redline | hxxps://www[.]youtube[.]com/channel/UCn2OJocEFxegDrjKZMIfnLw

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
suricata

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/3784-298-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3784-298-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/3540-272-0x0000000000800000-0x00000000008D5000-memory.dmp	family_vidar
behavioral1/memory/3540-273-0x0000000000400000-0x0000000000541000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 53 IoCs

Processes:

HeavyLoad-x64-Setup.exeHeavyLoad-x64-Setup.tmpHeavyLoad.exeHeavyLoad.exeChromeRecovery.exeGoogleUpdateSetup.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeOCCT.exeGoogleUpdate.exeGoogleUpdateSetup.exeGoogleCrashHandler.exeGoogleCrashHandler64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exesetup_installer.exesetup_install.exeTue11613d9e9315.exe635acfe2-0f18-4475-8d22-b0b77b85c6f8.exeTue1181d1ee600618.exeTue113f25663d02bda9.exeTue11e2f08af432365bf.exeTue11119e53660048.exeTue110d5a53e57.exeTue1175225f38ae9334b.exeTue116b0a7643.exeTue1175225f38ae9334b.tmpTue11119e53660048.exeTue117c930640992.exeTue1175225f38ae9334b.exeTue11ea5e6d491.exeTue112399042edee163a.exeTue116ece1bdb4f8.exeTue117c930640992.exeTue1175225f38ae9334b.tmp11111.exewindllhost.exeTue116ece1bdb4f8.exe40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe1d2495dd-46a7-4d2e-89c9-2af73ed7917e.exe

pid	process
2960	HeavyLoad-x64-Setup.exe
1428	HeavyLoad-x64-Setup.tmp
844	HeavyLoad.exe
2676	HeavyLoad.exe
4256	ChromeRecovery.exe
4960	GoogleUpdateSetup.exe
3328	GoogleUpdate.exe
4472	GoogleUpdate.exe
4944	GoogleUpdate.exe
2660	GoogleUpdateComRegisterShell64.exe
4348	GoogleUpdateComRegisterShell64.exe
5024	GoogleUpdateComRegisterShell64.exe
4892	GoogleUpdate.exe
2008	GoogleUpdate.exe
432	OCCT.exe
2760	GoogleUpdate.exe
2744	GoogleUpdateSetup.exe
3080	GoogleCrashHandler.exe
5012	GoogleCrashHandler64.exe
1864	GoogleUpdate.exe
680	GoogleUpdate.exe
200	GoogleUpdate.exe
5020	GoogleUpdate.exe
4296	GoogleUpdateComRegisterShell64.exe
4416	GoogleUpdateComRegisterShell64.exe
2516	GoogleUpdateComRegisterShell64.exe
1668	GoogleUpdate.exe
3044	setup_installer.exe
4988	setup_install.exe
3804	Tue11613d9e9315.exe
1516	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
2348	Tue1181d1ee600618.exe
3540	Tue113f25663d02bda9.exe
3868	Tue11e2f08af432365bf.exe
416	Tue11119e53660048.exe
3960	Tue110d5a53e57.exe
1988	Tue1175225f38ae9334b.exe
2096	Tue116b0a7643.exe
5012	Tue1175225f38ae9334b.tmp
164	Tue11119e53660048.exe
4068	Tue117c930640992.exe
1060	Tue1175225f38ae9334b.exe
2008	Tue11ea5e6d491.exe
2704	Tue112399042edee163a.exe
4880	Tue116ece1bdb4f8.exe
2744	Tue117c930640992.exe
4840	Tue1175225f38ae9334b.tmp
3784	11111.exe
3272	windllhost.exe
1516	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
3420	Tue116ece1bdb4f8.exe
1280	40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe
3176	1d2495dd-46a7-4d2e-89c9-2af73ed7917e.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2096-290-0x0000000000DC0000-0x0000000001967000-memory.dmp	vmprotect

Loads dropped DLL 37 IoCs

Processes:

GoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeOCCT.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exesetup_install.exeTue1175225f38ae9334b.tmpTue1175225f38ae9334b.tmprundll32.exeregsvr32.exe

pid	process
3328	GoogleUpdate.exe
4472	GoogleUpdate.exe
4944	GoogleUpdate.exe
2660	GoogleUpdateComRegisterShell64.exe
4944	GoogleUpdate.exe
4348	GoogleUpdateComRegisterShell64.exe
4944	GoogleUpdate.exe
5024	GoogleUpdateComRegisterShell64.exe
4944	GoogleUpdate.exe
4892	GoogleUpdate.exe
2008	GoogleUpdate.exe
432	OCCT.exe
2760	GoogleUpdate.exe
2760	GoogleUpdate.exe
2008	GoogleUpdate.exe
1864	GoogleUpdate.exe
680	GoogleUpdate.exe
200	GoogleUpdate.exe
5020	GoogleUpdate.exe
4296	GoogleUpdateComRegisterShell64.exe
5020	GoogleUpdate.exe
4416	GoogleUpdateComRegisterShell64.exe
5020	GoogleUpdate.exe
2516	GoogleUpdateComRegisterShell64.exe
5020	GoogleUpdate.exe
1668	GoogleUpdate.exe
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe
5012	Tue1175225f38ae9334b.tmp
4840	Tue1175225f38ae9334b.tmp
3952	rundll32.exe
3952	rundll32.exe
2540	regsvr32.exe
2540	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

294 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
294	ip-api.com

Drops file in System32 directory 14 IoCs

Processes:

WmiApSrv.exe

description	ioc	process
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WmiApSrv.exe
File created	C:\Windows\system32\perfc009.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfc00A.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfh007.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfh009.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfh00A.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfc011.dat	WmiApSrv.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WmiApSrv.exe
File created	C:\Windows\system32\PerfStringBackup.TMP	WmiApSrv.exe
File created	C:\Windows\system32\perfh011.dat	WmiApSrv.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WmiApSrv.exe
File created	C:\Windows\system32\perfc007.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfc00C.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfh00C.dat	WmiApSrv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Tue116b0a7643.exe40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe

pid process

2096 Tue116b0a7643.exe
1280 40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe

pid	process
2096	Tue116b0a7643.exe
1280	40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Tue117c930640992.exeTue116ece1bdb4f8.exe

description	pid	process	target process
PID 4068 set thread context of 2744	4068	Tue117c930640992.exe	Tue117c930640992.exe
PID 4880 set thread context of 3420	4880	Tue116ece1bdb4f8.exe	Tue116ece1bdb4f8.exe

Drops file in Program Files directory 64 IoCs

Processes:

GoogleUpdate.exeGoogleUpdateSetup.exeGoogleUpdate.exeGoogleUpdateSetup.exeTue1175225f38ae9334b.tmpHeavyLoad-x64-Setup.tmpelevation_service.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_vi.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\psuser_64.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_am.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_uk.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_sr.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleUpdate.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_id.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_no.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_de.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_sk.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_el.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Tue1175225f38ae9334b.tmp
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_th.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_ro.dll	GoogleUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\psmachine_64.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_pt-BR.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_pl.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_sv.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_ko.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_es.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_iw.dll	GoogleUpdate.exe
File created	C:\Program Files\JAM Software\HeavyLoad\is-60DMG.tmp	HeavyLoad-x64-Setup.tmp
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\psmachine_64.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_id.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_pl.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_ta.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_ml.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_sv.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_no.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_da.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_hr.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files\JAM Software\HeavyLoad\TreeSizeFree.chm	HeavyLoad-x64-Setup.tmp
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_zh-TW.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateOnDemand.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_mr.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_ms.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_cs.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_en.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_ur.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\GoogleUpdateSetup.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_nl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_sw.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\psmachine.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\psuser_64.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_ar.dll	GoogleUpdateSetup.exe
File created	C:\Program Files\JAM Software\HeavyLoad\LicenseFiles\Jedi Component Library\is-733DO.tmp	HeavyLoad-x64-Setup.tmp
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdate.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_et.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_fil.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleCrashHandler.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_lt.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\GoogleUpdateSetup.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_te.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\FarLabUninstaller\is-85174.tmp	Tue1175225f38ae9334b.tmp
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleUpdateSetup.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_sl.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_zh-CN.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_pt-PT.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_bn.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_fil.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_lv.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_sr.dll	GoogleUpdate.exe

Drops file in Windows directory 10 IoCs

Processes:

taskmgr.exetaskmgr.exetaskmgr.exeWmiApSrv.exeLogonUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WmiApSrv.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WmiApSrv.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\421858948\3551649488.pri	LogonUI.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WmiApSrv.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe635acfe2-0f18-4475-8d22-b0b77b85c6f8.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

LogonUI.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe

Modifies registry class 64 IoCs

Processes:

GoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation\IconReference = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.111\\goopdate.dll,-1004"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ = "ServiceModule"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ = "IAppBundle"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.111\\GoogleUpdateBroker.exe\""	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods\ = "10"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LOCALSERVER32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ = "IAppVersion"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\CurVer\ = "GoogleUpdate.OnDemandCOMClassSvc.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\NumMethods\ = "12"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID\ = "GoogleUpdate.Update3WebMachineFallback"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ = "IJobObserver2"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods\ = "8"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.112\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\ = "Update3COMClass"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\LocalService = "gupdate"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\CurVer\ = "GoogleUpdate.OnDemandCOMClassSvc.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods\ = "41"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID\ = "GoogleUpdate.CoreMachineClass.1"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8324F243-250C-4E97-915C-8220BAE15E18}\InprocHandler32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods\ = "16"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.112\\GoogleUpdateBroker.exe\""	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc\CLSID\ = "{1C4CDEFF-756A-4804-9E77-3E8EB9361016}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ = "ICoCreateAsync"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods\ = "5"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods\ = "4"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.112\\GoogleUpdateOnDemand.exe\""	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8324F243-250C-4E97-915C-8220BAE15E18}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

HeavyLoad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\87A63D9ADB627D777836153C680A3DFCF27DE90C	HeavyLoad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\87A63D9ADB627D777836153C680A3DFCF27DE90C\Blob = 03000000010000001400000087a63d9adb627d777836153c680a3dfcf27de90c2000000001000000ab040000308204a73082038fa003020102020e481b6a07a9424c1eaafef3cdf10f300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3136303631353030303030305a170d3234303631353030303030305a306e310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361314430420603550403133b476c6f62616c5369676e20457874656e6465642056616c69646174696f6e20436f64655369676e696e67204341202d20534841323536202d20473330820122300d06092a864886f70d01010105000382010f003082010a0282010100d9b7ba25ad94f35bbe41061c53ca0c108c514159337964f4579de4d525c4ec50845898727940e22f78d492ea260e9eae957cfbc4fd7144dd8c5fb7238b5ebbf4fc4bcb233dc37603f5d18c45bc71751d8bd28989bee3513dc6c88ab23135076eb9f5ba6a0df4109faed56249287bec57baab327cb17dd2a2560636eeb0efd06aaeeaab1fd60d9f7c96fbad70992d5d95f080d07946ec553accd338fb0407a807758282e0d07e77b88febd228fcae6d1468417f7643d748ba6044e1b772e8d0f020037bdadab40675c7b203def894c6688f5e7b9e9b9d36e0ced26bc6c66be91422b5717eb68f5a1fdbe76ef442109068e62b45104f73ba2cd7c5316a72dd63730203010001a38201633082015f300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030306082b0601050507030930120603551d130101ff040830060101ff020100301d0603551d0e04160414dc2c582c2a6f352d9f7995a8485dc46d3e53bfb9301f0603551d230418301680148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc303e06082b0601050507010104323030302e06082b060105050730018622687474703a2f2f6f637370322e676c6f62616c7369676e2e636f6d2f726f6f74723330360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f726f6f742d72332e63726c30620603551d20045b3059300b06092b06010401a03201023007060567810c0103304106092b06010401a032015f3034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f300d06092a864886f70d01010b050003820101007609c4cc2fd9ef1e4ba9f857f3403921ca4c3c1d9e292b20d42b44d288ce1a0d05cf8381bbeb69bc318d2ac4c744cc6060941ccfa1e102240ead5bbe2cc2271e67b7e8281f3251e339f398dfb89f2e8b2ab47b0a03bcbd36048fc9d09c4fa3022799b0f045e934dfe43aa3b70637d86f2a7990d4d44e5871ec53a96198f73969e0129c575872862729a51de532f32b99975abf2bb03cb406ea0e64ecb7cd65802417c2d937f5b1261035477b9a02ba54a24593ff79bf1a8cc59fb59fdf78e76b50f14794694b24b8da05e80c9d4f06ec4a31207e4f5d86842f35a3cd9cc184571f1fadc0e2a4b1ef296b2197a6d4feed0337b0fcf58d2abcdc8483e3dec3e75f	HeavyLoad.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 304 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	304	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeHeavyLoad-x64-Setup.tmpHeavyLoad.exeHeavyLoad.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeGoogleUpdate.exeGoogleUpdate.exechrome.exeGoogleUpdate.exeGoogleUpdate.exe

pid	process
4148	taskmgr.exe
4148	taskmgr.exe
4212	chrome.exe
4212	chrome.exe
3336	chrome.exe
3336	chrome.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4840	chrome.exe
4840	chrome.exe
4760	chrome.exe
4760	chrome.exe
3792	chrome.exe
3792	chrome.exe
5076	chrome.exe
5076	chrome.exe
3272	chrome.exe
3272	chrome.exe
1264	chrome.exe
1264	chrome.exe
2708	chrome.exe
2708	chrome.exe
1428	HeavyLoad-x64-Setup.tmp
1428	HeavyLoad-x64-Setup.tmp
844	HeavyLoad.exe
844	HeavyLoad.exe
2676	HeavyLoad.exe
2676	HeavyLoad.exe
2188	chrome.exe
2188	chrome.exe
612	chrome.exe
612	chrome.exe
4392	chrome.exe
4392	chrome.exe
1264	chrome.exe
1264	chrome.exe
4896	chrome.exe
4896	chrome.exe
2352	chrome.exe
2352	chrome.exe
3096	chrome.exe
3096	chrome.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
4892	GoogleUpdate.exe
4892	GoogleUpdate.exe
4832	chrome.exe
4832	chrome.exe
2008	GoogleUpdate.exe
2008	GoogleUpdate.exe
2760	GoogleUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1640
Suspicious behavior: LoadsDriver 12 IoCs

Processes:

pid process

644
644
644
644
644
644
644
644
644
644
644
644
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe

pid process

1516 635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe

pid	process
1640

pid	process
644
644
644
644
644
644
644
644
644
644
644
644

pid	process
1516	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

Processes:

chrome.exechrome.exe

pid	process
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exeGoogleUpdate.exeGoogleUpdate.exeOCCT.exeGoogleUpdate.exeGoogleUpdate.exeGoogleCrashHandler.exeGoogleCrashHandler64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exetaskmgr.exeTue110d5a53e57.exe

description	pid	process
Token: SeDebugPrivilege	4148	taskmgr.exe
Token: SeSystemProfilePrivilege	4148	taskmgr.exe
Token: SeCreateGlobalPrivilege	4148	taskmgr.exe
Token: 33	4148	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4148	taskmgr.exe
Token: SeDebugPrivilege	3328	GoogleUpdate.exe
Token: SeDebugPrivilege	3328	GoogleUpdate.exe
Token: SeDebugPrivilege	3328	GoogleUpdate.exe
Token: SeDebugPrivilege	3328	GoogleUpdate.exe
Token: SeDebugPrivilege	4892	GoogleUpdate.exe
Token: SeDebugPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeDebugPrivilege	2008	GoogleUpdate.exe
Token: SeDebugPrivilege	2760	GoogleUpdate.exe
Token: 33	3080	GoogleCrashHandler.exe
Token: SeIncBasePriorityPrivilege	3080	GoogleCrashHandler.exe
Token: 33	5012	GoogleCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	5012	GoogleCrashHandler64.exe
Token: SeDebugPrivilege	1864	GoogleUpdate.exe
Token: SeDebugPrivilege	680	GoogleUpdate.exe
Token: SeDebugPrivilege	680	GoogleUpdate.exe
Token: SeDebugPrivilege	680	GoogleUpdate.exe
Token: SeDebugPrivilege	1668	GoogleUpdate.exe
Token: SeDebugPrivilege	2308	taskmgr.exe
Token: SeSystemProfilePrivilege	2308	taskmgr.exe
Token: SeCreateGlobalPrivilege	2308	taskmgr.exe
Token: 33	2308	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2308	taskmgr.exe
Token: SeCreateTokenPrivilege	3960	Tue110d5a53e57.exe
Token: SeAssignPrimaryTokenPrivilege	3960	Tue110d5a53e57.exe
Token: SeLockMemoryPrivilege	3960	Tue110d5a53e57.exe
Token: SeIncreaseQuotaPrivilege	3960	Tue110d5a53e57.exe
Token: SeMachineAccountPrivilege	3960	Tue110d5a53e57.exe
Token: SeTcbPrivilege	3960	Tue110d5a53e57.exe
Token: SeSecurityPrivilege	3960	Tue110d5a53e57.exe
Token: SeTakeOwnershipPrivilege	3960	Tue110d5a53e57.exe
Token: SeLoadDriverPrivilege	3960	Tue110d5a53e57.exe
Token: SeSystemProfilePrivilege	3960	Tue110d5a53e57.exe
Token: SeSystemtimePrivilege	3960	Tue110d5a53e57.exe
Token: SeProfSingleProcessPrivilege	3960	Tue110d5a53e57.exe
Token: SeIncBasePriorityPrivilege	3960	Tue110d5a53e57.exe
Token: SeCreatePagefilePrivilege	3960	Tue110d5a53e57.exe
Token: SeCreatePermanentPrivilege	3960	Tue110d5a53e57.exe
Token: SeBackupPrivilege	3960	Tue110d5a53e57.exe
Token: SeRestorePrivilege	3960	Tue110d5a53e57.exe
Token: SeShutdownPrivilege	3960	Tue110d5a53e57.exe
Token: SeDebugPrivilege	3960	Tue110d5a53e57.exe
Token: SeAuditPrivilege	3960	Tue110d5a53e57.exe
Token: SeSystemEnvironmentPrivilege	3960	Tue110d5a53e57.exe
Token: SeChangeNotifyPrivilege	3960	Tue110d5a53e57.exe
Token: SeRemoteShutdownPrivilege	3960	Tue110d5a53e57.exe
Token: SeUndockPrivilege	3960	Tue110d5a53e57.exe
Token: SeSyncAgentPrivilege	3960	Tue110d5a53e57.exe
Token: SeEnableDelegationPrivilege	3960	Tue110d5a53e57.exe
Token: SeManageVolumePrivilege	3960	Tue110d5a53e57.exe
Token: SeImpersonatePrivilege	3960	Tue110d5a53e57.exe
Token: SeCreateGlobalPrivilege	3960	Tue110d5a53e57.exe
Token: 31	3960	Tue110d5a53e57.exe
Token: 32	3960	Tue110d5a53e57.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe

Suspicious use of SetWindowsHookEx 25 IoCs

Processes:

HeavyLoad.exeHeavyLoad.exesetup_installx86-x64.exesetup_installer.exesetup_install.exeTue11613d9e9315.exeTue11e2f08af432365bf.exeTue11119e53660048.exeTue110d5a53e57.exeTue1175225f38ae9334b.exeTue116b0a7643.exeTue1175225f38ae9334b.tmpTue11119e53660048.exeTue117c930640992.exeTue1175225f38ae9334b.exeTue11ea5e6d491.exeTue112399042edee163a.exeTue1175225f38ae9334b.tmpTue117c930640992.exe11111.exewindllhost.exe40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exeLogonUI.exe

pid	process
844	HeavyLoad.exe
2676	HeavyLoad.exe
2676	HeavyLoad.exe
3216	setup_installx86-x64.exe
3044	setup_installer.exe
4988	setup_install.exe
3804	Tue11613d9e9315.exe
3868	Tue11e2f08af432365bf.exe
416	Tue11119e53660048.exe
3960	Tue110d5a53e57.exe
1988	Tue1175225f38ae9334b.exe
2096	Tue116b0a7643.exe
5012	Tue1175225f38ae9334b.tmp
164	Tue11119e53660048.exe
4068	Tue117c930640992.exe
1060	Tue1175225f38ae9334b.exe
2008	Tue11ea5e6d491.exe
2704	Tue112399042edee163a.exe
4840	Tue1175225f38ae9334b.tmp
2744	Tue117c930640992.exe
3784	11111.exe
3272	windllhost.exe
1280	40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe
5312	LogonUI.exe
5312	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3336 wrote to memory of 3676	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 3676	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4220	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4212	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4212	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe
PID 3336 wrote to memory of 4340	3336	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffbf2374f50,0x7ffbf2374f60,0x7ffbf2374f70
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2212 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1524 /prefetch:2
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 /prefetch:8
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:8
2⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:8
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:8
2⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:8
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5828 /prefetch:8
2⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5992 /prefetch:8
2⤵
PID:2996

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff758cda890,0x7ff758cda8a0,0x7ff758cda8b0
3⤵
PID:696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:8
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:8
2⤵
PID:5028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5860 /prefetch:8
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
2⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
2⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue112399042edee163a.exe
Tue112399042edee163a.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5860 /prefetch:8
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4864 /prefetch:8
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Users\Admin\Downloads\HeavyLoad-x64-Setup.exe
"C:\Users\Admin\Downloads\HeavyLoad-x64-Setup.exe"
2⤵
- Executes dropped EXE
PID:2960

C:\Users\Admin\AppData\Local\Temp\is-F0BSU.tmp\HeavyLoad-x64-Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F0BSU.tmp\HeavyLoad-x64-Setup.tmp" /SL5="$90230,14724492,798208,C:\Users\Admin\Downloads\HeavyLoad-x64-Setup.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe
"C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe" /nogui /installcertificate
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:844

C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe
"C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
2⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2708

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbf2374f50,0x7ffbf2374f60,0x7ffbf2374f70
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:2
2⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 /prefetch:8
2⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:1
2⤵
PID:3812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
2⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1888 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3876 /prefetch:8
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3968 /prefetch:8
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3876 /prefetch:8
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
2⤵
PID:1280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2736 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
2⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3416 /prefetch:8
2⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 /prefetch:8
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 /prefetch:8
2⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3216 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Users\Admin\Downloads\OCCT.exe
"C:\Users\Admin\Downloads\OCCT.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 /prefetch:8
2⤵
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:8
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6232 /prefetch:8
2⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3880 /prefetch:8
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 /prefetch:8
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5228 /prefetch:2
2⤵
PID:664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4964 /prefetch:8
2⤵
PID:364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6804 /prefetch:8
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6200 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8
2⤵
PID:704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
2⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:8
2⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue116b0a7643.exe
Tue116b0a7643.exe
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
2⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11119e53660048.exe
Tue11119e53660048.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4008 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8
2⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
2⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6832 /prefetch:8
2⤵
PID:1908

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4512

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={5104f577-5b00-422b-b1aa-c41fb4e21592} --system
2⤵
- Executes dropped EXE
PID:4256

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\GoogleUpdateSetup.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\GoogleUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4960

C:\Program Files (x86)\Google\Temp\GUM255D.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM255D.tmp\GoogleUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4472

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4944

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2660

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4348

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5024

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEUxMTNDQzctREIwNi00Nzc3LUFDQzEtMTFGNjlBRTRCQTU2fSIgdXNlcmlkPSJ7NEM0MkZBMTUtRjkwQy00NkVBLUFCQ0YtRTlCNEMyQzgxRkU4fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezRDMjI5MDE5LUM2RDctNDA4OS1CMTcxLTJGREQ0M0JGOTM2Mn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMTExIi8-PC9hcHA-PC9yZXF1ZXN0Pg
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /machine /installsource chromerecovery
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Program Files (x86)\Google\Update\Install\{915D2872-3088-42B2-AADA-E638556CCEF6}\GoogleUpdateSetup.exe
"C:\Program Files (x86)\Google\Update\Install\{915D2872-3088-42B2-AADA-E638556CCEF6}\GoogleUpdateSetup.exe" /update /sessionid "{A1D55F03-6B1A-44EA-A0BC-741830E6302E}"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2744

C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleUpdate.exe" /update /sessionid "{A1D55F03-6B1A-44EA-A0BC-741830E6302E}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:200

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5020

C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4296

C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4416

C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2516

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTFENTVGMDMtNkIxQS00NEVBLUEwQkMtNzQxODMwRTYzMDJFfSIgdXNlcmlkPSJ7NEM0MkZBMTUtRjkwQy00NkVBLUFCQ0YtRTlCNEMyQzgxRkU4fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7M0I2RjI1NTctNTVCRi00RDg3LUIwMTUtMjRBNTI1OUFFQkM5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI0IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIxLjMuMzYuMTExIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE1MlIiIGluc3RhbGxhZ2U9IjE5IiBpbnN0YWxsZGF0ZT0iNTQ3NCIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTFENTVGMDMtNkIxQS00NEVBLUEwQkMtNzQxODMwRTYzMDJFfSIgdXNlcmlkPSJ7NEM0MkZBMTUtRjkwQy00NkVBLUFCQ0YtRTlCNEMyQzgxRkU4fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0IxODRFN0U5LTc3MkMtNEJBQi04NjRBLUJCQjYxRUUxOENCQ30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjExMSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMTIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIxNTJSIiBpbnN0YWxsYWdlPSIxOSIgaWlkPSJ7OEQ4QjE0NjAtMzA3NS00RjI3LUQ4MzEtOEMwMTU3QkIzNjYwfSIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi91cGRhdGUyL2FkeG1vbWZ0cmtvaW9kazdhd3l2YTNtejZ1dGFfMS4zLjM2LjExMi9Hb29nbGVVcGRhdGVTZXR1cC5leGUiIGRvd25sb2FkZWQ9IjEzNDEyNzIiIHRvdGFsPSIxMzQxMjcyIiBkb3dubG9hZF90aW1lX21zPSI0OTkiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzQy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE1MlIiIGluc3RhbGxhZ2U9IjE5IiBpaWQ9Ins4RDhCMTQ2MC0zMDc1LTRGMjctRDgzMS04QzAxNTdCQjM2NjB9Ij48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iOSIgZXJyb3Jjb2RlPSItMTYwNjIxOTc0OCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1632

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1184

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:4868

C:\Users\Admin\Desktop\setup_installx86-x64.exe
"C:\Users\Admin\Desktop\setup_installx86-x64.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3216

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
PID:3864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
PID:1004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue11613d9e9315.exe
4⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11613d9e9315.exe
Tue11613d9e9315.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3804

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue11171c1f250c59ea.exe
4⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11171c1f250c59ea.exe
Tue11171c1f250c59ea.exe
5⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue110d5a53e57.exe
4⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue110d5a53e57.exe
Tue110d5a53e57.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1181d1ee600618.exe
4⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1181d1ee600618.exe
Tue1181d1ee600618.exe
5⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\AppData\Local\635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
"C:\Users\Admin\AppData\Local\635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe"
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1516

C:\Users\Admin\AppData\Local\40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe
"C:\Users\Admin\AppData\Local\40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Users\Admin\AppData\Local\1d2495dd-46a7-4d2e-89c9-2af73ed7917e.exe
"C:\Users\Admin\AppData\Local\1d2495dd-46a7-4d2e-89c9-2af73ed7917e.exe"
6⤵
- Executes dropped EXE
PID:3176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue113f25663d02bda9.exe
4⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue113f25663d02bda9.exe
Tue113f25663d02bda9.exe
5⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue11e2f08af432365bf.exe
4⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11e2f08af432365bf.exe
Tue11e2f08af432365bf.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\UDZC3.CPL",
6⤵
PID:2776

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\UDZC3.CPL",
7⤵
- Loads dropped DLL
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue117c930640992.exe /mixtwo
4⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue117c930640992.exe
Tue117c930640992.exe /mixtwo
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue117c930640992.exe
Tue117c930640992.exe /mixtwo
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue116ece1bdb4f8.exe
4⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue112399042edee163a.exe
4⤵
PID:4932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue11ea5e6d491.exe
4⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue11119e53660048.exe
4⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1175225f38ae9334b.exe
4⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue116b0a7643.exe
4⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe
Tue1175225f38ae9334b.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Users\Admin\AppData\Local\Temp\is-TCH70.tmp\Tue1175225f38ae9334b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TCH70.tmp\Tue1175225f38ae9334b.tmp" /SL5="$903AC,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe" /SILENT
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Users\Admin\AppData\Local\Temp\is-VGJ83.tmp\Tue1175225f38ae9334b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VGJ83.tmp\Tue1175225f38ae9334b.tmp" /SL5="$503AE,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe" /SILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Users\Admin\AppData\Local\Temp\is-7I02G.tmp\windllhost.exe
"C:\Users\Admin\AppData\Local\Temp\is-7I02G.tmp\windllhost.exe" 77
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11119e53660048.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11119e53660048.exe" -u
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:164

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11ea5e6d491.exe
Tue11ea5e6d491.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -U /s .\yLCL~._
2⤵
- Loads dropped DLL
PID:2540

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue116ece1bdb4f8.exe
Tue116ece1bdb4f8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4880

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue116ece1bdb4f8.exe
C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue116ece1bdb4f8.exe
2⤵
- Executes dropped EXE
PID:3420

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a93055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe
MD5
9f28ccb0a1ed1374dd59d24b639c7cbf

SHA1
64b741be8898906ad38f81a729a134900f4a5da0

SHA256
48487a6a371505414beef5d28116eebdc7446e6cfa8bb984d491ad8498f98974

SHA512
d6b87adb9b29fc3a97a82c26b8ee0f86f0312a26140a9675c06570403918b843b44ec9172c6e94198eb2afa5aa5f4349d3655b186405505d5b56c17fb8e2806e

Download Submit
C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe
MD5
9f28ccb0a1ed1374dd59d24b639c7cbf

SHA1
64b741be8898906ad38f81a729a134900f4a5da0

SHA256
48487a6a371505414beef5d28116eebdc7446e6cfa8bb984d491ad8498f98974

SHA512
d6b87adb9b29fc3a97a82c26b8ee0f86f0312a26140a9675c06570403918b843b44ec9172c6e94198eb2afa5aa5f4349d3655b186405505d5b56c17fb8e2806e

Download Submit
C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe
MD5
9f28ccb0a1ed1374dd59d24b639c7cbf

SHA1
64b741be8898906ad38f81a729a134900f4a5da0

SHA256
48487a6a371505414beef5d28116eebdc7446e6cfa8bb984d491ad8498f98974

SHA512
d6b87adb9b29fc3a97a82c26b8ee0f86f0312a26140a9675c06570403918b843b44ec9172c6e94198eb2afa5aa5f4349d3655b186405505d5b56c17fb8e2806e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
9d9fbd528242d845d92a84b3832b22b0

SHA1
8e8b2e12d281651cfe90fe741c5780be01cbc661

SHA256
059c5b62c4cd41f9abe7c0dcfec55d9baff3484e4a51e2bb239a0c681d9fef8c

SHA512
de12be6a2218823ba811e2b190b1497549168358e7543003655f518ae43bae08dead71c76e270f6634262d89b18a0ae3a0744778b3922e966af108654f7aa7d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
MD5
77fdeaae7568fe42dc675d881a5cdd52

SHA1
2629db00917e8aa19da91135a212bb6b92471d57

SHA256
4d25850a9c6de85ca3ad2d5eddfb22691a19db3e545873b63ebe3dc4601617dd

SHA512
7042c2a8caf3fdc5076f1c9e8c9da0b0ddbfbe4282f0405cdadd25971ce6ff28cf394e7613e3539452953ab7601e59aae6d6c0cd40e54068a643bdbf109968c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
MD5
c58fdd0d1ebd619b8cd2aee769f4308b

SHA1
473debc65443526f5d9514efa9781769c3ea11a7

SHA256
8117c70e7002d01950d78d704896d8de1f57d2daea76a17528a4c9ba6bf083e0

SHA512
2a3ef980406fc8dc11d7328b2e726d81de3e6c1e5dadc0653628e1757b2368aa017de8d2c3809263841dd1c00a5c23c39229d2f5f800d0ef78720a01edf4ccfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
MD5
4483872adc0ecd69831433d63c1e0323

SHA1
bc814ac414507bdd8f8a00a5ea012728d0151f38

SHA256
4729efa9d5050c8c951fe843d3962e8ec7df96bdaa2cfc3afde9e90d4127f9ff

SHA512
8298a73296aa0f402c35be75f636871793bf33c27345d4a8815a151c845a06dbebdd0af2b7a86f5ece37ed24a08832e4ec726d6a192a44009ec87244eabff6d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
MD5
cd179d7059543c45ec387f5cf09dc01b

SHA1
aa3472040d7bf74b5a5db7561e9aeb9c6abbdbdc

SHA256
6760a747522a7da7789602f374f48b7b24db5b92403a509d670e9fdadb4bb8cd

SHA512
cedf778448899d2b03773c3c4b115d38e17619a3afac72abaefa5effb62cd3088e138584844832147db670c61cfa3d2399a2c0eb90cabd2787c7deffcf0ae4bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
MD5
4738a317ebb7d3dc9c9e8400ce0917c5

SHA1
c916e551f0a9308edd9d5eb2a38f9af86f215f2c

SHA256
ed60965bd92e2f52adc696453eaaf3cb005b0d9de62b772c426df7826a975d9c

SHA512
52001653013d872e9974ba162dff8c9b36751d12b26234a3b74ac8f8a94960de7e9edff127b642d6a0a3af0a038a6d9fc6e23f370b50d9b56776a900f4ea70f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
MD5
05aea0ec7ae2dfc8168be47673b58a97

SHA1
037d0a14967739a27e8e76b13e80707e7d5af98a

SHA256
a158a7017fb3d3d2db28c6f5896c39225dae6cb5f1862b2342ea5435e3447166

SHA512
654e6cb8d2bb726002875466589201ccef512f32bf36bf329cea0b0ffcdd052c888c7b7f2d8bd25205a833ca8546eafa5a6d618a05832694895ad5214b9b9aae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
MD5
b26651718c22b71e14a241b9ede7b4ee

SHA1
c613807b6b9e36b9f1ca688665b4b21105518383

SHA256
827c98d08d1e4ad646d23860b0a92b7faeb51cc50c728774eacf60d26c2ce448

SHA512
3271517cc64fde5868e3cf8394f6a82afc93bd9850efb2e3e8a6c54274349954123afe433e8ef6f23304b9af94e09931f45e573e35d9a3e2731bcc97264edf15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5
7fbfb8eec9d65d9021f4b2bf928f2a1f

SHA1
99bb7a6ea9f53c9f7595b841faba30ff1f1030e9

SHA256
4a10932a8b5dc49a4f6706500af1b713ed9f2bc6574c6c30baa024cac7dee035

SHA512
d27ccb698da6ba35f6d228fc26a4f5a397205c10f8c23618bfbf584f94157d797d725cbd9ce612a342772d9a10348bf5f0d1a8fa988b4d712f8bdbb2232a78c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F0BSU.tmp\HeavyLoad-x64-Setup.tmp
MD5
f0c680f168da13ad7424a9cb85b64cc9

SHA1
cd375842acf9a45284b1dc304d4c6d40e6c88723

SHA256
219b91ea3fce249cd2264e45da0e6fd106e2cf3ee8b437fdc900a7de7e1c6cd3

SHA512
0a6fd5c9961e5c4a223c8a6b127fccdc32ba99af6d99a7e44d61e93a8ead957e43446be0f2efec2466dac1f25335d8605e85093d0a53b3b8ba01aefa4fd8e59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F0BSU.tmp\HeavyLoad-x64-Setup.tmp
MD5
f0c680f168da13ad7424a9cb85b64cc9

SHA1
cd375842acf9a45284b1dc304d4c6d40e6c88723

SHA256
219b91ea3fce249cd2264e45da0e6fd106e2cf3ee8b437fdc900a7de7e1c6cd3

SHA512
0a6fd5c9961e5c4a223c8a6b127fccdc32ba99af6d99a7e44d61e93a8ead957e43446be0f2efec2466dac1f25335d8605e85093d0a53b3b8ba01aefa4fd8e59d

Download Submit
C:\Users\Admin\Downloads\HeavyLoad-x64-Setup.exe
MD5
ba7dd0c15f5ce2431035a4b4e1bbaae5

SHA1
a368248b55f8ee9a75becd4339e938ee31f391f9

SHA256
d4ce244ddb5ef7dfce3e650a2adb3b63964992de8088df6716e26b7d440001c8

SHA512
3ee2552815528e04e992339bd8ac216b42432f2d2727e4483a734082a3716bd4559dcbeeca132b49be1ce6fca2378b03137a801f9ca554a1f5104522eb1f7c6c

Download Submit
C:\Users\Admin\Downloads\HeavyLoad-x64-Setup.exe
MD5
ba7dd0c15f5ce2431035a4b4e1bbaae5

SHA1
a368248b55f8ee9a75becd4339e938ee31f391f9

SHA256
d4ce244ddb5ef7dfce3e650a2adb3b63964992de8088df6716e26b7d440001c8

SHA512
3ee2552815528e04e992339bd8ac216b42432f2d2727e4483a734082a3716bd4559dcbeeca132b49be1ce6fca2378b03137a801f9ca554a1f5104522eb1f7c6c

Download Submit
\??\pipe\crashpad_3336_XLQDSXKWAEEXEOUN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_612_WTQBTPDHNCJVOVTW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/164-247-0x0000000000000000-mapping.dmp

Download
memory/200-183-0x0000000000000000-mapping.dmp

Download
memory/416-227-0x0000000000000000-mapping.dmp

Download
memory/432-177-0x000002C44F320000-0x000002C44F370000-memory.dmp

Filesize
320KB

Download
memory/432-174-0x000002C44FBD0000-0x000002C450334000-memory.dmp

Filesize
7.4MB

Download
memory/432-167-0x000002C431780000-0x000002C432DEC000-memory.dmp

Filesize
22.4MB

Download
memory/432-175-0x000002C44E300000-0x000002C44E310000-memory.dmp

Filesize
64KB

Download
memory/432-168-0x000002C431780000-0x000002C432DEC000-memory.dmp

Filesize
22.4MB

Download
memory/432-169-0x000002C44D300000-0x000002C44D302000-memory.dmp

Filesize
8KB

Download
memory/432-170-0x000002C44E030000-0x000002C44E0A6000-memory.dmp

Filesize
472KB

Download
memory/432-171-0x000002C44E390000-0x000002C44E440000-memory.dmp

Filesize
704KB

Download
memory/432-172-0x000002C44F3C0000-0x000002C44F452000-memory.dmp

Filesize
584KB

Download
memory/432-173-0x000002C44E320000-0x000002C44E33E000-memory.dmp

Filesize
120KB

Download
memory/432-166-0x0000000000000000-mapping.dmp

Download
memory/432-176-0x000002C44E300000-0x000002C44E310000-memory.dmp

Filesize
64KB

Download
memory/680-182-0x0000000000000000-mapping.dmp

Download
memory/696-119-0x0000000000000000-mapping.dmp

Download
memory/696-120-0x000001CFC7D00000-0x000001CFC7D02000-memory.dmp

Filesize
8KB

Download
memory/696-121-0x000001CFC7D00000-0x000001CFC7D02000-memory.dmp

Filesize
8KB

Download
memory/844-135-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/844-132-0x0000000000000000-mapping.dmp

Download
memory/844-137-0x00000000096A0000-0x00000000096A1000-memory.dmp

Filesize
4KB

Download
memory/844-136-0x0000000009410000-0x0000000009411000-memory.dmp

Filesize
4KB

Download
memory/1004-204-0x0000000000000000-mapping.dmp

Download
memory/1060-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1060-251-0x0000000000000000-mapping.dmp

Download
memory/1268-230-0x0000000000000000-mapping.dmp

Download
memory/1280-326-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1280-342-0x0000000071920000-0x00000000719A0000-memory.dmp

Filesize
512KB

Download
memory/1280-338-0x0000000077550000-0x0000000077641000-memory.dmp

Filesize
964KB

Download
memory/1280-336-0x00000000767B0000-0x0000000076972000-memory.dmp

Filesize
1.8MB

Download
memory/1280-323-0x00000000000B0000-0x0000000000212000-memory.dmp

Filesize
1.4MB

Download
memory/1428-130-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1428-128-0x0000000000000000-mapping.dmp

Download
memory/1516-294-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1516-215-0x0000000000000000-mapping.dmp

Download
memory/1516-291-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/1516-292-0x0000000000910000-0x0000000000A5A000-memory.dmp

Filesize
1.3MB

Download
memory/1668-188-0x0000000000000000-mapping.dmp

Download
memory/1864-181-0x0000000000000000-mapping.dmp

Download
memory/1988-241-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1988-232-0x0000000000000000-mapping.dmp

Download
memory/2008-260-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2008-165-0x0000000000000000-mapping.dmp

Download
memory/2008-252-0x0000000000000000-mapping.dmp

Download
memory/2008-256-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2096-283-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/2096-284-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2096-239-0x0000000000000000-mapping.dmp

Download
memory/2096-281-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2096-290-0x0000000000DC0000-0x0000000001967000-memory.dmp

Filesize
11.7MB

Download
memory/2096-289-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2096-287-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2096-296-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2096-285-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2096-286-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2348-246-0x0000015169580000-0x0000015169586000-memory.dmp

Filesize
24KB

Download
memory/2348-250-0x00000151696C0000-0x00000151696F4000-memory.dmp

Filesize
208KB

Download
memory/2348-262-0x000001516B850000-0x000001516B852000-memory.dmp

Filesize
8KB

Download
memory/2348-244-0x0000015169250000-0x000001516929A000-memory.dmp

Filesize
296KB

Download
memory/2348-242-0x0000015169250000-0x000001516929A000-memory.dmp

Filesize
296KB

Download
memory/2348-254-0x00000151696F0000-0x00000151696F6000-memory.dmp

Filesize
24KB

Download
memory/2348-220-0x0000000000000000-mapping.dmp

Download
memory/2516-187-0x0000000000000000-mapping.dmp

Download
memory/2540-320-0x0000000004E20000-0x000000002F8AF000-memory.dmp

Filesize
682.6MB

Download
memory/2596-214-0x0000000000000000-mapping.dmp

Download
memory/2608-225-0x0000000000000000-mapping.dmp

Download
memory/2628-216-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2628-235-0x0000000006D50000-0x0000000007378000-memory.dmp

Filesize
6.2MB

Download
memory/2628-275-0x0000000007480000-0x00000000074E6000-memory.dmp

Filesize
408KB

Download
memory/2628-267-0x0000000006B10000-0x0000000006B32000-memory.dmp

Filesize
136KB

Download
memory/2628-308-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2628-231-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/2628-207-0x0000000000000000-mapping.dmp

Download
memory/2628-280-0x00000000074F0000-0x0000000007840000-memory.dmp

Filesize
3.3MB

Download
memory/2628-228-0x0000000004050000-0x0000000004086000-memory.dmp

Filesize
216KB

Download
memory/2628-278-0x0000000006BB0000-0x0000000006C16000-memory.dmp

Filesize
408KB

Download
memory/2628-243-0x0000000006712000-0x0000000006713000-memory.dmp

Filesize
4KB

Download
memory/2628-219-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2660-161-0x0000000000000000-mapping.dmp

Download
memory/2676-141-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/2676-140-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/2676-142-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2676-208-0x0000000000000000-mapping.dmp

Download
memory/2676-138-0x0000000000000000-mapping.dmp

Download
memory/2704-259-0x0000000000000000-mapping.dmp

Download
memory/2712-222-0x0000000000000000-mapping.dmp

Download
memory/2744-265-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2744-274-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2744-178-0x0000000000000000-mapping.dmp

Download
memory/2744-268-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2960-122-0x0000000000000000-mapping.dmp

Download
memory/2960-126-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2988-206-0x0000000000000000-mapping.dmp

Download
memory/3044-189-0x0000000000000000-mapping.dmp

Download
memory/3080-179-0x0000000000000000-mapping.dmp

Download
memory/3236-209-0x0000000000000000-mapping.dmp

Download
memory/3328-158-0x0000000000000000-mapping.dmp

Download
memory/3420-309-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3540-264-0x0000000000712000-0x000000000078E000-memory.dmp

Filesize
496KB

Download
memory/3540-223-0x0000000000000000-mapping.dmp

Download
memory/3540-272-0x0000000000800000-0x00000000008D5000-memory.dmp

Filesize
852KB

Download
memory/3540-273-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3700-212-0x0000000000000000-mapping.dmp

Download
memory/3784-298-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3804-211-0x0000000000000000-mapping.dmp

Download
memory/3864-203-0x0000000000000000-mapping.dmp

Download
memory/3868-224-0x0000000000000000-mapping.dmp

Download
memory/3952-306-0x0000000004D10000-0x000000002F728000-memory.dmp

Filesize
682.1MB

Download
memory/3960-229-0x0000000000000000-mapping.dmp

Download
memory/4068-249-0x0000000000000000-mapping.dmp

Download
memory/4228-217-0x0000000000000000-mapping.dmp

Download
memory/4256-156-0x0000000000000000-mapping.dmp

Download
memory/4296-185-0x0000000000000000-mapping.dmp

Download
memory/4348-162-0x0000000000000000-mapping.dmp

Download
memory/4416-186-0x0000000000000000-mapping.dmp

Download
memory/4472-159-0x0000000000000000-mapping.dmp

Download
memory/4512-154-0x00000234B7150000-0x00000234B7152000-memory.dmp

Filesize
8KB

Download
memory/4512-155-0x00000234B7150000-0x00000234B7152000-memory.dmp

Filesize
8KB

Download
memory/4532-213-0x0000000000000000-mapping.dmp

Download
memory/4576-205-0x0000000000000000-mapping.dmp

Download
memory/4840-266-0x0000000000000000-mapping.dmp

Download
memory/4840-279-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4868-118-0x000001DCF4D10000-0x000001DCF4D12000-memory.dmp

Filesize
8KB

Download
memory/4868-116-0x0000000000000000-mapping.dmp

Download
memory/4868-117-0x000001DCF4D10000-0x000001DCF4D12000-memory.dmp

Filesize
8KB

Download
memory/4880-295-0x00000000055E0000-0x00000000055FE000-memory.dmp

Filesize
120KB

Download
memory/4880-271-0x0000000000D80000-0x0000000000E0A000-memory.dmp

Filesize
552KB

Download
memory/4880-269-0x0000000000D80000-0x0000000000E0A000-memory.dmp

Filesize
552KB

Download
memory/4880-276-0x0000000005640000-0x00000000056B6000-memory.dmp

Filesize
472KB

Download
memory/4880-282-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/4880-300-0x0000000005CA0000-0x000000000619E000-memory.dmp

Filesize
5.0MB

Download
memory/4880-277-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4880-263-0x0000000000000000-mapping.dmp

Download
memory/4892-221-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4892-270-0x0000000007B60000-0x0000000007EB0000-memory.dmp

Filesize
3.3MB

Download
memory/4892-255-0x0000000007AB0000-0x0000000007B16000-memory.dmp

Filesize
408KB

Download
memory/4892-248-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/4892-253-0x0000000007A40000-0x0000000007AA6000-memory.dmp

Filesize
408KB

Download
memory/4892-218-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4892-310-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4892-226-0x0000000004A10000-0x0000000004A46000-memory.dmp

Filesize
216KB

Download
memory/4892-234-0x0000000004C02000-0x0000000004C03000-memory.dmp

Filesize
4KB

Download
memory/4892-238-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/4892-237-0x00000000072C0000-0x00000000078E8000-memory.dmp

Filesize
6.2MB

Download
memory/4892-210-0x0000000000000000-mapping.dmp

Download
memory/4892-164-0x0000000000000000-mapping.dmp

Download
memory/4892-299-0x0000000007910000-0x000000000792C000-memory.dmp

Filesize
112KB

Download
memory/4920-236-0x0000000000000000-mapping.dmp

Download
memory/4932-233-0x0000000000000000-mapping.dmp

Download
memory/4944-160-0x0000000000000000-mapping.dmp

Download
memory/4960-157-0x0000000000000000-mapping.dmp

Download
memory/4988-202-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4988-200-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4988-196-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4988-195-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-194-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-193-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4988-201-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4988-198-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-192-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4988-197-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-191-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4988-190-0x0000000000000000-mapping.dmp

Download
memory/4988-199-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5012-180-0x0000000000000000-mapping.dmp

Download
memory/5012-257-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5012-245-0x0000000000000000-mapping.dmp

Download
memory/5020-184-0x0000000000000000-mapping.dmp

Download
memory/5024-163-0x0000000000000000-mapping.dmp

Download