosoftEdge.exe (4 events)
Token: SeDebugPrivilege 2172 MicrosoftEdgeCP.exe (4 events)
Token: SeDebugPrivilege 1816 MicrosoftEdgeCP.exe (2 events)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid process
3748 MicrosoftEdge.exe
792 MicrosoftEdgeCP.exe (2 events)
Suspicious use of WriteProcessMemory 52 IoCs
Processes:
description pid process target process
PID 1744 wrote to memory of 1804 1744 VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe (10 events)
PID 1804 wrote to memory of 2108 1804 VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe giiit-a.exe (3 events)
PID 1804 wrote to memory of 2544 1804 VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe cmd.exe (3 events)
PID 2108 wrote to memory of 2676 2108 giiit-a.exe giiit-a.exe (10 events)
PID 2676 wrote to memory of 2308 2676 giiit-a.exe bcdedit.exe (2 events)
PID 2676 wrote to memory of 3840 2676 giiit-a.exe bcdedit.exe (2 events)
PID 2676 wrote to memory of 4136 2676 giiit-a.exe bcdedit.exe (2 events)
PID 2676 wrote to memory of 4332 2676 giiit-a.exe bcdedit.exe (2 events)
PID 2676 wrote to memory of 4428 2676 giiit-a.exe bcdedit.exe (2 events)
PID 2676 wrote to memory of 1324 2676 giiit-a.exe vssadmin.exe (2 events)
PID 2676 wrote to memory of 1708 2676 giiit-a.exe NOTEPAD.EXE (3 events)
PID 2676 wrote to memory of 2768 2676 giiit-a.exe vssadmin.exe (2 events)
PID 792 wrote to memory of 2172 792 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe (6 events)
PID 2676 wrote to memory of 8 2676 giiit-a.exe cmd.exe (3 events)
System policy modification 1 TTPs 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System giiit-a.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" giiit-a.exe
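The registry rows in this report are flattened into one run of text by the export, which buries the one row that matters here: giiit-a.exe writing EnableLinkedConnections = 1 under HKLM\...\Policies\System, among hundreds of Edge housekeeping writes. With that value set, drive mappings created under a user's filtered (non-elevated) token are also visible to the linked elevated token, which is why file encryptors set it before enumerating mapped network shares. The following is an added example, not part of the sandbox report or of the sample: a parser for rows in the report's own "Key created <path> <process>" / "Set value (<type>) <path> = <value> <process>" layout, plus a check that reports any value written under the Policies\System key. The sample rows are copied from this report; the row regex, the RegEvent record and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: rows copied from the report above, run together without
# separators exactly as the export flattens them.
SAMPLE_ROWS = (
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System giiit-a.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" giiit-a.exe '
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe '
    r'Set value (data) \REGISTRY\USER\S-1-5-21-3729659790-1998850411-3319863756-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = fce44b2cf544d801 MicrosoftEdge.exe'
)

# One row is "Key created <path> <proc>" or "Set value (<type>) <path> [= <value>] <proc>".
# Paths may contain spaces ("Local Settings"), so a row's end is pinned by the
# process name followed by the next row's keyword (or the end of the text).
_ROW_RE = re.compile(
    r'(?P<op>Key created|Set value \((?P<vtype>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+(?P<value>"[^"]*"|\S+))?'
    r'\s+(?P<process>\S+\.exe)'
    r'(?=\s+(?:Key created|Set value \()|\s*$)',
    re.IGNORECASE,
)

POLICY_KEY = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'


@dataclass
class RegEvent:
    op: str                    # "create" (key) or "set" (value)
    path: str
    process: str
    value_type: Optional[str]  # int / str / data; None for key creation
    value: Optional[str]       # quotes stripped; None for key creation


def parse_registry_rows(text: str) -> List[RegEvent]:
    """Split the flattened export into one RegEvent per row."""
    events = []
    for m in _ROW_RE.finditer(text):
        is_set = m.group('op').lower().startswith('set')
        value = m.group('value')
        if value is not None and value.startswith('"'):
            value = value[1:-1]
        events.append(RegEvent(
            op='set' if is_set else 'create',
            path=m.group('path'),
            process=m.group('process'),
            value_type=m.group('vtype').lower() if is_set else None,
            value=value if is_set else None,
        ))
    return events


def flag_policy_writes(events: List[RegEvent]) -> List[str]:
    """Report every value written under HKLM\\...\\Policies\\System: that key is
    machine-wide policy, not something a dropper in %APPDATA% has any business in."""
    findings = []
    for e in events:
        if e.op != 'set' or not e.path.lower().startswith(POLICY_KEY.lower()):
            continue
        name = e.path.rsplit('\\', 1)[-1]
        if name.lower() == 'enablelinkedconnections' and e.value == '1':
            findings.append(f'{e.process}: EnableLinkedConnections=1 (mapped drives become '
                            f'visible to the elevated token; precedes share encryption)')
        else:
            findings.append(f'{e.process}: Policies\\System\\{name} = {e.value!r}')
    return findings


if __name__ == '__main__':
    parsed = parse_registry_rows(SAMPLE_ROWS)
    for ev in parsed:
        print(ev.op, ev.process, ev.path.rsplit('\\', 1)[-1], ev.value)
    for finding in flag_policy_writes(parsed):
        print('FLAG', finding)
```

The same parser handles the Edge rows above unchanged; only the Policies\System write from giiit-a.exe is flagged, the TypedURLs and MigrationTime writes are parsed and ignored.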
Processes (nested by parent; the bracketed number is the depth shown in the original tree)
- [1] C:\Users\Admin\AppData\Local\Temp\VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\giiit-a.exe
      command line: C:\Users\Admin\AppData\Roaming\giiit-a.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\giiit-a.exe
        command line: C:\Users\Admin\AppData\Roaming\giiit-a.exe
        - Executes dropped EXE
        - Modifies extensions of user files
        - Checks computer location settings
        - Drops startup file
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        - [5] C:\Windows\SYSTEM32\bcdedit.exe
          command line: bcdedit.exe /set {current} bootems off
          - Modifies boot configuration data using bcdedit
        - [5] C:\Windows\SYSTEM32\bcdedit.exe
          command line: bcdedit.exe /set {current} advancedoptions off
          - Modifies boot configuration data using bcdedit
        - [5] C:\Windows\SYSTEM32\bcdedit.exe
          command line: bcdedit.exe /set {current} optionsedit off
          - Modifies boot configuration data using bcdedit
        - [5] C:\Windows\SYSTEM32\bcdedit.exe
          command line: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
          - Modifies boot configuration data using bcdedit
        - [5] C:\Windows\SYSTEM32\bcdedit.exe
          command line: bcdedit.exe /set {current} recoveryenabled off
          - Modifies boot configuration data using bcdedit
        - [5] C:\Windows\System32\vssadmin.exe
          command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
          - Interacts with shadow copies
        - [5] C:\Windows\SysWOW64\NOTEPAD.EXE
          command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
          - Opens file in notepad (likely ransom note)
        - [5] C:\Windows\System32\vssadmin.exe
          command line: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
          - Interacts with shadow copies
        - [5] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\giiit-a.exe
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
- [1] C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\system32\browser_broker.exe
  command line: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings
- [1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- [1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
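Read top-down, the tree above is the standard file-encryptor sequence. The dropper starts a second copy of itself and, tagged with SetThreadContext plus WriteProcessMemory, injects into that child (a fresh copy of its own image hollowed out; the WriteProcessMemory table shows the same pattern twice, 1744 into 1804 and 2108 into 2676). The injected copy writes itself to %APPDATA%\giiit-a.exe, repeats the injection, and only the final instance does the damage: five bcdedit runs that hide the boot menu and turn off Windows Recovery, two vssadmin runs that delete shadow copies, a notepad window for the ransom note, and a cmd /c DEL that removes both binaries afterwards (VIRUSS~1.EXE is the 8.3 short name of the dropped sample). The following is an added example, not from the report or the sample: the tree rebuilt as records and the four detections an incident responder would run over it, namely recovery inhibition, self-injection chains, self-deletion and ransom-note display. PIDs come from the WriteProcessMemory table above; the Proc record, the pattern table and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    flags: Tuple[str, ...] = ()   # sandbox behaviour tags attached to the process


SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\VirusShare_0d8ff116ce8976fc820c996a6ee90c3a.exe'
DROP = r'C:\Users\Admin\AppData\Roaming\giiit-a.exe'
BCD = r'C:\Windows\SYSTEM32\bcdedit.exe'

# Constructed from the report's process tree; PIDs from its WriteProcessMemory table.
TREE: List[Proc] = [
    Proc(1744, 0, SAMPLE, f'"{SAMPLE}"', ('SetThreadContext', 'WriteProcessMemory')),
    Proc(1804, 1744, SAMPLE, f'"{SAMPLE}"', ('AdjustPrivilegeToken', 'WriteProcessMemory')),
    Proc(2108, 1804, DROP, DROP, ('SetThreadContext', 'WriteProcessMemory')),
    Proc(2676, 2108, DROP, DROP, ('AdjustPrivilegeToken', 'WriteProcessMemory')),
    Proc(2308, 2676, BCD, 'bcdedit.exe /set {current} bootems off'),
    Proc(3840, 2676, BCD, 'bcdedit.exe /set {current} advancedoptions off'),
    Proc(4136, 2676, BCD, 'bcdedit.exe /set {current} optionsedit off'),
    Proc(4332, 2676, BCD, 'bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures'),
    Proc(4428, 2676, BCD, 'bcdedit.exe /set {current} recoveryenabled off'),
    Proc(1324, 2676, r'C:\Windows\System32\vssadmin.exe', r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'),
    Proc(1708, 2676, r'C:\Windows\SysWOW64\NOTEPAD.EXE', r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt'),
    Proc(2768, 2676, r'C:\Windows\System32\vssadmin.exe', r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'),
    Proc(8, 2676, r'C:\Windows\SysWOW64\cmd.exe', r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\giiit-a.exe'),
    Proc(2544, 1804, r'C:\Windows\SysWOW64\cmd.exe', r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE'),
]

# (image basename, command-line pattern, what it defeats); ATT&CK T1490 Inhibit System Recovery.
RECOVERY_PATTERNS = [
    ('bcdedit.exe', r'recoveryenabled\s+off', 'Windows Recovery Environment disabled'),
    ('bcdedit.exe', r'bootstatuspolicy\s+ignoreallfailures', 'automatic repair after failed boot suppressed'),
    ('bcdedit.exe', r'(bootems|advancedoptions|optionsedit)\s+off', 'boot menu / F8 options hidden'),
    ('vssadmin.exe', r'delete\s+shadows', 'Volume Shadow Copies deleted'),
]


def basename(path: str) -> str:
    return path.rpartition('\\')[2].lower()


def recovery_inhibition(procs: List[Proc]) -> List[Tuple[int, str]]:
    out = []
    for p in procs:
        for img, pat, what in RECOVERY_PATTERNS:
            if basename(p.image) == img and re.search(pat, p.cmdline, re.I):
                out.append((p.pid, what))
    return out


def self_injection_chains(procs: List[Proc]) -> List[Tuple[int, int]]:
    """Parent tagged SetThreadContext+WriteProcessMemory that spawned a child with
    its own image: the hollow-a-copy-of-yourself pattern seen twice in the tree."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    out = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower() == p.image.lower() \
                and {'SetThreadContext', 'WriteProcessMemory'} <= set(parent.flags):
            out.append((parent.pid, p.pid))
    return out


def _same_file(deleted: str, image: str) -> bool:
    """Exact match, or an 8.3 short name (ABCDEF~1.EXT) of the image in the same directory."""
    d_dir, _, d_name = deleted.rpartition('\\')
    i_dir, _, i_name = image.rpartition('\\')
    if d_dir.lower() != i_dir.lower():
        return False
    if d_name.lower() == i_name.lower():
        return True
    stem, _, ext = d_name.rpartition('.')
    return '~' in stem and i_name.upper().startswith(stem.split('~')[0].upper()) \
        and i_name.lower().endswith('.' + ext.lower())


def self_deletion(procs: List[Proc]) -> List[int]:
    """cmd.exe /c DEL <file> where <file> is the parent's own image."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        m = re.search(r'/c\s+del\s+(\S+)', p.cmdline, re.I)
        parent = by_pid.get(p.ppid)
        if basename(p.image) == 'cmd.exe' and m and parent and _same_file(m.group(1), parent.image):
            out.append(p.pid)
    return out


def ransom_note_display(procs: List[Proc]) -> List[Tuple[int, str]]:
    """notepad.exe opened on a file whose name reads like a ransom note."""
    out = []
    for p in procs:
        m = re.search(r'notepad\.exe"?\s+(\S+)$', p.cmdline, re.I)
        if m and re.search(r'(restore|recover|decrypt|how[_ ]?to)', basename(m.group(1))):
            out.append((p.pid, m.group(1)))
    return out


if __name__ == '__main__':
    for name, fn in [('recovery inhibition', recovery_inhibition), ('self-injection', self_injection_chains),
                     ('self-deletion', self_deletion), ('ransom note', ransom_note_display)]:
        print(name, fn(TREE))
```

The same four functions run unchanged over a Sysmon event 1 export once it is mapped onto Proc records; the only sandbox-specific input is the behaviour tags on the parent, which a production rule would replace with CreateRemoteThread / SetThreadContext telemetry.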
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+aqr.html
  Filesize: 6KB
  MD5: e18dba1ebbcab07a2b7185a9f2153387
  SHA1: a50ad8974c5d22deace6eace082213bf10268df7
  SHA256: c555e14994754b6c36bcdd0bbcc3764a377c91ca42e6a99f1238bc051502b03b
  SHA512: 0f335cf12265fc0bfe634eb491803e89c6aa131348590b49c35566240810c87b2b848c11444999275f58ed2841d6f1e7af7d3ce2ecf8aeb6f307f797a6946ea6
- C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+aqr.txt
  Filesize: 2KB
  MD5: b66aa2f0d1e866cb2cff6f450c96032c
  SHA1: 077c6ef88987c26d01a94eeadd9453f82e66a045
  SHA256: 0f941d99308f47505a2ca3d72addd1baf5684c58a388e88875766d12e524ce77
  SHA512: 8ba0459a1dc6f797b795769afbe5dd4862c0107ae173b87caac5cf126ac797ae0e4737024de6e15c890c8f0a10570c8f635d412c9b3eb374d9d0b8f13a74057f
- C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+aqr.html
  Filesize: 6KB
  MD5: e18dba1ebbcab07a2b7185a9f2153387
  SHA1: a50ad8974c5d22deace6eace082213bf10268df7
  SHA256: c555e14994754b6c36bcdd0bbcc3764a377c91ca42e6a99f1238bc051502b03b
  SHA512: 0f335cf12265fc0bfe634eb491803e89c6aa131348590b49c35566240810c87b2b848c11444999275f58ed2841d6f1e7af7d3ce2ecf8aeb6f307f797a6946ea6
- C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+aqr.txt
  Filesize: 2KB
  MD5: b66aa2f0d1e866cb2cff6f450c96032c
  SHA1: 077c6ef88987c26d01a94eeadd9453f82e66a045
  SHA256: 0f941d99308f47505a2ca3d72addd1baf5684c58a388e88875766d12e524ce77
  SHA512: 8ba0459a1dc6f797b795769afbe5dd4862c0107ae173b87caac5cf126ac797ae0e4737024de6e15c890c8f0a10570c8f635d412c9b3eb374d9d0b8f13a74057f
- C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+aqr.html
  Filesize: 6KB
  MD5: e18dba1ebbcab07a2b7185a9f2153387
  SHA1: a50ad8974c5d22deace6eace082213bf10268df7
  SHA256: c555e14994754b6c36bcdd0bbcc3764a377c91ca42e6a99f1238bc051502b03b
  SHA512: 0f335cf12265fc0bfe634eb491803e89c6aa131348590b49c35566240810c87b2b848c11444999275f58ed2841d6f1e7af7d3ce2ecf8aeb6f307f797a6946ea6
- C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+aqr.txt
  Filesize: 2KB
  MD5: b66aa2f0d1e866cb2cff6f450c96032c
  SHA1: 077c6ef88987c26d01a94eeadd9453f82e66a045
  SHA256: 0f941d99308f47505a2ca3d72addd1baf5684c58a388e88875766d12e524ce77
  SHA512: 8ba0459a1dc6f797b795769afbe5dd4862c0107ae173b87caac5cf126ac797ae0e4737024de6e15c890c8f0a10570c8f635d412c9b3eb374d9d0b8f13a74057f
- C:\Users\Admin\AppData\Roaming\giiit-a.exe (listed three times in the original report; identical hashes to the submitted sample)
  Filesize: 324KB
  MD5: 0d8ff116ce8976fc820c996a6ee90c3a
  SHA1: f04aa63508e99c54095cba747f31fb28fbfd392e
  SHA256: 25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e
  SHA512: 2c2c7b2eac7ac70d0bba26821a52e72e443428c154368c0ca173ff9901bcfdab386d81a759478ca6e85211003eb5fe3bebef076533eed647ad4803054a38311a
- C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
  Filesize: 6KB
  MD5: e18dba1ebbcab07a2b7185a9f2153387
  SHA1: a50ad8974c5d22deace6eace082213bf10268df7
  SHA256: c555e14994754b6c36bcdd0bbcc3764a377c91ca42e6a99f1238bc051502b03b
  SHA512: 0f335cf12265fc0bfe634eb491803e89c6aa131348590b49c35566240810c87b2b848c11444999275f58ed2841d6f1e7af7d3ce2ecf8aeb6f307f797a6946ea6
- C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
  Filesize: 2KB
  MD5: b66aa2f0d1e866cb2cff6f450c96032c
  SHA1: 077c6ef88987c26d01a94eeadd9453f82e66a045
  SHA256: 0f941d99308f47505a2ca3d72addd1baf5684c58a388e88875766d12e524ce77
  SHA512: 8ba0459a1dc6f797b795769afbe5dd4862c0107ae173b87caac5cf126ac797ae0e4737024de6e15c890c8f0a10570c8f635d412c9b3eb374d9d0b8f13a74057f
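The Downloads list above is easier to read once it is grouped by content hash: every dropped file is one of three objects, the HTML note, the text note, and a byte-for-byte copy of the submitted sample. This is an added example, not from the report or the sample: it takes the (path, SHA256) pairs listed above, collapses them by hash, and derives the three facts worth putting in the incident record, namely that giiit-a.exe is the sample itself copied into %APPDATA%, that one note body is written under two different names (how_recover+aqr.* in the walked directories, Howto_RESTORE_FILES.* on the desktop, which is what the file-name signatures key on), and which directories the encryptor walked. The hashes are copied from the report; the helper names are my own.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Hashes copied from the report above.
SAMPLE_SHA256 = '25c1c67de6ead9c4efd8372caccfbba80cc77667dd9b172e5535b1c7a7b81a5e'
NOTE_HTML = 'c555e14994754b6c36bcdd0bbcc3764a377c91ca42e6a99f1238bc051502b03b'
NOTE_TXT = '0f941d99308f47505a2ca3d72addd1baf5684c58a388e88875766d12e524ce77'

CERT = r'C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My'

# Constructed from the Downloads list above as (path, SHA256). giiit-a.exe is
# listed three times in the report with identical hashes; it is kept once here.
DROPPED: List[Tuple[str, str]] = [
    (CERT + r'\CRLs\how_recover+aqr.html', NOTE_HTML),
    (CERT + r'\CRLs\how_recover+aqr.txt', NOTE_TXT),
    (CERT + r'\CTLs\how_recover+aqr.html', NOTE_HTML),
    (CERT + r'\CTLs\how_recover+aqr.txt', NOTE_TXT),
    (CERT + r'\Certificates\how_recover+aqr.html', NOTE_HTML),
    (CERT + r'\Certificates\how_recover+aqr.txt', NOTE_TXT),
    (r'C:\Users\Admin\AppData\Roaming\giiit-a.exe', SAMPLE_SHA256),
    (r'C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html', NOTE_HTML),
    (r'C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt', NOTE_TXT),
]


def split_path(path: str) -> Tuple[str, str]:
    """Windows path -> (directory, file name)."""
    directory, _, name = path.rpartition('\\')
    return directory, name


def group_by_hash(files: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Collapse the listing to one entry per distinct content."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for path, sha in files:
        groups[sha.lower()].append(path)
    return dict(groups)


def self_copies(files: Iterable[Tuple[str, str]], sample_sha256: str) -> List[str]:
    """Dropped files whose content is the submitted sample: persistence copies."""
    return [path for path, sha in files if sha.lower() == sample_sha256.lower()]


def note_aliases(groups: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Content written under more than one file name (the same note, two names)."""
    return {sha: names for sha, paths in groups.items()
            if len(names := {split_path(p)[1] for p in paths}) > 1}


def walked_directories(groups: Dict[str, List[str]], note_hashes: Set[str]) -> Set[str]:
    """Every directory that received a note is a directory the encryptor visited."""
    return {split_path(p)[0] for sha in note_hashes for p in groups.get(sha.lower(), [])}


if __name__ == '__main__':
    g = group_by_hash(DROPPED)
    print('distinct objects:', len(g))
    print('self copies:', self_copies(DROPPED, SAMPLE_SHA256))
    print('note aliases:', note_aliases(g))
    print('walked:', sorted(walked_directories(g, {NOTE_TXT, NOTE_HTML})))
```

On a full report the walked-directory set is the quickest way to scope the damage: the note is dropped into every directory the encryptor touched, including, as here, subfolders of the user's certificate store that no user would look in.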
- memory/8-142-0x0000000000000000-mapping.dmp
- memory/1324-136-0x0000000000000000-mapping.dmp
- memory/1708-137-0x0000000000000000-mapping.dmp
- memory/1744-116-0x0000000000500000-0x00000000005AE000-memory.dmp (696KB)
- memory/1804-118-0x00000000004097F0-mapping.dmp
- memory/1804-117-0x0000000000400000-0x0000000000486000-memory.dmp (536KB)
- memory/1804-119-0x0000000000400000-0x0000000000486000-memory.dmp (536KB)
- memory/1804-120-0x0000000000400000-0x0000000000486000-memory.dmp (536KB)
- memory/2108-121-0x0000000000000000-mapping.dmp
- memory/2108-124-0x0000000000830000-0x0000000000833000-memory.dmp (12KB)
- memory/2308-131-0x0000000000000000-mapping.dmp
- memory/2544-125-0x0000000000000000-mapping.dmp
- memory/2676-127-0x00000000004097F0-mapping.dmp
- memory/2676-130-0x0000000000400000-0x0000000000486000-memory.dmp (536KB)
- memory/2676-129-0x0000000000400000-0x0000000000486000-memory.dmp (536KB)
- memory/2768-140-0x0000000000000000-mapping.dmp
- memory/3840-132-0x0000000000000000-mapping.dmp
- memory/4136-133-0x0000000000000000-mapping.dmp
- memory/4332-134-0x0000000000000000-mapping.dmp
- memory/4428-135-0x0000000000000000-mapping.dmp