Analysis
-
max time kernel
1360s -
max time network
1409s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
02-09-2022 17:35
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.misp-project.org/feeds/
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
https://www.misp-project.org/feeds/
Resource
win10v2004-20220901-en
Behavioral task
behavioral3
Sample
https://www.misp-project.org/feeds/
Resource
macos-20220504-en
Errors
General
-
Target
https://www.misp-project.org/feeds/
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\1376_2052264926\us_tv_and_film.txt
Extracted
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@Please_Read_Me@.txt
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 20 IoCs
Processes:
taskdl.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskhsvc.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exetaskse.exe@WanaDecryptor@.exetaskdl.exesoftware_reporter_tool.exetaskse.exe@WanaDecryptor@.exetaskdl.exepid process 2924 taskdl.exe 2284 @WanaDecryptor@.exe 3064 @WanaDecryptor@.exe 2948 taskhsvc.exe 1456 taskse.exe 320 @WanaDecryptor@.exe 2792 taskdl.exe 2364 taskse.exe 2704 @WanaDecryptor@.exe 1904 taskdl.exe 1856 software_reporter_tool.exe 2936 software_reporter_tool.exe 980 software_reporter_tool.exe 2640 taskse.exe 2808 @WanaDecryptor@.exe 2540 taskdl.exe 1812 software_reporter_tool.exe 1820 taskse.exe 2616 @WanaDecryptor@.exe 2704 taskdl.exe -
Modifies extensions of user files 24 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exedescription ioc process File created C:\Users\Admin\Pictures\StopSet.tiff.WNCRYT ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\UpdateGet.tiff.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\ExpandGet.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Pictures\ShowGrant.tiff.WNCRYT => C:\Users\Admin\Pictures\ShowGrant.tiff.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Pictures\StopSet.tiff.WNCRYT => C:\Users\Admin\Pictures\StopSet.tiff.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\StopSet.tiff.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Pictures\UnblockExit.tif.WNCRYT => C:\Users\Admin\Pictures\UnblockExit.tif.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\UpdateGet.tiff ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Pictures\ExpandGet.png.WNCRYT => C:\Users\Admin\Pictures\ExpandGet.png.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File created C:\Users\Admin\Pictures\MountGrant.raw.WNCRYT ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Pictures\MountGrant.raw.WNCRYT => C:\Users\Admin\Pictures\MountGrant.raw.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\MountGrant.raw.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Pictures\PushUnregister.raw.WNCRYT => C:\Users\Admin\Pictures\PushUnregister.raw.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\PushUnregister.raw.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\ShowGrant.tiff.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File created C:\Users\Admin\Pictures\UnblockExit.tif.WNCRYT ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File created C:\Users\Admin\Pictures\UpdateGet.tiff.WNCRYT ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File renamed C:\Users\Admin\Pictures\UpdateGet.tiff.WNCRYT => C:\Users\Admin\Pictures\UpdateGet.tiff.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\StopSet.tiff ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File created C:\Users\Admin\Pictures\ExpandGet.png.WNCRYT ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File created C:\Users\Admin\Pictures\PushUnregister.raw.WNCRYT ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File created C:\Users\Admin\Pictures\ShowGrant.tiff.WNCRYT ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\UnblockExit.tif.WNCRY ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe File opened for modification C:\Users\Admin\Pictures\ShowGrant.tiff ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
Drops startup file 1 IoCs
Processes:
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBA0A.tmp ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
Loads dropped DLL 47 IoCs
Processes:
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execscript.execmd.exe@WanaDecryptor@.exetaskhsvc.exechrome.exesoftware_reporter_tool.exepid process 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2120 cscript.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2460 cmd.exe 2460 cmd.exe 2284 @WanaDecryptor@.exe 2284 @WanaDecryptor@.exe 2948 taskhsvc.exe 2948 taskhsvc.exe 2948 taskhsvc.exe 2948 taskhsvc.exe 2948 taskhsvc.exe 2948 taskhsvc.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 1376 chrome.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 980 software_reporter_tool.exe 980 software_reporter_tool.exe 980 software_reporter_tool.exe 980 software_reporter_tool.exe 980 software_reporter_tool.exe 980 software_reporter_tool.exe 980 software_reporter_tool.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe 2680 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yqdbhvadqux735 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\"" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run reg.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@WanaDecryptor@.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" @WanaDecryptor@.exe -
Drops file in Windows directory 2 IoCs
Processes:
chrome.exechrome.exedescription ioc process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico chrome.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico chrome.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 2356 vssadmin.exe -
Modifies registry class 64 IoCs
Processes:
chrome.exechrome.exerundll32.exerundll32.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48" chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257" chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache rundll32.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.md rundll32.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0" chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\md_auto_file\shell\Read\command rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202020202020202020202 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\md_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\.md\ = "md_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "26" chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26 chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg chrome.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\md_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202020202020202020202 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1" chrome.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\md_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\md_auto_file\shell\Read rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\26\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" chrome.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exetaskhsvc.exesoftware_reporter_tool.exepid process 1164 chrome.exe 1376 chrome.exe 1376 chrome.exe 1756 chrome.exe 1620 chrome.exe 1376 chrome.exe 1376 chrome.exe 2752 chrome.exe 2840 chrome.exe 2932 chrome.exe 1868 chrome.exe 1604 chrome.exe 2536 chrome.exe 2400 chrome.exe 2384 chrome.exe 1468 chrome.exe 2948 taskhsvc.exe 2948 taskhsvc.exe 2948 taskhsvc.exe 1856 software_reporter_tool.exe 1856 software_reporter_tool.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
Processes:
rundll32.exechrome.exechrome.exe@WanaDecryptor@.exepid process 1316 rundll32.exe 2384 chrome.exe 1468 chrome.exe 320 @WanaDecryptor@.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
Processes:
AUDIODG.EXEtaskse.exevssvc.exeWMIC.exetaskse.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exetaskse.exesoftware_reporter_tool.exetaskse.exedescription pid process Token: 33 2764 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2764 AUDIODG.EXE Token: 33 2764 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 2764 AUDIODG.EXE Token: SeTcbPrivilege 1456 taskse.exe Token: SeTcbPrivilege 1456 taskse.exe Token: SeBackupPrivilege 1520 vssvc.exe Token: SeRestorePrivilege 1520 vssvc.exe Token: SeAuditPrivilege 1520 vssvc.exe Token: SeIncreaseQuotaPrivilege 680 WMIC.exe Token: SeSecurityPrivilege 680 WMIC.exe Token: SeTakeOwnershipPrivilege 680 WMIC.exe Token: SeLoadDriverPrivilege 680 WMIC.exe Token: SeSystemProfilePrivilege 680 WMIC.exe Token: SeSystemtimePrivilege 680 WMIC.exe Token: SeProfSingleProcessPrivilege 680 WMIC.exe Token: SeIncBasePriorityPrivilege 680 WMIC.exe Token: SeCreatePagefilePrivilege 680 WMIC.exe Token: SeBackupPrivilege 680 WMIC.exe Token: SeRestorePrivilege 680 WMIC.exe Token: SeShutdownPrivilege 680 WMIC.exe Token: SeDebugPrivilege 680 WMIC.exe Token: SeSystemEnvironmentPrivilege 680 WMIC.exe Token: SeRemoteShutdownPrivilege 680 WMIC.exe Token: SeUndockPrivilege 680 WMIC.exe Token: SeManageVolumePrivilege 680 WMIC.exe Token: 33 680 WMIC.exe Token: 34 680 WMIC.exe Token: 35 680 WMIC.exe Token: SeIncreaseQuotaPrivilege 680 WMIC.exe Token: SeSecurityPrivilege 680 WMIC.exe Token: SeTakeOwnershipPrivilege 680 WMIC.exe Token: SeLoadDriverPrivilege 680 WMIC.exe Token: SeSystemProfilePrivilege 680 WMIC.exe Token: SeSystemtimePrivilege 680 WMIC.exe Token: SeProfSingleProcessPrivilege 680 WMIC.exe Token: SeIncBasePriorityPrivilege 680 WMIC.exe Token: SeCreatePagefilePrivilege 680 WMIC.exe Token: SeBackupPrivilege 680 WMIC.exe Token: SeRestorePrivilege 680 WMIC.exe Token: SeShutdownPrivilege 680 WMIC.exe Token: SeDebugPrivilege 680 WMIC.exe Token: SeSystemEnvironmentPrivilege 680 WMIC.exe Token: SeRemoteShutdownPrivilege 680 WMIC.exe Token: SeUndockPrivilege 680 WMIC.exe Token: SeManageVolumePrivilege 680 WMIC.exe Token: 33 680 WMIC.exe Token: 34 680 WMIC.exe Token: 35 680 WMIC.exe Token: SeTcbPrivilege 2364 taskse.exe Token: SeTcbPrivilege 2364 taskse.exe Token: 33 2936 software_reporter_tool.exe Token: SeIncBasePriorityPrivilege 2936 software_reporter_tool.exe Token: 33 1856 software_reporter_tool.exe Token: SeIncBasePriorityPrivilege 1856 software_reporter_tool.exe Token: 33 980 software_reporter_tool.exe Token: SeIncBasePriorityPrivilege 980 software_reporter_tool.exe Token: SeTcbPrivilege 2640 taskse.exe Token: SeTcbPrivilege 2640 taskse.exe Token: 33 1812 software_reporter_tool.exe Token: SeIncBasePriorityPrivilege 1812 software_reporter_tool.exe Token: SeTcbPrivilege 1820 taskse.exe Token: SeTcbPrivilege 1820 taskse.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exepid process 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe -
Suspicious use of SendNotifyMessage 48 IoCs
Processes:
chrome.exepid process 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe 1376 chrome.exe -
Suspicious use of SetWindowsHookEx 17 IoCs
Processes:
AcroRd32.exechrome.exechrome.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exepid process 2332 AcroRd32.exe 2332 AcroRd32.exe 2384 chrome.exe 2384 chrome.exe 2384 chrome.exe 2384 chrome.exe 1468 chrome.exe 1468 chrome.exe 2284 @WanaDecryptor@.exe 2284 @WanaDecryptor@.exe 3064 @WanaDecryptor@.exe 3064 @WanaDecryptor@.exe 320 @WanaDecryptor@.exe 320 @WanaDecryptor@.exe 2704 @WanaDecryptor@.exe 2808 @WanaDecryptor@.exe 2616 @WanaDecryptor@.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 1376 wrote to memory of 1356 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1356 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1356 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 524 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1164 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1164 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1164 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe PID 1376 wrote to memory of 1656 1376 chrome.exe chrome.exe -
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.misp-project.org/feeds/1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefaff4f50,0x7fefaff4f60,0x7fefaff4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1116 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1220 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3404 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=540 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3112 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2600 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3340 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3348 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3892 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2100 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1384 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3048 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=984 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1012 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4304 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3828 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=944 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=500 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4164 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4024 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8260 /prefetch:82⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:82⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1100,9469416980249844330,353971939641628766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6736 /prefetch:82⤵
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=x4td1TetIPRQ8m9U8jXxbHWdLPYD4daz4XkLH+gY --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=104.288.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x13fbf2d20,0x13fbf2d30,0x13fbf2d403⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1856_LZSRMKMAUVEFBTYC" --sandboxed-process-id=2 --init-done-notifier=492 --sandbox-mojo-pipe-token=16475304952072240334 --mojo-platform-channel-handle=468 --engine=23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1856_LZSRMKMAUVEFBTYC" --sandboxed-process-id=3 --init-done-notifier=652 --sandbox-mojo-pipe-token=2483820531181304927 --mojo-platform-channel-handle=6483⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2fc1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5741⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_theZoo-master.zip\theZoo-master\malware\Binaries\Ransomware.WannaCry\Ransomware.WannaCry.pass1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_theZoo-master.zip\theZoo-master\requirements.txt1⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Temp1_theZoo-master.zip\theZoo-master\README.md1⤵
- Modifies registry class
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_theZoo-master.zip\theZoo-master\README.md"2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_theZoo-master.zip\theZoo-master\requirements.txt1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_theZoo-master.zip\theZoo-master\requirements.txt1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c 131611662141340.bat2⤵
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe@WanaDecryptor@.exe co2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @WanaDecryptor@.exe vs2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe@WanaDecryptor@.exe vs3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe@WanaDecryptor@.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yqdbhvadqux735" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yqdbhvadqux735" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe@WanaDecryptor@.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe@WanaDecryptor@.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe@WanaDecryptor@.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_1376_RZLBKBCEIFXXDNXDMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/320-93-0x0000000000000000-mapping.dmp
-
memory/680-100-0x0000000000000000-mapping.dmp
-
memory/860-65-0x0000000000000000-mapping.dmp
-
memory/980-128-0x000000013FBF6000-0x000000013FBF7000-memory.dmpFilesize
4KB
-
memory/980-129-0x000000013FBF6000-0x000000013FBF7000-memory.dmpFilesize
4KB
-
memory/980-130-0x0000000000000000-mapping.dmp
-
memory/1316-55-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmpFilesize
8KB
-
memory/1456-92-0x0000000000000000-mapping.dmp
-
memory/1812-154-0x0000000000000000-mapping.dmp
-
memory/1812-152-0x000000013FBF6000-0x000000013FBF7000-memory.dmpFilesize
4KB
-
memory/1812-153-0x000000013FBF6000-0x000000013FBF7000-memory.dmpFilesize
4KB
-
memory/1820-155-0x0000000000000000-mapping.dmp
-
memory/1856-109-0x0000000000000000-mapping.dmp
-
memory/1904-108-0x0000000000000000-mapping.dmp
-
memory/2120-73-0x0000000000000000-mapping.dmp
-
memory/2184-72-0x0000000000000000-mapping.dmp
-
memory/2204-96-0x0000000000000000-mapping.dmp
-
memory/2240-64-0x0000000000000000-mapping.dmp
-
memory/2284-75-0x0000000000000000-mapping.dmp
-
memory/2332-61-0x0000000075091000-0x0000000075093000-memory.dmpFilesize
8KB
-
memory/2332-60-0x0000000000000000-mapping.dmp
-
memory/2356-99-0x0000000000000000-mapping.dmp
-
memory/2364-105-0x0000000000000000-mapping.dmp
-
memory/2460-76-0x0000000000000000-mapping.dmp
-
memory/2472-94-0x0000000000000000-mapping.dmp
-
memory/2540-134-0x0000000000000000-mapping.dmp
-
memory/2616-156-0x0000000000000000-mapping.dmp
-
memory/2640-131-0x0000000000000000-mapping.dmp
-
memory/2680-67-0x0000000010000000-0x0000000010010000-memory.dmpFilesize
64KB
-
memory/2704-106-0x0000000000000000-mapping.dmp
-
memory/2704-158-0x0000000000000000-mapping.dmp
-
memory/2792-97-0x0000000000000000-mapping.dmp
-
memory/2808-132-0x0000000000000000-mapping.dmp
-
memory/2924-71-0x0000000000000000-mapping.dmp
-
memory/2936-110-0x0000000000000000-mapping.dmp
-
memory/2948-102-0x0000000073FE0000-0x00000000741FC000-memory.dmpFilesize
2.1MB
-
memory/2948-89-0x0000000073F50000-0x0000000073FD2000-memory.dmpFilesize
520KB
-
memory/2948-86-0x0000000000310000-0x000000000060E000-memory.dmpFilesize
3.0MB
-
memory/2948-85-0x0000000073F20000-0x0000000073F42000-memory.dmpFilesize
136KB
-
memory/2948-104-0x0000000000310000-0x000000000060E000-memory.dmpFilesize
3.0MB
-
memory/2948-84-0x0000000073F50000-0x0000000073FD2000-memory.dmpFilesize
520KB
-
memory/2948-83-0x0000000073FE0000-0x00000000741FC000-memory.dmpFilesize
2.1MB
-
memory/2948-82-0x00000000742A0000-0x0000000074322000-memory.dmpFilesize
520KB
-
memory/2948-103-0x0000000073F50000-0x0000000073FD2000-memory.dmpFilesize
520KB
-
memory/2948-88-0x0000000073FE0000-0x00000000741FC000-memory.dmpFilesize
2.1MB
-
memory/2948-101-0x00000000742A0000-0x0000000074322000-memory.dmpFilesize
520KB
-
memory/2948-80-0x0000000000000000-mapping.dmp
-
memory/2948-161-0x0000000000310000-0x000000000060E000-memory.dmpFilesize
3.0MB
-
memory/2948-87-0x00000000742A0000-0x0000000074322000-memory.dmpFilesize
520KB
-
memory/2948-90-0x0000000073F20000-0x0000000073F42000-memory.dmpFilesize
136KB
-
memory/2948-160-0x0000000073FE0000-0x00000000741FC000-memory.dmpFilesize
2.1MB
-
memory/2948-91-0x0000000000310000-0x000000000060E000-memory.dmpFilesize
3.0MB
-
memory/3040-98-0x0000000000000000-mapping.dmp
-
memory/3064-78-0x0000000000000000-mapping.dmp