Resubmissions
02-12-2022 16:07
221202-tkqjssge4v 1002-12-2022 14:05
221202-rd1p3shf7w 802-12-2022 13:33
221202-qtte9scb96 10Analysis
-
max time kernel
1097s -
max time network
1092s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system -
submitted
02-12-2022 16:07
Static task
static1
General
-
Target
WP#5563.html
-
Size
1.3MB
-
MD5
95ed47cde1fb0eb6dacc8b4670ebb6b7
-
SHA1
521c360dcaa32e3eff2f428b86f8addd4ab8be6b
-
SHA256
e9aa4f42f9605ed58f0b2a834f661456338208afc9d5397c490c80f617359e52
-
SHA512
134dd937ef7261413a69503305e250aab3e181821b507c5a4519854ebc2c0ce07d0bbea3f15f3996178e9b027aa4e9cbb8aba7e966d11f68db7264c6e2652998
-
SSDEEP
24576:mJ2sDzVQSb1YgNQPBNbCmsJOGXwllO3gmpeV+3uYNYhtpVE:m8mNtlmSOZi7pt+/u
Malware Config
Extracted
qakbot
404.46
obama224
1669794048
75.161.233.194:995
216.82.134.218:443
174.104.184.149:443
173.18.126.3:443
87.202.101.164:50000
172.90.139.138:2222
184.153.132.82:443
185.135.120.81:443
24.228.132.224:2222
87.223.84.190:443
178.153.195.40:443
24.64.114.59:2222
77.126.81.208:443
75.99.125.235:2222
173.239.94.212:443
98.145.23.67:443
109.177.245.176:2222
72.200.109.104:443
12.172.173.82:993
82.11.242.219:443
92.149.205.238:2222
183.82.100.110:2222
176.142.207.63:443
92.24.200.226:995
69.119.123.159:2222
91.169.12.198:32100
64.121.161.102:443
124.122.55.68:443
12.172.173.82:995
85.231.105.49:2222
94.63.65.146:443
176.133.4.230:995
213.67.255.57:2222
90.89.95.158:2222
156.217.158.177:995
88.126.94.4:50000
87.57.13.215:443
102.159.83.36:443
121.122.99.223:995
216.196.245.102:2222
12.172.173.82:465
78.69.251.252:2222
76.80.180.154:995
75.143.236.149:443
109.11.175.42:2222
221.161.103.6:443
74.92.243.113:50000
75.98.154.19:443
47.41.154.250:443
49.175.72.56:443
81.229.117.95:2222
92.189.214.236:2222
83.92.85.93:443
108.162.6.34:443
84.35.26.14:995
136.232.184.134:995
188.54.99.243:995
93.24.192.142:20
75.84.234.68:443
71.31.101.183:443
80.13.179.151:2222
184.155.91.69:443
76.100.159.250:443
24.64.114.59:3389
46.246.245.152:995
70.115.104.126:995
197.2.209.208:995
50.90.249.161:443
70.66.199.12:443
216.196.245.102:2083
182.66.197.35:443
142.161.27.232:2222
76.127.192.23:443
92.207.132.174:2222
174.77.209.5:443
12.172.173.82:21
199.83.165.233:443
74.66.134.24:443
77.86.98.236:443
90.104.22.28:2222
71.247.10.63:50003
108.6.249.139:443
184.176.154.83:995
81.198.136.151:995
80.0.74.165:443
71.247.10.63:995
174.58.146.57:443
69.133.162.35:443
50.68.204.71:995
24.64.114.59:61202
47.34.30.133:443
12.172.173.82:50001
75.158.15.211:443
216.196.245.102:2078
181.164.194.228:443
193.154.207.221:443
213.191.164.70:443
197.92.135.188:443
172.117.139.142:995
76.20.42.45:443
24.64.114.59:2078
73.36.196.11:443
58.247.115.126:995
73.155.10.79:443
92.98.72.220:2222
84.113.121.103:443
2.50.47.109:443
12.172.173.82:990
106.212.18.255:995
98.147.155.235:443
92.106.70.62:2222
108.44.207.232:443
24.206.27.39:443
130.43.99.103:995
50.68.204.71:993
71.46.234.171:443
108.162.6.34:995
24.142.218.202:443
166.62.145.54:443
-
salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
ChromeRecovery.exepid process 3736 ChromeRecovery.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 4532 rundll32.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
WScript.exemspaint.exedescription ioc process File opened (read-only) \??\E: WScript.exe File opened (read-only) \??\E: mspaint.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Drops file in Program Files directory 7 IoCs
Processes:
elevation_service.exedescription ioc process File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\_metadata\verified_contents.json elevation_service.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\ChromeRecoveryCRX.crx elevation_service.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\ChromeRecovery.exe elevation_service.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\ChromeRecovery.exe elevation_service.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\manifest.json elevation_service.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\manifest.json elevation_service.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\_metadata\verified_contents.json elevation_service.exe -
Drops file in Windows directory 4 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exedescription ioc process File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2824 4036 WerFault.exe PaintStudio.View.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
svchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Processes:
MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
svchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exePaintStudio.View.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8115012d7106d901 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = f2d735327106d901 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "2zw1toc" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1e7cea407106d901 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 4057dfd6d01fd901 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "376776765" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content PaintStudio.View.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1851fa267106d901 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "376840310" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "376807973" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{2B774733-B369-4C78-A217-573A3F52270F}" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache PaintStudio.View.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 03bc80556daed801 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration MicrosoftEdge.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 868 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
PaintStudio.View.exepid process 4036 PaintStudio.View.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exepowershell.exerundll32.exewermgr.exepid process 5068 chrome.exe 5068 chrome.exe 2500 chrome.exe 2500 chrome.exe 4560 chrome.exe 4560 chrome.exe 5112 chrome.exe 5112 chrome.exe 4176 chrome.exe 4176 chrome.exe 3952 chrome.exe 3952 chrome.exe 2500 chrome.exe 2500 chrome.exe 3992 chrome.exe 3992 chrome.exe 4004 chrome.exe 4004 chrome.exe 68 chrome.exe 68 chrome.exe 68 chrome.exe 68 chrome.exe 748 powershell.exe 748 powershell.exe 748 powershell.exe 4532 rundll32.exe 4532 rundll32.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe 4288 wermgr.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
MicrosoftEdgeCP.exerundll32.exepid process 1892 MicrosoftEdgeCP.exe 1892 MicrosoftEdgeCP.exe 1892 MicrosoftEdgeCP.exe 1892 MicrosoftEdgeCP.exe 4532 rundll32.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes:
chrome.exepid process 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes:
powershell.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exepowershell.exepowershell_ise.exePaintStudio.View.exedescription pid process Token: SeDebugPrivilege 748 powershell.exe Token: SeDebugPrivilege 4692 MicrosoftEdge.exe Token: SeDebugPrivilege 4692 MicrosoftEdge.exe Token: SeDebugPrivilege 4692 MicrosoftEdge.exe Token: SeDebugPrivilege 4692 MicrosoftEdge.exe Token: SeDebugPrivilege 1136 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1136 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1136 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 1136 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2104 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2104 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2104 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 2104 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4692 MicrosoftEdge.exe Token: SeDebugPrivilege 3932 powershell.exe Token: SeDebugPrivilege 4984 powershell_ise.exe Token: SeDebugPrivilege 4036 PaintStudio.View.exe Token: SeDebugPrivilege 4036 PaintStudio.View.exe Token: SeDebugPrivilege 4036 PaintStudio.View.exe -
Suspicious use of FindShellTrayWindow 44 IoCs
Processes:
chrome.exepid process 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe -
Suspicious use of SendNotifyMessage 34 IoCs
Processes:
chrome.exepid process 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe 2500 chrome.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exemspaint.exePaintStudio.View.exepid process 4692 MicrosoftEdge.exe 1892 MicrosoftEdgeCP.exe 1892 MicrosoftEdgeCP.exe 4476 mspaint.exe 4036 PaintStudio.View.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 2500 wrote to memory of 2780 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 2780 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5060 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5068 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 5068 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe PID 2500 wrote to memory of 3908 2500 chrome.exe chrome.exe
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Users\Admin\AppData\Local\Temp\WP#5563.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa9ca24f50,0x7ffa9ca24f60,0x7ffa9ca24f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1700 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4092 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4120 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=772 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4740 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5044 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5052 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1556 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5820 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5968 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5960 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5932 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1732 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2400 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,13443464914330391645,7881150001469153313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:82⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "E:\WP.vbs"1⤵
- Enumerates connected drives
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass metaphysic\\environmentalists.ps12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\users\public\untroubledlyHousetop.txt DrawThemeIcon3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\wermgr.exeC:\Windows\SysWOW64\wermgr.exe4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" E:\WP.vbs1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={d46e56c4-5203-43fb-8581-f19f16aee746} --system2⤵
- Executes dropped EXE
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\untroubledlyHousetop.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" E:\WP.vbs1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" E:\metaphysic\readme.txt1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" E:\metaphysic\choked.txt1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "E:\metaphysic\environmentalists.ps1"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" E:\metaphysic\preyed.txt1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "E:\metaphysic\simmers.jpg" /ForceBootstrapPaint3D1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4036 -s 35642⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir508_1152959119\ChromeRecovery.exeFilesize
253KB
MD549ac3c96d270702a27b4895e4ce1f42a
SHA155b90405f1e1b72143c64113e8bc65608dd3fd76
SHA25682aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
SHA512b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3Filesize
141KB
MD5ea1c1ffd3ea54d1fb117bfdbb3569c60
SHA110958b0f690ae8f5240e1528b1ccffff28a33272
SHA2567c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d
SHA5126c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD56bf0e5945fb9da68e1b03bdaed5f6f8d
SHA1eed3802c8e4abe3b327c100c99c53d3bbcf8a33d
SHA256dda58fd16fee83a65c05936b1a070187f2c360024650ecaf857c5e060a6a55f1
SHA512977a393fdad2b162aa42194ddad6ec8bcab24f81980ff01b1c22c4d59ac268bb5ce947105c968de1a8a66b35023280a1e7709dfea5053385f87141389ebecb25
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
45KB
MD50b5d94d20be9eecbaed3dddd04143f07
SHA1c677d0355f4cc7301075a554adc889bce502e15a
SHA2563c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c
SHA512395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916
-
C:\Users\Public\untroubledlyHousetop.txtFilesize
4KB
MD5d7ad78ef183912c14f835f495eb23edf
SHA1b8993dee6ef7dcf32af033506b599bcccb6cfd1c
SHA256c3255453a92d467275698153ce1991d1bb598429040e2871ecfb871d915c62e3
SHA51202e17eda487db734f55906d9b0f254c0d0238cdcae11dcb3ffc52fd5638def040a372d065899c8b3c67b988d5e26f6f1c5a2eec81429b7bd29421dbaa45a2bed
-
C:\users\public\untroubledlyHousetop.txtFilesize
577KB
MD50125f1347902aa693cebd76d9c4c0616
SHA1679f4ea4b00b8940a8cbe222dc0d5f2d58a361b3
SHA256bc09025357744618728ca95b83e281847d749d3dbbfd3118674c901079735c7d
SHA5123f34ff6685f5c2d088aeb315217c6104acd0c507790e7891e2657b99eb0e4a22bc702bfae5b9bef7e5fc2cdb6e759e32c1270bf0e082e45baa9e8eabfed4099c
-
\??\pipe\crashpad_2500_HLSQUPMDPXUWLGBRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Public\untroubledlyHousetop.txtFilesize
577KB
MD50125f1347902aa693cebd76d9c4c0616
SHA1679f4ea4b00b8940a8cbe222dc0d5f2d58a361b3
SHA256bc09025357744618728ca95b83e281847d749d3dbbfd3118674c901079735c7d
SHA5123f34ff6685f5c2d088aeb315217c6104acd0c507790e7891e2657b99eb0e4a22bc702bfae5b9bef7e5fc2cdb6e759e32c1270bf0e082e45baa9e8eabfed4099c
-
memory/748-145-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-166-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-125-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-126-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-127-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-128-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-129-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-130-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-131-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-133-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-134-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-132-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-135-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-136-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-137-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-138-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-139-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-140-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-141-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-142-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-143-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-144-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-123-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-146-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-148-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-149-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-151-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-152-0x0000000005030000-0x0000000005066000-memory.dmpFilesize
216KB
-
memory/748-153-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-154-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-155-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-156-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-157-0x0000000007B90000-0x00000000081B8000-memory.dmpFilesize
6.2MB
-
memory/748-158-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-159-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-160-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-161-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-162-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-163-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-164-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-165-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-183-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-167-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-168-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-169-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-116-0x0000000000000000-mapping.dmp
-
memory/748-181-0x0000000008740000-0x0000000008A90000-memory.dmpFilesize
3.3MB
-
memory/748-172-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-173-0x0000000008540000-0x0000000008562000-memory.dmpFilesize
136KB
-
memory/748-174-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-175-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-176-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-177-0x00000000085E0000-0x0000000008646000-memory.dmpFilesize
408KB
-
memory/748-178-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-179-0x0000000008650000-0x00000000086B6000-memory.dmpFilesize
408KB
-
memory/748-180-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-117-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-185-0x0000000008DE0000-0x0000000008E2B000-memory.dmpFilesize
300KB
-
memory/748-124-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-184-0x0000000008DA0000-0x0000000008DBC000-memory.dmpFilesize
112KB
-
memory/748-182-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-186-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-187-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-188-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-189-0x0000000009060000-0x00000000090D6000-memory.dmpFilesize
472KB
-
memory/748-190-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-191-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-202-0x000000000A150000-0x000000000A1E4000-memory.dmpFilesize
592KB
-
memory/748-203-0x00000000034B0000-0x00000000034CA000-memory.dmpFilesize
104KB
-
memory/748-204-0x0000000009390000-0x00000000093B2000-memory.dmpFilesize
136KB
-
memory/748-205-0x000000000A6F0000-0x000000000ABEE000-memory.dmpFilesize
5.0MB
-
memory/748-118-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-122-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-121-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-119-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/748-120-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/3736-359-0x0000000000000000-mapping.dmp
-
memory/3932-546-0x0000000007570000-0x00000000078C0000-memory.dmpFilesize
3.3MB
-
memory/3932-619-0x00000000098D0000-0x0000000009975000-memory.dmpFilesize
660KB
-
memory/3932-614-0x0000000009870000-0x000000000988E000-memory.dmpFilesize
120KB
-
memory/3932-613-0x0000000009890000-0x00000000098C3000-memory.dmpFilesize
204KB
-
memory/3932-825-0x0000000009A40000-0x0000000009A5A000-memory.dmpFilesize
104KB
-
memory/3932-830-0x0000000009A30000-0x0000000009A38000-memory.dmpFilesize
32KB
-
memory/3932-566-0x0000000008B30000-0x0000000008B6C000-memory.dmpFilesize
240KB
-
memory/3932-549-0x0000000007E70000-0x0000000007EBB000-memory.dmpFilesize
300KB
-
memory/4288-355-0x0000000002E70000-0x0000000002E9A000-memory.dmpFilesize
168KB
-
memory/4288-342-0x0000000002E70000-0x0000000002E9A000-memory.dmpFilesize
168KB
-
memory/4288-296-0x0000000000000000-mapping.dmp
-
memory/4532-234-0x0000000000000000-mapping.dmp
-
memory/4532-293-0x00000000030D0000-0x00000000030FD000-memory.dmpFilesize
180KB
-
memory/4532-338-0x0000000003100000-0x000000000312A000-memory.dmpFilesize
168KB
-
memory/4532-294-0x0000000003100000-0x000000000312A000-memory.dmpFilesize
168KB
-
memory/4532-295-0x0000000003100000-0x000000000312A000-memory.dmpFilesize
168KB
-
memory/4692-171-0x000001A668600000-0x000001A668610000-memory.dmpFilesize
64KB
-
memory/4692-170-0x000001A667D20000-0x000001A667D30000-memory.dmpFilesize
64KB
-
memory/4984-867-0x000001B561D40000-0x000001B561D48000-memory.dmpFilesize
32KB
-
memory/4984-853-0x000001B55FB10000-0x000001B55FB5A000-memory.dmpFilesize
296KB
-
memory/4984-855-0x000001B55FB60000-0x000001B55FB98000-memory.dmpFilesize
224KB
-
memory/4984-856-0x000001B55FAD0000-0x000001B55FAD8000-memory.dmpFilesize
32KB
-
memory/4984-857-0x000001B561A00000-0x000001B561A22000-memory.dmpFilesize
136KB
-
memory/4984-858-0x000001B561AB0000-0x000001B561B26000-memory.dmpFilesize
472KB
-
memory/4984-859-0x000001B55FBC0000-0x000001B55FBC8000-memory.dmpFilesize
32KB
-
memory/4984-860-0x000001B55FBD0000-0x000001B55FBD8000-memory.dmpFilesize
32KB
-
memory/4984-861-0x000001B561C00000-0x000001B561C08000-memory.dmpFilesize
32KB
-
memory/4984-854-0x000001B55F9A0000-0x000001B55F9AE000-memory.dmpFilesize
56KB
-
memory/4984-863-0x000001B561D20000-0x000001B561D3C000-memory.dmpFilesize
112KB
-
memory/4984-864-0x000001B561DE0000-0x000001B561E99000-memory.dmpFilesize
740KB
-
memory/4984-865-0x000001B561D20000-0x000001B561D2A000-memory.dmpFilesize
40KB
-
memory/4984-866-0x000001B561D40000-0x000001B561D5C000-memory.dmpFilesize
112KB
-
memory/4984-852-0x000001B543260000-0x000001B543298000-memory.dmpFilesize
224KB
-
memory/4984-868-0x000001B561EC0000-0x000001B561EDA000-memory.dmpFilesize
104KB
-
memory/4984-869-0x000001B561EC0000-0x000001B561EC6000-memory.dmpFilesize
24KB
-
memory/4984-870-0x000001B561ED0000-0x000001B561EDA000-memory.dmpFilesize
40KB
-
memory/4984-873-0x000001B561EE0000-0x000001B561EF2000-memory.dmpFilesize
72KB
-
memory/4984-874-0x000001B564EF0000-0x000001B564F2E000-memory.dmpFilesize
248KB