icedid | 1d769af38bea969c00501ff64b51f4e4fd2de2bedc7785b3471b7d12765c1a7d

Analysis

max time kernel
300s
max time network
298s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
12-01-2023 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document_251_Unpaid_-1-12.pdf
Size

136KB
MD5

1aaa86ed07b42bad2787fa25011e9e5a
SHA1

2d01f27a42b2aef8fc0664d593d67a08f9ec94ae
SHA256

1d769af38bea969c00501ff64b51f4e4fd2de2bedc7785b3471b7d12765c1a7d
SHA512

92b1170d14c91ef94f1693df3be90c86489dd00a596ed8e0de427ea958ec30e4fbed72a2c544239a917903475d5e8b295c7595e16e2804a9406aa1a959a96ff3
SSDEEP

1536:Yua8p56y2ZyTPAV55JI8i2RAFg9NjRbiZu5YhDpbFJjnR4f9e++aX6GkZ4vjXmA/:ryZiY55y8ivF00EoDJs1X0Z4LHOW

Score

10^/10

icedid 1387823457 banker trojan

Malware Config

Extracted

Family

icedid

Campaign

1387823457

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

112 2664 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2664 rundll32.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

File opened (read-only) \??\E: cmd.exe

flow	pid	process
112	2664	rundll32.exe

pid	process
2664	rundll32.exe

description	ioc	process
File opened (read-only)	\??\E:	cmd.exe

Drops file in Windows directory 7 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0012	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en-US	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exebrowser_broker.exeAcroRd32.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000ed15b192fd50ad934b9a954156c735ccc5207a3a8280ae23421dbd70b4127e41aecd94f172c9505bc45278cb9b4164e11ad10ae70c0f8e51dc90d4602f588abe8a1e605bea76bc1a5e6ba3b720997b43bcea1b5f21633fd8a2b5b2a7488ab46ae7a87bb3917837710684d047eeed17cdf90ce635d89bdc903b2b78fe12c9ef3c8d0b209b1cf07ad46f3e2cf7765fbbff61d8bd5ca0d9d9488a916f197d358bd574e7ed182afc369dec3988b8c80d3c72faecefd32d3c5fb2b8891ac666ee9e0a6adcf9cd81bd62628815ba1ce019bf1170eaf9e676e4d6ac1eb2e5231b14075b748a50bcb65344a6a572e80e4ba2e232d8709afcf8f027d5dbaba0df32c76e222d91559f3cdfbfd40ff11080e2c78471712069f6fa82746eac16788c4d270aa13b91aacfed7ffb8a5030ff947daa49630498131afbb942934a92fd002154a4d7c22998bbf154f2392cd011ccc7694c13b279059704b5c9bba1be54cd396edf2bc3fb2eed5b7fd10eca71a43f552665585c64e9907d96b091093c60bd2095a2e2bea6939f291e9430ccb3fde8cbff23f1a3f7c8bbee7b751569dc7f2d2d912859e2a685c29736	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 12efb1e200aed801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 365330e300aed801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b2bf59ea00aed801	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = f04e7f156ec0d801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = d581f14b6daed801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\AppData\Local\Temp\Document_224_Copy_01-12.zip:Zone.Identifier firefox.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\Document_224_Copy_01-12.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exerundll32.exe

pid	process
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
2664	rundll32.exe
2664	rundll32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid	process
756	MicrosoftEdgeCP.exe
756	MicrosoftEdgeCP.exe
756	MicrosoftEdgeCP.exe
756	MicrosoftEdgeCP.exe
188	MicrosoftEdgeCP.exe
188	MicrosoftEdgeCP.exe
188	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	3360	MicrosoftEdge.exe
Token: SeDebugPrivilege	3360	MicrosoftEdge.exe
Token: SeDebugPrivilege	3360	MicrosoftEdge.exe
Token: SeDebugPrivilege	3360	MicrosoftEdge.exe
Token: SeDebugPrivilege	4944	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4944	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4944	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4944	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4720	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4720	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4720	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4720	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3360	MicrosoftEdge.exe
Token: SeDebugPrivilege	1816	firefox.exe
Token: SeDebugPrivilege	1816	firefox.exe
Token: SeDebugPrivilege	1816	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

AcroRd32.exefirefox.exe

pid process

4936 AcroRd32.exe
1816 firefox.exe
1816 firefox.exe
1816 firefox.exe
1816 firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

AcroRd32.exefirefox.exe

pid	process
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

AcroRd32.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exefirefox.exe

pid	process
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
4936	AcroRd32.exe
3360	MicrosoftEdge.exe
756	MicrosoftEdgeCP.exe
756	MicrosoftEdgeCP.exe
4720	MicrosoftEdgeCP.exe
3200	MicrosoftEdge.exe
188	MicrosoftEdgeCP.exe
188	MicrosoftEdgeCP.exe
2912	MicrosoftEdgeCP.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe
1816	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4936 wrote to memory of 5088	4936	AcroRd32.exe	RdrCEF.exe
PID 4936 wrote to memory of 5088	4936	AcroRd32.exe	RdrCEF.exe
PID 4936 wrote to memory of 5088	4936	AcroRd32.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 4876	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe
PID 5088 wrote to memory of 884	5088	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Document_251_Unpaid_-1-12.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4936

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E8D43548AAB590F77C318360AADE6F2D --mojo-platform-channel-handle=1624 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4876

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5AC00D3F12BC83FA3E41889642EBB821 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5AC00D3F12BC83FA3E41889642EBB821 --renderer-client-id=2 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job /prefetch:1
3⤵
PID:884

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FF24C0F872866C255904A1F004D3D1A8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FF24C0F872866C255904A1F004D3D1A8 --renderer-client-id=4 --mojo-platform-channel-handle=2072 --allow-no-sandbox-job /prefetch:1
3⤵
PID:344

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8442C77409B6017FBE4928F75BC336CC --mojo-platform-channel-handle=2480 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F3F0E3B54100B9DC7FE3D1EBFC61EED7 --mojo-platform-channel-handle=2600 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1076

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B822C788D9C643AAF99F40B8EAC8929D --mojo-platform-channel-handle=2604 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4648

C:\Windows\SysWOW64\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://firebasestorage.googleapis.com/v0/b/cobalt-nomad-372419.appspot.com/o/OwSq1IMH1D%2FDocument_224_Copy_01-12.zip?alt=media&token=aa49349f-ed98-456b-85c4-ce74daf4a0e3"
2⤵
PID:4276

C:\Windows\SysWOW64\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://firebasestorage.googleapis.com/v0/b/cobalt-nomad-372419.appspot.com/o/OwSq1IMH1D%2FDocument_224_Copy_01-12.zip?alt=media&token=aa49349f-ed98-456b-85c4-ce74daf4a0e3"
2⤵
PID:2876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3360

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3200

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:640

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1816.0.1333671623\1681624872" -parentBuildID 20200403170909 -prefsHandle 1548 -prefMapHandle 1540 -prefsLen 1 -prefMapSize 220115 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1816 "\\.\pipe\gecko-crash-server-pipe.1816" 1632 gpu
3⤵
PID:4044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1816.3.1660434897\439529619" -childID 1 -isForBrowser -prefsHandle 1456 -prefMapHandle 2124 -prefsLen 122 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1816 "\\.\pipe\gecko-crash-server-pipe.1816" 2352 tab
3⤵
PID:4672

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1816.13.1506564379\1949319110" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3456 -prefsLen 6904 -prefMapSize 220115 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1816 "\\.\pipe\gecko-crash-server-pipe.1816" 3472 tab
3⤵
PID:4764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c negconrodl\bogpacsipr.cmd A B C D E F G H I J K L M N O P K R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Enumerates connected drives
PID:2668

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h negconrodl\outgoing.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:3004

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\outgoing.dat,init
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
136419344d2462df5856efa6ccfbb7e4

SHA1
d9034d754c65cc630a0d6f0efccb17016be876e7

SHA256
fc47afb1aabecc69fff0c95ea3a8eaf493927a0de0e595dceb21aa64af36eece

SHA512
f1acaa79b4e977fd9399746edf7bea9108be6b8a51e9114b9a65969d3e71d6e2343e6b76a00e9e97587f843cab86a1c3dca8eb5215cfd33e3396beecd3810bf1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D
Filesize
472B

MD5
b1f465f2178efe2786ee28d13fb5e76d

SHA1
777860d696be5da2a3e844ff1d29e8589cafe5a9

SHA256
27d9f7abe75dd3a91116324e0f0769191432f1425ebdc17ffa67085e7c747deb

SHA512
e229fcdd79f4bf030aff0bb51a93d029d6291ee1d98cdc24088608417609bc487b852d679b0fe15327faa6c83a3d25fe3d7aeebb6b9171e6d80928b468c9972a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
5143d25d0af3419af7626208683e80ab

SHA1
21c8168086e9b87ad8e36faed444ee63831dd15e

SHA256
a33dcc6c1e8f4a768d495a8afe18b778223b56a16e28e8f3d794cd74c3e6dafd

SHA512
c2abd1fb17256a4f097b8cbc5cb42f39380fb52f48efe6c6d2cc45d1a1edeb54f74174a04e0914edfb968b2983153e320c6864a7ea5f218df8be00c1952bfc7b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_ACA51E1ABBF1573BBD9B48CF6AC4217D
Filesize
402B

MD5
78194fc9dd420878cadaeb2bf32bfb19

SHA1
013986a1e5a31debd30c0217135e32c4f94540f6

SHA256
327896e2b2bf626d2af0e57563df498de373ab61db4d163704a69a0694fed568

SHA512
20850e4ee2cc804cb15c8b05f567d46565026133dd80d025def78ca6c42f4e06dabdc1123a6ccf66a4e4eb0c46e839524e0ee2dca57be45f7737c8a29561fc93

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
8a5824a9f8477d94db97453da51df990

SHA1
d14fad956e3c56ba33909689193afcca4cc32806

SHA256
6a8921da546b40f9c85e7c24d9b8bb7c93f53b6c16717ebdbb51cdd0e540b9fb

SHA512
2cda96efe779c7974bdf2e1ded67df4aa1b0e568767d80bb904dbc327952c5e0739db9140fed0f48ee1f4ecc95ba96a24df390c315c340c0ea38c15b72a5a6ae

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
Filesize
512KB

MD5
22981aa592e82e8a2e193fb525eebc14

SHA1
1a53e68f069dbf32ce0aced14dd1f21715519abb

SHA256
74c232a2654fce43405e1a668432d15bdedb7b9f1e26139e75caa5d39d01c354

SHA512
16837dbcd0e1574a02fba47d8873b6db4f0fcbc0603a9ef137d3c9660a859f790eb8b57a6aec835634c2863f317dc227651d6c9ad37ebbfde5da58f02e4677f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize
8KB

MD5
b6aab4d16a8d32cc22f7f5286ab78d0e

SHA1
08a7bdd626f1e45430faf42739ece59695910ff5

SHA256
4e4726a08fbc1ec57ced52376891c3079f7ff7427d32bbe5f97cff94b4361438

SHA512
b2d5e373f49be762256727e4efb94cac0ecdacfc782aff74cf64fc8f8d19eec069a8e9106f1a72d8f55cd4c13d90169fe026d669bd94893881ea43859e51665f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
Filesize
2.0MB

MD5
8208e9d2e37b8179d3385ae7c9f97e8e

SHA1
464c00527e7b965563551525e3b89e160d02fb58

SHA256
95549a7ac0f41074881157fe9b5d4a71a9f143417a68b82604e1eac1cbeef21e

SHA512
b3dacb41e4e542142306a26593fe744ab692ba7788f26eaef7b0bcf2d16ae37a30fd5cad71e20f20a356f621c325c125c1f108fa591b71d638e30d72fc287e57

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
Filesize
16KB

MD5
61c32369af242d7374728c147151a83f

SHA1
9dbad232eae9d22a2b62b840912d00c9fce62e14

SHA256
6a60e629058d24d58081ff99ddddfdcb85cda722ace83d46c3eba557183b7bbc

SHA512
12ebc88acf31a6562fd204ec572a2c2e709f76caa82b870b7ca7a8a6bcb37f54e85c81e045129d39326f4665e340cbced3818a880228c976904fa44143129252

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{445CE37C-4400-4D17-B363-75BA396D0D30}.dat
Filesize
5KB

MD5
ab9ce16c9a4887fbe502bb50d951bfa9

SHA1
d516a658cecf9d5d8d7d505ce942db8a174f3f2e

SHA256
762422ea4546e6f2adab17e69e837e2f94a80beba54ac74085380720f1a65ebb

SHA512
13b1a5c85ac572c99818339106e01f058a123c1fdd8474efaa443253951843f52e520b19953ac0f42002b126a2da3bd21610366e7fd61af749836cabec077048

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{A1047262-2382-4955-89E5-F44EABB42D7B}.dat
Filesize
6KB

MD5
ca87b47678a0664f8df625a41f922614

SHA1
02b66e4de064047c48ab42ceabdb5cee41b14177

SHA256
373c7b0a487aab44e87fb110a1f395960c1b618eeec4c6c9228d388952ec4948

SHA512
261d9de5d7f038373fc55d77e99c34ea580af5151f5f8905921b7aabf84f305995b3b5a57aecdc539470f6fc554a28cd95b8e160bad8a3a2568feb7fc1d48eb6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{CB1D4813-53AF-4332-B821-7691CFC02391}.dat
Filesize
8KB

MD5
53222d4d4c5615f05b598299f6cd4add

SHA1
9d08357cf97e57e626cb3f2b55f1ac928eae30d7

SHA256
b2acb507d1005291295f39609bbc1d98bb94788c2ecb01ad15e0beb4d327f80b

SHA512
579f19d3e7dc01d548fdbade131f3e358af936aa05b29adfe48f31053f108d828d84499da64b695a432f08c14e80ceaa006319f2d10fe5cddcb94fd122546638

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.pri
Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\AppData\Local\Temp\outgoing.dat
Filesize
189KB

MD5
c9f3dd6dddcd3beb7070d9f915219034

SHA1
c3f080523dc1b8c444742f372b9d212743b8a503

SHA256
65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984

SHA512
41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b

Download Submit
\??\pipe\chrome.1816.10.73057668
Filesize
452B

MD5
0e010c95dd402583b5f7f1ed9ce21cb8

SHA1
6bea314c73a7b3aa3ca43e7d36608480a8a3a69d

SHA256
0783202fa0e01b5b631990f8f57c98afdf8bf8709ec660aafcb47d36f057d360

SHA512
018ea975cf73b8606c58b5dca772decf6f9a1ff0920c604923c604084e1238eff9a00f374cfc624414e628c385967d0b2cdb17595b0aece82ac6bbba26ab977a

Download Submit
\Users\Admin\AppData\Local\Temp\outgoing.dat
Filesize
189KB

MD5
c9f3dd6dddcd3beb7070d9f915219034

SHA1
c3f080523dc1b8c444742f372b9d212743b8a503

SHA256
65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984

SHA512
41c4bc71788b5c48cdce3337f281c886c38cef0d139bdaa7d90250418df7582663ccc298c04b8e52c0d5f4da1ecd34fb82dd424aacc67d8559bfdc2e2caf160b

Download Submit
memory/344-364-0x0000000000000000-mapping.dmp

Download
memory/884-339-0x0000000000000000-mapping.dmp

Download
memory/1076-679-0x0000000000000000-mapping.dmp

Download
memory/2664-1098-0x0000000000000000-mapping.dmp

Download
memory/2876-998-0x0000000000000000-mapping.dmp

Download
memory/3004-1097-0x0000000000000000-mapping.dmp

Download
memory/4276-896-0x0000000000000000-mapping.dmp

Download
memory/4568-575-0x0000000000000000-mapping.dmp

Download
memory/4648-799-0x0000000000000000-mapping.dmp

Download
memory/4876-313-0x0000000000000000-mapping.dmp

Download
memory/4936-139-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-177-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-146-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-147-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-148-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-149-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-150-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-151-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-152-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-153-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-154-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-155-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-156-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-157-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-158-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-159-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-160-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-161-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-162-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-163-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-164-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-165-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-166-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-167-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-168-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-169-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-170-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-171-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-173-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-174-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-172-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-175-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-176-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-145-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-178-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-179-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-117-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-144-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-143-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-142-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-141-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-140-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-116-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-138-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-136-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-137-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-135-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-134-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-133-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-132-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-131-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-130-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-129-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-128-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-127-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-126-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-125-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-124-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-123-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-122-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-121-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-120-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-119-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/4936-118-0x0000000077520000-0x00000000776AE000-memory.dmp

Filesize
1.6MB

Download
memory/5088-203-0x0000000000000000-mapping.dmp

Download