formbook | 5af12eff648e8c7aed0ad5933ba0c874c1ec33e35fcce1591cb26b5b680ccd73

Analysis

max time kernel
295s
max time network
302s
platform
windows7_x64
resource
win7-20220414-en
submitted
31-05-2022 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO AU74356 – For Mid June.exe
Size

675KB
MD5

e524708edfa0588f48c1f82421262794
SHA1

a4af13dba0ce7be02f3d3408a34071df9c927d5d
SHA256

fa100b947c2ad8d93cc6f323547650927145917919bf06e33532fb28903d09a6
SHA512

e27f2bff8afd7d2962c06bacb011417616db9762fcf810abfd928585d793f347506f825e825e516af59ce433f5521b8c49caa6486cf1f20360d2aba65ac7abd1

Score

10^/10

formbook t19g rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t19g

Decoy

playstationspiele.com

cakesbyannal.com

racepin.space

anti-offender.com

magnetque.com

farragorealtybrokerage.com

khuludmohammed.com

v33696.com

84ggg.com

d440.com

soccersmarthome.com

ofthis.world

fivestaryardcards.com

lusyard.com

gghft.com

viajesfortur.com

rationalirrationality.com

hanaramenrestaurant.com

exactlycleanse.com

martensenargentina.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2860-88-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2860-89-0x000000000041F1B0-mapping.dmp	formbook
behavioral1/memory/2860-104-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2924-130-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

ChromeRecovery.exe

pid process

2936 ChromeRecovery.exe

pid	process
2936	ChromeRecovery.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

PO AU74356 – For Mid June.exePO AU74356 – For Mid June.exemstsc.exe

description	pid	process	target process
PID 960 set thread context of 2860	960	PO AU74356 – For Mid June.exe	PO AU74356 – For Mid June.exe
PID 2860 set thread context of 1260	2860	PO AU74356 – For Mid June.exe	Explorer.EXE
PID 2924 set thread context of 1260	2924	mstsc.exe	Explorer.EXE
PID 2924 set thread context of 2880	2924	mstsc.exe	chrome.exe
PID 2924 set thread context of 1944	2924	mstsc.exe	chrome.exe
PID 2924 set thread context of 2260	2924	mstsc.exe	chrome.exe
PID 2924 set thread context of 756	2924	mstsc.exe	chrome.exe
PID 2924 set thread context of 2188	2924	mstsc.exe	chrome.exe
PID 2924 set thread context of 1164	2924	mstsc.exe	chrome.exe
PID 2924 set thread context of 2984	2924	mstsc.exe	chrome.exe
PID 2924 set thread context of 2848	2924	mstsc.exe	chrome.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\manifest.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2708 schtasks.exe

pid	process
2708	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mstsc.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Modifies registry class 64 IoCs

Processes:

Explorer.EXEchrome.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1326"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "6"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0 = 5a00310000000000bf546a8d10203239393732347e310000420008000400efbe8e5487acbf546a8d2a000000505c00000000080000000000000000000000000000003200390039003700320034003800330031003600000018000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294967295"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "526"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

chrome.exechrome.exepowershell.exePO AU74356 – For Mid June.exemstsc.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
1112	chrome.exe
1956	chrome.exe
1956	chrome.exe
2696	powershell.exe
2860	PO AU74356 – For Mid June.exe
2860	PO AU74356 – For Mid June.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2616	chrome.exe
2924	mstsc.exe
2984	chrome.exe
2924	mstsc.exe
1648	chrome.exe
2924	mstsc.exe
2260	chrome.exe
2924	mstsc.exe
2924	mstsc.exe
1956	chrome.exe
1956	chrome.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
756	chrome.exe
2924	mstsc.exe
1608	chrome.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2984	chrome.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Explorer.EXEchrome.exe

pid process

1260 Explorer.EXE
2984 chrome.exe

Suspicious behavior: MapViewOfSection 24 IoCs

Processes:

PO AU74356 – For Mid June.exemstsc.exe

pid	process
2860	PO AU74356 – For Mid June.exe
2860	PO AU74356 – For Mid June.exe
2860	PO AU74356 – For Mid June.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe
2924	mstsc.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

AUDIODG.EXEpowershell.exePO AU74356 – For Mid June.exeExplorer.EXEmstsc.exe

description	pid	process
Token: 33	2032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2032	AUDIODG.EXE
Token: 33	2032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2032	AUDIODG.EXE
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2860	PO AU74356 – For Mid June.exe
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeDebugPrivilege	2924	mstsc.exe
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeExplorer.EXE

pid	process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1260	Explorer.EXE
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

Explorer.EXEchrome.exechrome.exechrome.exe

pid	process
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1648	chrome.exe
1648	chrome.exe
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1608	chrome.exe
1608	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe
2984	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1956 wrote to memory of 1088	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1088	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1088	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1988	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1112	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1112	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1112	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe
PID 1956 wrote to memory of 1188	1956	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Users\Admin\AppData\Local\Temp\PO AU74356 – For Mid June.exe
"C:\Users\Admin\AppData\Local\Temp\PO AU74356 – For Mid June.exe"
2⤵
- Suspicious use of SetThreadContext
PID:960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\meapGtdGiVI.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\meapGtdGiVI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA78.tmp"
3⤵
- Creates scheduled task(s)
PID:2708

C:\Users\Admin\AppData\Local\Temp\PO AU74356 – For Mid June.exe
"C:\Users\Admin\AppData\Local\Temp\PO AU74356 – For Mid June.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefaec4f50,0x7fefaec4f60,0x7fefaec4f70
3⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1032 /prefetch:2
3⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1240 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1708 /prefetch:8
3⤵
PID:1188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
3⤵
PID:1908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:1
3⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
3⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3204 /prefetch:2
3⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
3⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3436 /prefetch:8
3⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3476 /prefetch:8
3⤵
PID:2316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:8
3⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
3⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
3⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3764 /prefetch:8
3⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3880 /prefetch:8
3⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:8
3⤵
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
3⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
3⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
3⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
3⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1476 /prefetch:8
3⤵
PID:788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
3⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
3⤵
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3068 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
3⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4244 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1532 /prefetch:8
3⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3948 /prefetch:8
3⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3848 /prefetch:8
3⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4244 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3852 /prefetch:8
3⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
3⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4244 /prefetch:8
3⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Users\Admin\AppData\Local\Temp\PO AU74356 – For Mid June.exe
"C:\Users\Admin\AppData\Local\Temp\PO AU74356 – For Mid June.exe"
4⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\PO AU74356 – For Mid June.exe
"C:\Users\Admin\AppData\Local\Temp\PO AU74356 – For Mid June.exe"
4⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
3⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=992,17343338718939777553,18070875163296243784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3908 /prefetch:8
3⤵
PID:2728

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:996

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x548
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2208

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={2844d73f-b715-4b93-9fa4-e514b0b6b17e} --system
2⤵
- Executes dropped EXE
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2208_1557933112\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0243d578-c2f8-4f7e-af69-8686702b12d0.tmp
Filesize
726KB

MD5
30e47c6cef922b30283db05b6224266e

SHA1
1f02ceaa49d7dd1fab3e0ebce0c9e311f342b5fd

SHA256
1c1c438dad40c1e0c5c951194a40c3c06a4cc476e648cee7cc4733c0b15e8cdb

SHA512
276f6936621c44ef10db4e6eabe35f0fb6e009f19b025d00bede633dd33fb6b5ee1683998d50bf65917983f38ead751454e6392c2d703cd6083b6e2b96d424b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0243d578-c2f8-4f7e-af69-8686702b12d0.tmp
Filesize
732KB

MD5
9083966092f21aca39b1d5a5ae955f2d

SHA1
8adca5618aaf1e7cf01eea334db96521fb42e64c

SHA256
0709d235e76640e06241f792e88ee6eb772deba1093246ef655b352c32c4d561

SHA512
bbc1e73a9a4daf52b79a7e71eeaa7026c734e5ac32a3281ebf682c7d6a321a86093f90b23532d26b9dc2be8478b11da704f9f1049690d95265650b87e1701b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\037b8dd4-aa69-446e-b887-8c3bcf4bc6be.tmp
Filesize
99KB

MD5
173ca02e5b06065771deb2f28e4e5a9e

SHA1
20f1774fb280c94c13082a255c27d7a786efd5c7

SHA256
634557ae2916f2faa0cbf2557f8f96e26845abe94d2784fd73b169ec5618b186

SHA512
d947e3ed56be1f3c668943e8f066f39650d2e0d76bf64bad167e100b8b1066b88d8e851346afbd9777e90445f41c5108a0a2f1514a3f28f02d4ec39978121e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\6163e0ab-cbc9-4a98-a18d-d6dc55fa95ac.tmp
Filesize
187KB

MD5
ac37c0b754d09a34151af5900df267dc

SHA1
36d8de53dac225457c6b4473c9fb7a7cbc5964ab

SHA256
64ebf9ba4d6dd81b1f317c6e77fde9f7bcb717b200e436db22b231340356194b

SHA512
072ef40cea0744e7de859e5b8c29167f825d9b1e96db20861c79b9f3b1b923a3c40215f1f25d76136aadf5f8258fff3da089e05d59f6d9a9b44aff3385d1fbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6163e0ab-cbc9-4a98-a18d-d6dc55fa95ac.tmp
Filesize
450KB

MD5
54ae33a0567727141043a43633a0be54

SHA1
003d8fbfcab8a2c9d6ccdb022664f9480c4505b1

SHA256
44dbd6e73e2c43dcac468f33db86aa82c72f371cedd10690dd16548161bc9195

SHA512
70d01cad430cb857b561b75fd74f64944e58a6534b66cb4f38ee122f751eb10052afd7b1fdab22aa0e46d4d3b5e3f218f39b961131d94f638322dc12712e014e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef0763b5-1efd-4004-be98-fac3a3512bbb.tmp
Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA78.tmp
Filesize
1KB

MD5
7f8bf390e6861372b1f1fc23b633beb7

SHA1
1b640e5465f7dcb69336e619f6c407929e0f735c

SHA256
e8c82a80487946ce32e60578f3586a128316e1187559bcef7d76c231f878629a

SHA512
73db8bdef7135e877ce64b8f0d741ced541aa509af5806e613c6e458275fc553449987de21c1c12b66e6214ce0be4e2962f35325d634c66d47d8e42e76ef777c

Download Submit
C:\Users\Admin\AppData\Roaming\269N2RT7\269logcl.ini
Filesize
130B

MD5
511da415feabdd5f98f8d0ba16660073

SHA1
4617576af8a0c2b4ed43ac8699901179e5c68955

SHA256
c3b5d8fdcc3e0c39c5ea1186be7037caec251f147603d8279f34d3645cf6156e

SHA512
92e2186c39ec8e843153ffdf92ce644a4e18c09de12567ba64338d8bea377201438cd455e644bb0d9e5dc5e5253596e1f3001dc40928c4820a927c934ad6c709

Download Submit
C:\Users\Admin\AppData\Roaming\269N2RT7\269logim.jpeg
Filesize
87KB

MD5
f9ed46bd9c72ea347ac83a03b263b38e

SHA1
c3be89856a5eb4e6ebcb9fbad991db67f6e84203

SHA256
1ee1edea681d610473c17b041f46e9035e8117dc58c3ffa255caac1e7cd62a2f

SHA512
be0ddcb78712726cfb02aa8e01b7e34347341390ca809e0411a609f0b732464ac3dc4f023a9af6391e8285db7ba17b4bc9300908bbeb932114774760130a6923

Download Submit
C:\Users\Admin\AppData\Roaming\269N2RT7\269logrf.ini
Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\269N2RT7\269logri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\269N2RT7\269logrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1956_TZYBWACPOFUZNUNA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/960-83-0x000000006D2B0000-0x000000006D3D3000-memory.dmp

Filesize
1.1MB

Download
memory/960-101-0x000000006DA30000-0x000000006DC01000-memory.dmp

Filesize
1.8MB

Download
memory/960-72-0x00000000729A0000-0x0000000073D2F000-memory.dmp

Filesize
19.6MB

Download
memory/960-73-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/960-74-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/960-70-0x000000006DCA0000-0x000000006DD25000-memory.dmp

Filesize
532KB

Download
memory/960-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/960-77-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/960-78-0x000000006DA30000-0x000000006DC01000-memory.dmp

Filesize
1.8MB

Download
memory/960-69-0x0000000004925000-0x0000000004936000-memory.dmp

Filesize
68KB

Download
memory/960-56-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/960-68-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/960-57-0x00000000729A0000-0x0000000073D2F000-memory.dmp

Filesize
19.6MB

Download
memory/960-84-0x00000000048E0000-0x0000000004914000-memory.dmp

Filesize
208KB

Download
memory/960-67-0x000000006DF10000-0x000000006EC2D000-memory.dmp

Filesize
13.1MB

Download
memory/960-66-0x000000006EC30000-0x000000006EDC4000-memory.dmp

Filesize
1.6MB

Download
memory/960-65-0x000000006EE10000-0x000000006F54E000-memory.dmp

Filesize
7.2MB

Download
memory/960-64-0x000000006F550000-0x000000006F64C000-memory.dmp

Filesize
1008KB

Download
memory/960-91-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/960-92-0x0000000071F90000-0x00000000729A0000-memory.dmp

Filesize
10.1MB

Download
memory/960-93-0x0000000071B90000-0x0000000071F83000-memory.dmp

Filesize
3.9MB

Download
memory/960-94-0x0000000070FE0000-0x0000000071B8E000-memory.dmp

Filesize
11.7MB

Download
memory/960-95-0x000000006FCD0000-0x0000000070FD7000-memory.dmp

Filesize
19.0MB

Download
memory/960-96-0x000000006FAD0000-0x000000006FCC4000-memory.dmp

Filesize
2.0MB

Download
memory/960-97-0x000000006EC30000-0x000000006EDC4000-memory.dmp

Filesize
1.6MB

Download
memory/960-98-0x000000006DF10000-0x000000006EC2D000-memory.dmp

Filesize
13.1MB

Download
memory/960-99-0x0000000004925000-0x0000000004936000-memory.dmp

Filesize
68KB

Download
memory/960-100-0x00000000729A0000-0x0000000073D2F000-memory.dmp

Filesize
19.6MB

Download
memory/960-71-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/960-102-0x000000006D2B0000-0x000000006D3D3000-memory.dmp

Filesize
1.1MB

Download
memory/960-63-0x000000006FAD0000-0x000000006FCC4000-memory.dmp

Filesize
2.0MB

Download
memory/960-54-0x0000000000010000-0x00000000000BE000-memory.dmp

Filesize
696KB

Download
memory/960-62-0x000000006FCD0000-0x0000000070FD7000-memory.dmp

Filesize
19.0MB

Download
memory/960-61-0x0000000070FE0000-0x0000000071B8E000-memory.dmp

Filesize
11.7MB

Download
memory/960-60-0x0000000071B90000-0x0000000071F83000-memory.dmp

Filesize
3.9MB

Download
memory/960-59-0x0000000073F90000-0x0000000074770000-memory.dmp

Filesize
7.9MB

Download
memory/960-58-0x0000000071F90000-0x00000000729A0000-memory.dmp

Filesize
10.1MB

Download
memory/996-76-0x000007FEFBF11000-0x000007FEFBF13000-memory.dmp

Filesize
8KB

Download
memory/1260-125-0x0000000007430000-0x000000000756F000-memory.dmp

Filesize
1.2MB

Download
memory/1532-170-0x0000000000000000-mapping.dmp

Download
memory/2696-103-0x00000000689F0000-0x0000000069041000-memory.dmp

Filesize
6.3MB

Download
memory/2696-106-0x00000000689F0000-0x0000000069041000-memory.dmp

Filesize
6.3MB

Download
memory/2696-117-0x000000006BF20000-0x000000006BF6B000-memory.dmp

Filesize
300KB

Download
memory/2696-116-0x000000006A4F0000-0x000000006AC8C000-memory.dmp

Filesize
7.6MB

Download
memory/2696-118-0x000000006AC90000-0x000000006B788000-memory.dmp

Filesize
11.0MB

Download
memory/2696-119-0x000000006C380000-0x000000006C3A5000-memory.dmp

Filesize
148KB

Download
memory/2696-121-0x000000006BDF0000-0x000000006BE8C000-memory.dmp

Filesize
624KB

Download
memory/2696-120-0x000000006BE90000-0x000000006BF15000-memory.dmp

Filesize
532KB

Download
memory/2696-123-0x000000006BDC0000-0x000000006BDED000-memory.dmp

Filesize
180KB

Download
memory/2696-124-0x0000000069890000-0x0000000069A2E000-memory.dmp

Filesize
1.6MB

Download
memory/2696-114-0x0000000069C70000-0x000000006A4EA000-memory.dmp

Filesize
8.5MB

Download
memory/2696-122-0x00000000697C0000-0x0000000069883000-memory.dmp

Filesize
780KB

Download
memory/2696-126-0x0000000069170000-0x0000000069274000-memory.dmp

Filesize
1.0MB

Download
memory/2696-127-0x0000000069050000-0x0000000069164000-memory.dmp

Filesize
1.1MB

Download
memory/2696-128-0x0000000069280000-0x00000000697B6000-memory.dmp

Filesize
5.2MB

Download
memory/2696-79-0x0000000000000000-mapping.dmp

Download
memory/2696-105-0x000000006B790000-0x000000006BD3B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-115-0x0000000069A30000-0x0000000069C65000-memory.dmp

Filesize
2.2MB

Download
memory/2696-107-0x000000006B790000-0x000000006BD3B000-memory.dmp

Filesize
5.7MB

Download
memory/2696-108-0x000000006AC90000-0x000000006B788000-memory.dmp

Filesize
11.0MB

Download
memory/2696-109-0x000000006C260000-0x000000006C2E1000-memory.dmp

Filesize
516KB

Download
memory/2708-80-0x0000000000000000-mapping.dmp

Download
memory/2860-89-0x000000000041F1B0-mapping.dmp

Download
memory/2860-112-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2860-111-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/2860-86-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-132-0x00000000022C0000-0x0000000002354000-memory.dmp

Filesize
592KB

Download
memory/2924-131-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/2924-129-0x00000000003B0000-0x00000000004B4000-memory.dmp

Filesize
1.0MB

Download
memory/2924-110-0x0000000000000000-mapping.dmp

Download
memory/2924-130-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2936-145-0x0000000000000000-mapping.dmp

Download
memory/2996-151-0x0000000000000000-mapping.dmp

Download