Analysis
max time kernel: 527s
max time network: 529s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-07-2024 05:02
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://google.com
Resource: win11-20240419-en
Errors
General
Target: http://google.com
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" | gdifuncs.exe
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Disables Task Manager via registry modification
Downloads MZ/PE file
Office macro that triggers on suspicious action (1 IoCs)
Office document macro which triggers in special circumstances - often malicious.
Processes:
  resource | yara_rule
  C:\Users\Admin\Downloads\metrofax.doc | office_macro_on_action
Possible privilege escalation attempt (4 IoCs)
Processes:
  pid | process
  5244 | takeown.exe
  5264 | icacls.exe
  5408 | takeown.exe
  5400 | icacls.exe
Executes dropped EXE (12 IoCs)
Processes:
  pid | process
  2204 | Gas.exe
  3112 | Gas.exe
  4660 | LoveYou.exe
  4960 | FlashKiller.exe
  2600 | FlashKiller.exe
  4460 | BlueScreen.exe
  4192 | BlueScreen.exe
  5280 | HorrorTrojan Ultimate Edition.exe
  1972 | mbr.exe
  5932 | jeffpopup.exe
  5828 | bobcreep.exe
  6032 | gdifuncs.exe
Modifies file permissions (1 TTPs, 4 IoCs)
Processes:
  pid | process
  5400 | icacls.exe
  5244 | takeown.exe
  5264 | icacls.exe
  5408 | takeown.exe
Processes:
  resource | yara_rule
  C:\Users\Admin\Downloads\Unconfirmed 538907.crdownload | upx
  behavioral1/memory/4460-1102-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral1/memory/4460-1104-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral1/memory/4192-1115-0x0000000000400000-0x0000000000409000-memory.dmp | upx
  behavioral1/memory/4192-1126-0x0000000000400000-0x0000000000409000-memory.dmp | upx
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | mbr.exe
  File opened for modification | \??\PhysicalDrive0 | mbr.exe
Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | reg.exe
Drops file in Windows directory (8 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav\:Zone.Identifier:$DATA | cmd.exe
  File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | cmd.exe
  File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | cmd.exe
  File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe | cmd.exe
  File opened for modification | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | cmd.exe
  File created | C:\windows\WinAttr.gci | gdifuncs.exe
  File opened for modification | \??\c:\windows\WinAttr.gci | cmd.exe
  File created | \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav | cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (2 IoCs)
Processes:
  pid | pid_target | process | target process
  3104 | 4960 | WerFault.exe | FlashKiller.exe
  3024 | 2600 | WerFault.exe | FlashKiller.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Delays execution with timeout.exe (1 IoCs)
Processes:
  pid | process
  5536 | timeout.exe
Enumerates system info in registry (2 TTPs, 9 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Kills process with taskkill (1 IoCs)
Processes:
  pid | process
  5660 | taskkill.exe
Modifies Control Panel (3 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" | gdifuncs.exe
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
Modifies registry class (16 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\僿翸 | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\䝐ᅣɗ\ = "apk_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file\shell\Read | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file\shell | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\.apk\ = "apk_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\㟃ꟁ昀耀 | OpenWith.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{DD880388-2506-40ED-B647-8D0A358CCF7F} | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\.apk | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | msedge.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\僿翸\ = "apk_auto_file" | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\䝐ᅣɗ | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file\shell\Read\command | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\㟃ꟁ昀耀\ = "apk_auto_file" | OpenWith.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\"" | OpenWith.exe
NTFS ADS (20 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 606024.crdownload:SmartScreen | msedge.exe
  File created | C:\bg.bmp\:Zone.Identifier:$DATA | cmd.exe
  File created | C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav\:Zone.Identifier:$DATA | cmd.exe
  File opened for modification | C:\Users\Admin\Downloads\Grave.apk:Zone.Identifier | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 538907.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 529325.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources (1).zip:Zone.Identifier | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 772736.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 51146.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 15603.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 677401.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 457490.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier | msedge.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Temp\{F622B6FB-592E-48F6-A9A8-BED3DA6A16AB}\8tr.exe:Zone.Identifier | WINWORD.EXE
  File opened for modification | C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources.zip:Zone.Identifier | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe:Zone.Identifier | msedge.exe
Suspicious behavior: AddClipboardFormatListener (4 IoCs)
Processes:
  pid | process
  3284 | WINWORD.EXE
  3284 | WINWORD.EXE
  2752 | WINWORD.EXE
  2752 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  2740 | msedge.exe
  2740 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  3252 | identity_helper.exe
  3252 | identity_helper.exe
  1624 | msedge.exe
  1624 | msedge.exe
  2992 | msedge.exe
  2992 | msedge.exe
  872 | msedge.exe
  872 | msedge.exe
  1444 | msedge.exe
  1444 | msedge.exe
  4824 | msedge.exe
  4824 | msedge.exe
  4824 | msedge.exe
  4824 | msedge.exe
  4424 | msedge.exe
  4424 | msedge.exe
  1092 | msedge.exe
  1092 | msedge.exe
  4816 | msedge.exe
  4816 | msedge.exe
  1456 | msedge.exe
  1456 | msedge.exe
  5180 | msedge.exe
  5180 | msedge.exe
  5164 | msedge.exe
  5164 | msedge.exe
  4900 | msedge.exe
  4900 | msedge.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
  6032 | gdifuncs.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  4432 | OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (30 IoCs)
Processes:
  pid | process
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 6032 | gdifuncs.exe
  Token: SeDebugPrivilege | 6032 | gdifuncs.exe
  Token: 33 | 6120 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 6120 | AUDIODG.EXE
  Token: SeTakeOwnershipPrivilege | 5244 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 5408 | takeown.exe
  Token: SeDebugPrivilege | 5660 | taskkill.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
  pid | process
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
Suspicious use of SendNotifyMessage (18 IoCs)
Processes:
  pid | process
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
  920 | msedge.exe
Suspicious use of SetWindowsHookEx (31 IoCs)
Processes:
  pid | process
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4432 | OpenWith.exe
  4656 | AcroRd32.exe
  4656 | AcroRd32.exe
  4656 | AcroRd32.exe
  4656 | AcroRd32.exe
  3284 | WINWORD.EXE
  3284 | WINWORD.EXE
  3284 | WINWORD.EXE
  3284 | WINWORD.EXE
  3284 | WINWORD.EXE
  3284 | WINWORD.EXE
  3284 | WINWORD.EXE
  3284 | WINWORD.EXE
  2752 | WINWORD.EXE
  2752 | WINWORD.EXE
  2752 | WINWORD.EXE
  2752 | WINWORD.EXE
  2752 | WINWORD.EXE
  5280 | HorrorTrojan Ultimate Edition.exe
  5932 | jeffpopup.exe
  5828 | bobcreep.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description | pid | process | target process
  PID 920 wrote to memory of 2176 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2176 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2124 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2740 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 2740 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
  PID 920 wrote to memory of 4964 | 920 | msedge.exe | msedge.exe
System policy modification (1 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | gdifuncs.exe
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff842c53cb8,0x7ff842c53cc8,0x7ff842c53cd8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5708 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5316 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7116 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6924 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7124 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1720 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7260 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7384 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\LoveYou.exe"C:\Users\Admin\Downloads\LoveYou.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4532 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\FlashKiller.exe"C:\Users\Admin\Downloads\FlashKiller.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 2523⤵
- Program crash
-
C:\Users\Admin\Downloads\FlashKiller.exe"C:\Users\Admin\Downloads\FlashKiller.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 2203⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7232 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\BlueScreen.exe"C:\Users\Admin\Downloads\BlueScreen.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\BlueScreen.exe"C:\Users\Admin\Downloads\BlueScreen.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6352 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6264 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4166.tmp\4167.tmp\4168.vbs //Nologo3⤵
-
C:\Users\Admin\AppData\Local\Temp\4166.tmp\mbr.exe"C:\Users\Admin\AppData\Local\Temp\4166.tmp\mbr.exe"4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4166.tmp\tools.cmd" "4⤵
- Drops file in Windows directory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f5⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters5⤵
-
C:\Users\Admin\AppData\Local\Temp\4166.tmp\jeffpopup.exe"C:\Users\Admin\AppData\Local\Temp\4166.tmp\jeffpopup.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\4166.tmp\bobcreep.exe"C:\Users\Admin\AppData\Local\Temp\4166.tmp\bobcreep.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\4166.tmp\gdifuncs.exe"C:\Users\Admin\AppData\Local\Temp\4166.tmp\gdifuncs.exe"4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\windows\SysWOW64\takeown.exe"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\windows\SysWOW64\icacls.exe"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit5⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\takeown.exetakeown /f LogonUI.exe6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\icacls.exeicacls LogonUI.exe /granted "Admin":F6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\timeout.exetimeout 26⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "tobi0a0c.exe"6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Grave.apk"2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140433⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B315FA1EC6932298262B7BE7A19D6100 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=636FF414B1D0F9D75B9259495989FB31 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=636FF414B1D0F9D75B9259495989FB31 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D0F614AAAE3B864492D6E3F3311907AC --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:24⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4960 -ip 49601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2600 -ip 26001⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources\HorrorTrojan Ultimate Edition.vbs"1⤵
-
C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources\mbr.exe"C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources\mbr.exe"2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources\tools.cmd" "2⤵
- Drops file in Windows directory
- NTFS ADS
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f3⤵
- Sets desktop wallpaper using registry
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters3⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution 1
Winlogon Helper DLL 1
Pre-OS Boot 1
Bootkit 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Winlogon Helper DLL 1
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: ade01a8cdbbf61f66497f88012a684d1
SHA1: 9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f
SHA256: f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5
SHA512: fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: d0f84c55517d34a91f12cccf1d3af583
SHA1: 52bd01e6ab1037d31106f8bf6e2552617c201cea
SHA256: 9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c
SHA512: 94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\169a949d-b1a1-48dc-9b95-74f41c354291.tmp
Filesize: 3KB
MD5: d3cb1723ee96c6cc1ad587aa8163e4ea
SHA1: 108a2ebcad26a7d2becfb3ff4c085e8a0ebbb448
SHA256: 7a56af72181cbbd9cc070f0cab7dcfe02e37a47803d81ac1ad6959e7cf497298
SHA512: c8711219deb83118adb1ccaeb0223df4fcd8a5f5b6300045e49b687de2195a7aa8cd45d47abff91c9bea27015faab3692d39c5beef293e6e9ccefb8ed082a67e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3116e49e-20b6-4927-8b28-7fa0e26fd62a.tmpFilesize
2KB
MD5d059487a48b12181bface162722fb255
SHA1dac29803f0364f3fb209ce1210974f42ecfdcca4
SHA256220a45c9a239ea53e2dc2df87d581f92530400db3260f46bc489daff8a39fe28
SHA5125159f10269395c6154c59cbc91349dbd02be401f6881bd0afdb6c2a1c50769ad000f02ade6b4d1f2676051d8df83fffca40db29f522746e5daed92e2d251f358
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000bFilesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000cFilesize
67KB
MD59e3f75f0eac6a6d237054f7b98301754
SHA180a6cb454163c3c11449e3988ad04d6ad6d2b432
SHA25633a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf
SHA5125cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000dFilesize
41KB
MD5ddb8bf0444969fde4ffd0dd3036d9dda
SHA1b77ba856c51a72a40f69637a9c7980cbbe859897
SHA2563e634c7e24539826f9f228decb932e1b9c3139c6505bbf6a9d15cc206f1cc6c3
SHA512bca01e2dbf2b8aed3a08ddd51d68029296175b7a2f2a601a3c3e522ccfbce6c397b3c9a109db07abb053cd812865d930b097888ea58a772a99d4a67821d02f5d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000eFilesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000fFilesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012Filesize
1.2MB
MD5e9260f3d081cf9a5d5c7551fbdc3d234
SHA10cc5b721c02dab3301207880871fc97e004c3b88
SHA25681b05795af8af16e41a86d022730747b7b59a8e96951ec3053f34f91d66cae4e
SHA512d4445200865a3636e814fcddd9ea21dfdbed943deb68a12279d715879693921e94ca8dd8570853bbed657f47cc8d034f931f500b3591a2001185d9be45bd109a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031Filesize
211KB
MD5151fb811968eaf8efb840908b89dc9d4
SHA17ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA51283aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003eFilesize
20KB
MD50f3de113dc536643a187f641efae47f4
SHA1729e48891d13fb7581697f5fee8175f60519615e
SHA2569bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8
SHA5128332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054Filesize
15.0MB
MD58f5a2b3154aba26acf5440fd3034326c
SHA1b4d508ee783dc1f1a2cf9147cc1e5729470e773b
SHA256fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac
SHA51201c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
5KB
MD55f5e281173c7315b328cf6697eb960fd
SHA1436107188ae5870ea2b8b14d3af25cd3c79a19ea
SHA25699355e706679ca3cc0a76ac5b15f2ec2e177d2400523a5ab062a08f9faf03b06
SHA512a11aab36a950ff5a711a08690ea17ba3f9a318b0d6c6d071bba34d0af5b1ca92367e1577a6a29b289e1ca63473c159668f5ea5446c4a7023e908b362e0f2f692
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
5KB
MD5b337b1639687f70b0dc361d211b76cf5
SHA170a984f7234f8069d0dce700dfd4ec919d53f4cb
SHA256df36e5650573b848a2796338d83547663c96220ae73280bd6c47edd8da304322
SHA512798d9f48399b660da0db56b752a8cc5cd5b94c1b6b2e19aab26d00e1c564ab8fb8333888c9305fadcd7fd35417b6eadad4388bceff96b83465e5c9ea705334a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
4KB
MD54af60f3c1d318d3e85cd9d42708789e5
SHA136bc60e852777ee34d8f8c4a9f4cf1a51b38ec68
SHA256b498370900748fc72f99bad62ebb627c4a3347b92ae367a43bfab62f1b5b8b29
SHA512ea701a34a2c9ac636815437505d4b85d08d2f1f9096aad2a254db89465cd0761166f04e97fb71e08466df79a3da0329cb109f4dc4d0b866eb6bbaf7e09839904
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
4KB
MD5c91b09c8b3ac6e631f79be33257225cd
SHA195370220568716e06a75fe3269bea019d7b81e19
SHA256585ceba77d65d6886f2f89521426698da54e5e7433a76653d7ff2c5d1d2f7904
SHA512904def7d6dc86b0e5f6fdb8a1588d2fe9026165be0fc9972423244ce675f79ade3fabfe460f05f5c333a0b79847a54ab6ed5335b8c54e0720b61501178230871
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
4KB
MD55a51c71308e405db6a845c5cdba36ba9
SHA1c4b090611f6e66821400a1d0e7595f64a59764ad
SHA2563b195906d9e1d80c975d7c0698d99d980aa4634bf09d70edff01c23bea7c7f8f
SHA5128dbcc071298d5386791ea7b9670be4b22e3296159ba834f755f02d0b73a74afbeb604352427c6b566828faacac7e6057718a42df56a963ef1cd5e80be66959a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD58588d251aea3ebdb6e2f47310cc0273b
SHA1fa8c4aa718ea31a2f597d8aa1cc33e4118402c5b
SHA2561c6d219356afe2f72c25ff08ed71785730ae20fa7ef33eb38f43ec610461378f
SHA512161a5361c1b952994f65d917de85ccbffad632bc213446297c61306e5c2295808002b9c7086c5c2c085eb487a4d112aa408ae1738f696561688797b3cb50d8c9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD59d8f039a9e43b76f200087db8a8f1fa7
SHA1ed64e165136f0431470da87a8a1e2454180fbe98
SHA256c3e30ed2c0a175c1e61d5016453d569569411639274947f6f8db2b2c3d5d88d5
SHA5120703b20af4028e47e8b5648437f666518eeced7dd68f041ef8386a7139980b14f14547da382104ef9e64c5aa5a9025da5f4c6babf86e1abf336ce27bef5341b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD59eb82fe42f44c0a9571976264292beb5
SHA1d9f4b482d434703aeea94f6d9023d11e8460ab7e
SHA256b97dc3df6a9667ead76baf2ad7510e039c2a02f9b154c0c9c1b5627fe9147956
SHA512342295d099dfef986d8b608540aa7c873797041f2d44ccd31213773a2becc263ec46af5874784b91318df792d39e3efff2fe54fd0971bc14de20fedbc2532d6f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD56931be188a013506ee82735809b2fc2e
SHA1f1d492b9e3f017634a87cd109be57800d6cac65d
SHA25642a82e114c4ea487ec891c5d3326c8e6c177f799badf6af68a6f1c14fa36e7b1
SHA512b0af19bf69e31939ae7842c522e1e915b84c2c1027ba58220b0ea38917c1214f37d8f578a46fb1f75fac6e270e9cb3cfa4742761230723a6e39fdcc458b794e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5545570020e6a6042b7d4007347ee5b3a
SHA1b49bbc0f2e369271072c00070594ce70a9d4883e
SHA25615475149dc4efbeb9e3130f3348db24db1e9a1570d1cd33bfa2bd50e158964f8
SHA51278b5133e3b0b90fadd877eb6cdb306071becfe8decd396a49fe075292c0ef2a39af897babe9ed210929f7126a750a253de648091bb8c1ae8fbcebea0369c9831
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD5666bee6433583cf0591e97e072a182d3
SHA1cd796d3611cba01a57ce24fc2e08065352520628
SHA256662ebfcdc1f62398efec076f4008d9056d4644b1a878c26a862c69a24f17d23f
SHA512b6ace46a32b4a4626a1fbc6f2b626551aba6679d5a4926e60f5d0b6d53b16b129fdcf957a5cf75dd37cddb39101e78ea3bdc00c22f7dcca62568b5a6a523d550
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5c5d7a07ffe5a514c3c041891c3310412
SHA12651c85ee73df25e222fe6a5698b9cc3dd8df3db
SHA256fc5d7743b2f24f068abd9c2c453248df23da7235de6cdd129bea00e967326cbe
SHA512c7eed3ab55145553f3d2b2ecb5a4c424152e67fab111b93dddefdba334b24d4af8ae6c1bbebc44b9274299e64b66ac5f5c1026542166f2fd0d4da732a6ab19f6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5cc623459bf43aea951bea42201add7d4
SHA159cb25adcbedcf700b6ef74cdf536f460ee728b5
SHA25652e7ed10b51ff68098d8432886c89501f35e9eb743294e004ff5b4be234f4732
SHA512c0a272aadf9d2cd1ddcbbdef2feb822c6b5505a10fd0b956320e07aff1716ee3192e5c1d463fc347fa4244fffeaa9c16a37502d591bc7e5170a7eee9582add14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5f8338be2e3e19355965a48200756e569
SHA1be31d67b9d6bea63745738f0c9743d098f63899a
SHA256eafdd405c78a7de6911df4839bc4ca7b057c2d9fa907c394997be060a00aaf31
SHA512b17b04548aad8d8698df969578826344924c49045c8cb577bb2f87457461e3c9d1877711915e8be8786b9b0d8ae10e6519ec4b80b95ce3fddfbfd6cd65639384
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5c9d222634618c4904e2c459b80649b88
SHA1e4b580e85c94589f46ba2f095b57167bf62baaf3
SHA256d3f88d3d1af44fa0a0d460cf959a588a49c2f508479db31a7425eb0041cf0250
SHA51201382bdb0e23aa892b0568bb53749dbdf470c9da2ecf012239a4c739a2c48c04e054f56eac52a903b440bcc33479b8235bee67c066a76f9943eeb22c57fbc76b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5344480db4998efc75ea6d9c90362c8a5
SHA1d1078b5da2d321663f6d039655db2f1c7bbf2ab7
SHA256be16dfb3029824a8f83118e3cfb5c1ce6b02e63529a0de69a27f0b8f9bf8e1e3
SHA5121368a6489464c6949257ba8480ecd78ebfb40d3ad9f8149501d19e68313dd7d40351f34f7b25c97ba242f217e84cec96c6feb7d2246efd4a2b97f8fdadb0554e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD562284e71b0f42e574f589b16db9c2809
SHA1ad667f69728412b1d18f411daf87f497d7e3df91
SHA256435fb0aff2455e5548dc328681bdc01ea456e162371142b9bc83d85fc2c02a84
SHA512aa426d818ab085467cd8120eec355e4962f952292f5c16abeaf4c0b06c0632d67d16e3f6b13cb6cd7311b79f7ee8f08da21adc2c08a811ffb43d8439e3d82f9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD54a3a6c69525519e1f9cf0ee98754a5d8
SHA17e1fb4d95094f67f0fd463bacf0e4287978c9433
SHA256747b848d4c8823013c66a5f9e68f4844962de4ae311f13b7fb6160473572fae0
SHA51217d69d4ea3635622ce7651662241d3c1043b319c4a8e3725a882531acfbc4448e97d5d2a3add63160a304be15f520cb11ee2fa0078d9b66a48f7207c8b260748
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5be4969ec98f26e498228066f4ba2263c
SHA130c0ff6c3f356f3b82cc12ad0767ca5d07124306
SHA256ec1cac10f3a5d6f52234727dd43598be0e25136ac0b6c55599cd4f38f6f1176d
SHA5125dc7b61af691af235f6d9e875cb714afa014b4cbf04e677fd8403f2bcf798ce0837e8287a8f3a684c0426e06408272b945ffc991ac095fa9535fa8b49bb96f4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD53d9966806866c2743c456918d956b8e2
SHA15488f767292df9a7e52e297637ab529195a93c18
SHA2563fd42850f06ce895bf7f21bf25100656cb7412d06db0cd882d5dc044d8197b0f
SHA512850f713ae82d18c49db5e12696f0a56088019419a2835365dc4ef0ca546c5a2f34aada03b9c648f84a9d1714d7abc4e8ef9735944fbb53eef1535a9af8a95a8e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5199fda3705b6c440e36e3fb4f72f529b
SHA10e6f6039dbcc994a499fbeaed22ca3c7304d284c
SHA256dedb0ba78967477539ae18ee066b470af832c1cfca932f12196f84d2081a2fdc
SHA5126e46228d43dc39702b4b4d03f25fd367cadf515713fd21a1e6e7e717e8259d619b18ae6a0b9815d30e602262424d51408bc3026db883989da366dc453c70d82f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5623f23ebe5a45b26699b787b69c0d3c6
SHA190646901b85cf17182670e61375a83e065f32178
SHA256f0b09dade8a3d57d48468c239bc7a67c16a58f5bd7ed58219051315a2b4a9a13
SHA5120e19a07434f3afa3b66d4e838da28c008b2ae5a37c72214c6ba75c6c8b591306f2a6db09a9d6a14c9a341ee590ec402a63e0c46f3f1da54c3008faa2c12cb6b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
2KB
MD5889e8817359f01cf45b94070056b3aaf
SHA1db73309c3a037085b7c61f1bf628d2b513fef0b7
SHA256c62a574e0e1bbdb7ac44b89243542c14d744d9a85766b7841b94337cb9750c27
SHA5126f86d14047992cffab08e395da5af58dd9a1addae3eef6f69434547e2f02db3155ef1d6fcada24da734634883ad8f113ec51bd123877b6b7227c8cfc1b3e58c8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD5f9ffb1a6534c7eb5752919ae9443e837
SHA13155f4d237db0db3ba00a6fcc1386a3790da16ae
SHA2569ebb06a15a44493812c3c437812ce65f8b1d1cb5850d85a427d0e259e96bcf75
SHA51221bdbb2df3916c4a4710580091bd0a0ea35ed125500a9489a6cfea72ad2ea109dd684bb0f8bc0e301ba013fdfa383ab5403ec1a8549e0f3cb42fbeddc5adc51f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
874B
MD5eff755799020078719aa2b336517ecae
SHA121683ee469ceb1fb9074f1b164f3367722edc2a4
SHA2563f114f69a62417315ab51609b3ba0a510c1dd9daae66917ee54d561eb8ed8f37
SHA512e16016697b1fc9556d798086190ac2d452357ee735a42506c6d1112c078ef6bdc4779a13bb2be8b4f4672917331497d83a9993510553be3beb8653c294fbdc4b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
3KB
MD57ababd7514a20e86d35321569dfbad06
SHA1cd110f77cc409738b9c00fdc7c4174cde14c5d7c
SHA25620bf18244a9af5120271b78528fb799020aedeb4bed9dfc63740a854606dc70c
SHA51299782fb00bf4442d7b98a0b62f03c2e3fbbdab2f99afd4dc3f88fb0a98b790bb94f6aa5aae117214cb097002c15bec7ef8dd5b5507eeb6d17cab58694fd4cab1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cec9.TMPFilesize
372B
MD57353d0afa812eb4012ed107ab09e5587
SHA12411d4516967eff498feb52fe8c5dac30dbc7199
SHA256418addb8401644b7421c7f7dbf854ad3bc4fa33c2ec866c66d4c12c5cce23b26
SHA5122e646e3e5081c9c37da1adf71b4b56b8494b04417aa19a868176e910d938ba6c6ea5447bbb33f6fbfe81db909f643b2b291f6c79565cc95a1a7b791886befd74
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\db27cd77-97a0-44b0-891a-c42c8f36c0b1\0Filesize
18.0MB
MD5d263542d62c61b922253b99e6c55c743
SHA16dc8d4f219358334be3b85577752a13ca0321be0
SHA25611bf83db0b15c7626b9afca804039d3b4ed7cd26c48be1632038d5fd50d6d6fe
SHA5123149a33f24d5c4bb122fe13593271b5cf6f5064046ac68d46e1cd00a1f77d198322069fc0ab3e8fc08774d288e78f0b90ec34ba99902fee563fe9eef20e1a042
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\db27cd77-97a0-44b0-891a-c42c8f36c0b1\3Filesize
10.0MB
MD5f5ab85ea7eb77f497d765e8df3c968da
SHA1d088d8a8029d7ffb2f942a1872ff8582b74c8469
SHA2567a0f8bbd0d34af175dc5806378b62f17567131c45b46be75535a4282718c6d8a
SHA51282c1c9d8f0e39904671274bcd9fb14e15477649cef6a1aba623669d83b84ea454009d997444802aafa1a732bc6d3dba2b6cd0f82c70547c3bdd733421030c216
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD57e61b4f8c2ea77a1646a23f80518a4e9
SHA10e3294bdf9063614e00b3f01fe435e1b79561987
SHA2561be235533f4ff43b0428d5ad2a8f80efbac799e94e4892ffed52e77a9e512bb3
SHA5127279ae6e377d91c99b49f0c1ff320e580781b179bb1eb58b9617bd1ad9ebea26477663332103d3412431291d12d4c9809e44dadea2d63516dc30c2e9cfe7f144
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD563f66284ee3ee9887b32100812205df8
SHA19c585923bd5a164d314a0104825a2c65b7236c4f
SHA256ef8012b2dbcb2b8332afafd32dd4e9cd2c57dd4446e159cdc3e7a188c17096d3
SHA5120a80a6e3cf4b36ded1c3057a08ab2308ca646fc5d9369247c8b3aebf88c61fa0a7e27244300e11657fcf3ada2b5cbc5e6ae74860cbf8af7e83bde808fe6e34a9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5f6667f562c35ee841fd126febbaa536f
SHA169ff7ca152b024ee5a5a1453770cc07929b1456d
SHA256e1a8b01e8168fc600fff2d5ec9c2681889a0054a4ef7021c762f9e737f4d45b7
SHA5123a1544705a1666994ccc6e9af470427922254182efb283046a2a6f5fc100f405ab81756ef3c8a3790e4f5262e209999f0a99c4962c72e63c236ee2c1f3507b25
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5d9b1e96bed83a032336f4c46da6239af
SHA10afa6f0154601629a4a438fbb7dee776f491bf88
SHA2562f7051fcc12e58868a88bb7bb32bc3605ee65d5a2bdc496934eb4235315df6da
SHA51213ce404a7f9d7a6bf52db2c334e67741b5f4162b660887f681fe91fedc2224d2efb4618f33dcd4d9a5c3c8ebaa0c674dacf3e03952a7eccd3ce543b1c8ffc622
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD57e70a441ddbb6b2646859659ad73bc65
SHA1717fd4ddd445bcb0d9cbb6ba4cd9fb93785b83ed
SHA2562a82d510ff57655c6078e0a26cbe7df39d7074468b8fa05eb87f98f3043692eb
SHA5120b19c6c10d3f723c40aae80100d451c482dfa773360c0be30af6a22f3cdbf26158c3cf0c06a36c2809ec757e5b210f72d1a0b280e3f87d235c8eabd19b35c25d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5b839e1fe27cc7ac722a2cff6fa244cc0
SHA1d90b093802f41c1854e7ceac4d23ea4ac046e3ba
SHA25683014bd1a021a6e7af0290ea37c3d72da2a3329c7028ca9e5210009760b0b1ce
SHA512901124e4826cab81c1804e553584b4730130e0ab5ef7774732ca5aff0e5e103730601fc0d6198a2302afd5e1bfe46ce843750616153b65f28ddd0a06084875b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5bfc525fe76d79f379ac9e4d668975678
SHA1b52d28394fceb500f9572447f0875b6c6a719f30
SHA256b21794f044e0071b911c23b3844c1d19778c112b8f0492ec9256ae63c4b86ac0
SHA5121b1d619260ae983489ea00aab165db2e6480aeb0a5994e834819f2236193c4a282153835ef7665f0e03b16342520b749211beb3c237ea9ce43136b3bf95e434c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD52497809ed0ea1b1ac1c842fe900cd4d8
SHA1584b90afa6bf27b75e436f83995851572126958e
SHA25682d97294ed3f9a85cfcb5077ebb49ba441ca07d2c5a14e0d5931967320fc8dba
SHA5128053ac682aa7daf204669fb16c413c51f843cbb2b0f2ce8e95b0bd1f5f0125075a73075547357ab533c6cc3b62082e5f263fb0fa31835ce6d4f1bdeea3bbf9f3
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8D62F9BE-454D-45C5-8E2B-0727C757139BFilesize
168KB
MD53b452c65f147c036dcf54c8824247ace
SHA100e0057f3d4bdf9e68a83eedd9aa3e1ca95f29f1
SHA256242309d9e4ace4e122fd695014717dad15ef3d951a091d086494f6ac58af6005
SHA5121ffd0b0138a647e6b44b7ca8931ba4b6c7ed4ef12047a716445c338cef6eb7b9add761e1d53e3b5bc025c20ce8e7ac656ced99dc14f218c976fe6050f06b6d29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AF28CEED.emfFilesize
5KB
MD50ed5bc16545d23c325d756013579a697
SHA1dcdde3196414a743177131d7d906cb67315d88e7
SHA2563e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3
SHA512c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af
-
C:\Users\Admin\AppData\Local\Temp\TCD4EA4.tmp\sist02.xslFilesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Local\Temp\vbhja.rtfFilesize
816KB
MD51fa31ca64328a8787a861ebf2606147c
SHA10ee54ce015a7026a0c407c3aa23f0a0c177c0e9c
SHA25631deb9438ca1ba85581caf03001d7d5515f9aab2e035526cdbbf36c2f1453941
SHA512d5a0108bfbf0ee248f8f7bd31df9500262b036491ddf202fd20b2114469a100dddf66709f11d8f0425fd515d5886dbd654b3e19bad7d56b1907788261ec9f55b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.datFilesize
249B
MD574635f6e5554ebd726fdca0c002dbee2
SHA1278e66625144f9d89050b0bedb482a68855b97d4
SHA256483e814b8f7ff4423f67f93987147b151908e1eef88479b67d4c7c69e5444424
SHA512bb5dfc5a78b97bd7a5bc0bfe1083b1f03b5592543abf9ce00a7a36c84fb540ddfb1c8ec8994f7e6eabc30b6de896414d171d7eb3c0735ee9708093162fd17f34
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
10KB
MD55f089cdb9c620d33934a0d17cc1d8337
SHA1e5daea364c969f9e58d87c9d772280e748301b7b
SHA25660858f8a219ca216251ecf0e91850696bcd9fd152f3267570703484562b8e90c
SHA512ba5148d1e6b276b57008e0f64654d31614eae91a92c5bcc8014e554016e8b94f8ae3c459f73cf27ca5116f813c0775ce91296848c22c13be45c365172125c25c
-
C:\Users\Admin\Desktop\YOUDIED 5.txtFilesize
74B
MD505d30a59150a996af1258cdc6f388684
SHA1c773b24888976c889284365dd0b584f003141f38
SHA256c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9
SHA5122144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a
-
C:\Users\Admin\Downloads\FlashKiller.exeFilesize
4KB
MD5331973644859575a72f7b08ba0447f2a
SHA1869a4f0c48ed46b8fe107c0368d5206bc8b2efb5
SHA256353df4f186c06a626373b0978d15ec6357510fd0d4ac54b63217b37142ab52d3
SHA512402662eb4d47af234b3e5fbba10c6d77bdfdb9ff8ecfdd9d204f0264b64ea97fc3b5c54469f537173a26c72b3733550854749649d649bc0153c8fe3faacc50a1
-
C:\Users\Admin\Downloads\Gas.exe:Zone.IdentifierFilesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
C:\Users\Admin\Downloads\Grave.apkFilesize
560KB
MD561b29201190909e848107d93063726ca
SHA1f6505a3b56fdbbc54e1624793581afe45010c890
SHA25664c874d0a67387d174fbf18811ef23e9d9b0f532ed7f805e542dacdf3c9d42f9
SHA512a2e8fa752d62e77e20e6fd86b7c6de3e683e41932eef448164944bd5f5dbb91ccf4380b3c13943e5c0264b9127b7f5e471ece68753af541d408caefae1065930
-
C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources.zipFilesize
23.0MB
MD5024187c3f6d944f699f4b4dd5a201d8e
SHA11c30cd4976aa303dd3be9bb577744fd694d10833
SHA2567429aa031069da80e88d528310c8e1379745b1a5b3589bf3b11987cf85bb3600
SHA51286e2e22525704a4ba10989cf9fa926fe73cf003171f0fd13a8e2393184e48e4a96baaed9ce50edffe497d12dda671c689daeb26de0c01d6d8e7b2d312d07ae4a
-
C:\Users\Admin\Downloads\Unconfirmed 15603.crdownloadFilesize
18KB
MD5e7af185503236e623705368a443a17d9
SHA1863084d6e7f3ed1ba6cc43f0746445b9ad218474
SHA256da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a
SHA5128db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3
-
C:\Users\Admin\Downloads\Unconfirmed 457490.crdownloadFilesize
22KB
MD531420227141ade98a5a5228bf8e6a97d
SHA119329845635ebbc5c4026e111650d3ef42ab05ac
SHA2561edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71
SHA512cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7
-
C:\Users\Admin\Downloads\Unconfirmed 538907.crdownloadFilesize
9KB
MD5b01ee228c4a61a5c06b01160790f9f7c
SHA1e7cc238b6767401f6e3018d3f0acfe6d207450f8
SHA25614e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160
SHA512c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140
-
C:\Users\Admin\Downloads\Unconfirmed 538907.crdownload:SmartScreenFilesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
C:\Users\Admin\Downloads\metrofax.docFilesize
221KB
MD528e855032f83adbd2d8499af6d2d0e22
SHA16b590325e2e465d9762fa5d1877846667268558a
SHA256b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e
SHA512e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34
-
C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wavFilesize
19.0MB
MD51b185a156cfc1ddeff939bf62672516b
SHA1fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA51241b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7
-
C:\bg.bmpFilesize
6.6MB
MD5a605dbeda4f89c1569dd46221c5e85b5
SHA15f28ce1e1788a083552b9ac760e57d278467a1f9
SHA25677897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e
SHA512e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610
-
\??\pipe\LOCAL\crashpad_920_JKFPNGTELSAFCQOD
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1972-2785-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/2284-2476-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3284-1305-0x00007FF811A70000-0x00007FF811A80000-memory.dmpFilesize
64KB
-
memory/3284-1154-0x00007FF80EF50000-0x00007FF80EF60000-memory.dmpFilesize
64KB
-
memory/3284-1164-0x00007FF80EF50000-0x00007FF80EF60000-memory.dmpFilesize
64KB
-
memory/3284-1303-0x00007FF811A70000-0x00007FF811A80000-memory.dmpFilesize
64KB
-
memory/3284-1149-0x00007FF811A70000-0x00007FF811A80000-memory.dmpFilesize
64KB
-
memory/3284-1306-0x00007FF811A70000-0x00007FF811A80000-memory.dmpFilesize
64KB
-
memory/3284-1151-0x00007FF811A70000-0x00007FF811A80000-memory.dmpFilesize
64KB
-
memory/3284-1152-0x00007FF811A70000-0x00007FF811A80000-memory.dmpFilesize
64KB
-
memory/3284-1153-0x00007FF811A70000-0x00007FF811A80000-memory.dmpFilesize
64KB
-
memory/3284-1150-0x00007FF811A70000-0x00007FF811A80000-memory.dmpFilesize
64KB
-
memory/3284-1304-0x00007FF811A70000-0x00007FF811A80000-memory.dmpFilesize
64KB
-
memory/4192-1126-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4192-1115-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4460-1104-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4460-1102-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4960-1048-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/6032-2835-0x0000000000720000-0x0000000000C22000-memory.dmpFilesize
5.0MB
-
memory/6032-2836-0x0000000005C70000-0x0000000006216000-memory.dmpFilesize
5.6MB
-
memory/6032-2837-0x0000000005760000-0x00000000057F2000-memory.dmpFilesize
584KB
-
memory/6032-2838-0x0000000005B90000-0x0000000005B9A000-memory.dmpFilesize
40KB