qakbot | e6a745c945687a17e3b9fd92f79971ee19509e34149aabc8984f643b9fee2ee1

Analysis

max time kernel
2700s
max time network
2685s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
28-12-2022 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RulesUpdate_BOU8.pdf
Size

182KB
MD5

8f9f2232556cce9c88603a631e34e531
SHA1

3e84033b98cf7934443d4c6e3e1a006700ca9827
SHA256

e6a745c945687a17e3b9fd92f79971ee19509e34149aabc8984f643b9fee2ee1
SHA512

906bb0ebde963de069c003201d490f734c62a32c1a58d03f908e19143ec58fb902dd31ca24755f3e5917ec54e615c3e841eae4e2140ce9c8b8a5a6e30b638d0a
SSDEEP

3072:rtcT+cunJn1jedfcL4E5SiuRFxBc1p72Rl5x1zy1/rHscZBOEuJLfHpGl:aTuJ1jqfIrgiuRFc1pKRl712lMU9mLpO

Score

10^/10

qakbot azd 1672147664 banker discovery spyware stealer trojan

Malware Config

Extracted

Family

qakbot

Version

404.62

Botnet

azd

Campaign

1672147664

80.103.77.44:2222

136.35.241.159:443

73.88.173.113:443

186.64.67.12:443

76.80.180.154:995

83.248.199.56:443

125.20.112.94:443

72.80.7.6:995

50.68.204.71:443

90.79.129.166:2222

108.162.6.34:443

86.130.9.250:2222

41.228.225.131:995

86.134.75.5:443

190.249.241.149:443

70.115.104.126:995

84.113.121.103:443

198.2.51.242:993

172.90.139.138:2222

89.115.196.99:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Executes dropped EXE 5 IoCs

Processes:

ChromeRecovery.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid	process
1948	ChromeRecovery.exe
1488	software_reporter_tool.exe
3600	software_reporter_tool.exe
3212	software_reporter_tool.exe
2400	software_reporter_tool.exe

Loads dropped DLL 7 IoCs

Processes:

software_reporter_tool.exe

pid	process
3212	software_reporter_tool.exe
3212	software_reporter_tool.exe
3212	software_reporter_tool.exe
3212	software_reporter_tool.exe
3212	software_reporter_tool.exe
3212	software_reporter_tool.exe
3212	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 5 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

chrome.execmd.execmd.exeNOTEPAD.EXEchrome.exe

description	ioc	process
File opened (read-only)	\??\E:	chrome.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	NOTEPAD.EXE
File opened (read-only)	\??\E:	chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 3 IoCs

Processes:

7zG.exe7zG.exe7zG.exe

description	ioc	process
File created	C:\Windows\System32\cmd.7z.tmp	7zG.exe
File created	C:\Windows\System32\cmd.7z.tmp	7zG.exe
File created	C:\Windows\System32\cmd.zip	7zG.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2724_842923205\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2724_842923205\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2724_842923205\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2724_842923205\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2724_842923205\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2724_842923205\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2724_842923205\ChromeRecoveryCRX.crx	elevation_service.exe

Drops file in Windows directory 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Windows\rescache\_merged\3720402701\2219095117.pri firefox.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	firefox.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ = "0"	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en-US	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service	chrome.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\en	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exeAcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

592 net.exe

pid	process
592	net.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exe

pid process

2996 ipconfig.exe
4680 netstat.exe

pid	process
2996	ipconfig.exe
4680	netstat.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 64 IoCs

Processes:

chrome.exechrome.exefirefox.exeNOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000100000002000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe

Opens file in notepad (likely ransom note) 4 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

4792 NOTEPAD.EXE
1848 NOTEPAD.EXE
2040 NOTEPAD.EXE
4484 NOTEPAD.EXE
Runs net.exe

pid	process
4792	NOTEPAD.EXE
1848	NOTEPAD.EXE
2040	NOTEPAD.EXE
4484	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exerundll32.exewermgr.exerundll32.exe

pid	process
3432	chrome.exe
3432	chrome.exe
1448	chrome.exe
1448	chrome.exe
4924	chrome.exe
4924	chrome.exe
816	chrome.exe
816	chrome.exe
2228	chrome.exe
1416	chrome.exe
1416	chrome.exe
2228	chrome.exe
4684	chrome.exe
4684	chrome.exe
3192	chrome.exe
3192	chrome.exe
2476	chrome.exe
2476	chrome.exe
2628	chrome.exe
2628	chrome.exe
1448	chrome.exe
1448	chrome.exe
3320	rundll32.exe
3320	rundll32.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
748	rundll32.exe
748	rundll32.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe
4376	wermgr.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

NOTEPAD.EXEchrome.exechrome.exefirefox.exe

pid process

4804 NOTEPAD.EXE
3792 chrome.exe
3996 chrome.exe
1824 firefox.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

3320 rundll32.exe
748 rundll32.exe
4668 rundll32.exe

pid	process
4804	NOTEPAD.EXE
3792	chrome.exe
3996	chrome.exe
1824	firefox.exe

pid	process
3320	rundll32.exe
748	rundll32.exe
4668	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

chrome.exechrome.exe

pid	process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exenetstat.exewhoami.exemsiexec.exefirefox.exe7zG.exe7zG.exe

description	pid	process
Token: SeManageVolumePrivilege	1448	chrome.exe
Token: SeManageVolumePrivilege	1448	chrome.exe
Token: SeDebugPrivilege	4680	netstat.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeDebugPrivilege	5072	whoami.exe
Token: SeSecurityPrivilege	1364	msiexec.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeRestorePrivilege	1776	7zG.exe
Token: 35	1776	7zG.exe
Token: SeSecurityPrivilege	1776	7zG.exe
Token: SeSecurityPrivilege	1776	7zG.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeDebugPrivilege	1824	firefox.exe
Token: SeRestorePrivilege	4824	7zG.exe
Token: 35	4824	7zG.exe
Token: SeSecurityPrivilege	4824	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

AcroRd32.exechrome.exeNOTEPAD.EXENOTEPAD.EXENOTEPAD.EXEfirefox.exe7zG.exeNOTEPAD.EXEchrome.exe

pid	process
2340	AcroRd32.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
4884	NOTEPAD.EXE
1400	NOTEPAD.EXE
4804	NOTEPAD.EXE
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1776	7zG.exe
2040	NOTEPAD.EXE
1824	firefox.exe
1824	firefox.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exefirefox.exechrome.exe

pid	process
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1448	chrome.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
1824	firefox.exe
1824	firefox.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
1824	firefox.exe

Suspicious use of SetWindowsHookEx 52 IoCs

Processes:

AcroRd32.exeNOTEPAD.EXEOpenWith.exefirefox.exechrome.exechrome.exe

pid	process
2340	AcroRd32.exe
2340	AcroRd32.exe
2340	AcroRd32.exe
2340	AcroRd32.exe
2340	AcroRd32.exe
2340	AcroRd32.exe
4804	NOTEPAD.EXE
4804	NOTEPAD.EXE
4804	NOTEPAD.EXE
4804	NOTEPAD.EXE
4804	NOTEPAD.EXE
3772	OpenWith.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe
3792	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
3996	chrome.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe
1824	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2340 wrote to memory of 1984	2340	AcroRd32.exe	RdrCEF.exe
PID 2340 wrote to memory of 1984	2340	AcroRd32.exe	RdrCEF.exe
PID 2340 wrote to memory of 1984	2340	AcroRd32.exe	RdrCEF.exe
PID 2340 wrote to memory of 3680	2340	AcroRd32.exe	RdrCEF.exe
PID 2340 wrote to memory of 3680	2340	AcroRd32.exe	RdrCEF.exe
PID 2340 wrote to memory of 3680	2340	AcroRd32.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 4336	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe
PID 1984 wrote to memory of 784	1984	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RulesUpdate_BOU8.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8BB501B0350E627FA257412F775222FE --mojo-platform-channel-handle=1644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4336

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AA6BFF8F4DB039D3DB4CEB27213D0DA9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AA6BFF8F4DB039D3DB4CEB27213D0DA9 --renderer-client-id=2 --mojo-platform-channel-handle=1652 --allow-no-sandbox-job /prefetch:1
3⤵
PID:784

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DD29A3211E1864A6DF9A31E1CE6E313A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DD29A3211E1864A6DF9A31E1CE6E313A --renderer-client-id=4 --mojo-platform-channel-handle=1980 --allow-no-sandbox-job /prefetch:1
3⤵
PID:96

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff9dc4f4f50,0x7ff9dc4f4f60,0x7ff9dc4f4f70
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1504 /prefetch:2
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1696 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
2⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4452 /prefetch:8
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3544 /prefetch:8
2⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
PID:888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
2⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
2⤵
PID:1848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3752 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,3283175013231415322,4010960790354684142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
2⤵
PID:3728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1824

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" E:\Document\InvoiceUpdate.cmd
1⤵
- Suspicious use of FindShellTrayWindow
PID:4884

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:1400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Document\InvoiceUpdate.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Enumerates connected drives
PID:5052

C:\Windows\system32\rundll32.exe
rundll32 /s somedocument.br,Updt
2⤵
PID:204

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s somedocument.br,Updt
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3320

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Windows\SysWOW64\net.exe
net view
5⤵
- Discovers systems in the same network
PID:592

C:\Windows\SysWOW64\cmd.exe
cmd /c set
5⤵
PID:2948

C:\Windows\SysWOW64\arp.exe
arp -a
5⤵
PID:2612

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:2996

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
5⤵
PID:3468

C:\Windows\SysWOW64\net.exe
net share
5⤵
PID:4192

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
6⤵
PID:4140

C:\Windows\SysWOW64\route.exe
route print
5⤵
PID:4584

C:\Windows\SysWOW64\netstat.exe
netstat -nao
5⤵
- Gathers network information
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\SysWOW64\net.exe
net localgroup
5⤵
PID:304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:2352

C:\Windows\SysWOW64\whoami.exe
whoami /all
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Document\InvoiceUpdate.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Enumerates connected drives
PID:4512

C:\Windows\system32\rundll32.exe
rundll32 /s somedocument.br,Updt
2⤵
PID:4036

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s somedocument.br,Updt
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:748

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:384

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" E:\Document\InvoiceUpdate.cmd
1⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Document\InvoiceUpdate.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:4792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Document\InvoiceUpdate.cmd" "
1⤵
PID:1260

C:\Windows\system32\rundll32.exe
rundll32 /s somedocument.br,Updt
2⤵
PID:5000

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s somedocument.br,Updt
3⤵
- Suspicious behavior: MapViewOfSection
PID:4668

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:4728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Document\InvoiceUpdate.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
PID:2608

C:\Windows\system32\rundll32.exe
rundll32 /s somedocument.br,Updt
2⤵
PID:2212

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s somedocument.br,Updt
3⤵
PID:4460

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3772

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Document\IncomingPay.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1848

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1824.0.71002816\495657777" -parentBuildID 20200403170909 -prefsHandle 1524 -prefMapHandle 1516 -prefsLen 1 -prefMapSize 219938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1824 "\\.\pipe\gecko-crash-server-pipe.1824" 1620 gpu
3⤵
PID:2632

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1824.3.477410332\914287591" -childID 1 -isForBrowser -prefsHandle 2240 -prefMapHandle 2236 -prefsLen 156 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1824 "\\.\pipe\gecko-crash-server-pipe.1824" 1444 tab
3⤵
PID:408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1824.13.415846663\92428417" -childID 2 -isForBrowser -prefsHandle 3372 -prefMapHandle 3368 -prefsLen 6938 -prefMapSize 219938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1824 "\\.\pipe\gecko-crash-server-pipe.1824" 3400 tab
3⤵
PID:4956

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap16720:156:7zEvent12011 -t7z -sae -- "C:\Users\Admin\Desktop\Desktop.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1776

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Document\InvoiceUpdate.cmd
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Document\InvoiceUpdate.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
PID:3228

C:\Windows\system32\rundll32.exe
rundll32 /s somedocument.br,Updt
2⤵
PID:4184

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s somedocument.br,Updt
3⤵
PID:4784

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Document\InvoiceUpdate.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Document\InvoiceUpdate.cmd" "
1⤵
PID:3788

C:\Windows\system32\rundll32.exe
rundll32 /s somedocument.br,Updt
2⤵
PID:4264

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s somedocument.br,Updt
3⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9dc4f4f50,0x7ff9dc4f4f60,0x7ff9dc4f4f70
2⤵
PID:3388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1532 /prefetch:2
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1908 /prefetch:8
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 /prefetch:8
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
2⤵
PID:204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:8
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3828 /prefetch:8
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4152 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8
2⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
2⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
2⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
2⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3596 /prefetch:8
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2904 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 /prefetch:8
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8
2⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
2⤵
PID:252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
2⤵
PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3208 /prefetch:8
2⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5040 /prefetch:8
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:8
2⤵
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
2⤵
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:8
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:8
2⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:8
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3484 /prefetch:8
2⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4280 /prefetch:2
2⤵
PID:1884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3472 /prefetch:8
2⤵
PID:600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=932 /prefetch:8
2⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=776 /prefetch:8
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5748 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=940 /prefetch:8
2⤵
PID:4860

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=imofn5gzqsTTbSEB6pI6yHC6e3JsZkcBUH0xQyHG --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
PID:1488

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff63d955960,0x7ff63d955970,0x7ff63d955980
3⤵
- Executes dropped EXE
PID:3600

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1488_KGQRBDUZHWPMLKFT" --sandboxed-process-id=2 --init-done-notifier=700 --sandbox-mojo-pipe-token=13214789504298771250 --mojo-platform-channel-handle=676 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3212

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1488_KGQRBDUZHWPMLKFT" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=10370634325662232071 --mojo-platform-channel-handle=912
3⤵
- Executes dropped EXE
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5804 /prefetch:8
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=860 /prefetch:8
2⤵
PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1136,16448044335027045503,2805133893724129617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2724

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2724_842923205\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2724_842923205\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={0aa69efa-c9e9-4671-8f12-747416701291} --system
2⤵
- Executes dropped EXE
PID:1948

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap11773:76:7zEvent32437 -ad -saa -- "E:\E"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap8171:58:7zEvent14239 -ad -saa -- "C:\Windows\System32\cmd"
1⤵
- Drops file in System32 directory
PID:3964

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap3446:58:7zEvent1372 -ad -saa -- "C:\Windows\System32\cmd"
1⤵
- Drops file in System32 directory
PID:1156

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap18804:58:7zEvent28941 -tzip -sae -- "C:\Windows\System32\cmd.zip"
1⤵
- Drops file in System32 directory
PID:4716

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap4507:66:7zEvent10588 -t7z -sae -- "C:\Users\Admin\Desktop\Document.7z"
1⤵
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
e649e99ffb4dc774107f1e5bd3f7bf56

SHA1
0938c06437736a8354287713987e1cba757c9987

SHA256
454e44f3fa7684c78126d508f6d68e305e4ec75ac3280a43aec7209633353f75

SHA512
bd51905eb8ff8965950df0bd4cfff28d5fa69ecd8d255cacd5f2058e00e1643d6c83e1dfd7377dfab5a2e1f03fcd0311a0a2347c3bc74344ce871823f5454478

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.json
Filesize
10KB

MD5
90f880064a42b29ccff51fe5425bf1a3

SHA1
6a3cae3996e9fff653a1ddf731ced32b2be2acbf

SHA256
965203d541e442c107dbc6d5b395168123d0397559774beae4e5b9abc44ef268

SHA512
d9cbfcd865356f19a57954f8fd952caf3d31b354112766c41892d1ef40bd2533682d4ec3f4da0e59a5397364f67a484b45091ba94e6c69ed18ab681403dfd3f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\verified_contents.json
Filesize
7KB

MD5
0834821960cb5c6e9d477aef649cb2e4

SHA1
7d25f027d7cee9e94e9cbdee1f9220c8d20a1588

SHA256
52a24fa2fb3bcb18d9d8571ae385c4a830ff98ce4c18384d40a84ea7f6ba7f69

SHA512
9aeafc3ece295678242d81d71804e370900a6d4c6a618c5a81cacd869b84346feac92189e01718a7bb5c8226e9be88b063d2ece7cb0c84f17bb1af3c5b1a3fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
Filesize
20KB

MD5
44c6a5280974de993ab6c68dcca22fe4

SHA1
d65168c373d57467f94dd6df40cb9b75a94fdcee

SHA256
a7595914b2e6c12d7bf39814f03f683ef9ad2907332c07d7a652497d8574afe9

SHA512
85fe682b95564240a6b4c972e7a9c87044af873cfbd91b24a6aa1a8a6f5b1e20acd25b61cfa130d2173cdb7b2a0777ff947a52d1d38c3a523121bc021e6ef5d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
116KB

MD5
9263ae85838efa58156f5a40085e1016

SHA1
b220b51fe19f133c0208e9c7193d75b695f0c2d2

SHA256
4a2d29e1515bd16c95837153e0dc0b6ba0a2c8d8fb292a12593f298f961284e8

SHA512
62041fe56939b30873acb4a729650502f8742b7fd43910ef13961534d045dac76e66b77ee747d8a5332b259d0ec436fd0ddb938c8d0dbb7cc584f6b4fe36ba9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
862e716282e86e26cbbbcaa5892c71ba

SHA1
81fb911ef5b55d7401195602cab6f455a447cf5b

SHA256
aecb9002f64c5b9ceee554ef3c92086296b32688ce45b448aeb621248270d333

SHA512
b455ff9240a87809417ea3e3daf4bd469bac1d3475150f38fd805d3cd499f7f09e21f6ff1dd984515d9c0dc4c7b5774fee65668825a52befd0ad2bdb713cb65c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
17KB

MD5
1472afcc7afaadb3f6cc63b336f09afb

SHA1
77f6ccb49ce58ce7797ee5f4dc89bcf959e3b3c0

SHA256
9cd4825f958c470e2b98d6b64d69a45d821edc4d0d50a6e80d99e43e3a1c8f88

SHA512
d05ea1de0475f7302a77f58152d7f2a8b4b789ef4f3cf3e4622cc098c524a2fe53e43f11685015e0f451de80cf0ae32ba8ea5cdbbe4c8d5403ffa8dc1ce7417a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B

MD5
1ea51647350342942af24fe02c5dc391

SHA1
8b9568245f28a4868c880aaa5cc071aa09955139

SHA256
6d3703f927f9afd28d3e6ab938b6e6f890b5358760089e9007afb3ad5fc80e2c

SHA512
11f21a77ca5a92fa057f4a24b0497f317edab6efd4fad6be206246917aaab667bc6e4cc93e0a39d630269af4d26e979591cd18ddabba5134257aab4ff382ad08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
348B

MD5
8059f00834a5f81c9874a2761eb36a4e

SHA1
75177255493b53b22aa2621cf1cf15ec4356f2dc

SHA256
2657fee002aba75b609d596dc9ae15efc81b47c93f22255edb969d2135a486ae

SHA512
facaa050f440488f2381cf3787610ebcdbeed1727460751b05066d108210789d6acbda8babb86ea2cd07dd6de4aa18c0bd8be2078a560ea8b91f4f4e282e3221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
Filesize
160B

MD5
de92ad90be6d3364745b2f73f4c3cf73

SHA1
9158681463bd30e5af4dda4baac81f93cedbda77

SHA256
0025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0

SHA512
9e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize
321B

MD5
612303ca4a62953555243fec83743984

SHA1
333e9dd8dbc9112cf9634889e805e928b568815f

SHA256
1b9c2b12c44f08e28a645968dd8390ce22bde25b6b11fac3d61b36fa44a65655

SHA512
4787d69fbe67738839714f8f1048e83744b2e85ef1c2907c12bfec1669e0d5e18a9566ecd1d4213e7359060d73360554fe167f1be64efd215b2c7c1cb16edd42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
Filesize
128KB

MD5
dfb960da05af80cca081d3fbc602cdc7

SHA1
d20caac19da7982fb71e1fa05b6b4c18850395f1

SHA256
fb6a8b8ae91877bbe3264fc97d6821cc1b9aeedd5cd26ed72b423cafe9ff62d1

SHA512
93d1810781c86c9521d7c72c54272845977d2848bd368adf1f8fcb848011577a030397978089d7cff300dcc299e71b03a989365ae02dbfe4a58fe916999ae084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
170KB

MD5
dfb44862108efc1ee813a2f7f8770a50

SHA1
5f5c477fe717f21105c2030f4c8428967fdfec9a

SHA256
7ef5661fa3fe88164fd71bea033953ca0b346c6db080af2cb4e56b1fc1f291c5

SHA512
7e7e17d04556c9b6a903d75bf228b7161891cb3cc50cce7241bd5671ed4cdd256b303613a0ac98643e3c7205ca3cc6603d6f425da69addc2831217a420c1cf7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
9d8f7f0568494f66e228198becde9765

SHA1
a4aa91352e60250b8968f82df9077d87e97d8343

SHA256
21d5c486701b045d2ab7c01fbacad8d3001c53e16b89719deb942088a79790b7

SHA512
a2cc5e9638afbe020504a8c1ac410100a7ec8fb87f2f67f44bfbb95b4eaec17684f9cd22690bf6f12549a8c9cec0f07fc2f859c046c5a7829ebeb6bdcdae829c

Download Submit
C:\Users\Admin\Desktop\Desktop.7z
Filesize
12KB

MD5
75395ef039792f752337377755e91698

SHA1
ed4ca7590b9b1d5e7fd43facfa3e63137155cccf

SHA256
bc0cc2c2102b85640955552bb73e5bb002576aff5526ff1c8a41c70ea187aeb1

SHA512
ccddf22569cfd808430ead677b650e85803c47895e9629a76d33e30993026438c1df56e746cc9fc346d4c6088ced904ed2cb4e1286dec5b9df1fb557c189faa6

Download Submit
C:\Users\Admin\Desktop\Document\InvoiceUpdate.cmd
Filesize
12KB

MD5
413d3fce7afe9032e572523624a89c82

SHA1
a18ca5a82d54c2a56eafc1091ee54914225792d9

SHA256
572f53d4e9b1c16a7946f3de914544fe34390793fe40870f7bc37450c1932591

SHA512
f56be8a9519bf344ea577258ca82a01357e1cb85f03431fb45c505ca767441a671408a1be23d11b210efbdc1680be34d145e2907481ae4179a8627f6e0cb2bff

Download Submit
C:\Users\Admin\Desktop\Document\InvoiceUpdate.cmd
Filesize
12KB

MD5
413d3fce7afe9032e572523624a89c82

SHA1
a18ca5a82d54c2a56eafc1091ee54914225792d9

SHA256
572f53d4e9b1c16a7946f3de914544fe34390793fe40870f7bc37450c1932591

SHA512
f56be8a9519bf344ea577258ca82a01357e1cb85f03431fb45c505ca767441a671408a1be23d11b210efbdc1680be34d145e2907481ae4179a8627f6e0cb2bff

Download Submit
C:\Users\Admin\Desktop\Document\InvoiceUpdate.cmd
Filesize
12KB

MD5
78fcd9c6efdb0b256c832a8537ea40cc

SHA1
616116a31006a9db231b68a3af729b3b04f6c2b1

SHA256
c9869c3d809b6776fba231653c978e7e1221601431c7e59d32d522f826b9fcaf

SHA512
ed5f6ff7cb732766d29c78acf919cbcbe6ad85af264b0b29ba8f6cc0ccfa12c2cd38eb1cffd5bedcc74016ffb15e2025003d422a82d4484110452026b6c7b72f

Download Submit
C:\Users\Admin\Desktop\Document\somedocument.br
Filesize
4KB

MD5
2fc89a33b91a8e22a8e0d92f8026f0da

SHA1
ed25f1fdc83e1d2d399146f88766b66de47ea8cd

SHA256
29ee505e4e820b1099e7442c2c653426ecc313e68ea9ab2d9b5e07fe2487db94

SHA512
3b3f6e7e7f18be01442f09c39d0cd90903408b5f4e257e49152f684479d792213feab38298aa5f3851fadef999b6c5c0357308509e2cc6e8755d1bd1f6d2eef7

Download Submit
\??\pipe\crashpad_1448_TARSBPYJJZUYKJLO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2604_IPAHNACQGTYCYLES
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/96-423-0x0000000000000000-mapping.dmp

Download
memory/204-520-0x0000000000000000-mapping.dmp

Download
memory/304-1099-0x0000000000000000-mapping.dmp

Download
memory/384-698-0x0000000000000000-mapping.dmp

Download
memory/384-740-0x0000000002F10000-0x0000000002F3A000-memory.dmp

Filesize
168KB

Download
memory/592-927-0x0000000000000000-mapping.dmp

Download
memory/748-639-0x0000000000000000-mapping.dmp

Download
memory/784-399-0x0000000000000000-mapping.dmp

Download
memory/1052-1225-0x0000000000000000-mapping.dmp

Download
memory/1488-1361-0x0000000000000000-mapping.dmp

Download
memory/1948-1293-0x0000000000000000-mapping.dmp

Download
memory/1984-207-0x0000000000000000-mapping.dmp

Download
memory/2212-846-0x0000000000000000-mapping.dmp

Download
memory/2340-153-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-145-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-157-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-158-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-159-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-160-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-161-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-162-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-163-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-164-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-165-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-166-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-167-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-169-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-168-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-171-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-170-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-172-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-173-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-174-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-176-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-177-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-178-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-180-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-179-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-175-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-181-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-182-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-183-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-156-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-121-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-122-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-155-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-120-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-152-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-151-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-123-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-124-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-125-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-126-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-150-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-149-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-148-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-127-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-147-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-128-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-129-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-130-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-131-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-146-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-154-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-132-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-144-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-133-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-134-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-135-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-136-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-137-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-138-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-139-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-140-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-143-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-141-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2340-142-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/2352-1119-0x0000000000000000-mapping.dmp

Download
memory/2400-1372-0x0000000000000000-mapping.dmp

Download
memory/2612-956-0x0000000000000000-mapping.dmp

Download
memory/2948-950-0x0000000000000000-mapping.dmp

Download
memory/2996-974-0x0000000000000000-mapping.dmp

Download
memory/3212-1378-0x000001D2CE120000-0x000001D2CE160000-memory.dmp

Filesize
256KB

Download
memory/3212-1376-0x000001D2CE120000-0x000001D2CE160000-memory.dmp

Filesize
256KB

Download
memory/3212-1375-0x000001D2CE120000-0x000001D2CE160000-memory.dmp

Filesize
256KB

Download
memory/3212-1377-0x000001D2CE120000-0x000001D2CE160000-memory.dmp

Filesize
256KB

Download
memory/3212-1379-0x000001D2CE120000-0x000001D2CE160000-memory.dmp

Filesize
256KB

Download
memory/3212-1368-0x0000000000000000-mapping.dmp

Download
memory/3320-521-0x0000000000000000-mapping.dmp

Download
memory/3468-992-0x0000000000000000-mapping.dmp

Download
memory/3600-1364-0x0000000000000000-mapping.dmp

Download
memory/3680-308-0x0000000000000000-mapping.dmp

Download
memory/4036-638-0x0000000000000000-mapping.dmp

Download
memory/4140-1043-0x0000000000000000-mapping.dmp

Download
memory/4184-1172-0x0000000000000000-mapping.dmp

Download
memory/4192-1023-0x0000000000000000-mapping.dmp

Download
memory/4264-1224-0x0000000000000000-mapping.dmp

Download
memory/4336-370-0x0000000000000000-mapping.dmp

Download
memory/4376-637-0x0000000000B50000-0x0000000000B7A000-memory.dmp

Filesize
168KB

Download
memory/4376-580-0x0000000000000000-mapping.dmp

Download
memory/4376-741-0x0000000000B50000-0x0000000000B7A000-memory.dmp

Filesize
168KB

Download
memory/4460-848-0x0000000000000000-mapping.dmp

Download
memory/4584-1063-0x0000000000000000-mapping.dmp

Download
memory/4668-744-0x0000000000000000-mapping.dmp

Download
memory/4680-1079-0x0000000000000000-mapping.dmp

Download
memory/4728-803-0x0000000000000000-mapping.dmp

Download
memory/4728-845-0x0000000003040000-0x000000000306A000-memory.dmp

Filesize
168KB

Download
memory/4784-1173-0x0000000000000000-mapping.dmp

Download
memory/5000-743-0x0000000000000000-mapping.dmp

Download
memory/5072-1140-0x0000000000000000-mapping.dmp

Download