49d45a60bc679dd8205b6653bb9e36b20904ed76c2ff245b7204b668e5952663

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
Size

746KB
MD5

773ad14bd9e7e2fbb5f76cf6ebfc8224
SHA1

e809f9bff7b24ae387475381cd06b5d73516327f
SHA256

49d45a60bc679dd8205b6653bb9e36b20904ed76c2ff245b7204b668e5952663
SHA512

523921f6e6357276b998fdbba97b405629bf8138eeaa98c0e482c39ee9817220db6eeba93a6acaee99d6980968464cf635147cfc472ed8bb1689bb702c3199c6
SSDEEP

12288:uYd+DN2QzXqUgYVhLLNO931vK1ifzNvZA4VVvHd+Lck5BLZrtDp/HeEikYL6DZj1:LIEQzXXLLq3RMEvpHkLd5ZZNp/H9izWP

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Windows\\system32\\Google Chrome\\Google.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Windows\\system32\\Google Chrome\\Google.exe restart"	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe restart"	Google.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{RPJ3M73V-345F-M807-65QB-4N6N2X13CEM6}	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe

Deletes itself 1 IoCs

pid	Process
3048	svchost.exe

Executes dropped EXE 50 IoCs

pid	Process
2212	Google.exe
780	Google.exe
2660	Google.exe
3392	Google.exe
3636	Google.exe
3348	Google.exe
4976	Google.exe
4020	Google.exe
2428	Google.exe
4332	Google.exe
3044	Google.exe
3448	Google.exe
3120	Google.exe
1892	Google.exe
932	Google.exe
852	Google.exe
316	Google.exe
4816	Google.exe
2824	Google.exe
636	Google.exe
3624	Google.exe
4752	Google.exe
1532	Google.exe
5116	Google.exe
672	Google.exe
1524	Google.exe
3180	Google.exe
1972	Google.exe
5088	Google.exe
2076	Google.exe
452	Google.exe
4732	Google.exe
4212	Google.exe
384	Google.exe
5000	Google.exe
2920	Google.exe
316	Google.exe
3456	Google.exe
3768	Google.exe
3124	Google.exe
4108	Google.exe
4200	Google.exe
924	Google.exe
4916	Google.exe
3228	Google.exe
3680	Google.exe
4684	Google.exe
1168	Google.exe
2816	Google.exe
3824	Google.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3300-6-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3300-7-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3300-12-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3300-8-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3300-13-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3300-14-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2240-18-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3300-19-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3048-16-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3300-20-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2660-37-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2660-38-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2660-39-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3512-41-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2660-42-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2660-43-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3112-74-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3348-75-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3348-76-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/756-108-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2836-144-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3076-180-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1536-216-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2136-251-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2356-286-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/4200-339-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2288-374-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2124-410-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/1324-445-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/3976-478-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/672-506-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral2/memory/2616-537-0x0000000010000000-0x000000001031C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Google Chrome\\Google.exe"	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Google Chrome\\Google.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\773ad14bd9e7e2fbb5f76cf6ebfc8224.exe"	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Google Chrome\\Google.exe"	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Google Chrome\\Google.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Google Chrome\\Google.exe"	Google.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google.exe"	Google.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Google Chrome\Google.exe	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	svchost.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe
File created	C:\Windows\SysWOW64\Google Chrome\Google.exe	Google.exe

Suspicious use of SetThreadContext 35 IoCs

description	pid	Process	procid_target
PID 4500 set thread context of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4048 set thread context of 3300	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	94
PID 2212 set thread context of 780	2212	Google.exe	103
PID 780 set thread context of 2660	780	Google.exe	104
PID 3392 set thread context of 3636	3392	Google.exe	110
PID 3636 set thread context of 3348	3636	Google.exe	111
PID 4976 set thread context of 4020	4976	Google.exe	116
PID 4020 set thread context of 2428	4020	Google.exe	118
PID 4332 set thread context of 3044	4332	Google.exe	124
PID 3044 set thread context of 3448	3044	Google.exe	127
PID 3120 set thread context of 1892	3120	Google.exe	132
PID 1892 set thread context of 932	1892	Google.exe	135
PID 852 set thread context of 316	852	Google.exe	140
PID 316 set thread context of 4816	316	Google.exe	143
PID 2824 set thread context of 636	2824	Google.exe	146
PID 636 set thread context of 3624	636	Google.exe	147
PID 4752 set thread context of 1532	4752	Google.exe	152
PID 1532 set thread context of 5116	1532	Google.exe	153
PID 672 set thread context of 1524	672	Google.exe	158
PID 3180 set thread context of 1972	3180	Google.exe	163
PID 1524 set thread context of 5088	1524	Google.exe	160
PID 2076 set thread context of 452	2076	Google.exe	166
PID 452 set thread context of 4732	452	Google.exe	167
PID 4212 set thread context of 384	4212	Google.exe	172
PID 384 set thread context of 5000	384	Google.exe	175
PID 2920 set thread context of 316	2920	Google.exe	182
PID 316 set thread context of 3456	316	Google.exe	184
PID 3768 set thread context of 3124	3768	Google.exe	188
PID 3124 set thread context of 4108	3124	Google.exe	189
PID 4200 set thread context of 924	4200	Google.exe	194
PID 924 set thread context of 4916	924	Google.exe	197
PID 3228 set thread context of 3680	3228	Google.exe	200
PID 3680 set thread context of 4684	3680	Google.exe	203
PID 1168 set thread context of 2816	1168	Google.exe	206
PID 2816 set thread context of 3824	2816	Google.exe	207

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Google.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	Google.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	Google.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
780	Google.exe
780	Google.exe
3636	Google.exe
3636	Google.exe
4020	Google.exe
4020	Google.exe
3044	Google.exe
3044	Google.exe
1892	Google.exe
1892	Google.exe
316	Google.exe
316	Google.exe
636	Google.exe
636	Google.exe
1532	Google.exe
1532	Google.exe
1524	Google.exe
1524	Google.exe
452	Google.exe
452	Google.exe
384	Google.exe
384	Google.exe
316	Google.exe
316	Google.exe
3124	Google.exe
3124	Google.exe
924	Google.exe
924	Google.exe
3680	Google.exe
3680	Google.exe
2816	Google.exe
2816	Google.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3300	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
2660	Google.exe
3348	Google.exe
2428	Google.exe
3448	Google.exe
932	Google.exe
4816	Google.exe
3624	Google.exe
5116	Google.exe
5088	Google.exe
4732	Google.exe
5000	Google.exe
3456	Google.exe
4108	Google.exe
4916	Google.exe
4684	Google.exe
3824	Google.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4500 wrote to memory of 4048	4500	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	90
PID 4048 wrote to memory of 4488	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	96
PID 4048 wrote to memory of 4488	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	96
PID 4048 wrote to memory of 4488	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	96
PID 4048 wrote to memory of 4488	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	96
PID 4048 wrote to memory of 4488	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	96
PID 4048 wrote to memory of 4488	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	96
PID 4048 wrote to memory of 1140	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	95
PID 4048 wrote to memory of 1140	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	95
PID 4048 wrote to memory of 1140	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	95
PID 4048 wrote to memory of 1140	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	95
PID 4048 wrote to memory of 1140	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	95
PID 4048 wrote to memory of 1140	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	95
PID 4048 wrote to memory of 3300	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	94
PID 4048 wrote to memory of 3300	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	94
PID 4048 wrote to memory of 3300	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	94
PID 4048 wrote to memory of 3300	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	94
PID 4048 wrote to memory of 3300	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	94
PID 4048 wrote to memory of 3300	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	94
PID 4048 wrote to memory of 3300	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	94
PID 4048 wrote to memory of 3300	4048	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	94
PID 3300 wrote to memory of 3048	3300	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	93
PID 3300 wrote to memory of 3048	3300	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	93
PID 3300 wrote to memory of 3048	3300	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	93
PID 3300 wrote to memory of 3048	3300	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	93
PID 3300 wrote to memory of 2240	3300	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	92
PID 3300 wrote to memory of 2240	3300	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	92
PID 3300 wrote to memory of 2240	3300	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	92
PID 3300 wrote to memory of 2240	3300	773ad14bd9e7e2fbb5f76cf6ebfc8224.exe	92
PID 2240 wrote to memory of 2212	2240	svchost.exe	102
PID 2240 wrote to memory of 2212	2240	svchost.exe	102
PID 2240 wrote to memory of 2212	2240	svchost.exe	102
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 2212 wrote to memory of 780	2212	Google.exe	103
PID 780 wrote to memory of 4796	780	Google.exe	106
PID 780 wrote to memory of 4796	780	Google.exe	106
PID 780 wrote to memory of 4796	780	Google.exe	106
PID 780 wrote to memory of 4796	780	Google.exe	106
PID 780 wrote to memory of 4796	780	Google.exe	106

C:\Users\Admin\AppData\Local\Temp\773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
"C:\Users\Admin\AppData\Local\Temp\773ad14bd9e7e2fbb5f76cf6ebfc8224.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
  C:\Users\Admin\AppData\Local\Temp\773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
    C:\Users\Admin\AppData\Local\Temp\773ad14bd9e7e2fbb5f76cf6ebfc8224.exe
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4488

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:2660
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4796
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3392
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3636
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:3348
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1608
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4976
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4332
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4484
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:3448
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:2836
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3120
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4432
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:932
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:3076
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:852
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4976
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:4816
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:1536
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2824
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:636
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:3624
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:2136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2928
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4752
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:5116
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:2356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3664
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:672
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:1524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1568
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:5088
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:4272
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3180
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    PID:1972
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2076
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:452
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:4732
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:2288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1320
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4212
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2920
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:316
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:3456
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:1324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:528
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3768
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3124
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:4108
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:3976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:2348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3828
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4200
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3224
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:4916
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:672
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3228
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3780
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:4684
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:2616
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\system32\Google Chrome\Google.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1168
- - C:\Windows\SysWOW64\Google Chrome\Google.exe
    "C:\Windows\SysWOW64\Google Chrome\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2816
  - - C:\Windows\SysWOW64\Google Chrome\Google.exe
      "C:\Windows\SysWOW64\Google Chrome\Google.exe"
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Checks SCSI registry key(s)
      Suspicious use of SetWindowsHookEx
      PID:3824
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        
        PID:5056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:3700

C:\Windows\SysWOW64\svchost.exe
svchost.exe
1⤵
- Deletes itself
PID:3048

C:\Windows\SysWOW64\Google Chrome\Google.exe
"C:\Windows\SysWOW64\Google Chrome\Google.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4020
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\SysWOW64\Google Chrome\Google.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:2428
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:4652

C:\Windows\SysWOW64\Google Chrome\Google.exe
"C:\Windows\SysWOW64\Google Chrome\Google.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:3736
- C:\Windows\SysWOW64\Google Chrome\Google.exe
  "C:\Windows\SysWOW64\Google Chrome\Google.exe"
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
  PID:5000
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Google Chrome\Google.exe

Filesize
746KB

MD5
56340cd04defaa4856f35103d6d74c8b

SHA1
6eeba342ba1bc0f6b8ad068c82292dfffc0a8416

SHA256
f120f4e2dd708e5a08566773344d7c89a476ae87be76627ec8e9f8b4e8fe93f7

SHA512
4603e45fe8d619094ef0a2ff26f00c67216ef23527b00786f8412450c006b4d5fa51724eab1941f20aecd61deb8bbe696e276d8df17ce323d323bb5f74b606f3

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome\Google.exe

Filesize
448KB

MD5
5fd90e2b4ad4ecb972a89d2092b21a04

SHA1
ea530f94bfa270b933c5ba6d43ac34b66b52b7e6

SHA256
c175ad62847e09a6341d104e8802a172e16f9f6578aa9fec457d0164271dfbec

SHA512
88cefa6a20ac2e57b3ca3677428a1273144d60e190285d9d61f814bd0e4a9a5c1c985d3e2f5f36526e523b604bfb1a095c7da45fd79baa65614be3bdced579d3

Download Submit
C:\Users\Admin\AppData\Roaming\Google Chrome\Google.exe

Filesize
382KB

MD5
ea093587055ade793a9721de923ccfbb

SHA1
7dd898f22a8b015ce5f6f91f3262e4b583a73801

SHA256
e2e9093b82129797ae35ceca671c8f0311845e9bc6d9ecf8649ad50037f6c111

SHA512
07e50f761ae24a83ba01d92a847687a1723a7b0ccf8ac0299ca9e64efe8af3d6401beb8e76bc8feb7fafbd0c64f6d94d64d42c3fbd664fb587128719146baa28

Download Submit
C:\Windows\SysWOW64\Google Chrome\Google.exe

Filesize
264KB

MD5
a00398fcf0921a3f70af8454e40221df

SHA1
6edecea0005c26d45954f3f377597742f3217898

SHA256
0d32374e8330e58dd5c3ea07a82bad95d83059434b2c43c7e835d36cd7e66111

SHA512
337aa21f4ab0ad6c567fb2db5fe0ef84521c9044019bf98cfa066a1054cdca7411d88d91861fda63e24e23a2c5b946063c18f790bef1bd511dc5380094928baf

Download Submit
C:\Windows\SysWOW64\Google Chrome\Google.exe

Filesize
365KB

MD5
e66b9f0e55909b430721bda2bedcfcc5

SHA1
7a07a04f57948833bcb8f83d91931877e18daf0b

SHA256
fab51b8ca86f6eb4ce27761a69ccd2b4b385937a9d4ca7d0c3e232e3bfc8aea8

SHA512
39cc1a7b67231f4186858d3169508b58ab592b4583f6b5737aee84ed85fddc2d5be876add44d42638ee7c74128ecc7a444df98c29bd27caae2d5fb6c39341831

Download Submit
C:\Windows\SysWOW64\Google Chrome\Google.exe

Filesize
640KB

MD5
7a0a6c2aada6e984ef4680d4911fd37e

SHA1
1ff73ee1f64d1dd25e148170436e54e8059973a4

SHA256
6238db009c016a6956e8bb60cb75dcdc5f52fec92733b248ef327ef3e9b2203b

SHA512
6aa8d9d78399e2cfdffeaaf7a01c2fef07f09ac6109a3403be747c8b6dd5b8110582708045c6078cb4072de1befcbee41ec179918faf39f46f8cfe2dea74f10b

Download Submit
C:\Windows\SysWOW64\Google Chrome\Google.exe

Filesize
746KB

MD5
773ad14bd9e7e2fbb5f76cf6ebfc8224

SHA1
e809f9bff7b24ae387475381cd06b5d73516327f

SHA256
49d45a60bc679dd8205b6653bb9e36b20904ed76c2ff245b7204b668e5952663

SHA512
523921f6e6357276b998fdbba97b405629bf8138eeaa98c0e482c39ee9817220db6eeba93a6acaee99d6980968464cf635147cfc472ed8bb1689bb702c3199c6

Download Submit
C:\Windows\SysWOW64\Google Chrome\Google.exe

Filesize
381KB

MD5
7d5d77ab6ccb7bdc1ab711c3acba6396

SHA1
fb314efc5cba3215cae33b9594f935cd49a08bd9

SHA256
efee64d9ceee5d37bff8a88e4e03e295ff184df4913d5bb2e7b702f6ee56b8df

SHA512
c9a76e909ff38036820b5bbfe0ba0064e51063dc7af9a8664a37b646f53a16be987b5cfde164c665cdc2dda96b196c663ed2424e7ae2bbe36a2019cbcc9fd46a

Download Submit
C:\Windows\SysWOW64\Google Chrome\Google.exe

Filesize
155KB

MD5
85903a32c00cdac249b90cbb8fde9238

SHA1
23fad5217d9fc5328a5668b10a3eb7569d61704b

SHA256
0288c76b912c668e6abc64a42e5e71087660d9146f1a27e3c34a63a383c20f8a

SHA512
392a73e21680d700461aa4375705661ed4266d27bfd167350f079797cb2761310b74ef16311d64a049b783b8f704b8d1a9da41af988760e886b2eb4ff9906ae8

Download Submit
C:\Windows\SysWOW64\Google Chrome\Google.exe

Filesize
209KB

MD5
bcf5903529ace4c4e4d92e95c422872b

SHA1
d93a1fd7da2b3ef7c9b445cc19ddcf9be65ef7d1

SHA256
74c6dac1c91aa93827002aa8fac68c17dc869eb6c7f8fc8ace7f291000d8c150

SHA512
4846e5bb9469008070609efc13caa6cf8eff4225ea726086a66607c836d5382323ab52dc3752a86c3c321ad5125eca90cecb93bb03e98e84cba5f5c673dfc263

Download Submit
C:\Windows\SysWOW64\Google Chrome\Google.exe

Filesize
92KB

MD5
469a4c278093d5db44b03b033f39365c

SHA1
76cef6b502742b66f48d22599c41dfad9ff495e5

SHA256
4b0f151679d3097e8642c38fa61760d81e2f76ddcee92246c59db6ad231bc4f4

SHA512
ae55f7ae297eea4c46c3ba373d6cdd02708de6b038b533ffd71764928e01b08b8a6106842c9167927e60212d7f3c87b1027ade7f552760bac62ebef922126682

Download Submit
memory/316-198-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/316-427-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/316-437-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/316-210-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/384-403-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/384-392-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/452-356-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/452-366-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/636-243-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/636-233-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/672-302-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/672-506-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/756-108-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/780-29-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/780-35-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/852-197-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/852-190-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/924-492-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/924-500-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1168-551-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/1324-445-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1524-303-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1524-330-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1532-268-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1532-278-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1536-216-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1892-172-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1892-162-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1972-329-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1972-338-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2076-355-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/2124-410-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2136-251-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2212-26-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/2240-18-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2288-374-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2356-286-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2616-537-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2660-42-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2660-38-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2660-39-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2660-43-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2660-37-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2824-232-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/2836-144-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2920-426-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/3044-137-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3044-126-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3048-16-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3076-180-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3112-74-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3120-161-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/3120-154-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/3124-462-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3124-472-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3180-326-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/3180-313-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/3228-521-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/3300-6-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3300-7-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3300-20-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3300-12-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3300-8-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3300-13-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3300-14-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3300-19-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3348-75-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3348-76-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3392-52-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/3392-56-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/3512-41-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/3636-66-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3636-59-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3680-532-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3680-522-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/3768-460-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/3976-478-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4020-91-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4020-98-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4048-10-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4048-5-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4048-1-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4048-2-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4048-4-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4200-339-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/4200-491-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/4212-384-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/4212-391-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/4332-125-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/4332-118-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/4500-3-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/4500-0-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/4752-267-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download
memory/4976-89-0x0000000000400000-0x00000000004BFC00-memory.dmp

Filesize
767KB

Download