Analysis
-
max time kernel
1200s -
max time network
1205s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
02-05-2024 15:34
Behavioral task
behavioral1
Sample
Xone.exe
Resource
win10-20240404-en
General
-
Target
Xone.exe
-
Size
70KB
-
MD5
d6ec9094de6462e9e424c5a5895652be
-
SHA1
913468ec95a9fc7177e1bfa854be91e0edc5e369
-
SHA256
b3181abef94bdb7d805cc96e20b9d4ae16c02f37fa5c8aa71fdc96fcf113b492
-
SHA512
9c910ff3d53d557c01e55681414b735dfa837182058f98858b414906b78ae85ac5b6986fdabe4b324d33c5d6716c0d66c152834818bc7ee5b1e739f769b64f83
-
SSDEEP
1536:fmbtyRj5ZiA8IhD8qXLIqGFbMfeLbthijHMxfQZ964kaO6UA6:5R/iA8IhD8qX72bceftjQZsaOFr
Malware Config
Extracted
xworm
lesbian-organ.gl.at.ply.gg:38343
-
Install_directory
%Temp%
-
install_file
Xone.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral1/memory/3564-565-0x000000001C5A0000-0x000000001C5AE000-memory.dmp disable_win_def -
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/3564-1-0x00000000007A0000-0x00000000007B8000-memory.dmp family_xworm -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/3564-1421-0x000000001EE10000-0x000000001EF2E000-memory.dmp family_stormkitty -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
Xone.exedescription pid process target process PID 3564 created 644 3564 Xone.exe lsass.exe -
Processes:
Xone.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" Xone.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Xone.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 3428 powershell.exe 368 powershell.exe 2876 powershell.exe 4676 powershell.exe -
Disables RegEdit via registry modification 1 IoCs
Processes:
Xone.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0" Xone.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Xone.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation Xone.exe -
Loads dropped DLL 1 IoCs
Processes:
Xone.exepid process 3564 Xone.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Xone.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xone = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Xone.exe" Xone.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
explorer.exedescription ioc process File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\F: explorer.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in Windows directory 10 IoCs
Processes:
taskmgr.exeexplorer.exeMicrosoftEdge.exeSearchUI.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process File created C:\Windows\rescache\_merged\1601268389\715946058.pri taskmgr.exe File created C:\Windows\rescache\_merged\2717123927\1590785016.pri explorer.exe File created C:\Windows\rescache\_merged\4032412167\4002656488.pri explorer.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri taskmgr.exe File created C:\Windows\rescache\_merged\4183903823\2290032291.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\715946058.pri SearchUI.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\1568373884.pri MicrosoftEdgeCP.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid process 2304 sc.exe 2224 sc.exe 3736 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 29 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
explorer.exetaskmgr.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 explorer.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Xone.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Xone.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Xone.exe -
Enumerates system info in registry 2 TTPs 15 IoCs
Processes:
chrome.exechrome.exeXone.exechrome.exeSearchUI.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Xone.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion Xone.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate Xone.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Xone.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 600 taskkill.exe -
Processes:
SearchUI.exebrowser_broker.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\GPU SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 51 IoCs
Processes:
powershell.exechrome.exechrome.exechrome.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133591379397188451" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeCP.exeMicrosoftEdge.exeexplorer.exeMicrosoftEdgeCP.exeSearchUI.exeMicrosoftEdgeCP.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packag = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e80705004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000061fd4198a69cda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80705004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000b764e797a69cda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0047006e00660078007a00740065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000e80705005000430048002000380025000d000a005a0072007a00620065006c0020003600300025000d000a0051007600660078002000330025000d000a004100720067006a0062006500780020003000250000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000009e6cb79aa69cda0100000000000000000000000047006e006600780020005a006e0061006e0074007200650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000007f7f58e8a86da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d0000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\exmple.com\NumberOfSubdomains = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\exmple.com\NumberOfSubdomains = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\exmple.com\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\exmple.com\Total = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe -
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Xone.exepid process 3564 Xone.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exeXone.exepid process 3428 powershell.exe 3428 powershell.exe 3428 powershell.exe 368 powershell.exe 368 powershell.exe 368 powershell.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 2876 powershell.exe 2876 powershell.exe 4712 taskmgr.exe 2876 powershell.exe 4712 taskmgr.exe 4712 taskmgr.exe 4676 powershell.exe 4676 powershell.exe 4676 powershell.exe 4712 taskmgr.exe 3564 Xone.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
taskmgr.exeexplorer.exeXone.exepid process 4712 taskmgr.exe 4092 explorer.exe 3564 Xone.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
MicrosoftEdgeCP.exepid process 3992 MicrosoftEdgeCP.exe 3992 MicrosoftEdgeCP.exe 3992 MicrosoftEdgeCP.exe 3992 MicrosoftEdgeCP.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
chrome.exechrome.exechrome.exepid process 3560 chrome.exe 3560 chrome.exe 3560 chrome.exe 3560 chrome.exe 3536 chrome.exe 3536 chrome.exe 3536 chrome.exe 2920 chrome.exe 2920 chrome.exe 2920 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Xone.exepowershell.exepowershell.exetaskmgr.exepowershell.exedescription pid process Token: SeDebugPrivilege 3564 Xone.exe Token: SeDebugPrivilege 3428 powershell.exe Token: SeIncreaseQuotaPrivilege 3428 powershell.exe Token: SeSecurityPrivilege 3428 powershell.exe Token: SeTakeOwnershipPrivilege 3428 powershell.exe Token: SeLoadDriverPrivilege 3428 powershell.exe Token: SeSystemProfilePrivilege 3428 powershell.exe Token: SeSystemtimePrivilege 3428 powershell.exe Token: SeProfSingleProcessPrivilege 3428 powershell.exe Token: SeIncBasePriorityPrivilege 3428 powershell.exe Token: SeCreatePagefilePrivilege 3428 powershell.exe Token: SeBackupPrivilege 3428 powershell.exe Token: SeRestorePrivilege 3428 powershell.exe Token: SeShutdownPrivilege 3428 powershell.exe Token: SeDebugPrivilege 3428 powershell.exe Token: SeSystemEnvironmentPrivilege 3428 powershell.exe Token: SeRemoteShutdownPrivilege 3428 powershell.exe Token: SeUndockPrivilege 3428 powershell.exe Token: SeManageVolumePrivilege 3428 powershell.exe Token: 33 3428 powershell.exe Token: 34 3428 powershell.exe Token: 35 3428 powershell.exe Token: 36 3428 powershell.exe Token: SeDebugPrivilege 368 powershell.exe Token: SeDebugPrivilege 4712 taskmgr.exe Token: SeSystemProfilePrivilege 4712 taskmgr.exe Token: SeCreateGlobalPrivilege 4712 taskmgr.exe Token: SeIncreaseQuotaPrivilege 368 powershell.exe Token: SeSecurityPrivilege 368 powershell.exe Token: SeTakeOwnershipPrivilege 368 powershell.exe Token: SeLoadDriverPrivilege 368 powershell.exe Token: SeSystemProfilePrivilege 368 powershell.exe Token: SeSystemtimePrivilege 368 powershell.exe Token: SeProfSingleProcessPrivilege 368 powershell.exe Token: SeIncBasePriorityPrivilege 368 powershell.exe Token: SeCreatePagefilePrivilege 368 powershell.exe Token: SeBackupPrivilege 368 powershell.exe Token: SeRestorePrivilege 368 powershell.exe Token: SeShutdownPrivilege 368 powershell.exe Token: SeDebugPrivilege 368 powershell.exe Token: SeSystemEnvironmentPrivilege 368 powershell.exe Token: SeRemoteShutdownPrivilege 368 powershell.exe Token: SeUndockPrivilege 368 powershell.exe Token: SeManageVolumePrivilege 368 powershell.exe Token: 33 368 powershell.exe Token: 34 368 powershell.exe Token: 35 368 powershell.exe Token: 36 368 powershell.exe Token: SeDebugPrivilege 2876 powershell.exe Token: SeIncreaseQuotaPrivilege 2876 powershell.exe Token: SeSecurityPrivilege 2876 powershell.exe Token: SeTakeOwnershipPrivilege 2876 powershell.exe Token: SeLoadDriverPrivilege 2876 powershell.exe Token: SeSystemProfilePrivilege 2876 powershell.exe Token: SeSystemtimePrivilege 2876 powershell.exe Token: SeProfSingleProcessPrivilege 2876 powershell.exe Token: SeIncBasePriorityPrivilege 2876 powershell.exe Token: SeCreatePagefilePrivilege 2876 powershell.exe Token: SeBackupPrivilege 2876 powershell.exe Token: SeRestorePrivilege 2876 powershell.exe Token: SeShutdownPrivilege 2876 powershell.exe Token: SeDebugPrivilege 2876 powershell.exe Token: SeSystemEnvironmentPrivilege 2876 powershell.exe Token: SeRemoteShutdownPrivilege 2876 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe 4712 taskmgr.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
Xone.exeSearchUI.exeexplorer.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMpCmdRun.exepid process 3564 Xone.exe 1848 SearchUI.exe 3564 Xone.exe 4092 explorer.exe 3816 MicrosoftEdge.exe 3992 MicrosoftEdgeCP.exe 4112 MicrosoftEdgeCP.exe 3992 MicrosoftEdgeCP.exe 1884 MpCmdRun.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Xone.exeexplorer.exechrome.exedescription pid process target process PID 3564 wrote to memory of 3428 3564 Xone.exe powershell.exe PID 3564 wrote to memory of 3428 3564 Xone.exe powershell.exe PID 3564 wrote to memory of 368 3564 Xone.exe powershell.exe PID 3564 wrote to memory of 368 3564 Xone.exe powershell.exe PID 3564 wrote to memory of 2876 3564 Xone.exe powershell.exe PID 3564 wrote to memory of 2876 3564 Xone.exe powershell.exe PID 3564 wrote to memory of 4676 3564 Xone.exe powershell.exe PID 3564 wrote to memory of 4676 3564 Xone.exe powershell.exe PID 3564 wrote to memory of 600 3564 Xone.exe taskkill.exe PID 3564 wrote to memory of 600 3564 Xone.exe taskkill.exe PID 3564 wrote to memory of 4092 3564 Xone.exe explorer.exe PID 3564 wrote to memory of 4092 3564 Xone.exe explorer.exe PID 4092 wrote to memory of 3560 4092 explorer.exe chrome.exe PID 4092 wrote to memory of 3560 4092 explorer.exe chrome.exe PID 3560 wrote to memory of 1200 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 1200 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3872 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3692 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 3692 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 4072 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 4072 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 4072 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 4072 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 4072 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 4072 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 4072 3560 chrome.exe chrome.exe PID 3560 wrote to memory of 4072 3560 chrome.exe chrome.exe -
System policy modification 1 TTPs 3 IoCs
Processes:
Xone.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Xone.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system Xone.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" Xone.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵
-
C:\Program Files\Windows Defender\MSASCuiL.exe"C:\Program Files\Windows Defender\MSASCuiL.exe"4⤵
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
- Launches sc.exe
-
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -DisableService3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Xone.exe"C:\Users\Admin\AppData\Local\Temp\Xone.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
- Disables RegEdit via registry modification
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xone.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xone.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xone.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xone.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffff7b99758,0x7ffff7b99768,0x7ffff7b997784⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1696 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4364 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4636 --field-trial-handle=1880,i,16420929775219472810,13417126291061388933,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffff7b99758,0x7ffff7b99768,0x7ffff7b997784⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2988 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4504 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4592 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5208 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 --field-trial-handle=1748,i,9289708458543488443,16778328102674201772,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"3⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffff7b99758,0x7ffff7b99768,0x7ffff7b997784⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1888 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2948 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4012 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1996,i,3792715119093473593,6852771140810828381,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffff7b99758,0x7ffff7b99768,0x7ffff7b997783⤵
-
C:\Windows\SYSTEM32\CMD.EXE"CMD.EXE"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 62⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 02⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 62⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 62⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 22⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend2⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"2⤵
-
C:\Program Files\Windows Defender\MSASCuiL.exe"C:\Program Files\Windows Defender\MSASCuiL.exe"3⤵
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups2⤵
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller2⤵
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start lsass2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3b01⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4401⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD52d9f034fe011a3626c641622da4e1fe2
SHA1e79ffce5333c61d94a36ccaf9cf1a72e03268656
SHA25634b2d6b896be4a5c8771e65da5d9342ef5f69880e9948b6a9522c06ca50efc00
SHA512703dae4d2a4f7ece62ef72c964d232b229964ca84638c916804a983bab85c5da30a2af269359261c3044a56e362341f442e0137eeef6f82ddb4fc97b358fd580
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\482540f8-0498-478a-9ec9-9e44d4561867.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0Filesize
44KB
MD55910ca7ed0d7c67b8da703e8e3548bb2
SHA100901a70c5c70a2e4627420b888b820647962c45
SHA256a49e3e4b834afed10b272882366113f431c0523ca2c51378514c3b8e16ad749d
SHA512ffaa12fcf04846a9f64b278cb20ffce7778b3d4613f70cf3426ac9229b25e585b95a4a51b8ae984acedb5c908cf19f8cdc869871a114441eb07481769f9bc996
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1Filesize
264KB
MD56f4046b84e0164e405dee21eb9ae96f1
SHA1d358a439530e452814be84da7ffe905447067dcb
SHA256d0a5a2707cfcfce57cd4b333c53587fa57e50137899244ef98d822968bfc9af2
SHA512f2e057d1bfd5c12f07a991abef12117d78ae61a2a12a142613d0ce02a6e0293b3bbcb66480caa9ebffe2e8cf1d6d20eebac59776f0deebc1f7b18cfb1ea29e41
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2Filesize
1.0MB
MD58efde4f72d783571c6a9ef1e5beadfd5
SHA1b2f95af9cf9182e503986676644305a9b584a2f9
SHA256b7dd8132b86ea18fe28662bb99cd969e5526b42ce617d034180d03c670c455fa
SHA512f1a26f66f21019be6f1356e772c74db111637806b0f7f5a92acfe63983df646b370dc82aea489824f4b4258f1069098961f38cac9a78756fa764a0585cd33fd0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3Filesize
4.0MB
MD53bdcd27a34cf33c6188b2638d7bb64f8
SHA152b41544ae4d23e8319d3e4deab001c9274362fd
SHA256d50da802f274905659a35b96a3b2a5afec3c4e4ce6b1053a7a46c617f009b930
SHA512f7d40b78ce0a8a1658190debe088847b81cfc5708952aed323dbbb607346f4455f39076c43072250a73ffa6b706f38af5e4942dc8624c0c5ef6a5643af99328c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
72B
MD51715dd73332258a48c2f03b442c42649
SHA12eefd6f39238f86b13af73e6e0eb25b472c2d82f
SHA2569d26751cb671d6479e4c013a8f46ea2fe99ac356310876f2bc828e2a08ab7872
SHA512cf7dd95d49bbdd26898c6d6f120a6f164423e87bb4c880989b4c0a7711b42b7594d940e7059db1f00b170cca9e09a4e07b0abab46dabbce9c87cc532e9f6a7e3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1Filesize
264KB
MD5ceadc18a0d919754d72276aabd850878
SHA12a5825862dd4eb6a50eaf1b14bf4b48139d011cf
SHA2560860c6277a9d3a3dbd81c708ca959a8d1b62d1f8f2a32373363ade741d9f2dcc
SHA512bfd6bdf08086475bb8a7c9a7b69baa3131e1cbd123c128ee54c754961e85e3b249b55c9faec6ea1b4d8cb4ab0831967d06b3bf5a76b8c0ecee836d276c320e17
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\FaviconsFilesize
20KB
MD556d0bfe66732ff98f3883c6d75bc7ec6
SHA101cf4133966638a5e473d7680c850831a3ef7c98
SHA25624a9cfcfaf3ebb87c9e8d76d893fc56083bd78a1a7d1f360fb2a3f5913370184
SHA5123b5a176f791c3b51f186c7acb08c55999eec0508b7542d70992654fc43ae565484ad6156bc6ef3a67b403942ac3989d75585770b9093a231fd3356f7a8c07a79
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\HistoryFilesize
148KB
MD5a8fc413104d4d37b318fd7e59b039003
SHA1a44ce640d452017dfca6978dd34737d1b4cbb876
SHA25626d7d16b27150b63ac92e4d0309f7c5695ec9207d2244a038357dcf1a6c9789d
SHA5123eef96268daf172c2e666ef210f06b15b11abc56619a65f3d158966731babb6089956f45582c9334d4b12e1f588f34df4d83228a0c29ea396e3dfa09407f4b27
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOGFilesize
326B
MD56c78e3ea565e3a687dc3af82d2c32a08
SHA1d5b31bc062cffb4890daddd7c5aeec19aff9a897
SHA2565c304286b7e0f6ff8ecdc8f51fb639266c04d829d8f9a1b7d2e504bc00da92de
SHA5129bf371784394d7817fc350245184425c0f0b202687478a662f15615739c6920ff804290b5a9acc637143102dfa3030669b7b90074da8c44c786438a643366a97
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesFilesize
20KB
MD59727b3e7153497d1321c64549408dd09
SHA123b8d0d5f044d9223d2bbfb59c9dae3cbfc373f7
SHA2567f9e65ddf6d41165152cfc76163b4358f7370531d4eb94ec36ed0c54bb36dd2d
SHA512c4f9a63dc0557a80f4102f687e2587ac2dd7a56e0ea02399a51f58212041058c117ba4496c269ea7fe7b62caf090857388273a3274986184cbd6dd1fddac661c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD53f1e15d8d640dbf37e8b6d6a6107a280
SHA1400451a338cf9ba509a267d1911db4ceca1b52db
SHA2562b3119325bb19e19a9b3923e4fb6c922b264c7e44acec3fafb1f91885c7181ab
SHA5126d165d31b07fd8ea94f589c47a6e8e62e4ba35dd15a69d25574beaf1cc383d393d3cd41df48ca9f9fd10d85ee06f2cd10441ad290a95a88207a08b90931fee4b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
1KB
MD5bf83b3f36fb1691bad7a6d1502e8ee3d
SHA127191c9867c89181b2eed2b7d34273f8efee7107
SHA256e68b6e8260dc3c213e6e53192fa11c89f8d42c8c1f81db1b26a4f686410ae95f
SHA512e6d9d1ac603004269accd8b5ac6640ae4768274d92d3dd9834b0e775ab150073873951cf1f8212a34345d16285e2a54825965198421d63f42fccca25d25cc641
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
369B
MD53731728e59d648908b7cf5737bb10f2e
SHA193040c5ee8603d2f317e26d98db4e4c7059ec82f
SHA256130e75a81b21dff5402517c11450641528d08755f226df9bb9121a8697d8074d
SHA512056b1b5a4a3a516320b437a4f07627a2da0f5237f5fb6c94baf2b3cedbba741d9cdacde588a85a8378d6f7f621f240f32753f6df7b166ad8b22220943c0c8796
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
371B
MD55422cc53be28654ce8ba82d4dde3a46d
SHA1367c1822e041769590eedc0463e13e37794031ac
SHA2565063d4087ed27f60a6f9d947372ab466f4b411cd0a4c3f0e30e70bcddd84d806
SHA512abff02a7cf99552d4e65e4c8773624ec508812ecfe3b187661fc36e7c5f5d6ac8d992aae064dc06b0b85263ea4e0cb9d36afa7d50851c78145627ae0a5eb2eff
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
369B
MD5001f03ec0f8d0645ccff8573366cf46f
SHA1d200d40681087376dc1b9e840c592975cc8a5628
SHA256c483b32aeeb53538a9663563ce6eed98807826985cd087cc071ebcca63d373fc
SHA512220bdca62266f527843168949fc3013c29d553e6cab664860228aa67683e167bf9c632510ae947ee2800147aae34a439b10ae919b372465799e53ebf7f9549bb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD5280c1ab35197c4d070092c9ffbc7b668
SHA1357e9bd6b921dba24cb8323e1a10d54dcecab857
SHA25654180979c2fd0746482c80f5e28eddb3c4bff1d562775a23bcd5c730b78fb540
SHA512c74fe84dba2c6fccfc6b0194f39bef5095273a7000cd1c8d4be50a789024ed40c347548c7043036249dcbbef6bf1ef741c6c11cb8c14da71eb7ebd13d32586c2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD574776e4aade8816905b1c189e744ed0c
SHA1aa321f92e66de4aa2d267a1896273090d0f56626
SHA25654978ca29062f92c180a489a185ce5046c37a73f93136eed820331dda8b3f018
SHA5124816a0613ecb59e95ac1f7206a5af40e08048c2a49b18b73bb3e87fb41e1b31bc0a4aad8d9f49fe49d853f66f1edfd3873dcb34d28853b85935aa440a8ddd1ec
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5110d5b706aa6ed2cdefc62abdd19939f
SHA1c2231a4cc8402ec9e9a360529b17f4c8e54cc6a8
SHA25641b740da587e86d6eaf96aa9df6f589ce89e41d16b7ec2e6d409af0e666bdd51
SHA5125377a46e2a46c086df5aba925cca21206c9689247b9a088c88f32c6929f8d02c6174fe4af2671c4392355dc7741ffbcb218a76908fdde666fb84dc312cb8dc41
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5d29b918e0700e8cbdf984fe9c26236c9
SHA15e2bee00b896166f8cdc62617216a1782568770a
SHA256eb5f18677dfc51986ab2ba7270159633dca17ca45acfcda5b6800dffbe23a5aa
SHA512adbe6206cd06f751f40518e951c8c28582d924d5dc343a5908112cb71bfbb09d11eac5bf06f24dc19a820fc53364d0ce356d7ad97e96f5944713c9fef0ffa6b6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.logFilesize
393B
MD58c1d5b420ec68ed154b3d626ab522265
SHA1a68cd85822bbc3fa9c3dec76c8f4c78dc7e8a09a
SHA256c93d68cbeeb5df31457cf4ddb7c0b71e27f407b0627f8cd50b1ba003d1bbb475
SHA51237997e3f8c0e6edcd446a8a1e23c27971dcf6305135bb9da5447e2a64ca1d7d1ee1ae7836a4e0b133b0ac95bee7c2fb1b06e6309ac9ed811db61b7263b6128a3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOGFilesize
314B
MD532cc01785202f533b69642d6c9dc8821
SHA1d41b6c6260a0a6c5e76adcca9ffa5fb825fa5e0e
SHA25626cc135e18432774cb510d84c47819cff27317915c4c47c6352b38e1ba743b96
SHA512d63e1db9bf1530b6b3f4f1b116b8990b620ec2f332b88c988c9ad4fe2593f1eb3590ca3fc4eae1ba8509ed2d9083b5bfb63a52082d168d05767827bdf98482cf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13359137994238512Filesize
2KB
MD5cd8f71a1b9d3bd534ce677a0a0f3a3d6
SHA19871182aabbcb03f90dbb011def62b1f56c3368f
SHA256ed29a0a3d08152a347cf41233b2e9f019a8f2c9515410147980528d39b5e7453
SHA512c119abd8c3c5a4cde5d239df905d4fcbf217f10e7eb0b34f11739c0900eef68aa61060adfa691229d621e96122c9f09fb9006636aeb8783d9d3e474446debe44
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.logFilesize
112B
MD585c643749ed7410f5e103459920391a1
SHA1dcc34a22883b0edea52b46736ee318a036fe27f9
SHA256964ffdffc40152d5b39fc9c71a3ecea1893899de1d352df75932973c6d423f7b
SHA51276fff9b457da6b88aa8f94d6f525d130318d55beb363e40866e77b8c78e697b50642b81602bb10f63430755036059ddbad861670853ac53d973f88dd4106f754
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOGFilesize
345B
MD51817fa88a064b8efdab2723e65d79b57
SHA13c0514cc10cbf0dbdb0d19561b08678080e20b31
SHA25617eca35081676f8bf34eb482beaecc15618dce41c93dbd43cf4345e9a25fbb2f
SHA512d43bff708ed2c439097388fd19a839e4b42175c8e69f53e58d74c5b371c10dc3a0cd57621ccd2483ee4d9b911448446513253554c428e0278449ba13fce969c9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.logFilesize
8KB
MD5a93b6371f28454844ba9adff33ac7b66
SHA1c94341415eb9fb238e66d2c59e1e6cbb7143042a
SHA256794d0f1affae4eb7d2bf89f04688fdadbfaf561a4d42fb56ef6255b359f31d2c
SHA512d5279669476fb41a55993ff54fcf0ba1633dad65238fbbb83f29270fe22e3542a4ceb593705dc89e44c88079e9e4c929cce37cf9ba0aa2a33fb8b22356a8bae5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOGFilesize
321B
MD5e5b5b96f0d4726681ab45b129133b14d
SHA1ee3d295959295a510eb3ee044c804092ebb880c5
SHA25677749198d3b709333a061e025e861889d611f59ce772e75ab47488b2e77f947d
SHA512ec58df5e983cd4caa7d21a72285a17ff1eb518eea9d2ad01b31b376268a94fcdc113993be565180e2f587de0f8fefb30b1e82b3ffabf76e5c1ef0573ce508591
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited LinksFilesize
128KB
MD5430b4d232cd6466242cd20bb399b45f9
SHA15a8f2defa7221c73b6376696e0d30bff72dab3f0
SHA256b187ec0544354691494a77d11911830d1dafb6ed51fefaab5382709b69c9d008
SHA5120acd070fe405cab2ca01438c5103c63e81b1bd18071edfb60986cc16cf6209323609f2e91c4e69967a4a91e58b836d0e5d5622fc78984c7a879d9f06004b88b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web DataFilesize
92KB
MD55de93e2888050ab8e1442244c01d230c
SHA19c9edc02f2e74bae6bd9b22144f71935d91f56b7
SHA256c2ef15a45ed34ce526e1bd331bf02fd0a7c4928f0bbe209905740f51925877f6
SHA512a33f93b89e4748b7046ddff9347f777a51055d953eff6c7daf9f8bbbf077814aae9d92f3d7b7a1617ee2b461b1e7e03d9b50b91ba2eedb5d15d8dc64759fc7bd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.logFilesize
1KB
MD562fd2e19b19d013c6bd44a0c217e2bac
SHA10694f5ec64f5b72173583f73a81bc1b48657e2b3
SHA2561406a8d387b9089300072a4c4460d01d868578f5787cf014563f776db84cf7a7
SHA512c7b55ed8246a0af1e93c98fd7967ee7178b70ae4395505f93d2b855b88245457073833e0e0c4cff8e5e009ca280304dede060aeb897304f40cd56bbbb04abe84
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOGFilesize
317B
MD535b4b721c0d6c2931bd35f5a5130c224
SHA1b22c9c7ef5db7b59c1fc2f34583b641ab0af4e68
SHA256e76d39de4d03a0f10a4f68942be03026c3d5744bfca943f75393950507d0d738
SHA512adbd2900b8f1656a13e4f23a9e63ea38ede56cc81fbcf5661754714fcb21f8d306e21edddf8d9888b82cf2914f6bb8c73eef2f56147a50f4514df1efb2acf95f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.logFilesize
918B
MD5a9790028cb8aa77b6dc8bb95a6c51bd4
SHA115518f64c1bcad040c3cda2b19b994148b1ea3ae
SHA256335c04c8eab42d213d24a71fcad2d288de5070598c2be0ae8089ea17988767cf
SHA51249eb2aa17b37909f21f56c17e97b45411b929bd8638f092e2cb3e8fdd88f31022aba90e98ee870d6dd3dc63d52776f6c2b579f8a287b4db5f508f71734949ae0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOGFilesize
335B
MD5f83387075f542e3d8c2828c08223dd7c
SHA1770ab7fc4588e3c405453b524a8324d13315272f
SHA256fdb3cee7777ae24083eeda1ab9565ac8d22f2b735a9d5b7534072167865253e0
SHA5123303010c975b68117fd914aea3374cca848e1fe0260ca23e9fb6a38442c4ac71b40b09126da7faa8c53a67d1a32ba23c8b017a4766f53909aad13040b900ba56
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0Filesize
44KB
MD54aa170f0f300f4bc297c610fdcf0a9cd
SHA1659f73eb42f77dbb3358d06374055b7f4d6f2110
SHA2567ca87445fd89a74bb63c4e7413a05a498bdd98ff934d8b019a0d232206d5f2f1
SHA51221c89695063f7c94e5e15c09b041920e2a70e1d0b00cd97ae5845241a24b49eb3342519b47a1e389d3315e6df51b1d7a096bf753806a1f88c94d221c6deaacdb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1Filesize
264KB
MD58f668671f283d99545fed4f4b4382f32
SHA19f7ebeeaacfbbf846064c96ead7c7a2ecd993e69
SHA2567e9a9f51ad1b3d82c3271a510a352d522bce417b3e14b453159144aece802e27
SHA512eabc738c868b2a837f33c2e46508e4c7d9f3138d19304ab0333e1df120186deead2fe53527ca1876c2002e5af8e90a7c5d461d6783974de835bfbe6b08071726
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3Filesize
4.0MB
MD5e09b4dfc069b22e68bc02a4073f3181f
SHA13d5802b4a711cf0823839bd9c047eed8c9ba22e4
SHA25605314af8dd28b6f8e997361dfbb5ad748e24481cdad4db2579188867f0dd25c9
SHA5123f4045f3276c32b7383f8b3e4e86ebf18dcd3f1fc61b9fc109dc94c6fde9781dc2c58f3841b50673b93ef9a1235f51c09564be9c78c6344dd5c16bff65a1d41d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\f_000003Filesize
18KB
MD52def9f0f436ead1749a833e3b0a394cc
SHA1e2ad6db20cf7dd358ce4614d10ed2a1d6f2ebdd9
SHA2564995c3595811bf9daf240692790c082b26d54026bf30583fc6f26defa72a8e2c
SHA512a3d67cb60e5cc046d8a72946ecdd382f5197a34297af0f7012934e9f2907245133c1a7caf1800a1d04b04fcc056722b59ad4a68b819401f56e9aaa7ecf92a7b3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last VersionFilesize
14B
MD59eae63c7a967fc314dd311d9f46a45b7
SHA1caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA2564288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
272KB
MD583a4a9c8d3659973bc0dcba70b5e3bab
SHA1b2d5ffb684c9eeb452d1105f5668dbc1c0612b86
SHA256dd542a93fe4b4d263a619e1020975630f7b4e377e88a012a43fba6e22764a1a0
SHA512c45c98f15784c62101ee03be22001855ea9db81e536bae92fb5279c8b8749a2c97fd7352d5dcff5ddbf7aa6f680819ff73d92fbf26ae224e14ae3bcabfe7e2b5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
140KB
MD5f794c8646a9306c239a1287c26dca506
SHA17d273ee5cafcea41796c4b5036019cbc4eb24997
SHA2567fb0a10730c2841168554f7613259580420fc170c72ef6f3d58c329a604fbe30
SHA51274b0c4b6033a5d135737460847f9cdaa6d37502859abb965b8cb24876bfef96c4b894cfd5e29fc06edbdbf2935bc79a2d384134bf4f2903da80949f2979791ef
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
272KB
MD53d6c76c2e3eb6c58f836802d710ee736
SHA123c9dbeebf12448c2956ca5d3fc77fa1aae63518
SHA2561aaf6c536fd3170aa329e4ae7d2676b6da2a87c515be2ed87cf47db4bea8b26a
SHA51275b8f83151595d7c5cc9783520d3ac5a289ea4e2d560287fc22cd56c214ef09c1e31e84c73cb55190331d304ed080ac8430a98235a29192adb001253d1fd0048
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1Filesize
264KB
MD555bcd7e87e34dcc12ad8090b8e0e32b2
SHA1232d3704ca99a234b50d2d56bd7fd65df6ce03d2
SHA256eea03543fad0a0b34ec75a8113154c92192c56586c08c647ecac0e09ef446e1d
SHA512bdc6ef6bd4c1f09bcb5ba25264c922813d458c2f9fd2061a844e9fec5718e4c020b6475a49ea56d04c6d471cba74d1d2a763712db6037dce3d813a71cbd5e165
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\VariationsFilesize
86B
MD5961e3604f228b0d10541ebf921500c86
SHA16e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f6f3c242405b108569f8c1dff25c2925
SHA171393cd1b0948794e0868aec91743dffd4bf7406
SHA256dba6a5246a371436f60cdbcdcdf8f018caa354f331e503b8bfd340e9a981b2cc
SHA5122ac3d96095e60c75b6806262a0c4f9985a49b3028bb33ca825a30162a520cf70eb39f39b928db2271a6970f3745e346ea273debffc1948a887b333801142c90d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5aeefb5c880f799aa28d83922e5e02872
SHA19557a5ad17964bc9dea3507b0cba20417bcb1767
SHA25665c300776e202fdba21d88ef0f86c48aa5a7377546af824ca2737a3359ffbaf6
SHA51215de729b05ec0fd1c3383f66d6a2eed683d38d0c76989f026eb3b25a9e95bcb7a4e1948ca46e2dff2ab5877e5d3d3abd4ca9d4d4519192e84e296e95991a4a7d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f4573292d6ebb351a3c68186980e5d7c
SHA1a64f41d29fdf10c1fbf880859c0076e86b611c6e
SHA256fad1a14cdd5f9d8b7bb8127ea39a7c788fa2e15dd937952b0eedb4e1e51ce67e
SHA512f4a8de6525e0e899ca3ab0c5b65c3295f03d651ab5b9b3d3d5389a964bcf17967fd63881d480f1330c9304b03c273bda0aea5211617bcece253aedca367e0673
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\E81C7T4Q\favicon[1].htmFilesize
1KB
MD5e0dc97debdfae982ba9dabbecfac652a
SHA1f5dc07e878fb3b4ca3ed0a12e2b6bfd0736a04e4
SHA25693c9b4deedd8116f7e455d5d87ac74c50cadfde9e198af6607f4ad2250cd3ee2
SHA5122c792cb18141e0129290ee82e81956398c405b575ca6d8b4d00253435e13351faf79f0dbf4237d3eeb9dba5e9d477f07d1528c479a16d73a48a46539287bbd61
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFE2CBF69230B98904.TMPFilesize
16KB
MD51955fb4351b115fa38ad3b0436bcf592
SHA1caed8d15684a9e5afde1af26917eb05d50a74af3
SHA2564faa2eaf91e9feb59a75474b436dadadc12eeab06efbe0fe44564eb2fe005656
SHA51206c27c78137964141ec9667885c466699691c5ee9812075929ec0071f80d77eb401745c84d060e9ee03d287077f6c18cf11853deb96e2d6686d13b024dc567d3
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5w3qn0lg.sdj.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
\??\pipe\crashpad_3560_ZAEYYSUQCIGEUDTFMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\tmpE8A6.tmpFilesize
100KB
MD51b942faa8e8b1008a8c3c1004ba57349
SHA1cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA5125aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43
-
memory/1848-203-0x0000020C11300000-0x0000020C11400000-memory.dmpFilesize
1024KB
-
memory/1848-206-0x0000020C11870000-0x0000020C11890000-memory.dmpFilesize
128KB
-
memory/1848-227-0x0000020C119F0000-0x0000020C11A10000-memory.dmpFilesize
128KB
-
memory/3428-12-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmpFilesize
9.9MB
-
memory/3428-11-0x000002237E500000-0x000002237E576000-memory.dmpFilesize
472KB
-
memory/3428-21-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmpFilesize
9.9MB
-
memory/3428-51-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmpFilesize
9.9MB
-
memory/3428-8-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmpFilesize
9.9MB
-
memory/3428-7-0x000002237E210000-0x000002237E232000-memory.dmpFilesize
136KB
-
memory/3564-565-0x000000001C5A0000-0x000000001C5AE000-memory.dmpFilesize
56KB
-
memory/3564-1226-0x000000001CB00000-0x000000001CB12000-memory.dmpFilesize
72KB
-
memory/3564-188-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmpFilesize
9.9MB
-
memory/3564-189-0x000000001C330000-0x000000001C33C000-memory.dmpFilesize
48KB
-
memory/3564-191-0x000000001B840000-0x000000001B87A000-memory.dmpFilesize
232KB
-
memory/3564-196-0x000000001BFE0000-0x000000001BFEA000-memory.dmpFilesize
40KB
-
memory/3564-562-0x000000001C3D0000-0x000000001C3DA000-memory.dmpFilesize
40KB
-
memory/3564-563-0x000000001C3E0000-0x000000001C3EC000-memory.dmpFilesize
48KB
-
memory/3564-564-0x000000001C590000-0x000000001C59A000-memory.dmpFilesize
40KB
-
memory/3564-486-0x000000001C390000-0x000000001C39A000-memory.dmpFilesize
40KB
-
memory/3564-567-0x000000001CA00000-0x000000001CA0C000-memory.dmpFilesize
48KB
-
memory/3564-576-0x000000001B640000-0x000000001B64A000-memory.dmpFilesize
40KB
-
memory/3564-1421-0x000000001EE10000-0x000000001EF2E000-memory.dmpFilesize
1.1MB
-
memory/3564-1420-0x000000001CFD0000-0x000000001CFDA000-memory.dmpFilesize
40KB
-
memory/3564-1417-0x000000001D030000-0x000000001D0BE000-memory.dmpFilesize
568KB
-
memory/3564-1337-0x000000001B730000-0x000000001B73A000-memory.dmpFilesize
40KB
-
memory/3564-1336-0x000000001D2D0000-0x000000001D620000-memory.dmpFilesize
3.3MB
-
memory/3564-1-0x00000000007A0000-0x00000000007B8000-memory.dmpFilesize
96KB
-
memory/3564-2-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmpFilesize
9.9MB
-
memory/3564-485-0x000000001BD50000-0x000000001BD5A000-memory.dmpFilesize
40KB
-
memory/3564-384-0x000000001D800000-0x000000001DD26000-memory.dmpFilesize
5.1MB
-
memory/3564-383-0x000000001C690000-0x000000001C740000-memory.dmpFilesize
704KB
-
memory/3564-187-0x00007FFFED903000-0x00007FFFED904000-memory.dmpFilesize
4KB
-
memory/3564-1225-0x000000001B720000-0x000000001B72A000-memory.dmpFilesize
40KB
-
memory/3564-1224-0x000000001B710000-0x000000001B71A000-memory.dmpFilesize
40KB
-
memory/3564-0-0x00007FFFED903000-0x00007FFFED904000-memory.dmpFilesize
4KB
-
memory/3816-1134-0x0000022C6B8E0000-0x0000022C6B8E2000-memory.dmpFilesize
8KB
-
memory/3816-1217-0x0000022C6D3F0000-0x0000022C6D3F1000-memory.dmpFilesize
4KB
-
memory/3816-1221-0x0000022C6B8D0000-0x0000022C6B8D1000-memory.dmpFilesize
4KB
-
memory/3816-1179-0x0000022C74ED0000-0x0000022C74ED1000-memory.dmpFilesize
4KB
-
memory/3816-1180-0x0000022C74EE0000-0x0000022C74EE1000-memory.dmpFilesize
4KB
-
memory/3816-1099-0x0000022C6E320000-0x0000022C6E330000-memory.dmpFilesize
64KB
-
memory/3816-1115-0x0000022C6E420000-0x0000022C6E430000-memory.dmpFilesize
64KB
-
memory/3816-1214-0x0000022C6D450000-0x0000022C6D452000-memory.dmpFilesize
8KB
-
memory/4092-199-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/4172-1159-0x0000026E7B2D0000-0x0000026E7B2D2000-memory.dmpFilesize
8KB
-
memory/4172-1153-0x0000026E7B270000-0x0000026E7B272000-memory.dmpFilesize
8KB
-
memory/4172-1155-0x0000026E7B290000-0x0000026E7B292000-memory.dmpFilesize
8KB
-
memory/4172-1150-0x0000026E6AD00000-0x0000026E6AE00000-memory.dmpFilesize
1024KB
-
memory/4172-1157-0x0000026E7B2B0000-0x0000026E7B2B2000-memory.dmpFilesize
8KB
-
memory/4172-1161-0x0000026E7B2F0000-0x0000026E7B2F2000-memory.dmpFilesize
8KB
-
memory/4172-1163-0x0000026E7B4B0000-0x0000026E7B4B2000-memory.dmpFilesize
8KB