Analysis
- max time kernel: 1246s
- max time network: 1244s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-05-2024 17:29
Behavioral task: behavioral1
- Sample: MLClauncher.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: MLClauncher.exe
- Resource: win10v2004-20240426-en
General
- Target: MLClauncher.exe
- Size: 66KB
- MD5: 23e7e5af720dfc90b86294a8a7800c76
- SHA1: e674bd73e3c9a496c9b5422f43874fcfc9f5510c
- SHA256: 1810fc024d4da8c805bdf76c8152ec68615c33676c4bee025d889de89af3724f
- SHA512: 0bb3731bfd6601b9b903ce93aa3fc493d063d5ddb20b7e2277808205bcde96f5cc7dafc94caf59ec5e7d0b8a44aa6b739cc6f326d29aaa03c3b85c090cab3681
- SSDEEP: 1536:rttwy1I4PKiFM8tBb1L1JmX2npd6KnXOUVBCIu9BE:BBRPXb1L22pDXOUPCpBE
Malware Config
Extracted: xworm
- 127.0.0.1:2832
- 20.ip.gl.ply.gg:2832
- financial-merchandise.gl.at.ply.gg:64299
- <Xwormmm>:1
- Install_directory: %Temp%
- install_file: svhost.exe
Signatures

Detect Xworm Payload 5 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| behavioral2/memory/3612-1-0x00000000000A0000-0x00000000000B6000-memory.dmp | family_xworm |
| C:\Users\Admin\AppData\Local\Temp\svhost.exe | family_xworm |
| C:\Users\Admin\AppData\Local\Temp\bahrwq.exe | family_xworm |
| behavioral2/memory/3960-107-0x00000000007A0000-0x00000000007D2000-memory.dmp | family_xworm |
| C:\Users\Admin\AppData\Local\Temp\7zO801E4EFE\.text | family_xworm |
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload 2 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| behavioral2/memory/3612-276-0x000000001D130000-0x000000001D250000-memory.dmp | family_stormkitty |
| behavioral2/memory/3960-317-0x000000001D5C0000-0x000000001D6DE000-memory.dmp | family_stormkitty |

Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wbykee.exe |

ModiLoader Second Stage 1 IoCs
Processes:
| resource | yara_rule |
| --- | --- |
| behavioral2/memory/4776-377-0x0000000000400000-0x0000000000487000-memory.dmp | modiloader_stage2 |
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
| pid | process |
| --- | --- |
| 1196 | powershell.exe |
| 2492 | powershell.exe |
| 2536 | powershell.exe |
| 4740 | powershell.exe |
| 3952 | powershell.exe |
| 4200 | powershell.exe |
| 4976 | powershell.exe |
| 1684 | powershell.exe |
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe |
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wbykee.exe" | wbykee.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | wbykee.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wbykee.exe" | wbykee.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | wbykee.exe |

Processes:
| resource | yara_rule |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\eymuur.exe | aspack_v212_v242 |
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | MLClauncher.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | bahrwq.exe |

Drops startup file 4 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | MLClauncher.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | MLClauncher.exe |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system_2.0.lnk | bahrwq.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system_2.0.lnk | bahrwq.exe |
Executes dropped EXE 16 IoCs
Processes:
| pid | process |
| --- | --- |
| 3960 | bahrwq.exe |
| 1140 | system_2.0.exe |
| 4696 | system_2.0.exe |
| 4776 | awtidx.exe |
| 4812 | system_2.0.exe |
| 4896 | system_2.0.exe |
| 4592 | system_2.0.exe |
| 432 | wbykee.exe |
| 2696 | system_2.0.exe |
| 4488 | eymuur.exe |
| 4108 | system_2.0.exe |
| 848 | system_2.0.exe |
| 2828 | system_2.0.exe |
| 2108 | system_2.0.exe |
| 4576 | system_2.0.exe |
| 4900 | system_2.0.exe |

Loads dropped DLL 3 IoCs
Processes:
| pid | process |
| --- | --- |
| 3612 | MLClauncher.exe |
| 3612 | MLClauncher.exe |
| 3960 | bahrwq.exe |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
| resource | yara_rule |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\awtidx.exe | upx |
| behavioral2/memory/4776-376-0x0000000000400000-0x0000000000487000-memory.dmp | upx |
| behavioral2/memory/4776-377-0x0000000000400000-0x0000000000487000-memory.dmp | upx |

Adds Run key to start application 2 TTPs 4 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe" | MLClauncher.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system_2.0 = "C:\\Users\\Admin\\AppData\\Local\\system_2.0.exe" | bahrwq.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\awtidx.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awtidx.exe" | awtidx.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wbykee.exe" | wbykee.exe |

Processes:
| description | ioc | process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wbykee.exe |
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
| flow | ioc |
| --- | --- |
| 7 | ip-api.com |
| 63 | ip-api.com |

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
| description | ioc | process |
| --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | wbykee.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe |

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MLClauncher.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | MLClauncher.exe |
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe 1 IoCs
Processes:
| pid | process |
| --- | --- |
| 5016 | timeout.exe |

Enumerates system info in registry 2 TTPs 10 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | MLClauncher.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | MLClauncher.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | MLClauncher.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | MLClauncher.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
Modifies registry class 20 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\text_auto_file\shell\edit\command | OpenWith.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{5AB3DEE3-F26F-45E5-853F-2A9F8E722946} | explorer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | 7zFM.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\text_auto_file\shell\edit | OpenWith.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\text_auto_file\shell | OpenWith.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\鰀䆟縀䆁\ = "text_auto_file" | OpenWith.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | bahrwq.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | OpenWith.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | OpenWith.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.text\ = "text_auto_file" | OpenWith.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\鰀䆟縀䆁 | OpenWith.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\text_auto_file\shell\open\command | OpenWith.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\text_auto_file | OpenWith.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\.text | OpenWith.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | OpenWith.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\text_auto_file\shell\open | OpenWith.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | taskmgr.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | 7zFM.exe |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | OpenWith.exe |
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
| pid | process |
| --- | --- |
| 5032 | NOTEPAD.EXE |
| 1180 | NOTEPAD.EXE |

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (identical rows collapsed; the report lists 64 entries in total, 2 per powershell.exe pid and 56 for taskmgr.exe):
| pid | process |
| --- | --- |
| 1684 | powershell.exe |
| 1196 | powershell.exe |
| 2492 | powershell.exe |
| 2536 | powershell.exe |
| 2504 | taskmgr.exe |

Suspicious behavior: GetForegroundWindowSpam 6 IoCs
Processes:
| pid | process |
| --- | --- |
| 3556 | 7zFM.exe |
| 2504 | taskmgr.exe |
| 4360 | 7zFM.exe |
| 4424 | OpenWith.exe |
| 432 | wbykee.exe |
| 3612 | MLClauncher.exe |

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes (identical rows collapsed; 2 entries for pid 3016 and 6 for pid 872):
| pid | process |
| --- | --- |
| 3016 | msedge.exe |
| 872 | msedge.exe |
Suspicious use of AdjustPrivilegeToken 59 IoCs
Processes:
| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 3612 | MLClauncher.exe |
| Token: SeDebugPrivilege | 1684 | powershell.exe |
| Token: SeDebugPrivilege | 1196 | powershell.exe |
| Token: SeDebugPrivilege | 2492 | powershell.exe |
| Token: SeDebugPrivilege | 2536 | powershell.exe |
| Token: SeDebugPrivilege | 3612 | MLClauncher.exe |
| Token: SeDebugPrivilege | 2504 | taskmgr.exe |
| Token: SeSystemProfilePrivilege | 2504 | taskmgr.exe |
| Token: SeCreateGlobalPrivilege | 2504 | taskmgr.exe |
| Token: SeDebugPrivilege | 2212 | MLClauncher.exe |
| Token: SeDebugPrivilege | 4548 | MLClauncher.exe |
| Token: SeDebugPrivilege | 2920 | MLClauncher.exe |
| Token: SeDebugPrivilege | 3872 | MLClauncher.exe |
| Token: SeDebugPrivilege | 2084 | MLClauncher.exe |
| Token: SeDebugPrivilege | 1876 | MLClauncher.exe |
| Token: SeDebugPrivilege | 2056 | MLClauncher.exe |
| Token: SeDebugPrivilege | 656 | MLClauncher.exe |
| Token: SeDebugPrivilege | 1268 | MLClauncher.exe |
| Token: SeDebugPrivilege | 4268 | MLClauncher.exe |
| Token: SeDebugPrivilege | 2116 | MLClauncher.exe |
| Token: SeDebugPrivilege | 1880 | MLClauncher.exe |
| Token: SeRestorePrivilege | 3556 | 7zFM.exe |
| Token: 35 | 3556 | 7zFM.exe |
| Token: SeSecurityPrivilege | 3556 | 7zFM.exe |
| Token: SeSecurityPrivilege | 3556 | 7zFM.exe |
| Token: SeDebugPrivilege | 3960 | bahrwq.exe |
| Token: SeDebugPrivilege | 4740 | powershell.exe |
| Token: SeDebugPrivilege | 3952 | powershell.exe |
| Token: SeDebugPrivilege | 4200 | powershell.exe |
| Token: SeDebugPrivilege | 4976 | powershell.exe |
| Token: SeDebugPrivilege | 3960 | bahrwq.exe |
| Token: SeDebugPrivilege | 1140 | system_2.0.exe |
| Token: SeDebugPrivilege | 1768 | MLClauncher.exe |
| Token: SeDebugPrivilege | 2556 | MLClauncher.exe |
| Token: SeRestorePrivilege | 4360 | 7zFM.exe |
| Token: 35 | 4360 | 7zFM.exe |
| Token: SeSecurityPrivilege | 4360 | 7zFM.exe |
| Token: SeSecurityPrivilege | 4360 | 7zFM.exe |
| Token: SeDebugPrivilege | 4696 | system_2.0.exe |
| Token: 33 | 2504 | taskmgr.exe |
| Token: SeIncBasePriorityPrivilege | 2504 | taskmgr.exe |
| Token: SeShutdownPrivilege | 408 | explorer.exe |
| Token: SeCreatePagefilePrivilege | 408 | explorer.exe |
| Token: SeShutdownPrivilege | 408 | explorer.exe |
| Token: SeCreatePagefilePrivilege | 408 | explorer.exe |
| Token: SeDebugPrivilege | 4812 | system_2.0.exe |
| Token: SeDebugPrivilege | 4896 | system_2.0.exe |
| Token: 33 | 1792 | AUDIODG.EXE |
| Token: SeIncBasePriorityPrivilege | 1792 | AUDIODG.EXE |
| Token: SeDebugPrivilege | 4592 | system_2.0.exe |
| Token: SeBackupPrivilege | 432 | wbykee.exe |
| Token: SeRestorePrivilege | 432 | wbykee.exe |
| Token: SeDebugPrivilege | 2696 | system_2.0.exe |
| Token: SeDebugPrivilege | 4108 | system_2.0.exe |
| Token: SeDebugPrivilege | 848 | system_2.0.exe |
| Token: SeDebugPrivilege | 2828 | system_2.0.exe |
| Token: SeDebugPrivilege | 2108 | system_2.0.exe |
| Token: SeDebugPrivilege | 4576 | system_2.0.exe |
| Token: SeDebugPrivilege | 4900 | system_2.0.exe |
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (identical rows collapsed; all 64 entries are the same pid):
| pid | process |
| --- | --- |
| 2504 | taskmgr.exe |

Suspicious use of SendNotifyMessage 64 IoCs
Processes (identical rows collapsed; all 64 entries are the same pid):
| pid | process |
| --- | --- |
| 2504 | taskmgr.exe |

Suspicious use of SetWindowsHookEx 57 IoCs
Processes (identical rows collapsed; entry counts per pid given in the last column):
| pid | process | entries |
| --- | --- | --- |
| 1968 | OpenWith.exe | 23 |
| 3960 | bahrwq.exe | 1 |
| 4424 | OpenWith.exe | 21 |
| 3900 | OpenWith.exe | 11 |
| 432 | wbykee.exe | 1 |
Suspicious use of WriteProcessMemory 64 IoCs
Processes (identical rows collapsed; every row below appears twice in the report, except the last, which appears 28 times):
| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 3612 wrote to memory of 1684 | 3612 | MLClauncher.exe | powershell.exe |
| PID 3612 wrote to memory of 1196 | 3612 | MLClauncher.exe | powershell.exe |
| PID 3612 wrote to memory of 2492 | 3612 | MLClauncher.exe | powershell.exe |
| PID 3612 wrote to memory of 2536 | 3612 | MLClauncher.exe | powershell.exe |
| PID 3556 wrote to memory of 5032 | 3556 | 7zFM.exe | NOTEPAD.EXE |
| PID 1968 wrote to memory of 4092 | 1968 | OpenWith.exe | NOTEPAD.EXE |
| PID 3612 wrote to memory of 3960 | 3612 | MLClauncher.exe | bahrwq.exe |
| PID 3960 wrote to memory of 4740 | 3960 | bahrwq.exe | powershell.exe |
| PID 3960 wrote to memory of 3952 | 3960 | bahrwq.exe | powershell.exe |
| PID 3960 wrote to memory of 4200 | 3960 | bahrwq.exe | powershell.exe |
| PID 3960 wrote to memory of 4976 | 3960 | bahrwq.exe | powershell.exe |
| PID 3960 wrote to memory of 2476 | 3960 | bahrwq.exe | schtasks.exe |
| PID 3556 wrote to memory of 1768 | 3556 | 7zFM.exe | MLClauncher.exe |
| PID 3556 wrote to memory of 2556 | 3556 | 7zFM.exe | MLClauncher.exe |
| PID 4424 wrote to memory of 4084 | 4424 | OpenWith.exe | NOTEPAD.EXE |
| PID 3612 wrote to memory of 3192 | 3612 | MLClauncher.exe | CMD.EXE |
| PID 3960 wrote to memory of 3016 | 3960 | bahrwq.exe | msedge.exe |
| PID 3016 wrote to memory of 2920 | 3016 | msedge.exe | msedge.exe |
| PID 3016 wrote to memory of 2092 | 3016 | msedge.exe | msedge.exe |
System policy modification 1 TTPs 3 IoCs
Processes:
| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | wbykee.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | wbykee.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | wbykee.exe |

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
(each entry gives the process image, its command line and its depth in the process tree; the signatures that fired for that process follow as bullets)
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"
  - Checks computer location settings
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MLClauncher.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\bahrwq.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bahrwq.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bahrwq.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'bahrwq.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\system_2.0.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system_2.0.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\schtasks.exe (depth 3)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system_2.0" /tr "C:\Users\Admin\AppData\Local\system_2.0.exe"
      - Creates scheduled task(s)

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rt.pornohub.com/
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff13c446f8,0x7fff13c44708,0x7fff13c44718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (depth 4)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14118072181476811689,14385248689046351375,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\awtidx.exe"C:\Users\Admin\AppData\Local\Temp\awtidx.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\eymuur.exe"C:\Users\Admin\AppData\Local\Temp\eymuur.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\yrenvq.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "system_2.0"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5A4B.tmp.bat""3⤵
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\Windows\SYSTEM32\CMD.EXE"CMD.EXE"2⤵
-
C:\Users\Admin\AppData\Local\Temp\wbykee.exe"C:\Users\Admin\AppData\Local\Temp\wbykee.exe"2⤵
- UAC bypass
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqcoap.bat" "2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mcserv2847.github.io/2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff13c446f8,0x7fff13c44708,0x7fff13c447183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:33⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5096 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,10353074252557061236,1210973725353074128,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5580 /prefetch:23⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\smishno).txt1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4ED5C4BD\version.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4EDD496E\12⤵
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MLClauncher.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8012F0DE\.reloc2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO801E4EFE\.text2⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x404 0x4941⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\system_2.0.exeC:\Users\Admin\AppData\Local\system_2.0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MLClauncher.exe.log
- Filesize: 654B
- MD5: 2ff39f6c7249774be85fd60a8f9a245e
- SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
- SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
- SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
- Filesize: 2KB
- MD5: d85ba6ff808d9e5444a4b369f5bc2730
- SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
- SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
- SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
- Filesize: 152B
- MD5: b2a1398f937474c51a48b347387ee36a
- SHA1: 922a8567f09e68a04233e84e5919043034635949
- SHA256: 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
- SHA512: 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
- Filesize: 152B
- MD5: 1ac52e2503cc26baee4322f02f5b8d9c
- SHA1: 38e0cee911f5f2a24888a64780ffdf6fa72207c8
- SHA256: f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
- SHA512: 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
- Filesize: 152B
- MD5: 4ae558d9a60b658bbaca0fea1f96e6ed
- SHA1: fc97b01845924cc27c43d658e6f068a1ef17bb31
- SHA256: f76c65d0fb316e5e0245e4a320a352e85cb97ec168e742e6f95bf7b70cc89a83
- SHA512: 450f406c52a3088e59923fc717222891a7f257b5b5864b4811de23e8ab7b06f9155111662052d5c4a92884a71b6043805190af2e1d1b3572e8507b4ba5851f3b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
- Filesize: 152B
- MD5: f345a055b63637a2070e5d80f4558d10
- SHA1: ca4d09a1090cf4abe52cbde996f0849113d0a82d
- SHA256: 184d496618ca7cbc36a786ea6bd50eff2f4f7ba1fb18104540ec892665fc311e
- SHA512: 13c8b5cd04aa8fe3ab7d8a85cf77b53e8a2b4f290d2011f4f5b6633bdc10c6c8c1b7ebbc5db49988786f6aa812e5eb95c7fa167d7342b99e04ec9285384cf270

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
- Filesize: 6B
- MD5: a9851aa4c3c8af2d1bd8834201b2ba51
- SHA1: fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
- SHA256: e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
- SHA512: 41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
- Filesize: 334B
- MD5: 84aacb7c324413f557f298acc4d8ce80
- SHA1: c54df7429b92498bffef8d98db076b613f1b86c3
- SHA256: 7aa6a4c84eae021d1f92bf00ce8b632da6790eb00fb2617f318e183324e46ef5
- SHA512: 4873ffdf2061dae379345492f3a502e4a38bcfb594d5163943e98ea0f624becbeaeafb522bcf17fa91adb985117291dd8da2ed6a4048d68caad6de94c489f380

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
- Filesize: 111B
- MD5: 807419ca9a4734feaf8d8563a003b048
- SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
- SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
- SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
- Filesize: 481B
- MD5: 81df2acddd34d388370f2ccb5be835d0
- SHA1: 1b843d2452449c5b928fdaf99db49e822ff60183
- SHA256: c75f0498654c064bf868eab4f853b4d32378f91ea86a6502c1a7bbe58250ba51
- SHA512: 6a3265091ce7932267bc59ca154001ef0b3ca70f20bd7f652cd08152bfebf5df83b2dd0d975847ede36b6316c5719a966aa5df08bbe83913bd1a5a7a744a3cb1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
- Filesize: 6KB
- MD5: af24d63f57af4cca885cd144a73688ce
- SHA1: f00156055937c1e7e283b50b64d93614d8d14e4c
- SHA256: 9b19bcff64e24e039e1f6bdb4f615e835bfa6833b734b83118be55e1ff48457d
- SHA512: d5f7616734a778f337cb2dbca51c6a4d908f6edd19236fb11c07127a93bf8bcc7f234a4048f1ac77880ebf8146e73581df2be7d16c17f46abd3062ba9f65abad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
- Filesize: 6KB
- MD5: 4ace2fc1925b64a7eeaefdd4a2bec185
- SHA1: c0c77864b6d8bda5d81c1ad4c0b793ab86c45712
- SHA256: ded181fc63041eb1eb523ba3a72a25ed87eda5e4abda7918c590ab48915bb23b
- SHA512: 149a3902bef88df1b39f8f91b12618505093ced76dd77d3568b64e92c4a14ebbefdd171178b18a60dda0d29dbceb101307c6bc592ba607f9161370661a5ad548

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
- Filesize: 6KB
- MD5: b4ef1aa45f55becb98ccc975e1c8c4bc
- SHA1: add0e7266be13b42bbfd60ca177d715f7f6cff35
- SHA256: a34c44aa8045d7cf0444325ae86a4d2527036d4f28a02a8c717e522f5392e3ac
- SHA512: ef4f69d83421cf1bb792090ce1fe3861745d6bc9e185ef9eeabd968fc7cb6ae5f9c0d7799d184f3f6de4b28cc4d72f3623f5847a85adb809be63f4ca737a8c97

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
- Filesize: 6KB
- MD5: 7808cd08a6f3a79b3c2d632fb5d833bc
- SHA1: 33c38fd2d110f16567343d3265364d183770b933
- SHA256: c6d32a99b8f30de3af988d7c146a8fd216e0a728d825b9711518e08a51a3bbaa
- SHA512: eaff7eebb35a0ad4a1b84e1f4f029256decf2b629786e83f4638a40ac2c02ba24689d65d8cbc642ed3e70257ce1f81b1309feee7343ba1515400a16204d4fdfb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
- Filesize: 6KB
- MD5: 99b3a7acb3b7b684b457498a75963ac9
- SHA1: 54a36f61b227b93d8cc06996fedca9b7823a274a
- SHA256: c983451d9e2b5f3e0a32b984da5a3c9bf44d1cb180c788b9e11c20d94ccb0f0e
- SHA512: e67da2e48b33b30beb31c73eb0330ad2499df0d331dde80661cad6b4d51cacca8f75113496cd508b7984038be2c44e197ed6c365a4e1fd73e4a425dce39b78d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
- Filesize: 6KB
- MD5: 85ef39dbb8081a851f4eb5bf072e4906
- SHA1: 9c834fd6eccea47f2bda6cc53d19c8dcebd5e2a4
- SHA256: 323d87bf56139c0a5559052c16bf3e098c3503fd78597074b07f6775e1ad95cd
- SHA512: f0cd9cdf9f8caf2a1ba51411c7f92b59c20869226e9fc44ed37b2c01e3ddfb6057cd5144aedc5af170d732c4fe9a07744e6114585714f2441080e8768b17c4e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
- Filesize: 322B
- MD5: dc0e9917bacefd0d9ab57a29f5cd5ff6
- SHA1: 03b0e53c76d5df32a06ef1afe195f25e12cef191
- SHA256: b77c748cf5fff6f8fff48facb96e0e840b99a0377cc244c3fd803908685fc3c8
- SHA512: cfa18b7a5fd5aefd16bd69a49f60513febbb808330485d9dcf0480db6f4a3d9bb2525d16d1150165bd48864c3688aa76a323b22381f1f0bc6529986746cfd550

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13361478154737457
- Filesize: 933B
- MD5: e5abd9a633579e2c501bbb8413fd4bf7
- SHA1: c718f03ffc6fe66f01e15b4604fe505d54f64218
- SHA256: 54348574ffca1e1175281966516f540f2cb60376a08ce56cb525106c9025aa3a
- SHA512: 83f5e1904794e949d87baaed117d0231ab4436ff60f5de6115491e0409d05892430e452b230ca938705e509c02a231a211f8cc4cabcd0257f54d8722911d5c0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
- Filesize: 347B
- MD5: 810e764263bad12bd0325efa825fa257
- SHA1: 88bbd5096e9d47cb716d65f9224f8b6f2e35d2f4
- SHA256: bbfc9e78201b96af567a5d780f09ec0f2cf318f5d6c8fddd25cb61c2f153b6b3
- SHA512: 2bbff9696652c33f3932b78830836338319c26d0d3e3a48b01817b883d732b3c63979f9cb28b0bfac0b91f7e14b0feec0008b2dddc9b421d583c468886a1c40c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
- Filesize: 326B
- MD5: f89fda727134d8a08e27b6fae15d18e6
- SHA1: 38363be68d9b93002e053b8849b11675b4f690d2
- SHA256: 8b27698d52e78afa943c9a2560f887ebd2eeb5b0fa2c426abe8dc15c47bf33bc
- SHA512: b4c64896f2d01f2e2d67fdc7c5cb83c2cae2aee5df12416cd25887e52ceb3577729bf52b57b85554e5118fa0b1fec522757988f0dfe3dda62759be1f8746af48

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
- Filesize: 372B
- MD5: d625c5791f2d7c1b553500e8d95b364e
- SHA1: 1de4831ee53fd3930efcbbf9ec57fbe8d932aa93
- SHA256: 7c7d3bb0a0fff2c1951e138e728a4d7f98f91d12d1fd45bfebe131daac0f0e94
- SHA512: 55124632a5c59d0e7400c9060c313537a55f124ec10816b96fa28dfbbefa4355f88b126d60db9ed44a81fdc364422d5cf56d528b2bd8989d5b64209f704785ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe662a43.TMP
- Filesize: 372B
- MD5: 5c13869b7f4bfa476f3b686c40c7d86b
- SHA1: 79dffce0d011b3b7c1e909aaeb17927ce205bfd5
- SHA256: bebbef2cf9b5d8406cbf742d0a6dd1d43a241fd81047c95f69c0070a2f90a2a7
- SHA512: b8b2b7fa07bc26f42fcae81ce16457b2f2f2693f59d847c58b80092484dd3ddf9a66327606d84136c4c87fea8aeffb5a20e8bc6bf366c00c1f135c7c3c61858e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
- Filesize: 16B
- MD5: 6752a1d65b201c13b62ea44016eb221f
- SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
- SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
- SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
- Filesize: 16B
- MD5: aefd77f47fb84fae5ea194496b44c67a
- SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
- SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
- SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
- Filesize: 44KB
- MD5: 1fda74b79c3535f27542e8c12f174078
- SHA1: c7d296adbd4d8dbcceccc705637bce8c28221ca4
- SHA256: e3b199a00f5ae41c8b8916fa246e71ae03e5e5533213527dec2f02af71364b68
- SHA512: 6f653341a8e880f40f664a8025b3cf4a56aa99c47ce20c7987f352468faf3ada523586c35c41e7fbf39c177f729bfe3c9cb92ca64c6a53e292e2108ebbe6e522

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
- Filesize: 594B
- MD5: 3fd219ba1603630bdff17a434f9f2f0b
- SHA1: a798f9defff59ef97501ed3dcb1916324fdac8a7
- SHA256: 29f6ce364240a79e1ec870250462d66adc749e7ddddd2d54092e22e333792278
- SHA512: 07952b691af4f5c422f589c45effdc30147fb450c5b01b4a214859aeadb6a9edf241f36378902efa588f4fc4203f8753de2265e606a2ecb29780248e66270a76

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
- Filesize: 340B
- MD5: 587c0f47ae90929bb99811df87e832bb
- SHA1: 3a2bb922dace9c1ba78c652bdf729d58c2b9117a
- SHA256: 1e2d4b9ada39ca577b6578b6527633ed823300b12a2593c5b3c06dbb85f24951
- SHA512: 748cd99c8c53570b40039b2c4d2a211fe6564815f93dffbd5869a4de495f8fa18024c969150597c30e482b758636e5573f81f8bf7bfdbbd5ce30e44ca36cfb36

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
- Filesize: 11B
- MD5: 838a7b32aefb618130392bc7d006aa2e
- SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
- SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
- SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
- Filesize: 11KB
- MD5: 25201bad9843a6ada66469d01fabd781
- SHA1: 942025294d610e2504585cfee62c6f052ffd9c05
- SHA256: 87c6d2770c86cfd7a73917497162fb91087630ec20871a4951b05fc96344e855
- SHA512: 2b7e5f0f9a22129327996739b85a285bf19f5f7d865aee7fcf44b04e4e58c568371c63772fad5dc6bca1c46da0e36d18cfb677bd5641a5fd2355d16d36788b20

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
- Filesize: 10KB
- MD5: 40c147040ed0a3a2ca5f8ccd94bec848
- SHA1: 2529a78e42e5370995b8056714e87ea50aa08993
- SHA256: ece2b7e3e00ae111a3284a376902742f31c5b51a1d31f81c3bcb33ac7754e684
- SHA512: d90660e10be815bf8e6987e2eafbe1558357e2d9e324ebfb69de945486260e6501eba282d36c656c6430cc06ec938dadf2dbda2c7a8aad4a2731907c24612407

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
- Filesize: 264KB
- MD5: f50f89a0a91564d0b8a211f8921aa7de
- SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
- SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
- SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 944B
- MD5: 65a68df1062af34622552c4f644a5708
- SHA1: 6f6ecf7b4b635abb0b132d95dac2759dc14b50af
- SHA256: 718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
- SHA512: 4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 944B
- MD5: 65e4f01c24b55569d54d23b8efd0c8d5
- SHA1: 2c58f21418af8c0f1e118a7f3cf17d8448a8be64
- SHA256: c1e9cf9a0865152d180419cb3ebc77538bdbdc9d1e633eb71ad6871fbc4d4763
- SHA512: afaf0c200caba78650aee46bd62994c5becc073c22cb62404f783b257c78a72061e240b8678c38790b2cec1e41429161b13c6d92cc9817fe70e86abff5af2056

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 944B
- MD5: 83685d101174171875b4a603a6c2a35c
- SHA1: 37be24f7c4525e17fa18dbd004186be3a9209017
- SHA256: 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870
- SHA512: 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 944B
- MD5: 7d9ecfe610b58440e18d2bffe5167d71
- SHA1: 7afeed064042ef5e614228f678a0c595699c3d84
- SHA256: 2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632
- SHA512: 017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 944B
- MD5: 6d3e9c29fe44e90aae6ed30ccf799ca8
- SHA1: c7974ef72264bbdf13a2793ccf1aed11bc565dce
- SHA256: 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
- SHA512: 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 944B
- MD5: 6f3b96b24f06e2d37a46e43e8b784f56
- SHA1: 7be6702c5867f359e913eeeecdd5b76698589295
- SHA256: 8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720
- SHA512: d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 944B
- MD5: 47605a4dda32c9dff09a9ca441417339
- SHA1: 4f68c895c35b0dc36257fc8251e70b968c560b62
- SHA256: e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a
- SHA512: b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

C:\Users\Admin\AppData\Local\Temp\7zO4ED5C4BD\version.txt
- Filesize: 1KB
- MD5: 4c5ede9ddf5c90d3b3dd9ff6a136d1be
- SHA1: 7635c76666ed69ec1aa2dfb44e17867c393dd123
- SHA256: 8ba25de9b2670be9a304d0e052c3efac49e88a94b1360b30b88ba141dd6655ec
- SHA512: 13cd035135fe9bd46987ef09e2a7a6d55359ef716f17eab56e9330d9d2f8482d7b68a224a77f542489418ad6cf6fe2f5e5cd8d1500292aa13ca2b54596ed0d64

C:\Users\Admin\AppData\Local\Temp\7zO4EDD496E\1
- Filesize: 490B
- MD5: a19a2658ba69030c6ac9d11fd7d7e3c1
- SHA1: 879dcf690e5bf1941b27cf13c8bcf72f8356c650
- SHA256: c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f
- SHA512: fa583ba012a80d44e599285eb6a013baf41ffbe72ee8561fc89af0ec5543003ba4165bfe7b1ba79252a1b3b6e5626bf52dc712eacd107c0b093a5a2757284d73

C:\Users\Admin\AppData\Local\Temp\7zO8012F0DE\.reloc
- Filesize: 512B
- MD5: 1deade56951cba0eb9b5db159416d0e9
- SHA1: c3dc2b227ac2ca4c67e6430a7c663f221d99c474
- SHA256: d4d6020cce7aaf4bfe89931092e9808590c58de4ac7c31c63b3013b86404bff4
- SHA512: 5decca2b667cf5f87e2b147fbdeabb67649de524372168500b35e97cc1a9ea605e843840dc56a22952549279345fd9dd9c57c90d768c0036751b101d08f2d432

C:\Users\Admin\AppData\Local\Temp\7zO801E4EFE\.text
- Filesize: 63KB
- MD5: 9ebfe80abf28382ce7eb8c0b383bd48d
- SHA1: 3e363375374931fc0dd42735ff79d4f5660af31a
- SHA256: 11c71738af94d2784e26a3fa3621960c9a4ebff6bfc98fb8047730ab902a749f
- SHA512: 54a1cdef38554f3c7899d6e445db9793f034e36462357586502537fe3ca6e08c0fb3be85258be55bfc1654ec4756af606a8f3b7c764321b84b1ee5e7893e8c76

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lq3dkt5a.l1y.ps1
- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\awtidx.exe
- Filesize: 206KB
- MD5: 362b515ce8b6c1d0e355365a1ca706b7
- SHA1: 340e2350c538ca4911315aee7abebe38d2e8edb8
- SHA256: 4002b8f40aaa94cdcf0373abc1601ddd30a6f205c99e500a7e203ee8d3ed5325
- SHA512: f7f201eeee17d08ac8003f2561a9969fe359b4412baf3586e9839cd22fe4616b413e8fc940608672ac13d62036b0c4f4a3ffbc8c404f710d13919ffb86f67cc4

C:\Users\Admin\AppData\Local\Temp\bahrwq.exe
- Filesize: 176KB
- MD5: bab5c4a5f667e3ee78612d22c7d2dc47
- SHA1: c63dcc1ac9f2c0deda96c455c82b15e933726307
- SHA256: 1794fea06bcf0cf96f65059ea316b1e5ca86e1072077cfd1768f15cab5aeb56a
- SHA512: 5f74c83e0e6a23cf0a7b22e39f8ce6a8c0757db98a72e97319cac90d65469f946bb4140919dba2c09af534fe7b7b406d0f13bc590b3e8c6ad1834e06b0c10a47

C:\Users\Admin\AppData\Local\Temp\eymuur.exe
- Filesize:
248KB
MD520d2c71d6d9daf4499ffc4a5d164f1c3
SHA138e5dcd93f25386d05a34a5b26d3fba1bf02f7c8
SHA2563ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d
SHA5128ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704
-
C:\Users\Admin\AppData\Local\Temp\places.rawFilesize
5.0MB
MD52b0b966b1be75d105fb7e1161cc39c02
SHA159f22e80633bd25ee7414dc1ef209806ce058724
SHA2568de6576d21b54de940db46879dac7bb406ec9fed05c7663a56860fa2a56527b2
SHA512ad54784fcb873b6843dcd95d06a1c7d9ea3e1e038acdb66a1213036930a9c965b2d2957489dc1f842a0a04f35a134a617a3930182615f6996a953d9fe702125d
-
C:\Users\Admin\AppData\Local\Temp\svhost.exeFilesize
66KB
MD523e7e5af720dfc90b86294a8a7800c76
SHA1e674bd73e3c9a496c9b5422f43874fcfc9f5510c
SHA2561810fc024d4da8c805bdf76c8152ec68615c33676c4bee025d889de89af3724f
SHA5120bb3731bfd6601b9b903ce93aa3fc493d063d5ddb20b7e2277808205bcde96f5cc7dafc94caf59ec5e7d0b8a44aa6b739cc6f326d29aaa03c3b85c090cab3681
-
C:\Users\Admin\AppData\Local\Temp\tmp51B3.tmp.datFilesize
100KB
MD5d4993802b9cf3203200f899233c3e2fc
SHA1a632e8d796c8a0d1cf8cda55aa882b1a82b7318f
SHA256cff606c51ac13f4352de08f7838939c1e261bdc232a10bb94f6924d00cbd0dd6
SHA5121910cf846fe61ef744dc6bcf9062caaf6ab1856a64bd8aa6849cbddcdc8fa921f0cef16d0d9cc38842345f5873724b27764307076bd50bd46bb74f643cde03bd
-
C:\Users\Admin\AppData\Local\Temp\tmp51F8.tmp.datFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\tmp8596.tmpFilesize
100KB
MD51b942faa8e8b1008a8c3c1004ba57349
SHA1cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA5125aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43
-
C:\Users\Admin\AppData\Local\Temp\wbykee.exeFilesize
2.5MB
MD5971fc96da6226204766efbbe23dafa43
SHA1ba78587dc5f15ec6afbcb103d86e9ceb9e4d5281
SHA256e21716da385fcb1fca8a98136f9b683eb3dc53de4cd0e8ed08c051e74270fdde
SHA51234f976f97cb1634d1f880595d0b20ee4e4e1636a3d5d29c750d5d142fe39ab5e78de0239bdc75ce04d80c4efe3aad01de169afb22bab7914b551a88b98ba22c4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnkFilesize
1KB
MD5daf7a1c73ebcfdc801f4b6e47c240b32
SHA1640dacad0b1bee946b3dcf5d51da9a0ca464c668
SHA2563bc39c7e4eb531d7cfeae8a8cde4e4a69efca0fa806492bfa108b30d090d5ac6
SHA512c75374d51df049c7ac18078fa91a60af60a27a33e557d7b10e31ed2caed9017503f2b9fe842d699266aa64d1b02f0044089639bc43d4593de22de65bc6309a7f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system_2.0.lnkFilesize
979B
MD5c82bafe81cb48d1bcb0b62d3adbd69c7
SHA17768c96ff8b1d35e688ad659966a1f63147fa9b0
SHA2569a987b20b6f2f5144e6711ee7892911545215d9ef6423616b77562e5a200806f
SHA512fc0bedd7334ed87c67f2574d495da7358b78734794f76f015748748216fce8fad02b619a1a30acd0b311bb673edf3f4d30b19f0c121cefae65dad010d9b0229b
-
\??\pipe\LOCAL\crashpad_3016_XSMSNNNYJOTSCXCNMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/432-674-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-790-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-961-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-932-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-720-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-700-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-997-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-889-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-540-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-851-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-770-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-743-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-1048-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-654-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-632-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-609-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-582-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-562-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-1074-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-425-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-444-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-466-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-491-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/432-510-0x0000000000400000-0x00000000006CC000-memory.dmpFilesize
2.8MB
-
memory/1684-18-0x0000028CF5E80000-0x0000028CF5FEA000-memory.dmpFilesize
1.4MB
-
memory/1684-19-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/1684-3-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/1684-13-0x0000028CF5D50000-0x0000028CF5D72000-memory.dmpFilesize
136KB
-
memory/1684-14-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/1684-15-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/2504-79-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-71-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-73-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-78-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-72-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-80-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-83-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-82-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-81-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/2504-77-0x000002370CAE0000-0x000002370CAE1000-memory.dmpFilesize
4KB
-
memory/3612-62-0x000000001AAB0000-0x000000001AAEA000-memory.dmpFilesize
232KB
-
memory/3612-315-0x000000001B700000-0x000000001B70C000-memory.dmpFilesize
48KB
-
memory/3612-390-0x000000001BF40000-0x000000001BFCE000-memory.dmpFilesize
568KB
-
memory/3612-1-0x00000000000A0000-0x00000000000B6000-memory.dmpFilesize
88KB
-
memory/3612-165-0x000000001B970000-0x000000001B97A000-memory.dmpFilesize
40KB
-
memory/3612-161-0x000000001EA50000-0x000000001EF78000-memory.dmpFilesize
5.2MB
-
memory/3612-2-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/3612-160-0x000000001B7C0000-0x000000001B870000-memory.dmpFilesize
704KB
-
memory/3612-276-0x000000001D130000-0x000000001D250000-memory.dmpFilesize
1.1MB
-
memory/3612-60-0x0000000002040000-0x000000000204C000-memory.dmpFilesize
48KB
-
memory/3612-59-0x00007FFF197C0000-0x00007FFF1A281000-memory.dmpFilesize
10.8MB
-
memory/3612-0-0x00007FFF197C3000-0x00007FFF197C5000-memory.dmpFilesize
8KB
-
memory/3612-58-0x00007FFF197C3000-0x00007FFF197C5000-memory.dmpFilesize
8KB
-
memory/3612-360-0x000000001B720000-0x000000001B72A000-memory.dmpFilesize
40KB
-
memory/3612-901-0x000000001B9B0000-0x000000001B9BA000-memory.dmpFilesize
40KB
-
memory/3612-89-0x000000001ABA0000-0x000000001ABAA000-memory.dmpFilesize
40KB
-
memory/3960-359-0x000000001D6E0000-0x000000001DA30000-memory.dmpFilesize
3.3MB
-
memory/3960-361-0x000000001C970000-0x000000001C9AA000-memory.dmpFilesize
232KB
-
memory/3960-317-0x000000001D5C0000-0x000000001D6DE000-memory.dmpFilesize
1.1MB
-
memory/3960-366-0x000000001C010000-0x000000001C01A000-memory.dmpFilesize
40KB
-
memory/3960-275-0x000000001C950000-0x000000001C95C000-memory.dmpFilesize
48KB
-
memory/3960-107-0x00000000007A0000-0x00000000007D2000-memory.dmpFilesize
200KB
-
memory/3960-367-0x000000001BFA0000-0x000000001BFB2000-memory.dmpFilesize
72KB
-
memory/3960-381-0x000000001BCC0000-0x000000001BCCA000-memory.dmpFilesize
40KB
-
memory/3960-389-0x000000001BF90000-0x000000001BF9A000-memory.dmpFilesize
40KB
-
memory/4488-557-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/4776-376-0x0000000000400000-0x0000000000487000-memory.dmpFilesize
540KB
-
memory/4776-377-0x0000000000400000-0x0000000000487000-memory.dmpFilesize
540KB