chimera | 7dbdb8b4fd0fcf92596a02a244e73a019c65ed0bd6e4cd52203efa2d25c17330

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-07-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
Size

232KB
MD5

60fabd1a2509b59831876d5e2aa71a6b
SHA1

8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256

1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512

3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP

3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi

Score

10^/10

chimera credential_access discovery ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/2872-3-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Renames multiple (3249) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Public\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment-2x.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\13.jpg	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.24123.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\ribbon.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\mask\mask_corners.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-32.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osmmui.msi.16.en-us.vreg.dat	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ci_60x42.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-200.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-32_altform-unplated.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x86__8wekyb3d8bbwe\logo.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\WideTile.scale-125.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\sfs_icons.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Popups\Upsell\background.jpg	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\ui-strings.js	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\SkypeAppList.scale-100.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-125_contrast-white.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.scale-125.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\11d.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\angel.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraLargeTile.contrast-white_scale-125.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\AppList.scale-200.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adc_logo.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\WindowsPhoneReservedAppInfo.xml	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\themes_frame.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-125.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_Spiral.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\MedTile.scale-200.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\ui-strings.js	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-200.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-200.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Close.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ui-strings.js	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-white_scale-200.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\Icon.targetsize-256.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\common\King_Of_The_Hill_Unearned_small.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\DailyChallenges\tile3_diamond.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-30.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\SplashScreen.scale-100.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\fi_16x11.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-200_8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1113_20x20x32.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\ui-strings.js	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-150.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small2x.png	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3883688402"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000691450fdbb89fb4887673729dc870e6b000000000200000000001066000000010000200000006e96d64e29c0ecf080ae1b7ffd78b8a61b0978c44e4060d731c7a712395a6c40000000000e8000000002000020000000aff75479a16d77fc32b538aa57c000ef9545751794663ae83c5fb9eef5a9bbcf2000000063417b72e74128e173d4472816b58a268414e8e4e25bdb40a970d62e128f1b2540000000a3ed6fb9c20f7fd1237194da0558324cf1d2f7284eb25ba2046547b03c92588b6cb68dc740ce2efeb7aebf0f97478474ad88469d28ad16a7ea285b3d9acc31e5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31120868"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31120868"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000691450fdbb89fb4887673729dc870e6b00000000020000000000106600000001000020000000a5dba597eaca570d5351a71cd06d206ce972a47dd57686254771928ac2719469000000000e8000000002000020000000206efc5c672f75ccdec3f1188f9ad159950afe9d7f4638ecd993acb9bfcf5a0820000000d083c361aa7d260864ccfe82f9c976c33d237a9b1824fb4012df7453766728304000000067cc512729eee99dcfd850acb33990e5fbb96c4101275d9484c32f3d51e58e41a470d2b5124df95f5476df8e1f9e6360743babaa53805d27a7ae9c308454e083	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b5b4e8e4ddda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{13284B2A-49D8-11EF-92F7-765C1CF5FF36} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3883688402"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70babbe8e4ddda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mega.nz	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d912c9c9e4ddda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000084ac5e7936a969bf063f81ce69d9c0a68cf6ded12adb9da743790589f9ba1145cca193175de9c9d5a81ee3dc8b37e32c1d26ca83becb9d1a79d7	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mega.nz\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "428651324"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "428619333"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a42535e4e4ddda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5b4269cfe4ddda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mega.nz\NumberOfSubdomain = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mega.nz\NumberOfSubdomains = "1"	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2776	MicrosoftEdgeCP.exe
2776	MicrosoftEdgeCP.exe
2776	MicrosoftEdgeCP.exe
2776	MicrosoftEdgeCP.exe
2776	MicrosoftEdgeCP.exe
2776	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
Token: SeDebugPrivilege	4600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4600	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4456	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4456	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4456	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4456	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4388	firefox.exe
Token: SeDebugPrivilege	4388	firefox.exe
Token: 33	2580	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2580	AUDIODG.EXE
Token: SeDebugPrivilege	4364	MicrosoftEdge.exe
Token: SeDebugPrivilege	4364	MicrosoftEdge.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4648	iexplore.exe
4388	firefox.exe
4388	firefox.exe
4388	firefox.exe
4388	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4388	firefox.exe
4388	firefox.exe
4388	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4364	MicrosoftEdge.exe
2776	MicrosoftEdgeCP.exe
4600	MicrosoftEdgeCP.exe
2776	MicrosoftEdgeCP.exe
4648	iexplore.exe
4648	iexplore.exe
4916	IEXPLORE.EXE
4916	IEXPLORE.EXE
4388	firefox.exe
4388	firefox.exe
4388	firefox.exe
4388	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2776 wrote to memory of 4456	2776	MicrosoftEdgeCP.exe	78
PID 2872 wrote to memory of 4648	2872	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe	81
PID 2872 wrote to memory of 4648	2872	1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe	81
PID 4648 wrote to memory of 4916	4648	iexplore.exe	82
PID 4648 wrote to memory of 4916	4648	iexplore.exe	82
PID 4648 wrote to memory of 4916	4648	iexplore.exe	82
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 2776 wrote to memory of 4340	2776	MicrosoftEdgeCP.exe	83
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4616 wrote to memory of 4388	4616	firefox.exe	86
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87
PID 4388 wrote to memory of 1756	4388	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe
"C:\Users\Admin\AppData\Local\Temp\1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4648 CREDAT:82945 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4916

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.0.229443105\2015967010" -parentBuildID 20221007134813 -prefsHandle 1600 -prefMapHandle 1892 -prefsLen 18084 -prefMapSize 231738 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91d136ea-b09f-4188-85c5-77ace2a398ab} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 1856 196f1d64458 socket
    3⤵
    PID:1756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.1.1730784827\669215872" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 18635 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b14de5b0-5b88-432b-b2f1-d69f00574337} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 1832 196f1d65058 gpu
    3⤵
    PID:856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.2.191978716\1635074718" -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3092 -prefsLen 19464 -prefMapSize 231738 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a3265fa-b9ff-4356-9b05-40abd20a8813} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 3108 196f4f84358 tab
    3⤵
    PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.3.2024589217\1413990679" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3416 -prefsLen 19572 -prefMapSize 231738 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aabee47a-2373-4021-bc4b-11799183ed11} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 3408 196f5995e58 tab
    3⤵
    PID:5184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.4.1204830716\557935034" -parentBuildID 20221007134813 -prefsHandle 3948 -prefMapHandle 3944 -prefsLen 21588 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e9c2e7e-af7f-4b6a-aafd-cd64412affa5} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 3896 196f5a48a58 rdd
    3⤵
    PID:5512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.5.1557535145\1887537632" -childID 3 -isForBrowser -prefsHandle 4736 -prefMapHandle 4732 -prefsLen 27853 -prefMapSize 231738 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd5624b0-43dc-4ffd-b461-fc3a554a5742} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 4812 196f921c258 tab
    3⤵
    PID:5820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.6.1848781132\1802673482" -childID 4 -isForBrowser -prefsHandle 4748 -prefMapHandle 4744 -prefsLen 27853 -prefMapSize 231738 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0238e0bd-4346-4213-b70b-4f668db06a58} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 4828 196f921cb58 tab
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.7.497426447\393083394" -childID 5 -isForBrowser -prefsHandle 5184 -prefMapHandle 4776 -prefsLen 27958 -prefMapSize 231738 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d14b1777-b34e-452a-87d9-213f83f7d5ff} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 1908 196f921ad58 tab
    3⤵
    PID:5944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.8.409726981\2065934056" -childID 6 -isForBrowser -prefsHandle 5728 -prefMapHandle 5724 -prefsLen 28311 -prefMapSize 231738 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4699081a-446d-4aa2-89f9-76b668c6a65a} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 5736 196facc9058 tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.9.1624372454\1186919998" -childID 7 -isForBrowser -prefsHandle 5924 -prefMapHandle 5744 -prefsLen 28311 -prefMapSize 231738 -jsInitHandle 1216 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {811f96a3-fea8-4511-a407-30382c28248b} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 5904 196f5fe4658 tab
    3⤵
    PID:5124

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
dc53b04721b39802a04592f853538e64

SHA1
1899879709408836dbf540c18cfbe0de80b39805

SHA256
57eb1324be08bd7caf9056370b1885c44a4f535b2905a200b6cd5c1ce9135a3a

SHA512
d892670588fc07095e40a9b32f6ed17362c152f0ec7cacad032b81d756c7793e15d0fed81b3057d849f406e59c427fdf263dfff1ec5f7f4b06a786e7076da78b

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
754c60704e49a33416fa108cccfd927c

SHA1
876b19e48fa7f63fe12a23d0851b7ef0d8aff355

SHA256
78e56a40657af66000f8251104e476e1b54cd8264669e1af1b94a9eba7826632

SHA512
afbe95157ebde7af3f04819e5af5d83a1d4a8570fb1fde961867e47582adeb75f1c5fc4e22a6ff7e6132c9575c3e1fa33c7775b244950b67377905b15980f5e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
b30fa1c01f7356209d91c1b1e0a20e35

SHA1
56f3bb996552d347ac8a29858789a3052553e1b9

SHA256
d56ed1df6c506cc5cb9075a78d92dc855ed790b222aff0f51a30bbc01c6d8a60

SHA512
94637a286cc3171b7cddf4a4d718db72c50ab4c9b3ddde9d9828bc591f4a563ef88246b458b5739641f5adfa28534f8b182b50a6c0e692799f66434f4a363c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\T28YHK6H\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
e4f1e50a13f9d1f863ae99825301ec19

SHA1
1f999d3d68743364fc54bbc4379bb48b8e6896f2

SHA256
78d3f1301ae478334e5ebe9f66e3ae0b9079f5db9bc38536fd812f9286c4cf8a

SHA512
c4f3a2b922f51c94069066e4856cfc05642f70be73b2981d6a31f401191197e3a77698cfece9ab6be4cbb44044c0413275b0c0ea69cb65da072cb5b51afeb155

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\cache2\doomed\18377

Filesize
51KB

MD5
ad90f2f0ce393b7f29c0831fdcf5a9d0

SHA1
ff7ebdb2c9f0bb9184b67e33e326830a182eb84a

SHA256
33f60dc2114a939b08658095a7dd87bfb6a1894b928b8edb4aa200d221ced2f0

SHA512
88ae82a6187398938dad9970e164ab9532a47c8c66b3316b3d79337b806915698712b171fa8eb93a2627ca4d7e683fed7716b18db88bff9c56f1301528a75a68

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\0H4D9VJ9\favicon[1].ico

Filesize
6KB

MD5
72f13fa5f987ea923a68a818d38fb540

SHA1
f014620d35787fcfdef193c20bb383f5655b9e1e

SHA256
37127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1

SHA512
b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\UHOV4U59\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFC5223E56708BE22F.TMP

Filesize
16KB

MD5
a808e1de4c717ee49ea97981d4d3ca12

SHA1
3762e421dd0212b341d028a804c6d37560031663

SHA256
931b294f9bd97fdaf4d8453773d9bfa20ae74b9405eedc4cc4657ba8bc4499f4

SHA512
fac5e5a4ec786227d4a8b1f25c3730f06ec71398ac68d763f44213904d5e6463e1d9c392fb341284325d8e11622ed2a762b68b1efb6f3fbe33eae2df7b5d5daf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\datareporting\glean\db\data.safe.bin

Filesize
1KB

MD5
0f60cc7927fe58645d36c54854f8eff3

SHA1
50de648d144b74000162cbdfbbe8e81851bd55e5

SHA256
4db2016bb60e6e0ca64dd783a58046d23bfdb5470d2c72e161f78db7c9f95420

SHA512
51033e8847121a33e0b0f4ca80ed88699e0bcd4ce0fc6c1083393204456d9c62e1fc92a35078c4b2609031129da1ace1455f8d4622ad69a162a35aa93e24e979

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b7c53122dcc4b17de42162bea1ed1054

SHA1
22e50bea02524f7bd5ec1608f78ecd13d1419420

SHA256
e0a800243b23a994bfaaab5994fe8a95a1bd4c7416837ad495df8a53f8545699

SHA512
6b7cd023f8faaa84ef58ad10b7a23b82d246545ee11fe0fdd6b83916da410b2ad85ad093ff787205bb06f0bb7f1f6fe92b27f8789a84907afc7de0e021d87975

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\datareporting\glean\pending_pings\64b1d8f8-c8fa-4bc6-8a3a-b5ae97ccdca8

Filesize
656B

MD5
5ab96644d4695bd875862db47286cc23

SHA1
a6b1d6e90e732472821de9f496be998fe7cd4803

SHA256
ceaa6fa860d9ee619a9359d6469f071f2bb082a0a51a1bb415981edfe2a38793

SHA512
0a47a520898d39f80da2fcd8b8df8c6092f017d74956495db988a2082ef589cb96c27492c36aad3f7b9a4f4650a000d8dfc8a09f1532e0fed44106a47b13f097

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\datareporting\glean\pending_pings\b9218a09-c23c-4f49-9d61-21d0ca2dacef

Filesize
587B

MD5
fa73af1f79f8d6dcd063e994339f2f24

SHA1
728c91987b5ae836a029ec0b3da4b7f5abb941bd

SHA256
95b94011a18a9832a0d69c9713358454b92134f0a9e14ec64580e15813f140bf

SHA512
3c29d30f41bed67fbdd796b9087cc7cf39fb03a6f41777a5c729cef3e0f0d432a174d6bf33f93255816027674dec568ddd52d2e5a415d70d68f791f5bddadfa2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\extensions.json.tmp

Filesize
36KB

MD5
4437c5a242a7dc538ec94393b7c6b190

SHA1
f72870ea2bd26cbec8a2bfaf711308b10e477b4c

SHA256
874f5cc75de8fbdabd3a4828b89d1eefe668ca42b4d37c8574475a6fdbfabd22

SHA512
fad07026a3e70d47f1ab7da9221af0eccae601d775ebe8ff8ee3964c60f13a2853d3f297502b5aa8c6c5e73b5382d40a59303bba946fd4bbe1f807e531121816

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\key4.db

Filesize
288KB

MD5
042adb35ceddd946f76b7fcd538fed33

SHA1
5c3b9118df279663be6b1d1b62eca43242196bb5

SHA256
fdb549ee0ce4d35fae4d766d102ef758d58d5693dd7544a7780f650dec384311

SHA512
7044368383908b6814dc64e939378c39767bf987f60a1692be79c1f351469519920d93a734dc2c15bd38237c2532ed0593ea56c474f668571418dbd1aa15b64a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\prefs-1.js

Filesize
6KB

MD5
476466ed4e09a44060adbc45c31d4a81

SHA1
3641b2fa9da09af8a9bace3db31ab08e909dcd02

SHA256
39bcf607ef6fd2e7fa9bda9e0412af79d0842c5a51f4a723c68bf6da0d2e4db2

SHA512
82fa84b4e22012c8707769958ff3208b796cb0f2cf579e195bcbe0e83112ed7d24d5c68a962febd726839cd954f7a7f8d556534db1a80176f9c82f0971fdcfab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\prefs-1.js

Filesize
6KB

MD5
8b7317c93efaba8c641785ea1788da61

SHA1
210ccba33a2515cc5c57f5bc874ab2fa93b6a77e

SHA256
b165bebe6970b0264c691c4a22284ebaa2ca52dc870175368df10c9cd4e1ecc8

SHA512
ba88c13e27d784a929c32df434b28548f9846c615915dc0f2ea016655a310308acc7e3ca84ba8b016e6e0de00a836624ae530358dc0fa58a5fda8c0a94c7d7a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\prefs-1.js

Filesize
6KB

MD5
7f93604c2b008c5617b8f0141e27e27b

SHA1
421d7d2d2252d59aa6910da93023848743ce90a8

SHA256
652a0614986b0c9243609e568609ac7bfbac596ac62764a94f8188b6a0287498

SHA512
0f84cb108f45fe693e2332c7cd3079689d2b84b28db819d66d59ff079d7c44aebf40ad06d143e17d979df94b1f053311eecf1982deb5ad0aa23a95ced3b30607

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\prefs.js

Filesize
1KB

MD5
671776145d91858572fca7877425d25f

SHA1
13fcda53d544ac35a5dc706ff4f6c928301ef184

SHA256
75ee99b30a9104b2784f405ae84eec8f5ab0b75a58df582d2a37a1daa2e6e336

SHA512
ab8b5c8312d3cad7400d17a6c8266cffdc33649bc7b5daff20b5deebfdd4da95c84926c579b447512b3a937a42a66a5ebe42f3aa08a108e8cfc5f722a5c9d8a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\search.json.mozlz4

Filesize
280B

MD5
41d220d4783f67d2b57beec20c135229

SHA1
6e97765e77920b6010fac2cb4abf1e3cea106541

SHA256
5d1881e74d76b95bad59439bb5c7676258a4ae6b6d853074e93b5247cf1715dc

SHA512
dc30ddc4c8cfe598de5e24bc88cebbe4256fbb21a0b1db6c2ec15311053e7d8be6a93a0bcfcfd8a02543f8b9cf9b15a5840154b272a2df71d59d7dfd80984ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
816bd59311a269a72a26afb275c64303

SHA1
1a41bd45e03b3981adf2e42fe0329e0ba449eadb

SHA256
8839d2f15830e11864f811e72b1178527d9c649cfee4c71de03d2e40618b76a6

SHA512
c78b87fe9a34b9ca821a64090376ea150befa4abf6326b179a5c0b7bf5e6ce5048e5bdf2898c4a25b4e791449dc1f6f68a0a0953e84f188f34ee36cd5190d921

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
1eeaac69f92377d964fbad5ebafe2d4d

SHA1
0c2caeebe588dd8ee3d0f65e48a754cf3039e499

SHA256
a64a7bfe232303a3d386c07cffb2d13966aab3c4c0772384058b2f6806b2cd55

SHA512
2fcb47e3810e4030670ef4a334abd038af953cd2bdeb448bd6c2923a35be49bb7534a83e0ca7f1fe6ac16c6b9eeb1f3202080ee441511840207d720e9630efb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\storage\default\https+++mega.nz\cache\morgue\24\{804d857c-be1d-4ac4-a41e-5e02dcf53818}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
48KB

MD5
08867453029a31354f07a9e1f3421ebf

SHA1
e986a9ba9de07a67153e031206302a84cce3b0fc

SHA256
b78e0d414f8a5e4413313dd6ef50f80c9ef409549aa5ae72812a7a373c7aa1e8

SHA512
5de7f62a2c94b24435b998c789824551320f41f03671338e2fb9220e728493455822476f4b1085c675eeda0a6df815e6bbc108408d7af112bda14ed60b6719b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
128KB

MD5
3e2049e6c7da1c3d0dbd5ab2a6bb23d0

SHA1
5cb135a312b73fce6160c18ac34415757cb7b1e9

SHA256
a58f63d6a337b81546bfe1f700c2b6851793b9d2d7a536f3270cb9bdb3110d9a

SHA512
e50890d4535cd20edf87f17cd82685a5805de0f0f77b9719265ebea76c054e566d67b1617d6af766ab75c49455b7a968410b2c3693e3582944b9c4050311c374

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t7xlbt2r.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b7b0cb5202d4e903c4a9a98bbed0b7ba

SHA1
1ecb7dbee45d12071b5905172af34bb883c938a7

SHA256
26917eda2791e0076a42075cd5f95f637e0a4383806735180fef72c4ff1e4300

SHA512
d46924e29636290e96760b636952568d729594e3e01d225019004b6c8c570581f80dacfeda67d675d39424c8c3617a59bed5da3f88651159b68c4d1004f87506

Download Submit
memory/2872-2-0x0000000073CC0000-0x0000000074270000-memory.dmp

Filesize
5.7MB

Download
memory/2872-8-0x0000000073CC0000-0x0000000074270000-memory.dmp

Filesize
5.7MB

Download
memory/2872-0-0x0000000073CC1000-0x0000000073CC2000-memory.dmp

Filesize
4KB

Download
memory/2872-9-0x0000000005330000-0x000000000534A000-memory.dmp

Filesize
104KB

Download
memory/2872-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2872-1-0x0000000073CC0000-0x0000000074270000-memory.dmp

Filesize
5.7MB

Download
memory/2872-1213-0x0000000073CC0000-0x0000000074270000-memory.dmp

Filesize
5.7MB

Download
memory/4364-8018-0x00000247AA0B0000-0x00000247AA0B1000-memory.dmp

Filesize
4KB

Download
memory/4364-752-0x00000247A2A20000-0x00000247A2A22000-memory.dmp

Filesize
8KB

Download
memory/4364-8019-0x00000247AA0C0000-0x00000247AA0C1000-memory.dmp

Filesize
4KB

Download
memory/4364-733-0x00000247A3920000-0x00000247A3930000-memory.dmp

Filesize
64KB

Download
memory/4364-717-0x00000247A3820000-0x00000247A3830000-memory.dmp

Filesize
64KB

Download
memory/4456-1906-0x0000017CC18B0000-0x0000017CC18B2000-memory.dmp

Filesize
8KB

Download
memory/4456-1400-0x0000017CC2190000-0x0000017CC2192000-memory.dmp

Filesize
8KB

Download
memory/4456-1189-0x0000017CB0C00000-0x0000017CB0D00000-memory.dmp

Filesize
1024KB

Download
memory/4456-1908-0x0000017CC18D0000-0x0000017CC18D2000-memory.dmp

Filesize
8KB

Download
memory/4456-1208-0x0000017CC0E30000-0x0000017CC0E32000-memory.dmp

Filesize
8KB

Download
memory/4456-1404-0x0000017CC21B0000-0x0000017CC21B2000-memory.dmp

Filesize
8KB

Download
memory/4456-1398-0x0000017CC1BE0000-0x0000017CC1BE2000-memory.dmp

Filesize
8KB

Download
memory/4456-1206-0x0000017CC0D70000-0x0000017CC0D72000-memory.dmp

Filesize
8KB

Download
memory/4456-1396-0x0000017CC1BC0000-0x0000017CC1BC2000-memory.dmp

Filesize
8KB

Download
memory/4456-1224-0x0000017CC14E0000-0x0000017CC14E2000-memory.dmp

Filesize
8KB

Download
memory/4456-1226-0x0000017CC14F0000-0x0000017CC14F2000-memory.dmp

Filesize
8KB

Download
memory/4456-1230-0x0000017CC19F0000-0x0000017CC19F2000-memory.dmp

Filesize
8KB

Download
memory/4456-1222-0x0000017CC14C0000-0x0000017CC14C2000-memory.dmp

Filesize
8KB

Download
memory/4456-1203-0x0000017CC0D40000-0x0000017CC0D42000-memory.dmp

Filesize
8KB

Download
memory/4600-1018-0x000001C30D7C0000-0x000001C30D8C0000-memory.dmp

Filesize
1024KB

Download