Analysis
max time kernel: 254s
max time network: 354s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-04-2024 16:34
Static task: static1
Behavioral task: behavioral1
Sample: .html
Resource: win10v2004-20240412-en
General
Target: .html
Size: 147KB
MD5: 762e6325bd3507c9eb306362bb3e1800
SHA1: 702eefda1b6c20e354b1299ddc9e9dad3aee6b93
SHA256: 8651e42d19d9faef1b642b7f2e51dd2f828ecdb3994c18a42c67f5f4e696cf3c
SHA512: bc4cf578d5b876535113dc31e82759ffc7df4af962cfc8e8730ce8add85902cf4a0f20a43ac0ad79ab1a118ff17db63078f45f949cd3ce0761090d65a63d48f5
SSDEEP: 1536:oykud8LonVJoqYarK4DsYNgRyypRMPuNPV5nPztP4FPfaParP8R4DJ2PWTllU0rd:7kPL6WVMllhAYyHhqiS
Malware Config
Signatures
Processes: wscript.exe (8 instances)
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wscript.exe (8 identical entries)
Blocklisted process makes network request (16 IoCs)
Processes: wscript.exe (9 instances)
flow | pid | process
- flows 383, 384, 387, 390, 403, 404 | pid 3664 | wscript.exe
- flows 392, 393, 395 | pid 5916 | wscript.exe
- flow 396 | pid 3484 | wscript.exe
- flow 397 | pid 3688 | wscript.exe
- flow 398 | pid 6036 | wscript.exe
- flow 399 | pid 5672 | wscript.exe
- flow 400 | pid 5316 | wscript.exe
- flow 401 | pid 3320 | wscript.exe
- flow 414 | pid 1736 | wscript.exe
Downloads MZ/PE file
Modifies Installed Components in the registry (2 TTPs, 5 IoCs)
Processes: explorer.exe (5 instances)
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe (5 identical entries)
Possible privilege escalation attempt (36 IoCs)
Processes: icacls.exe (18 instances), takeown.exe (18 instances)
pid | process
- icacls.exe pids: 4300, 1612, 3572, 3208, 4224, 2592, 3716, 5828, 2328, 2376, 5172, 4568, 2492, 6016, 884, 3976, 5852, 3700
- takeown.exe pids: 4936, 4568, 3924, 1968, 2176, 5964, 4816, 928, 4112, 2840, 884, 5668, 4204, 5624, 2376, 4336, 2964, 216
Checks computer location settings (2 TTPs, 17 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe (8 instances), WScript.exe (9 instances)
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | wscript.exe (8 entries)
- Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | WScript.exe (9 entries)
Modifies file permissions (1 TTP, 36 IoCs)
Processes: takeown.exe (18 instances), icacls.exe (18 instances)
pid | process
- takeown.exe pids: 4936, 4204, 2176, 4336, 928, 2840, 5964, 5624, 4816, 4568, 2964, 884, 4112, 216, 3924, 2376, 5668, 1968
- icacls.exe pids: 4568, 2492, 1612, 3572, 4224, 6016, 3700, 4300, 2592, 2376, 5828, 3976, 3716, 3208, 5172, 884, 2328, 5852
Adds Run key to start application (2 TTPs, 16 IoCs)
Processes: wscript.exe (8 instances)
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" | wscript.exe (8 entries)
- Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bolbi = "C:\\Users\\Public\\Ghostroot\\Bolbi.vbs" | wscript.exe (8 entries)
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: explorer.exe (3 instances)
description | ioc | process
- File opened (read-only) | \??\D: | explorer.exe (3 entries)
- File opened (read-only) | \??\F: | explorer.exe (3 entries)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
flow | ioc
- 184 | raw.githubusercontent.com
- 187 | raw.githubusercontent.com
- 189 | raw.githubusercontent.com
Sets desktop wallpaper using registry (2 TTPs, 8 IoCs)
Processes: wscript.exe (8 instances)
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\ghostroot\\8ydfdsE.jpg" | wscript.exe (8 identical entries)
Drops file in Windows directory (9 IoCs)
Processes: wscript.exe (9 instances)
description | ioc | process
- File opened for modification | C:\Windows\System32 | wscript.exe (9 identical entries)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 36 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: explorer.exe
description | ioc | process
All 36 keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ and are accessed by explorer.exe; the entries are grouped by device (9 entries per device).
CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000:
- Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
- Key value queried | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName
- Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
- Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
- Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
- Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
- Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
- Key opened | CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000:
- Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
- Key value queried | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
- Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
- Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
- Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
- Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
- Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
- Key opened | Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001:
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
- Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002:
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
- Key value queried | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
- Key opened | CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
Enumerates system info in registry (2 TTPs, 6 IoCs)
Processes: msedge.exe (2 instances)
description | ioc | process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe (2 entries)
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe (2 entries)
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe (2 entries)
Kills process with taskkill (9 IoCs)
Processes: taskkill.exe (9 instances)
pid | process
- taskkill.exe pids: 2408, 3728, 3612, 3632, 4972, 4108, 1672, 5752, 5892
Modifies Control Panel (35 IoCs)
Processes: wscript.exe (9 instances)
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International | wscript.exe (9 entries)
- Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\Desktop | wscript.exe (8 entries)
- Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\s1159 = "Bolbi" | wscript.exe (9 entries)
- Set value (str) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\s2359 = "Bolbi" | wscript.exe (9 entries)
Modifies registry class (64 IoCs)
Processes: explorer.exe (5 instances), cmd.exe (7 instances), msedge.exe (1 instance)
description | ioc | process
cmd.exe (31 entries):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif | cmd.exe (7 entries)
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "dllfile" | cmd.exe (6 entries)
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.scr | cmd.exe (5 entries)
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "dllfile" | cmd.exe (6 entries)
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk | cmd.exe (4 entries)
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "exefile" | cmd.exe (3 entries)
explorer.exe (32 entries):
- Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{822E3E04-9B60-468C-9EAD-25DB66D9590F} | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{C3F208CC-1C99-487F-AAD5-42AE2265065C} | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{331DC6FC-19F6-4819-938C-AB16E20B4D3A} | explorer.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{23BC40AA-CC7D-4512-81BE-57DEC857A6E2} | explorer.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe (3 entries)
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe (3 entries)
- Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe (3 entries)
- Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings | explorer.exe (4 entries)
- Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe (3 entries)
- Key created | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe (5 entries)
- Set value (data) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | explorer.exe (2 entries)
- Set value (data) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | explorer.exe (4 entries)
- Set value (data) | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | explorer.exe
msedge.exe (1 entry):
- Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4084619521-2220719027-1909462854-1000\{931E05C8-2EC5-47B7-9199-553A9A1A3358} | msedge.exe
NTFS ADS 3 IoCs
Processes:
msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 183540.crdownload:SmartScreen
msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 477331.crdownload:SmartScreen
msedge.exe: File opened for modification C:\Users\Admin\Downloads\Unconfirmed 661656.crdownload:SmartScreen
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXE (pid 4704)
Suspicious behavior: EnumeratesProcesses 22 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
taskkill.exetaskkill.exetakeown.exeexplorer.exetakeown.exetaskkill.exetakeown.exeexplorer.exetaskkill.exetakeown.exeexplorer.exetakeown.exetakeown.exetakeown.exetaskkill.exeexplorer.exetaskkill.exetaskkill.exeexplorer.exedescription pid process Token: SeDebugPrivilege 2408 taskkill.exe Token: SeDebugPrivilege 4972 taskkill.exe Token: SeTakeOwnershipPrivilege 4568 takeown.exe Token: SeShutdownPrivilege 2776 explorer.exe Token: SeCreatePagefilePrivilege 2776 explorer.exe Token: SeShutdownPrivilege 2776 explorer.exe Token: SeCreatePagefilePrivilege 2776 explorer.exe Token: SeTakeOwnershipPrivilege 4336 takeown.exe Token: SeShutdownPrivilege 2776 explorer.exe Token: SeCreatePagefilePrivilege 2776 explorer.exe Token: SeShutdownPrivilege 2776 explorer.exe Token: SeCreatePagefilePrivilege 2776 explorer.exe Token: SeDebugPrivilege 4108 taskkill.exe Token: SeTakeOwnershipPrivilege 2964 takeown.exe Token: SeShutdownPrivilege 5212 explorer.exe Token: SeCreatePagefilePrivilege 5212 explorer.exe Token: SeShutdownPrivilege 5212 explorer.exe Token: SeCreatePagefilePrivilege 5212 explorer.exe Token: SeDebugPrivilege 1672 taskkill.exe Token: SeShutdownPrivilege 5212 explorer.exe Token: SeCreatePagefilePrivilege 5212 explorer.exe Token: SeTakeOwnershipPrivilege 3924 takeown.exe Token: SeShutdownPrivilege 2632 explorer.exe Token: SeCreatePagefilePrivilege 2632 explorer.exe Token: SeShutdownPrivilege 2632 explorer.exe Token: SeCreatePagefilePrivilege 2632 explorer.exe Token: SeTakeOwnershipPrivilege 5964 takeown.exe Token: SeShutdownPrivilege 2632 explorer.exe Token: SeCreatePagefilePrivilege 2632 explorer.exe Token: SeTakeOwnershipPrivilege 884 takeown.exe Token: SeShutdownPrivilege 2632 explorer.exe Token: SeCreatePagefilePrivilege 2632 explorer.exe Token: SeTakeOwnershipPrivilege 5668 takeown.exe Token: SeDebugPrivilege 3728 taskkill.exe Token: SeShutdownPrivilege 5660 explorer.exe Token: SeCreatePagefilePrivilege 5660 explorer.exe Token: SeShutdownPrivilege 5660 explorer.exe 
Token: SeCreatePagefilePrivilege 5660 explorer.exe Token: SeDebugPrivilege 3612 taskkill.exe Token: SeShutdownPrivilege 5660 explorer.exe Token: SeCreatePagefilePrivilege 5660 explorer.exe Token: SeDebugPrivilege 5752 taskkill.exe Token: SeShutdownPrivilege 3880 explorer.exe Token: SeCreatePagefilePrivilege 3880 explorer.exe Token: SeShutdownPrivilege 3880 explorer.exe Token: SeCreatePagefilePrivilege 3880 explorer.exe Token: SeShutdownPrivilege 3880 explorer.exe Token: SeCreatePagefilePrivilege 3880 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 64 IoCs
Processes:
wscript.exewscript.exewscript.exewscript.exewscript.exewscript.exewscript.exewscript.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPinningToTaskbar = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings 
= "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPinningToTaskbar = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms, = "1" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!" 
wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Your PC has been wrecked by Bolbi!" 
wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" wscript.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" wscript.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TaskbarNoPinnedList = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "ATTENTION!" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayItemsDisplay = "1" wscript.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" wscript.exe
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\.html
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde4e746f8,0x7ffde4e74708,0x7ffde4e74718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3432 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5868 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5848 /prefetch:8
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1140 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6824 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6608 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6356 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,1821654374431289308,1375117498980060588,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-

[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"
    - Checks computer location settings
  [2] C:\Windows\System32\wscript.exe
      cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated
      - UAC bypass
      - Blocklisted process makes network request
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - System policy modification
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
      [4] C:\Windows\System32\rundll32.exe
          cmdline: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /f /im explorer.exe
          - Kills process with taskkill
      [4] C:\Windows\explorer.exe
          cmdline: explorer.exe
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\System32\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\System32 /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\ /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\system32\NOTEPAD.EXE
    cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Bolbi.txt
    - Opens file in notepad (likely ransom note)

[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"
    - Checks computer location settings
  [2] C:\Windows\System32\wscript.exe
      cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated
      - UAC bypass
      - Blocklisted process makes network request
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - System policy modification
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        - Modifies registry class
      [4] C:\Windows\System32\rundll32.exe
          cmdline: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /f /im explorer.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\System32\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\System32 /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\ /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"
    - Checks computer location settings
  [2] C:\Windows\System32\wscript.exe
      cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated
      - UAC bypass
      - Blocklisted process makes network request
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - System policy modification
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        - Modifies registry class
      [4] C:\Windows\System32\rundll32.exe
          cmdline: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /f /im explorer.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\explorer.exe
          cmdline: explorer.exe
          - Modifies Installed Components in the registry
          - Enumerates connected drives
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\System32\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\System32 /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\ /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"
    - Checks computer location settings
  [2] C:\Windows\System32\wscript.exe
      cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated
      - UAC bypass
      - Blocklisted process makes network request
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - System policy modification
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        - Modifies registry class
      [4] C:\Windows\System32\rundll32.exe
          cmdline: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /f /im explorer.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\explorer.exe
          cmdline: explorer.exe
          - Modifies Installed Components in the registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\System32\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\System32 /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\ /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"
    - Checks computer location settings
  [2] C:\Windows\System32\wscript.exe
      cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated
      - UAC bypass
      - Blocklisted process makes network request
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - System policy modification
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        - Modifies registry class
      [4] C:\Windows\System32\rundll32.exe
          cmdline: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /f /im explorer.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\explorer.exe
          cmdline: explorer.exe
          - Modifies Installed Components in the registry
          - Enumerates connected drives
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\System32\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\System32 /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\ /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"
    - Checks computer location settings
  [2] C:\Windows\System32\wscript.exe
      cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated
      - UAC bypass
      - Blocklisted process makes network request
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - System policy modification
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        - Modifies registry class
      [4] C:\Windows\System32\rundll32.exe
          cmdline: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /f /im explorer.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\explorer.exe
          cmdline: explorer.exe
          - Modifies Installed Components in the registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\System32\
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\System32 /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\ /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"
    - Checks computer location settings
  [2] C:\Windows\System32\wscript.exe
      cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated
      - UAC bypass
      - Blocklisted process makes network request
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - System policy modification
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        - Modifies registry class
      [4] C:\Windows\System32\rundll32.exe
          cmdline: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /f /im explorer.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\explorer.exe
          cmdline: explorer.exe
          - Modifies Installed Components in the registry
          - Enumerates connected drives
          - Checks SCSI registry key(s)
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SendNotifyMessage
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\System32\
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\System32 /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\ /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"
    - Checks computer location settings
  [2] C:\Windows\System32\wscript.exe
      cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated
      - UAC bypass
      - Blocklisted process makes network request
      - Checks computer location settings
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - System policy modification
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        - Modifies registry class
      [4] C:\Windows\System32\rundll32.exe
          cmdline: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /f /im explorer.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\System32\
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\System32 /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\ /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions

[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"
    - Checks computer location settings
  [2] C:\Windows\System32\wscript.exe
      cmdline: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated
      - Blocklisted process makes network request
      - Drops file in Windows directory
      - Modifies Control Panel
    [3] C:\Windows\System32\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
      [4] C:\Windows\System32\rundll32.exe
          cmdline: C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
      [4] C:\Windows\system32\reg.exe
          cmdline: reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
      [4] C:\Windows\system32\taskkill.exe
          cmdline: taskkill /f /im explorer.exe
          - Kills process with taskkill
      [4] C:\Windows\explorer.exe
          cmdline: explorer.exe
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\System32\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\System32 /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\takeown.exe
          cmdline: takeown /f C:\Windows\
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\icacls.exe
          cmdline: icacls C:\Windows\ /Grant Users:F
          - Possible privilege escalation attempt
          - Modifies file permissions
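Every one of the nine Bolbi.vbs runs above drives the same KillDora.bat chain: the script host re-launches itself with /elevated, the two SafeBoot keys are deleted, explorer.exe is killed and restarted, and takeown/icacls hand the Users group full control of C:\Windows and C:\Windows\System32. The script below is an added example, not part of this report and not the sandbox vendor's code. It rebuilds the tree from the flat export form in which each line runs the image path, the command line and the tree-depth digit together, then applies one detection predicate per action and correlates the hits back to the root process. The SAMPLE lines are constructed to mirror that format; the rule names and the /elevated self-relaunch heuristic are this example's own and do not reproduce the sandbox's signature logic.

```python
"""Rebuild a sandbox process tree from its flat export and flag the KillDora.bat
chain seen above. Added example, not part of the report; SAMPLE is constructed to
mirror the export's one-process-per-line form, in which the image path, the
command line and the tree-depth digit run together."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample in the export's fused form (not copied from the report above).
SAMPLE = r'''
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs"1⤵
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Users\Admin\Desktop\Bolbi.vbs" /elevated2⤵
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat3⤵
C:\Windows\System32\rundll32.exeC:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters4⤵
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f4⤵
C:\Windows\system32\reg.exereg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f4⤵
C:\Windows\system32\taskkill.exetaskkill /f /im explorer.exe4⤵
C:\Windows\explorer.exeexplorer.exe4⤵
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\4⤵
C:\Windows\system32\icacls.exeicacls C:\Windows\System32 /Grant Users:F4⤵
C:\Windows\system32\takeown.exetakeown /f C:\Windows\4⤵
C:\Windows\system32\icacls.exeicacls C:\Windows\ /Grant Users:F4⤵
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
'''

# Image path up to the first ".exe", then the command line, then one depth digit
# and the optional expand-arrow glyph (U+2935) the export appends.
LINE_RE = re.compile(r'^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)\u2935?$', re.I)
SYSTEMROOT_PATH = re.compile(r'\bC:\\Windows(\\|\s|$)', re.I)


@dataclass(eq=False)   # eq=False keeps identity hashing so a Proc can be a dict key
class Proc:
    depth: int
    image: str
    cmdline: str
    parent: "Proc | None" = None

    @property
    def exe(self) -> str:
        return self.image.rsplit('\\', 1)[-1].lower()

    def root(self) -> "Proc":
        p = self
        while p.parent is not None:
            p = p.parent
        return p

    def ancestry(self) -> str:
        names, p = [], self
        while p is not None:
            names.append(p.exe)
            p = p.parent
        return ' <- '.join(names)


def parse_tree(text: str) -> list:
    """One Proc per line; a stack keyed on the depth digit restores parent links."""
    procs, stack = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        p = Proc(int(m['depth']), m['image'], m['cmd'].strip())
        while stack and stack[-1].depth >= p.depth:   # pop back to this line's parent
            stack.pop()
        p.parent = stack[-1] if stack else None        # a depth-1 line starts a new tree
        stack.append(p)
        procs.append(p)
    return procs


# Rule names are this example's own labels, not sandbox signature names.
def relaunched_elevated(p: Proc) -> bool:
    # Script host spawned by the same script host with /elevated: the self-relaunch
    # the report tags "UAC bypass" on the depth-2 wscript.exe.
    return (p.exe in ('wscript.exe', 'cscript.exe') and '/elevated' in p.cmdline.lower()
            and p.parent is not None and p.parent.exe == p.exe)


def deletes_safeboot(p: Proc) -> bool:
    # Deleting the SafeBoot Minimal/Network keys removes the Safe Mode driver and
    # service lists, so the host can no longer be cleaned from Safe Mode.
    return p.exe == 'reg.exe' and re.search(r'\bdelete\b.*\\SafeBoot\\', p.cmdline, re.I) is not None


def tampers_systemroot_acl(p: Proc) -> bool:
    # takeown/icacls on %SystemRoot% or anything beneath it; "/Grant Users:F" hands
    # every interactive user full control of the OS tree.
    return p.exe in ('takeown.exe', 'icacls.exe') and SYSTEMROOT_PATH.search(p.cmdline) is not None


def kills_explorer(p: Proc) -> bool:
    return p.exe == 'taskkill.exe' and re.search(r'/im\s+explorer\.exe', p.cmdline, re.I) is not None


RULES = {
    'script_host_relaunched_elevated': relaunched_elevated,
    'safeboot_key_deleted': deletes_safeboot,
    'systemroot_owner_or_acl_changed': tampers_systemroot_acl,
    'explorer_killed': kills_explorer,
}


def find_hits(procs: list) -> list:
    """(rule name, process) for every process that trips a rule."""
    return [(name, p) for p in procs for name, rule in RULES.items() if rule(p)]


def rule_counts(procs: list) -> dict:
    return dict(Counter(name for name, _ in find_hits(procs)))


def correlate(procs: list, min_rules: int = 3) -> list:
    """Attribute each hit to the depth-1 root of its tree and report roots whose
    subtree trips at least min_rules distinct rules: four low-value single-event
    matches become one high-confidence detection of the whole batch-file chain."""
    by_root = defaultdict(set)
    for name, p in find_hits(procs):
        by_root[p.root()].add(name)
    return [(r.cmdline, sorted(n)) for r, n in by_root.items() if len(n) >= min_rules]


if __name__ == '__main__':
    tree = parse_tree(SAMPLE)
    for name, p in find_hits(tree):
        print(f'{name:34} {p.cmdline}\n{"":34} via {p.ancestry()}')
    for cmd, names in correlate(tree):
        print('CHAIN', names, 'rooted at', cmd)
```

Run as a script it prints each hit with its parent chain (reg.exe <- cmd.exe <- wscript.exe <- wscript.exe) and one CHAIN line for the Bolbi.vbs root. The same four predicates transfer directly to live telemetry: on Sysmon Event ID 1 or Security 4688 with command-line auditing enabled, the depth stack is replaced by the parent process ID, and the correlation step is what separates this chain from a lone, legitimate takeown or icacls run by an administrator.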

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffde4e746f8,0x7ffde4e74708,0x7ffde4e74718
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2300 /prefetch:2
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5336 /prefetch:8
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2288,825572677966922418,3580012932410466153,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1

[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\explorer.exe
    cmdline: explorer.exe

[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  [2] C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 5176 -s 3508

[1] C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k UnistackSvcGroup

[1] C:\Windows\System32\mobsync.exe
    cmdline: C:\Windows\System32\mobsync.exe -Embedding

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5964 -s 35402⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Public\ghostroot\Message.vbs explorer.exe1⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (5)
  File and Directory Permissions Modification (1)
Downloads