redline | hxxps://www[.]youtube[.]com/channel/UCn2OJocEFxegDrjKZMIfnLw

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
suricata

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/3784-298-0x0000000000400000-0x000000000047C000-memory.dmp	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral1/memory/3784-298-0x0000000000400000-0x000000000047C000-memory.dmp	Nirsoft

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/3540-272-0x0000000000800000-0x00000000008D5000-memory.dmp	family_vidar
behavioral1/memory/3540-273-0x0000000000400000-0x0000000000541000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 53 IoCs

pid	Process
2960	HeavyLoad-x64-Setup.exe
1428	HeavyLoad-x64-Setup.tmp
844	HeavyLoad.exe
2676	HeavyLoad.exe
4256	ChromeRecovery.exe
4960	GoogleUpdateSetup.exe
3328	GoogleUpdate.exe
4472	GoogleUpdate.exe
4944	GoogleUpdate.exe
2660	GoogleUpdateComRegisterShell64.exe
4348	GoogleUpdateComRegisterShell64.exe
5024	GoogleUpdateComRegisterShell64.exe
4892	GoogleUpdate.exe
2008	GoogleUpdate.exe
432	OCCT.exe
2760	GoogleUpdate.exe
2744	GoogleUpdateSetup.exe
3080	GoogleCrashHandler.exe
5012	GoogleCrashHandler64.exe
1864	GoogleUpdate.exe
680	GoogleUpdate.exe
200	GoogleUpdate.exe
5020	GoogleUpdate.exe
4296	GoogleUpdateComRegisterShell64.exe
4416	GoogleUpdateComRegisterShell64.exe
2516	GoogleUpdateComRegisterShell64.exe
1668	GoogleUpdate.exe
3044	setup_installer.exe
4988	setup_install.exe
3804	Tue11613d9e9315.exe
1516	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
2348	Tue1181d1ee600618.exe
3540	Tue113f25663d02bda9.exe
3868	Tue11e2f08af432365bf.exe
416	Tue11119e53660048.exe
3960	Tue110d5a53e57.exe
1988	Tue1175225f38ae9334b.exe
2096	Tue116b0a7643.exe
5012	Tue1175225f38ae9334b.tmp
164	Tue11119e53660048.exe
4068	Tue117c930640992.exe
1060	Tue1175225f38ae9334b.exe
2008	Tue11ea5e6d491.exe
2704	Tue112399042edee163a.exe
4880	Tue116ece1bdb4f8.exe
2744	Tue117c930640992.exe
4840	Tue1175225f38ae9334b.tmp
3784	11111.exe
3272	windllhost.exe
1516	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
3420	Tue116ece1bdb4f8.exe
1280	40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe
3176	1d2495dd-46a7-4d2e-89c9-2af73ed7917e.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2096-290-0x0000000000DC0000-0x0000000001967000-memory.dmp	vmprotect

Loads dropped DLL 37 IoCs

pid	Process
3328	GoogleUpdate.exe
4472	GoogleUpdate.exe
4944	GoogleUpdate.exe
2660	GoogleUpdateComRegisterShell64.exe
4944	GoogleUpdate.exe
4348	GoogleUpdateComRegisterShell64.exe
4944	GoogleUpdate.exe
5024	GoogleUpdateComRegisterShell64.exe
4944	GoogleUpdate.exe
4892	GoogleUpdate.exe
2008	GoogleUpdate.exe
432	OCCT.exe
2760	GoogleUpdate.exe
2760	GoogleUpdate.exe
2008	GoogleUpdate.exe
1864	GoogleUpdate.exe
680	GoogleUpdate.exe
200	GoogleUpdate.exe
5020	GoogleUpdate.exe
4296	GoogleUpdateComRegisterShell64.exe
5020	GoogleUpdate.exe
4416	GoogleUpdateComRegisterShell64.exe
5020	GoogleUpdate.exe
2516	GoogleUpdateComRegisterShell64.exe
5020	GoogleUpdate.exe
1668	GoogleUpdate.exe
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe
4988	setup_install.exe
5012	Tue1175225f38ae9334b.tmp
4840	Tue1175225f38ae9334b.tmp
3952	rundll32.exe
3952	rundll32.exe
2540	regsvr32.exe
2540	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
294	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WmiApSrv.exe
File created	C:\Windows\system32\perfc009.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfc00A.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfh007.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfh009.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfh00A.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfc011.dat	WmiApSrv.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WmiApSrv.exe
File created	C:\Windows\system32\PerfStringBackup.TMP	WmiApSrv.exe
File created	C:\Windows\system32\perfh011.dat	WmiApSrv.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WmiApSrv.exe
File created	C:\Windows\system32\perfc007.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfc00C.dat	WmiApSrv.exe
File created	C:\Windows\system32\perfh00C.dat	WmiApSrv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2096	Tue116b0a7643.exe
1280	40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4068 set thread context of 2744	4068	Tue117c930640992.exe	243
PID 4880 set thread context of 3420	4880	Tue116ece1bdb4f8.exe	257

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_vi.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\psuser_64.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_am.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_uk.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_sr.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleUpdate.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_id.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_no.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_de.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_sk.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_el.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Tue1175225f38ae9334b.tmp
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_th.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_ro.dll	GoogleUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\psmachine_64.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_pt-BR.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_pl.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_sv.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_ko.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_es.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_iw.dll	GoogleUpdate.exe
File created	C:\Program Files\JAM Software\HeavyLoad\is-60DMG.tmp	HeavyLoad-x64-Setup.tmp
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\psmachine_64.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_id.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_pl.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_ta.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_ml.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_sv.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_no.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_da.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_hr.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files\JAM Software\HeavyLoad\TreeSizeFree.chm	HeavyLoad-x64-Setup.tmp
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_zh-TW.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateOnDemand.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_mr.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_ms.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_cs.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_en.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_ur.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\GoogleUpdateSetup.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_nl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_sw.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\psmachine.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\psuser_64.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_ar.dll	GoogleUpdateSetup.exe
File created	C:\Program Files\JAM Software\HeavyLoad\LicenseFiles\Jedi Component Library\is-733DO.tmp	HeavyLoad-x64-Setup.tmp
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdate.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_et.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_fil.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleCrashHandler.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_lt.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\GoogleUpdateSetup.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_te.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\FarLabUninstaller\is-85174.tmp	Tue1175225f38ae9334b.tmp
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleUpdateSetup.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_sl.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM255D.tmp\goopdateres_zh-CN.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_pt-PT.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_bn.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\goopdateres_fil.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_lv.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_sr.dll	GoogleUpdate.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WmiApSrv.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WmiApSrv.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\421858948\3551649488.pri	LogonUI.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WmiApSrv.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation\IconReference = "@C:\\Program Files (x86)\\Google\\Update\\1.3.36.111\\goopdate.dll,-1004"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\ = "ServiceModule"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ = "IAppBundle"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.111\\GoogleUpdateBroker.exe\""	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\NumMethods\ = "10"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LOCALSERVER32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\ = "IAppVersionWeb"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9465B4B4-5216-4042-9A2C-754D3BCDC410}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\ = "IAppVersion"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\CurVer\ = "GoogleUpdate.OnDemandCOMClassSvc.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ = "IProcessLauncher"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\NumMethods\ = "12"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\VersionIndependentProgID\ = "GoogleUpdate.Update3WebMachineFallback"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ = "IJobObserver2"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\NumMethods\ = "8"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.112\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3COMClassService\ = "Update3COMClass"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4EB61BAC-A3B6-4760-9581-655041EF4D69}\LocalService = "gupdate"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ = "IAppBundleWeb"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\ProgID	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassSvc\CurVer\ = "GoogleUpdate.OnDemandCOMClassSvc.1.0"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE908CDD-22BB-472A-9870-1A0390E42F36}\NumMethods\ = "41"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID\ = "GoogleUpdate.CoreMachineClass.1"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8324F243-250C-4E97-915C-8220BAE15E18}\InprocHandler32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\NumMethods\ = "16"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.112\\GoogleUpdateBroker.exe\""	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc\CLSID\ = "{1C4CDEFF-756A-4804-9E77-3E8EB9361016}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ = "ICoCreateAsync"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods\ = "5"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\NumMethods\ = "4"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.112\\GoogleUpdateOnDemand.exe\""	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8324F243-250C-4E97-915C-8220BAE15E18}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\87A63D9ADB627D777836153C680A3DFCF27DE90C	HeavyLoad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\87A63D9ADB627D777836153C680A3DFCF27DE90C\Blob = 03000000010000001400000087a63d9adb627d777836153c680a3dfcf27de90c2000000001000000ab040000308204a73082038fa003020102020e481b6a07a9424c1eaafef3cdf10f300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3136303631353030303030305a170d3234303631353030303030305a306e310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d7361314430420603550403133b476c6f62616c5369676e20457874656e6465642056616c69646174696f6e20436f64655369676e696e67204341202d20534841323536202d20473330820122300d06092a864886f70d01010105000382010f003082010a0282010100d9b7ba25ad94f35bbe41061c53ca0c108c514159337964f4579de4d525c4ec50845898727940e22f78d492ea260e9eae957cfbc4fd7144dd8c5fb7238b5ebbf4fc4bcb233dc37603f5d18c45bc71751d8bd28989bee3513dc6c88ab23135076eb9f5ba6a0df4109faed56249287bec57baab327cb17dd2a2560636eeb0efd06aaeeaab1fd60d9f7c96fbad70992d5d95f080d07946ec553accd338fb0407a807758282e0d07e77b88febd228fcae6d1468417f7643d748ba6044e1b772e8d0f020037bdadab40675c7b203def894c6688f5e7b9e9b9d36e0ced26bc6c66be91422b5717eb68f5a1fdbe76ef442109068e62b45104f73ba2cd7c5316a72dd63730203010001a38201633082015f300e0603551d0f0101ff040403020106301d0603551d250416301406082b0601050507030306082b0601050507030930120603551d130101ff040830060101ff020100301d0603551d0e04160414dc2c582c2a6f352d9f7995a8485dc46d3e53bfb9301f0603551d230418301680148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc303e06082b0601050507010104323030302e06082b060105050730018622687474703a2f2f6f637370322e676c6f62616c7369676e2e636f6d2f726f6f74723330360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e636f6d2f726f6f742d72332e63726c30620603551d20045b3059300b06092b06010401a03201023007060567810c0103304106092b06010401a032015f3034303206082b06010505070201162668747470733a2f2f7777772e676c6f62616c7369676e2e636f6d2f7265706f7369746f72792f300d06092a864886f70d01010b050003820101007609c4cc2fd9ef1e4ba9f857f3403921ca4c3c1d9e292b20d42b44d288ce1a0d05cf8381bbeb69bc318d2ac4c744cc6060941ccfa1e102240ead5bbe2cc2271e67b7e8281f3251e339f398dfb89f2e8b2ab47b0a03bcbd36048fc9d09c4fa3022799b0f045e934dfe43aa3b70637d86f2a7990d4d44e5871ec53a96198f73969e0129c575872862729a51de532f32b99975abf2bb03cb406ea0e64ecb7cd65802417c2d937f5b1261035477b9a02ba54a24593ff79bf1a8cc59fb59fdf78e76b50f14794694b24b8da05e80c9d4f06ec4a31207e4f5d86842f35a3cd9cc184571f1fadc0e2a4b1ef296b2197a6d4feed0337b0fcf58d2abcdc8483e3dec3e75f	HeavyLoad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	304	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4148	taskmgr.exe
4148	taskmgr.exe
4212	chrome.exe
4212	chrome.exe
3336	chrome.exe
3336	chrome.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4840	chrome.exe
4840	chrome.exe
4760	chrome.exe
4760	chrome.exe
3792	chrome.exe
3792	chrome.exe
5076	chrome.exe
5076	chrome.exe
3272	chrome.exe
3272	chrome.exe
1264	chrome.exe
1264	chrome.exe
2708	chrome.exe
2708	chrome.exe
1428	HeavyLoad-x64-Setup.tmp
1428	HeavyLoad-x64-Setup.tmp
844	HeavyLoad.exe
844	HeavyLoad.exe
2676	HeavyLoad.exe
2676	HeavyLoad.exe
2188	chrome.exe
2188	chrome.exe
612	chrome.exe
612	chrome.exe
4392	chrome.exe
4392	chrome.exe
1264	chrome.exe
1264	chrome.exe
4896	chrome.exe
4896	chrome.exe
2352	chrome.exe
2352	chrome.exe
3096	chrome.exe
3096	chrome.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
3328	GoogleUpdate.exe
4892	GoogleUpdate.exe
4892	GoogleUpdate.exe
4832	chrome.exe
4832	chrome.exe
2008	GoogleUpdate.exe
2008	GoogleUpdate.exe
2760	GoogleUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1640	Process not Found

Suspicious behavior: LoadsDriver 12 IoCs

pid	Process
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found
644	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1516	635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe
612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	taskmgr.exe
Token: SeSystemProfilePrivilege	4148	taskmgr.exe
Token: SeCreateGlobalPrivilege	4148	taskmgr.exe
Token: 33	4148	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4148	taskmgr.exe
Token: SeDebugPrivilege	3328	GoogleUpdate.exe
Token: SeDebugPrivilege	3328	GoogleUpdate.exe
Token: SeDebugPrivilege	3328	GoogleUpdate.exe
Token: SeDebugPrivilege	3328	GoogleUpdate.exe
Token: SeDebugPrivilege	4892	GoogleUpdate.exe
Token: SeDebugPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeLoadDriverPrivilege	432	OCCT.exe
Token: SeDebugPrivilege	2008	GoogleUpdate.exe
Token: SeDebugPrivilege	2760	GoogleUpdate.exe
Token: 33	3080	GoogleCrashHandler.exe
Token: SeIncBasePriorityPrivilege	3080	GoogleCrashHandler.exe
Token: 33	5012	GoogleCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	5012	GoogleCrashHandler64.exe
Token: SeDebugPrivilege	1864	GoogleUpdate.exe
Token: SeDebugPrivilege	680	GoogleUpdate.exe
Token: SeDebugPrivilege	680	GoogleUpdate.exe
Token: SeDebugPrivilege	680	GoogleUpdate.exe
Token: SeDebugPrivilege	1668	GoogleUpdate.exe
Token: SeDebugPrivilege	2308	taskmgr.exe
Token: SeSystemProfilePrivilege	2308	taskmgr.exe
Token: SeCreateGlobalPrivilege	2308	taskmgr.exe
Token: 33	2308	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2308	taskmgr.exe
Token: SeCreateTokenPrivilege	3960	Tue110d5a53e57.exe
Token: SeAssignPrimaryTokenPrivilege	3960	Tue110d5a53e57.exe
Token: SeLockMemoryPrivilege	3960	Tue110d5a53e57.exe
Token: SeIncreaseQuotaPrivilege	3960	Tue110d5a53e57.exe
Token: SeMachineAccountPrivilege	3960	Tue110d5a53e57.exe
Token: SeTcbPrivilege	3960	Tue110d5a53e57.exe
Token: SeSecurityPrivilege	3960	Tue110d5a53e57.exe
Token: SeTakeOwnershipPrivilege	3960	Tue110d5a53e57.exe
Token: SeLoadDriverPrivilege	3960	Tue110d5a53e57.exe
Token: SeSystemProfilePrivilege	3960	Tue110d5a53e57.exe
Token: SeSystemtimePrivilege	3960	Tue110d5a53e57.exe
Token: SeProfSingleProcessPrivilege	3960	Tue110d5a53e57.exe
Token: SeIncBasePriorityPrivilege	3960	Tue110d5a53e57.exe
Token: SeCreatePagefilePrivilege	3960	Tue110d5a53e57.exe
Token: SeCreatePermanentPrivilege	3960	Tue110d5a53e57.exe
Token: SeBackupPrivilege	3960	Tue110d5a53e57.exe
Token: SeRestorePrivilege	3960	Tue110d5a53e57.exe
Token: SeShutdownPrivilege	3960	Tue110d5a53e57.exe
Token: SeDebugPrivilege	3960	Tue110d5a53e57.exe
Token: SeAuditPrivilege	3960	Tue110d5a53e57.exe
Token: SeSystemEnvironmentPrivilege	3960	Tue110d5a53e57.exe
Token: SeChangeNotifyPrivilege	3960	Tue110d5a53e57.exe
Token: SeRemoteShutdownPrivilege	3960	Tue110d5a53e57.exe
Token: SeUndockPrivilege	3960	Tue110d5a53e57.exe
Token: SeSyncAgentPrivilege	3960	Tue110d5a53e57.exe
Token: SeEnableDelegationPrivilege	3960	Tue110d5a53e57.exe
Token: SeManageVolumePrivilege	3960	Tue110d5a53e57.exe
Token: SeImpersonatePrivilege	3960	Tue110d5a53e57.exe
Token: SeCreateGlobalPrivilege	3960	Tue110d5a53e57.exe
Token: 31	3960	Tue110d5a53e57.exe
Token: 32	3960	Tue110d5a53e57.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
3336	chrome.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe
4148	taskmgr.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
844	HeavyLoad.exe
2676	HeavyLoad.exe
2676	HeavyLoad.exe
3216	setup_installx86-x64.exe
3044	setup_installer.exe
4988	setup_install.exe
3804	Tue11613d9e9315.exe
3868	Tue11e2f08af432365bf.exe
416	Tue11119e53660048.exe
3960	Tue110d5a53e57.exe
1988	Tue1175225f38ae9334b.exe
2096	Tue116b0a7643.exe
5012	Tue1175225f38ae9334b.tmp
164	Tue11119e53660048.exe
4068	Tue117c930640992.exe
1060	Tue1175225f38ae9334b.exe
2008	Tue11ea5e6d491.exe
2704	Tue112399042edee163a.exe
4840	Tue1175225f38ae9334b.tmp
2744	Tue117c930640992.exe
3784	11111.exe
3272	windllhost.exe
1280	40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe
5312	LogonUI.exe
5312	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 3676	3336	chrome.exe	68
PID 3336 wrote to memory of 3676	3336	chrome.exe	68
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4220	3336	chrome.exe	71
PID 3336 wrote to memory of 4212	3336	chrome.exe	70
PID 3336 wrote to memory of 4212	3336	chrome.exe	70
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72
PID 3336 wrote to memory of 4340	3336	chrome.exe	72

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/channel/UCn2OJocEFxegDrjKZMIfnLw
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffbf2374f50,0x7ffbf2374f60,0x7ffbf2374f70
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1524 /prefetch:2
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:3820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4868
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff758cda890,0x7ff758cda8a0,0x7ff758cda8b0
    3⤵
    PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue112399042edee163a.exe
    Tue112399042edee163a.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1264
- C:\Users\Admin\Downloads\HeavyLoad-x64-Setup.exe
  "C:\Users\Admin\Downloads\HeavyLoad-x64-Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\is-F0BSU.tmp\HeavyLoad-x64-Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-F0BSU.tmp\HeavyLoad-x64-Setup.tmp" /SL5="$90230,14724492,798208,C:\Users\Admin\Downloads\HeavyLoad-x64-Setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1428
  - - C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe
      "C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe" /nogui /installcertificate
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:844
  - - C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe
      "C:\Program Files\JAM Software\HeavyLoad\HeavyLoad.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,2869393384838357965,422427696186662551,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2708

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffbf2374f50,0x7ffbf2374f60,0x7ffbf2374f70
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:2
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2524 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3876 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3968 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3876 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\Users\Admin\Downloads\OCCT.exe
  "C:\Users\Admin\Downloads\OCCT.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3880 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5228 /prefetch:2
  2⤵
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue116b0a7643.exe
    Tue116b0a7643.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11119e53660048.exe
    Tue11119e53660048.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4008 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1504,5639113309881989063,9673409304843776312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6832 /prefetch:8
  2⤵
  PID:1908

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4512
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={5104f577-5b00-422b-b1aa-c41fb4e21592} --system
  2⤵
  - Executes dropped EXE
  PID:4256
- - C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\GoogleUpdateSetup.exe
    "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4512_1693533153\GoogleUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4960
  - - C:\Program Files (x86)\Google\Temp\GUM255D.tmp\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Temp\GUM255D.tmp\GoogleUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3328
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4472
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4944
      - C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2660
      - C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4348
      - C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5024
    - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
        
        "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEUxMTNDQzctREIwNi00Nzc3LUFDQzEtMTFGNjlBRTRCQTU2fSIgdXNlcmlkPSJ7NEM0MkZBMTUtRjkwQy00NkVBLUFCQ0YtRTlCNEMyQzgxRkU4fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezRDMjI5MDE5LUM2RDctNDA4OS1CMTcxLTJGREQ0M0JGOTM2Mn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMTExIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
- - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /machine /installsource chromerecovery
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2008

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760
- C:\Program Files (x86)\Google\Update\Install\{915D2872-3088-42B2-AADA-E638556CCEF6}\GoogleUpdateSetup.exe
  "C:\Program Files (x86)\Google\Update\Install\{915D2872-3088-42B2-AADA-E638556CCEF6}\GoogleUpdateSetup.exe" /update /sessionid "{A1D55F03-6B1A-44EA-A0BC-741830E6302E}"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2744
- - C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Temp\GUM75FD.tmp\GoogleUpdate.exe" /update /sessionid "{A1D55F03-6B1A-44EA-A0BC-741830E6302E}"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:680
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:200
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:5020
    - - C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4296
    - - C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4416
    - - C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2516
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTFENTVGMDMtNkIxQS00NEVBLUEwQkMtNzQxODMwRTYzMDJFfSIgdXNlcmlkPSJ7NEM0MkZBMTUtRjkwQy00NkVBLUFCQ0YtRTlCNEMyQzgxRkU4fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7M0I2RjI1NTctNTVCRi00RDg3LUIwMTUtMjRBNTI1OUFFQkM5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI0IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIxLjMuMzYuMTExIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE1MlIiIGluc3RhbGxhZ2U9IjE5IiBpbnN0YWxsZGF0ZT0iNTQ3NCIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:1668
- C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe
  "C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
  "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTFENTVGMDMtNkIxQS00NEVBLUEwQkMtNzQxODMwRTYzMDJFfSIgdXNlcmlkPSJ7NEM0MkZBMTUtRjkwQy00NkVBLUFCQ0YtRTlCNEMyQzgxRkU4fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0IxODRFN0U5LTc3MkMtNEJBQi04NjRBLUJCQjYxRUUxOENCQ30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjExMSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMTIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIxNTJSIiBpbnN0YWxsYWdlPSIxOSIgaWlkPSJ7OEQ4QjE0NjAtMzA3NS00RjI3LUQ4MzEtOEMwMTU3QkIzNjYwfSIgY29ob3J0PSIxOjljbzoiIGNvaG9ydG5hbWU9IkV2ZXJ5b25lIEVsc2UiPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vZWRnZWRsLm1lLmd2dDEuY29tL2VkZ2VkbC9yZWxlYXNlMi91cGRhdGUyL2FkeG1vbWZ0cmtvaW9kazdhd3l2YTNtejZ1dGFfMS4zLjM2LjExMi9Hb29nbGVVcGRhdGVTZXR1cC5leGUiIGRvd25sb2FkZWQ9IjEzNDEyNzIiIHRvdGFsPSIxMzQxMjcyIiBkb3dubG9hZF90aW1lX21zPSI0OTkiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzQy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE1MlIiIGluc3RhbGxhZ2U9IjE5IiBpaWQ9Ins4RDhCMTQ2MC0zMDc1LTRGMjctRDgzMS04QzAxNTdCQjM2NjB9Ij48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iOSIgZXJyb3Jjb2RlPSItMTYwNjIxOTc0OCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1864

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2268

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1632

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1184

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:4868

C:\Users\Admin\Desktop\setup_installx86-x64.exe
"C:\Users\Admin\Desktop\setup_installx86-x64.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3216
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      PID:3864
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        
        PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1004
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11613d9e9315.exe
      4⤵
      PID:4576
    - - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11613d9e9315.exe
        
        Tue11613d9e9315.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11171c1f250c59ea.exe
      4⤵
      PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11171c1f250c59ea.exe
        
        Tue11171c1f250c59ea.exe
        5⤵
        
        PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue110d5a53e57.exe
      4⤵
      PID:3236
    - - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue110d5a53e57.exe
        
        Tue110d5a53e57.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1181d1ee600618.exe
      4⤵
      PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1181d1ee600618.exe
        
        Tue1181d1ee600618.exe
        5⤵
        Executes dropped EXE
        
        PID:2348
      - C:\Users\Admin\AppData\Local\635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe
        
        "C:\Users\Admin\AppData\Local\635acfe2-0f18-4475-8d22-b0b77b85c6f8.exe"
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:1516
      - C:\Users\Admin\AppData\Local\40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe
        
        "C:\Users\Admin\AppData\Local\40c42a4e-0ab7-4cca-8ecc-20c34e73c096.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:1280
      - C:\Users\Admin\AppData\Local\1d2495dd-46a7-4d2e-89c9-2af73ed7917e.exe
        
        "C:\Users\Admin\AppData\Local\1d2495dd-46a7-4d2e-89c9-2af73ed7917e.exe"
        6⤵
        Executes dropped EXE
        
        PID:3176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue113f25663d02bda9.exe
      4⤵
      PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue113f25663d02bda9.exe
        
        Tue113f25663d02bda9.exe
        5⤵
        Executes dropped EXE
        
        PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e2f08af432365bf.exe
      4⤵
      PID:4228
    - - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11e2f08af432365bf.exe
        
        Tue11e2f08af432365bf.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3868
      - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\UDZC3.CPL",
        6⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\UDZC3.CPL",
        7⤵
        Loads dropped DLL
        
        PID:3952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue117c930640992.exe /mixtwo
      4⤵
      PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue117c930640992.exe
        
        Tue117c930640992.exe /mixtwo
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4068
      - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue117c930640992.exe
        
        Tue117c930640992.exe /mixtwo
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue116ece1bdb4f8.exe
      4⤵
      PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112399042edee163a.exe
      4⤵
      PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11ea5e6d491.exe
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11119e53660048.exe
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1175225f38ae9334b.exe
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue116b0a7643.exe
      4⤵
      PID:4532

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe
Tue1175225f38ae9334b.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1988
- C:\Users\Admin\AppData\Local\Temp\is-TCH70.tmp\Tue1175225f38ae9334b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TCH70.tmp\Tue1175225f38ae9334b.tmp" /SL5="$903AC,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe" /SILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\is-VGJ83.tmp\Tue1175225f38ae9334b.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-VGJ83.tmp\Tue1175225f38ae9334b.tmp" /SL5="$503AE,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue1175225f38ae9334b.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\is-7I02G.tmp\windllhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7I02G.tmp\windllhost.exe" 77
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3272

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11119e53660048.exe
"C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11119e53660048.exe" -u
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:164

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue11ea5e6d491.exe
Tue11ea5e6d491.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -U /s .\yLCL~._
  2⤵
  - Loads dropped DLL
  PID:2540

C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue116ece1bdb4f8.exe
Tue116ece1bdb4f8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4880
- C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue116ece1bdb4f8.exe
  C:\Users\Admin\AppData\Local\Temp\7zS4EB962AA\Tue116ece1bdb4f8.exe
  2⤵
  - Executes dropped EXE
  PID:3420

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3096

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a93055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-177-0x000002C44F320000-0x000002C44F370000-memory.dmp

Filesize
320KB

Download
memory/432-174-0x000002C44FBD0000-0x000002C450334000-memory.dmp

Filesize
7.4MB

Download
memory/432-167-0x000002C431780000-0x000002C432DEC000-memory.dmp

Filesize
22.4MB

Download
memory/432-175-0x000002C44E300000-0x000002C44E310000-memory.dmp

Filesize
64KB

Download
memory/432-168-0x000002C431780000-0x000002C432DEC000-memory.dmp

Filesize
22.4MB

Download
memory/432-169-0x000002C44D300000-0x000002C44D302000-memory.dmp

Filesize
8KB

Download
memory/432-170-0x000002C44E030000-0x000002C44E0A6000-memory.dmp

Filesize
472KB

Download
memory/432-171-0x000002C44E390000-0x000002C44E440000-memory.dmp

Filesize
704KB

Download
memory/432-172-0x000002C44F3C0000-0x000002C44F452000-memory.dmp

Filesize
584KB

Download
memory/432-173-0x000002C44E320000-0x000002C44E33E000-memory.dmp

Filesize
120KB

Download
memory/432-176-0x000002C44E300000-0x000002C44E310000-memory.dmp

Filesize
64KB

Download
memory/696-120-0x000001CFC7D00000-0x000001CFC7D02000-memory.dmp

Filesize
8KB

Download
memory/696-121-0x000001CFC7D00000-0x000001CFC7D02000-memory.dmp

Filesize
8KB

Download
memory/844-135-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/844-137-0x00000000096A0000-0x00000000096A1000-memory.dmp

Filesize
4KB

Download
memory/844-136-0x0000000009410000-0x0000000009411000-memory.dmp

Filesize
4KB

Download
memory/1060-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1280-326-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1280-342-0x0000000071920000-0x00000000719A0000-memory.dmp

Filesize
512KB

Download
memory/1280-338-0x0000000077550000-0x0000000077641000-memory.dmp

Filesize
964KB

Download
memory/1280-336-0x00000000767B0000-0x0000000076972000-memory.dmp

Filesize
1.8MB

Download
memory/1280-323-0x00000000000B0000-0x0000000000212000-memory.dmp

Filesize
1.4MB

Download
memory/1428-130-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1516-294-0x0000000000400000-0x000000000082F000-memory.dmp

Filesize
4.2MB

Download
memory/1516-291-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/1516-292-0x0000000000910000-0x0000000000A5A000-memory.dmp

Filesize
1.3MB

Download
memory/1988-241-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2008-260-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2008-256-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/2096-283-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/2096-284-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2096-281-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2096-290-0x0000000000DC0000-0x0000000001967000-memory.dmp

Filesize
11.7MB

Download
memory/2096-289-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2096-287-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2096-296-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2096-285-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/2096-286-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2348-246-0x0000015169580000-0x0000015169586000-memory.dmp

Filesize
24KB

Download
memory/2348-250-0x00000151696C0000-0x00000151696F4000-memory.dmp

Filesize
208KB

Download
memory/2348-262-0x000001516B850000-0x000001516B852000-memory.dmp

Filesize
8KB

Download
memory/2348-244-0x0000015169250000-0x000001516929A000-memory.dmp

Filesize
296KB

Download
memory/2348-242-0x0000015169250000-0x000001516929A000-memory.dmp

Filesize
296KB

Download
memory/2348-254-0x00000151696F0000-0x00000151696F6000-memory.dmp

Filesize
24KB

Download
memory/2540-320-0x0000000004E20000-0x000000002F8AF000-memory.dmp

Filesize
682.6MB

Download
memory/2628-216-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2628-235-0x0000000006D50000-0x0000000007378000-memory.dmp

Filesize
6.2MB

Download
memory/2628-275-0x0000000007480000-0x00000000074E6000-memory.dmp

Filesize
408KB

Download
memory/2628-267-0x0000000006B10000-0x0000000006B32000-memory.dmp

Filesize
136KB

Download
memory/2628-308-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2628-231-0x0000000006710000-0x0000000006711000-memory.dmp

Filesize
4KB

Download
memory/2628-280-0x00000000074F0000-0x0000000007840000-memory.dmp

Filesize
3.3MB

Download
memory/2628-228-0x0000000004050000-0x0000000004086000-memory.dmp

Filesize
216KB

Download
memory/2628-278-0x0000000006BB0000-0x0000000006C16000-memory.dmp

Filesize
408KB

Download
memory/2628-243-0x0000000006712000-0x0000000006713000-memory.dmp

Filesize
4KB

Download
memory/2628-219-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2676-141-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/2676-140-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/2676-142-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/2744-265-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2744-274-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2744-268-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2960-126-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3420-309-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3540-264-0x0000000000712000-0x000000000078E000-memory.dmp

Filesize
496KB

Download
memory/3540-272-0x0000000000800000-0x00000000008D5000-memory.dmp

Filesize
852KB

Download
memory/3540-273-0x0000000000400000-0x0000000000541000-memory.dmp

Filesize
1.3MB

Download
memory/3784-298-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3952-306-0x0000000004D10000-0x000000002F728000-memory.dmp

Filesize
682.1MB

Download
memory/4512-154-0x00000234B7150000-0x00000234B7152000-memory.dmp

Filesize
8KB

Download
memory/4512-155-0x00000234B7150000-0x00000234B7152000-memory.dmp

Filesize
8KB

Download
memory/4840-279-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4868-118-0x000001DCF4D10000-0x000001DCF4D12000-memory.dmp

Filesize
8KB

Download
memory/4868-117-0x000001DCF4D10000-0x000001DCF4D12000-memory.dmp

Filesize
8KB

Download
memory/4880-295-0x00000000055E0000-0x00000000055FE000-memory.dmp

Filesize
120KB

Download
memory/4880-271-0x0000000000D80000-0x0000000000E0A000-memory.dmp

Filesize
552KB

Download
memory/4880-269-0x0000000000D80000-0x0000000000E0A000-memory.dmp

Filesize
552KB

Download
memory/4880-276-0x0000000005640000-0x00000000056B6000-memory.dmp

Filesize
472KB

Download
memory/4880-282-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/4880-300-0x0000000005CA0000-0x000000000619E000-memory.dmp

Filesize
5.0MB

Download
memory/4880-277-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4892-221-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4892-270-0x0000000007B60000-0x0000000007EB0000-memory.dmp

Filesize
3.3MB

Download
memory/4892-255-0x0000000007AB0000-0x0000000007B16000-memory.dmp

Filesize
408KB

Download
memory/4892-248-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/4892-253-0x0000000007A40000-0x0000000007AA6000-memory.dmp

Filesize
408KB

Download
memory/4892-218-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4892-310-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4892-226-0x0000000004A10000-0x0000000004A46000-memory.dmp

Filesize
216KB

Download
memory/4892-234-0x0000000004C02000-0x0000000004C03000-memory.dmp

Filesize
4KB

Download
memory/4892-238-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/4892-237-0x00000000072C0000-0x00000000078E8000-memory.dmp

Filesize
6.2MB

Download
memory/4892-299-0x0000000007910000-0x000000000792C000-memory.dmp

Filesize
112KB

Download
memory/4988-202-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4988-200-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4988-196-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4988-195-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-194-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-193-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4988-201-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4988-198-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-192-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4988-197-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4988-191-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4988-199-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/5012-257-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download