Analysis
max time kernel: 510s
max time network: 513s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-04-2024 20:49
Static task: static1
URLScan task: urlscan1
General
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 6.tcp.us-cal-1.ngrok.io:12638
C2: 127.0.0.1:1337
Mutex: DC_MUTEX-RSWN5YL
Attributes:
  gencode: 7gEewe3dp4fF
  install: false
  offline_keylogger: true
  persistence: false
Signatures
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: prevmkali.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | prevmkali.exe
Modifies security service 2 TTPs 10 IoCs
Processes: prevmkali.exe (9 instances)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "1" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | prevmkali.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | prevmkali.exe
Processes: prevmkali.exe (9 instances), 20 IoCs
  description | ioc | process | count
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | prevmkali.exe | 9
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | prevmkali.exe | 9
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "0" | prevmkali.exe | 1
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "0" | prevmkali.exe | 1
Disables RegEdit via registry modification 1 IoCs
Processes: prevmkali.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" | prevmkali.exe
Disables Task Manager via registry modification
Executes dropped EXE 9 IoCs
Processes: prevmkali.exe (9 instances)
  pid | process
  4016 | prevmkali.exe
  2640 | prevmkali.exe
  4628 | prevmkali.exe
  5588 | prevmkali.exe
  4520 | prevmkali.exe
  5832 | prevmkali.exe
  5248 | prevmkali.exe
  5920 | prevmkali.exe
  5004 | prevmkali.exe
Processes:
  resource | yara_rule
  C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe | upx
  behavioral1/memory/4016-106-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/4016-112-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2640-114-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/2640-116-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/4628-130-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/4016-139-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/4016-224-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5588-261-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/4016-262-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/4016-263-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/4016-264-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/4520-267-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5832-273-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5248-290-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/4016-294-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5920-298-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5920-303-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5004-313-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5004-314-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5004-315-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5004-320-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5004-322-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5004-325-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5004-326-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral1/memory/5004-327-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Processes: prevmkali.exe (9 instances), 20 IoCs
  description | ioc | process | count
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | prevmkali.exe | 9
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | prevmkali.exe | 9
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "0" | prevmkali.exe | 1
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "0" | prevmkali.exe | 1
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: prevmkali.exe
  description | ioc | process
  File opened (read-only) | \??\E:, \??\H:, \??\J:, \??\L:, \??\M:, \??\P:, \??\U:, \??\I:, \??\S:, \??\Y:, \??\Z:, \??\A:, \??\O:, \??\Q:, \??\T:, \??\V:, \??\W:, \??\B:, \??\G:, \??\K:, \??\N:, \??\R:, \??\X: (one event per drive letter, in this order) | prevmkali.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
  flow | ioc
  94 | 6.tcp.us-cal-1.ngrok.io
  98 | 6.tcp.us-cal-1.ngrok.io
  64 | 6.tcp.us-cal-1.ngrok.io
  82 | 6.tcp.us-cal-1.ngrok.io
  90 | 6.tcp.us-cal-1.ngrok.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Modifies registry class 6 IoCs
Processes: explorer.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | explorer.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall" | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings | explorer.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: explorer.exe
  pid | process
  2372 | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msedge.exe (7 instances), identity_helper.exe, prevmkali.exe (2 instances)
  pid | process | count
  4540 | msedge.exe | 2
  4368 | msedge.exe | 2
  4344 | identity_helper.exe | 2
  4628 | msedge.exe | 2
  5960 | msedge.exe | 2
  5972 | msedge.exe | 2
  2548 | msedge.exe | 2
  5940 | msedge.exe | 4
  4016 | prevmkali.exe | 42
  5920 | prevmkali.exe | 4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes: msedge.exe
  pid | process | count
  4368 | msedge.exe | 7
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 7zG.exe, prevmkali.exe (3 instances)
  pid | process | tokens (in order)
  1744 | 7zG.exe | SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  4016 | prevmkali.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  2640 | prevmkali.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  4628 | prevmkali.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege
Suspicious use of FindShellTrayWindow 36 IoCs
Processes: msedge.exe, 7zG.exe (2 instances), explorer.exe
  pid | process | count
  4368 | msedge.exe | 33
  1744 | 7zG.exe | 1
  5460 | 7zG.exe | 1
  2372 | explorer.exe | 1
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
  pid | process | count
  4368 | msedge.exe | 24
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: prevmkali.exe (3 instances)
  pid | process
  4016 | prevmkali.exe
  5920 | prevmkali.exe
  5004 | prevmkali.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
  description | pid | process | target process | count
  PID 4368 wrote to memory of 4636 | 4368 | msedge.exe | msedge.exe | 2
  PID 4368 wrote to memory of 3972 | 4368 | msedge.exe | msedge.exe | 40
  PID 4368 wrote to memory of 4540 | 4368 | msedge.exe | msedge.exe | 2
  PID 4368 wrote to memory of 1836 | 4368 | msedge.exe | msedge.exe | 20
System policy modification 1 TTPs 28 IoCs
Processes: prevmkali.exe (9 instances)
  description | ioc | process | count
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | prevmkali.exe | 9
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "0" | prevmkali.exe | 1
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | prevmkali.exe | 9
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | prevmkali.exe | 9
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filebin.net/iupwjvd2xjkgmhs2/prebuiltvm.rar
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec4c346f8,0x7ffec4c34708,0x7ffec4c34718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3336 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,17418559034310579683,4651899115517635121,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5760 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\prebuiltvm\" -spe -an -ai#7zMap27370:82:7zEvent222471⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd2925772h6894h46cch93c3h1d5d246cd2ca1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffec4c346f8,0x7ffec4c34708,0x7ffec4c347182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6055774406263957736,1866925422703203876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,6055774406263957736,1866925422703203876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault23868d4ehd2c4h4a9ahaf0fh7b4c634528381⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffec4c346f8,0x7ffec4c34708,0x7ffec4c347182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4301013324815310568,3446095526262378034,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4301013324815310568,3446095526262378034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault204fa05dh1dd4h4606h8e51h298a082da7d01⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffec4c346f8,0x7ffec4c34708,0x7ffec4c347182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8692128357583523852,10144765486392426305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8692128357583523852,10144765486392426305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- System policy modification
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\prebuiltvm\" -spe -an -ai#7zMap10624:82:7zEvent231161⤵
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"C:\Users\Admin\Downloads\prebuiltvm\prevmkali.exe"1⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads