echelon | hxxps://dropmefiles[.]com/UbQSy

Analysis

max time kernel
661s
max time network
672s
platform
windows10_x64
resource
win10-en-20210920
submitted
15-10-2021 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dropmefiles.com/UbQSy
Sample

211015-kkyezaaga4

Score

10^/10

echelon discovery spyware stealer

Malware Config

Signatures

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

dnSpy.exekrnl_portable_bootstrapper.binkrnl_portable_bootstrapper.binkrnl_console_bootstrapper.exeKrnlService.exesvhost.exeshhost.exeJava.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid	process
4236	dnSpy.exe
2300	krnl_portable_bootstrapper.bin
1800	krnl_portable_bootstrapper.bin
3776	krnl_console_bootstrapper.exe
4164	KrnlService.exe
4208	svhost.exe
1912	shhost.exe
964	Java.exe
3764	software_reporter_tool.exe
2328	software_reporter_tool.exe
4072	software_reporter_tool.exe
408	software_reporter_tool.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

krnl_portable_bootstrapper.bin

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation	krnl_portable_bootstrapper.bin

Loads dropped DLL 64 IoCs

Processes:

dnSpy.exe

pid	process
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe
4236	dnSpy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

189 api.ipify.org
190 api.ipify.org
191 api.ipify.org

flow	ioc
189	api.ipify.org
190	api.ipify.org
191	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 31 IoCs

Processes:

KrnlService.exesvhost.exeshhost.exeJava.exe

pid	process
4164	KrnlService.exe
4208	svhost.exe
1912	shhost.exe
4164	KrnlService.exe
4208	svhost.exe
964	Java.exe
1912	shhost.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe
964	Java.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1432 4208 WerFault.exe svhost.exe
2488 1912 WerFault.exe shhost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1552 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3472 timeout.exe

pid	pid_target	process	target process
1432	4208	WerFault.exe	svhost.exe
2488	1912	WerFault.exe	shhost.exe

pid	process
1552	schtasks.exe

pid	process
3472	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 38 IoCs

Processes:

krnl_portable_bootstrapper.bindnSpy.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	krnl_portable_bootstrapper.bin
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	dnSpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	dnSpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "4"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	dnSpy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 4e003100000000004f53524410006b726e6c00003a0009000400efbe4f53d0624f53d3622e0000007cac01000000070000000000000000000000000000001a44ac006b0072006e006c00000014000000	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	dnSpy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	dnSpy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	dnSpy.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	dnSpy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	dnSpy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exednSpy.exekrnl_portable_bootstrapper.binkrnl_portable_bootstrapper.binkrnl_console_bootstrapper.exeWerFault.exeWerFault.exeKrnlService.exe

pid	process
4548	chrome.exe
4548	chrome.exe
2676	chrome.exe
2676	chrome.exe
3572	chrome.exe
3572	chrome.exe
3988	chrome.exe
3988	chrome.exe
1304	chrome.exe
1304	chrome.exe
1628	chrome.exe
1628	chrome.exe
4236	dnSpy.exe
2300	krnl_portable_bootstrapper.bin
2300	krnl_portable_bootstrapper.bin
2300	krnl_portable_bootstrapper.bin
4236	dnSpy.exe
1800	krnl_portable_bootstrapper.bin
1800	krnl_portable_bootstrapper.bin
1800	krnl_portable_bootstrapper.bin
3776	krnl_console_bootstrapper.exe
3776	krnl_console_bootstrapper.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
2488	WerFault.exe
2488	WerFault.exe
1432	WerFault.exe
1432	WerFault.exe
4164	KrnlService.exe
4164	KrnlService.exe
4164	KrnlService.exe
4164	KrnlService.exe
4164	KrnlService.exe
4164	KrnlService.exe
4164	KrnlService.exe
4164	KrnlService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dnSpy.exe

pid process

4236 dnSpy.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

7zG.exednSpy.exekrnl_portable_bootstrapper.binkrnl_portable_bootstrapper.binkrnl_console_bootstrapper.exesvhost.exeshhost.exeWerFault.exeWerFault.exeKrnlService.exeJava.exe7zG.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: SeRestorePrivilege	1444	7zG.exe
Token: 35	1444	7zG.exe
Token: SeSecurityPrivilege	1444	7zG.exe
Token: SeSecurityPrivilege	1444	7zG.exe
Token: SeDebugPrivilege	4236	dnSpy.exe
Token: SeDebugPrivilege	4236	dnSpy.exe
Token: SeDebugPrivilege	2300	krnl_portable_bootstrapper.bin
Token: SeDebugPrivilege	1800	krnl_portable_bootstrapper.bin
Token: SeDebugPrivilege	3776	krnl_console_bootstrapper.exe
Token: SeDebugPrivilege	4208	svhost.exe
Token: SeDebugPrivilege	1912	shhost.exe
Token: SeRestorePrivilege	1432	WerFault.exe
Token: SeBackupPrivilege	1432	WerFault.exe
Token: SeDebugPrivilege	2488	WerFault.exe
Token: SeDebugPrivilege	1432	WerFault.exe
Token: SeDebugPrivilege	4164	KrnlService.exe
Token: SeDebugPrivilege	964	Java.exe
Token: SeDebugPrivilege	964	Java.exe
Token: SeRestorePrivilege	4380	7zG.exe
Token: 35	4380	7zG.exe
Token: SeSecurityPrivilege	4380	7zG.exe
Token: SeSecurityPrivilege	4380	7zG.exe
Token: 33	2328	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2328	software_reporter_tool.exe
Token: 33	3764	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3764	software_reporter_tool.exe
Token: 33	4072	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4072	software_reporter_tool.exe
Token: 33	408	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	408	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

chrome.exechrome.exe

pid	process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

dnSpy.exeKrnlService.exesvhost.exeshhost.exeJava.exe

pid process

4236 dnSpy.exe
4236 dnSpy.exe
4236 dnSpy.exe
4236 dnSpy.exe
4164 KrnlService.exe
4208 svhost.exe
1912 shhost.exe
964 Java.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2676 wrote to memory of 4460	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4460	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4328	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4548	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4548	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 512	2676	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://dropmefiles.com/UbQSy
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff90f484f50,0x7ff90f484f60,0x7ff90f484f70
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1552 /prefetch:2
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:8
2⤵
PID:512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
2⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4164 /prefetch:8
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:8
2⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6504 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6696 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6620 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6460 /prefetch:8
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6436 /prefetch:8
2⤵
PID:1396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6184 /prefetch:8
2⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6456 /prefetch:8
2⤵
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6408 /prefetch:8
2⤵
PID:1728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
2⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,3296004091538904667,9442611679467592772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3136 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3452.0.1128429088\1362072473" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1520 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3452 "\\.\pipe\gecko-crash-server-pipe.3452" 1608 gpu
1⤵
PID:3100

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3452.3.1058971587\570166072" -childID 1 -isForBrowser -prefsHandle 2316 -prefMapHandle 2312 -prefsLen 122 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3452 "\\.\pipe\gecko-crash-server-pipe.3452" 1332 tab
1⤵
PID:1128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3452.13.448095363\1960123261" -childID 2 -isForBrowser -prefsHandle 3108 -prefMapHandle 3104 -prefsLen 6984 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3452 "\\.\pipe\gecko-crash-server-pipe.3452" 3136 tab
1⤵
PID:4332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3452.20.469004935\1743721578" -childID 3 -isForBrowser -prefsHandle 4380 -prefMapHandle 4364 -prefsLen 7689 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3452 "\\.\pipe\gecko-crash-server-pipe.3452" 4224 tab
1⤵
PID:1816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4980

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap10987:66:7zEvent29631
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Users\Admin\Desktop\krnl\dnSpy.exe
"C:\Users\Admin\Desktop\krnl\dnSpy.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Users\Admin\Desktop\krnl\krnl_portable_bootstrapper.bin
"C:\Users\Admin\Desktop\krnl\krnl_portable_bootstrapper.bin"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Users\Admin\Desktop\krnl\krnl_portable_bootstrapper.bin
"C:\Users\Admin\Desktop\krnl\krnl_portable_bootstrapper.bin"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\AppData\Local\Temp\krnl_console_bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\krnl_console_bootstrapper.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Users\Admin\AppData\Local\Temp\KrnlService.exe
"C:\Users\Admin\AppData\Local\Temp\KrnlService.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Java" /tr '"C:\Users\Admin\AppData\Roaming\Java.exe"' & exit
4⤵
PID:3300

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Java" /tr '"C:\Users\Admin\AppData\Roaming\Java.exe"'
5⤵
- Creates scheduled task(s)
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2307.tmp.bat""
4⤵
PID:2076

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:3472

C:\Users\Admin\AppData\Roaming\Java.exe
"C:\Users\Admin\AppData\Roaming\Java.exe"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:964

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1268
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Users\Admin\AppData\Local\Temp\shhost.exe
"C:\Users\Admin\AppData\Local\Temp\shhost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 2148
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap8098:58:7zEvent326 -ad -saa -- "C:\Users\Admin\Desktop\krnl"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff90f484f50,0x7ff90f484f60,0x7ff90f484f70
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1500 /prefetch:2
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1912 /prefetch:8
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
2⤵
PID:532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
2⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
2⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4396 /prefetch:8
2⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,2720057790707508221,11717668513050829562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff90f484f50,0x7ff90f484f60,0x7ff90f484f70
2⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1680 /prefetch:8
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
2⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
2⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
2⤵
PID:1816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
2⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2952 /prefetch:8
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4500 /prefetch:8
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 /prefetch:8
2⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3668 /prefetch:8
2⤵
PID:2920

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=oIv7Ayo7BDmA10RKA3kEIU3S8cIXixKIYvWicmev --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3764

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=93.269.200 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff70f249300,0x7ff70f249310,0x7ff70f249320
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2328

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3764_IYABBYOYDRUNITMT" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=18081902858485584364 --mojo-platform-channel-handle=692 --engine=2
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3764_IYABBYOYDRUNITMT" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=1261459544719225878 --mojo-platform-channel-handle=912
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
PID:664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1940 /prefetch:8
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,1601736628792353100,12412448727597292701,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5272 /prefetch:2
2⤵
PID:3012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\krnl.rar
MD5
d09d2d2404dfeb01304481492f8d8224

SHA1
f8b9c064c530ea91b99c7bf156e02bb192482416

SHA256
c3b4c7976a19135d4c2922460258546dd2a98be000ec84073062b15ebe863167

SHA512
b7ee7ac3ed6399baba099b0b8b10027c77a0719763253f901517dcf68f64d9e88c278ae853345512c69c10a7a7b8bb170b4ba069ffe69e6a3d507c7de5ef956e

Download Submit
C:\Users\Admin\Desktop\krnl\bin\DirectWriteForwarder.dll
MD5
fe18b6ed4c63d18156217dc30f1482e5

SHA1
1d1eccc4e03b086d49c453b4e5716e164892f006

SHA256
1f1093930ebc3779f2d4659ed3a31fd05cfa1dbffc0f7575955cb28e7b990c64

SHA512
c5c6e64eb2ab0ef93f6d823e002f895333983f4d151ac7296c7de65e9fb8096502f8db3035ded3612fb9c6c99a8a1c09c81c3ff84dca7e1b5c5b803d10e36052

Download Submit
C:\Users\Admin\Desktop\krnl\bin\PresentationCore.dll
MD5
8248dae04024364aec8b53ce0a292ec7

SHA1
02d208a9641770565ba0b5cb670c02eb72cf4edd

SHA256
d9108c34ce90cfe678a8151ff48ccb814f7865263b233176a27c4745344a1a3f

SHA512
b65b492e9a110cb73135aa74e22626b53776784bad2966831125736706efb183e598f78175517150889cf42ddee1dfa4d79ce8d38474137df91dd185f1787fe3

Download Submit
C:\Users\Admin\Desktop\krnl\bin\System.Diagnostics.Tracing.dll
MD5
04e44e8deaf68d6285623287e6494209

SHA1
060a22f69e413b47e6b0c2a8e9bf2f9b200c4575

SHA256
474dabc74f78e89a40de5be362ca399de630400b46e7cb81c224692ebdbeed25

SHA512
02bf3a560e4f10c1d2f208f16f03efc1cc7dbbdd8fcf875ef6040012663a1c6008331920ec62ccc09378f6337c8470e5b456566c4dbdb21478d079269df56ea1

Download Submit
C:\Users\Admin\Desktop\krnl\bin\System.IO.FileSystem.dll
MD5
944c070c2ac2208867b57d15c319ccc6

SHA1
7ac800a94af0da43c78b3c3411aa21d45ccf911d

SHA256
aa4db7afcb061c7b1029c414beef19ad5bb319b69f6eb7756113c9f207162e63

SHA512
8d5693c6dfe07affc6d814db358aaf8c69c7d66d98d97bbb4b922d1bc192cc399c84642f16d6415dcd4189e49e96068fb9049306f05b8faa782bfc37f96403cf

Download Submit
C:\Users\Admin\Desktop\krnl\bin\System.Private.CoreLib.dll
MD5
bd42384077787fb221c9f703fbb8bb88

SHA1
0228f9a53ff3abd70c711b86b489718307eeba05

SHA256
7a2279cd7d0507adcb206269bf0fe2e69f1059ebe5976f7413b76b769c75d531

SHA512
5e9c4a4182756d835bf231d5c8657eb98b82244740d9af034d59d0628d91ef0a25c11028f88c878513538bdb6cbc9ef4e4ec5b7564354ca346ea50fefd3c9fa2

Download Submit
C:\Users\Admin\Desktop\krnl\bin\System.Runtime.Extensions.dll
MD5
621f8acc3152f04a3fd9a901b08985e2

SHA1
19e89c3f51c3d8048e1d2fe1de269f8906f291a4

SHA256
ddd7f16cf52c23b5953f67057bcddcc8fc7f11b32dfd93a1e3079fb0e81a56fb

SHA512
3b31121685825b9cab3e0def9b9549f9fc5580d240e3abe8058d65326d2cdd37b6cf9ceaabe2d56b66d91b283203c8fad518eb0de3a6b8c02afef23915bfb1f8

Download Submit
C:\Users\Admin\Desktop\krnl\bin\System.Runtime.InteropServices.dll
MD5
48fb2d5f200c68a00ce0388770341478

SHA1
7279cd97c3f7f4753629e21cb8234e4082b1f890

SHA256
31286dd429d6588632adb78b514a0d9f8b8fc9ac2e88976d10f83d46cabdccb5

SHA512
e120bf83ca0bb6f91108d34839d88c23204e83b9805bac9bac3d08336132dbbd0c2b2012807d4ae1ebb1c5247d33cba4e2ba859ea45ed3f7517a0adbb1d3cdda

Download Submit
C:\Users\Admin\Desktop\krnl\bin\System.Runtime.dll
MD5
715f4dc52da61002d5bb4e1a64108e82

SHA1
a48ea9b3a88780ff489858bc02ca42ce969fa593

SHA256
7445aa86efeb0045d10ad97ec6a3b5bc72556e06501f471d754ae033df87d5d0

SHA512
b0dd8a363eaf975aa517fd7f109e7100da24f1d0f5fea52780c47dec7679609d0029c82cc79f5ee6d1bd296d3875f42ef9c9cd9033392a1269de4596ec27bd91

Download Submit
C:\Users\Admin\Desktop\krnl\bin\WindowsBase.dll
MD5
e8674dbfceac4bc362c1f15cdc8fd2ef

SHA1
d2c693cc121df0a69e5c1d1ab67a43123601f8e3

SHA256
85812bc0cbe06a06ccdd20473155a5cfef31b1760767e29ea688457f2830ccc1

SHA512
c01d639a188e745a0c4e789598b60e99bf0ea0544ca9ebd6b12f3e158c0bbc1e164dd0aa274cadf4b1ea3c99254656d057dc36d9ee29904de0e021485e652fc1

Download Submit
C:\Users\Admin\Desktop\krnl\bin\clrjit.dll
MD5
ae031b7fafb431d7e30b08d5e9a0b831

SHA1
28a59dd780e0329ef19248e953e8cf703a9f97b3

SHA256
97c766dbd9786e66e967263371b9f06a9f21aa2950795d4254a11edcd20e430e

SHA512
036e35fa9751c9c54006077da4ec5d248e9572d9b5e30f1af83992700d11210981df10141316b6afeb7ebe82d6e3517575bc9ba77cc7a9d2383b08ceceaf50fc

Download Submit
C:\Users\Admin\Desktop\krnl\bin\coreclr.dll
MD5
27d49de876adc48752954f64f5db9da4

SHA1
2137a2a832fbb479bb2ae15297ca6d11a36cf68c

SHA256
f31d2089328db88ffd561f56db944cae79647478e2b72be201d95607b8ae1666

SHA512
d2bec99263f36fefe1760f22b656e8cdd27ba5c66d5df9e8509165a8f119f0ba63c6a766e25ed4895a927a089c816c59fdd0c2fc0b2b9f2a22db65abbb1d9fd0

Download Submit
C:\Users\Admin\Desktop\krnl\bin\dnSpy.Contracts.DnSpy.dll
MD5
5897a5f8bb3fdbaea1f5d37f1a0137e5

SHA1
ad75c9397106112ae52dd1cb93899d81ea0c2d6b

SHA256
a06639a52050f3d0f4644ccd55c7ba1572a7f63b5cf51067f8e9088f7cae2449

SHA512
7f6567700efa2b8b01193e58992dbba714c21ba9e67896a39247335886c0f4e6a210d0023b6b7559c509131f83d99e2f16acbd08b0c4ad672b15582bfc234add

Download Submit
C:\Users\Admin\Desktop\krnl\bin\dnSpy.deps.json
MD5
c5ebae728e2f6d81ebb2811311491990

SHA1
41b37ba7693bb8c9f9852a80d1752e39203ee878

SHA256
c30990252f79f8a94c56ce5af663acf1333c34a4dd2c8abd199c82c684a45408

SHA512
9acc4497bdcdb472cb7b59d257be5275803abfc358f56803b73cc11bd691cc4320135d534a47d00605610a7426db2115fe227adbc98b60aebb78d366f312e737

Download Submit
C:\Users\Admin\Desktop\krnl\bin\dnSpy.dll
MD5
1495a61498fafbc13a37b91bf32fe191

SHA1
770e93957a7fd7a3172a51a48c56e7159c1aee09

SHA256
13313b9a80d6fe4e86e289475a57c96451e6e98133e136a74619ba3443306d12

SHA512
1750161ce2cd2ed6c4c21d904d249459ad91ac4c9a96c00645848852a0c42c85b0ce8c790c41322e148b43988b8bf78ef89df49dd3a1825c343178c33762a48c

Download Submit
C:\Users\Admin\Desktop\krnl\bin\dnSpy.runtimeconfig.json
MD5
c0bbae9a92c0004f0e48a1303834a4f1

SHA1
6254cc2e4595c272c88200a569ced499f82fb531

SHA256
d73d166ed2c36560e74ccd1067673bc17c881d570e09394ddd5ef0ffd3d9e8a4

SHA512
29a0025944bc65b708909a18e8d42723de52b5bf9fb191ab7936090f51edc4430791f341229f204e875d0673b046bc71e73842babc72312e19eb9c9019549272

Download Submit
C:\Users\Admin\Desktop\krnl\bin\dnlib.dll
MD5
4d0b771879de85137ee7e5f0d4bb4b16

SHA1
fc32cccd0cd5c3ebd968bcdf48e32a7ea25e9bd7

SHA256
962332e8c8cb459fb2f7dacec5d7a618cc53b1b49bc1740156398c89742f43fd

SHA512
bae39862ea07ebc5c9aa07a7333a880471baf4bf52eebedc03536e45584887eecc1075e0c0171229a54900ab93a66db9f666aa631c160912f538666da8c9e980

Download Submit
C:\Users\Admin\Desktop\krnl\bin\hostfxr.dll
MD5
fa1ba429770bc8b64ce65511f29ff88f

SHA1
c9af6e053edc6f4ce1fcd165f1635cd15db98a9f

SHA256
48d9968db0001585b27c46c96d47952e86a42540b236a7d6877e8c67b7fa79a1

SHA512
c6dd92c56739e0b11dfeb496bbc14b24374e1910cb1a4c83edbb07d2565b2279fae0a9325d363ea7b2c548aea429ab6dcb875328ad48dcf2ef3256eb6c2778a3

Download Submit
C:\Users\Admin\Desktop\krnl\bin\hostpolicy.dll
MD5
af83b14c9628f161c980f69f7ae7b2be

SHA1
8b38008a74370379548a3accd259f43833b529ff

SHA256
fb249fed957ee658bfc20dbe18d1810aed29cd0b626374d147da5891a24b1b52

SHA512
a70d3f787b63345e7c2d6fcc50f66858d3c4bfccc952c637900067c1b59312d6c72febd04749fa36e027d65eaf07c5d7f6e90c1ed4b28767f6f5d36dded15712

Download Submit
C:\Users\Admin\Desktop\krnl\bin\mscorlib.dll
MD5
a029bd0904a2966373c1302b0e0324a9

SHA1
b01c81668917eb6b8566c1fe210fb300648d97ba

SHA256
2b3ead4f40779324d728c8970721b3af78f8085877e73e1ae163085515ed285a

SHA512
33e9deb58c0f1220b097a6be47f8b00696261e61d0a3910cbe871cb03240aaf4acfde2af9a9dbf38c1b9061246fffc9eefe6b036d0cba87f351182c367c9acf1

Download Submit
C:\Users\Admin\Desktop\krnl\bin\netstandard.dll
MD5
349c39c3ff7dd2fb44d5fa3c5baf64c6

SHA1
b60d38ed5bcb35f66468a43dc4349dfa970b1c02

SHA256
737d504f6fa742b23cf4149cd0384fdbdc929bc4231bdd0d7bd772ea9dd1805f

SHA512
e63dd8f5e1392740a0e2228fcd88bba0392c5834ae2a3caa311e894b177623d636d12a5c0107f81f9b92e01fcdc75cbca287731eee4d136f73d1e9b6fca9bc0b

Download Submit
C:\Users\Admin\Desktop\krnl\dnSpy.exe
MD5
5cf180fec9628c4df4267de3ed7a98a7

SHA1
edeaac9111d8f499378b67c983f7b7defbddb268

SHA256
bc1c4e0fc49c138bbfc223d3e94231cd4884439c663646d91e48fa005df6704a

SHA512
97149bb70657393965382a152f8dcdcd9bdca5a6914b788dcba6b92be1547a83fd2720afbd6b2deb9d20da524ee2bb85375d9ffd4b019157f0eef51d46539133

Download Submit
\??\pipe\crashpad_2676_GQXZERFQHNSPHHNB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Desktop\krnl\bin\DirectWriteForwarder.dll
MD5
fe18b6ed4c63d18156217dc30f1482e5

SHA1
1d1eccc4e03b086d49c453b4e5716e164892f006

SHA256
1f1093930ebc3779f2d4659ed3a31fd05cfa1dbffc0f7575955cb28e7b990c64

SHA512
c5c6e64eb2ab0ef93f6d823e002f895333983f4d151ac7296c7de65e9fb8096502f8db3035ded3612fb9c6c99a8a1c09c81c3ff84dca7e1b5c5b803d10e36052

Download Submit
\Users\Admin\Desktop\krnl\bin\PresentationCore.dll
MD5
8248dae04024364aec8b53ce0a292ec7

SHA1
02d208a9641770565ba0b5cb670c02eb72cf4edd

SHA256
d9108c34ce90cfe678a8151ff48ccb814f7865263b233176a27c4745344a1a3f

SHA512
b65b492e9a110cb73135aa74e22626b53776784bad2966831125736706efb183e598f78175517150889cf42ddee1dfa4d79ce8d38474137df91dd185f1787fe3

Download Submit
\Users\Admin\Desktop\krnl\bin\System.Diagnostics.Tracing.dll
MD5
04e44e8deaf68d6285623287e6494209

SHA1
060a22f69e413b47e6b0c2a8e9bf2f9b200c4575

SHA256
474dabc74f78e89a40de5be362ca399de630400b46e7cb81c224692ebdbeed25

SHA512
02bf3a560e4f10c1d2f208f16f03efc1cc7dbbdd8fcf875ef6040012663a1c6008331920ec62ccc09378f6337c8470e5b456566c4dbdb21478d079269df56ea1

Download Submit
\Users\Admin\Desktop\krnl\bin\System.IO.FileSystem.dll
MD5
944c070c2ac2208867b57d15c319ccc6

SHA1
7ac800a94af0da43c78b3c3411aa21d45ccf911d

SHA256
aa4db7afcb061c7b1029c414beef19ad5bb319b69f6eb7756113c9f207162e63

SHA512
8d5693c6dfe07affc6d814db358aaf8c69c7d66d98d97bbb4b922d1bc192cc399c84642f16d6415dcd4189e49e96068fb9049306f05b8faa782bfc37f96403cf

Download Submit
\Users\Admin\Desktop\krnl\bin\System.Private.CoreLib.dll
MD5
bd42384077787fb221c9f703fbb8bb88

SHA1
0228f9a53ff3abd70c711b86b489718307eeba05

SHA256
7a2279cd7d0507adcb206269bf0fe2e69f1059ebe5976f7413b76b769c75d531

SHA512
5e9c4a4182756d835bf231d5c8657eb98b82244740d9af034d59d0628d91ef0a25c11028f88c878513538bdb6cbc9ef4e4ec5b7564354ca346ea50fefd3c9fa2

Download Submit
\Users\Admin\Desktop\krnl\bin\System.Runtime.Extensions.dll
MD5
621f8acc3152f04a3fd9a901b08985e2

SHA1
19e89c3f51c3d8048e1d2fe1de269f8906f291a4

SHA256
ddd7f16cf52c23b5953f67057bcddcc8fc7f11b32dfd93a1e3079fb0e81a56fb

SHA512
3b31121685825b9cab3e0def9b9549f9fc5580d240e3abe8058d65326d2cdd37b6cf9ceaabe2d56b66d91b283203c8fad518eb0de3a6b8c02afef23915bfb1f8

Download Submit
\Users\Admin\Desktop\krnl\bin\System.Runtime.InteropServices.dll
MD5
48fb2d5f200c68a00ce0388770341478

SHA1
7279cd97c3f7f4753629e21cb8234e4082b1f890

SHA256
31286dd429d6588632adb78b514a0d9f8b8fc9ac2e88976d10f83d46cabdccb5

SHA512
e120bf83ca0bb6f91108d34839d88c23204e83b9805bac9bac3d08336132dbbd0c2b2012807d4ae1ebb1c5247d33cba4e2ba859ea45ed3f7517a0adbb1d3cdda

Download Submit
\Users\Admin\Desktop\krnl\bin\System.Runtime.dll
MD5
715f4dc52da61002d5bb4e1a64108e82

SHA1
a48ea9b3a88780ff489858bc02ca42ce969fa593

SHA256
7445aa86efeb0045d10ad97ec6a3b5bc72556e06501f471d754ae033df87d5d0

SHA512
b0dd8a363eaf975aa517fd7f109e7100da24f1d0f5fea52780c47dec7679609d0029c82cc79f5ee6d1bd296d3875f42ef9c9cd9033392a1269de4596ec27bd91

Download Submit
\Users\Admin\Desktop\krnl\bin\WindowsBase.dll
MD5
e8674dbfceac4bc362c1f15cdc8fd2ef

SHA1
d2c693cc121df0a69e5c1d1ab67a43123601f8e3

SHA256
85812bc0cbe06a06ccdd20473155a5cfef31b1760767e29ea688457f2830ccc1

SHA512
c01d639a188e745a0c4e789598b60e99bf0ea0544ca9ebd6b12f3e158c0bbc1e164dd0aa274cadf4b1ea3c99254656d057dc36d9ee29904de0e021485e652fc1

Download Submit
\Users\Admin\Desktop\krnl\bin\clrjit.dll
MD5
ae031b7fafb431d7e30b08d5e9a0b831

SHA1
28a59dd780e0329ef19248e953e8cf703a9f97b3

SHA256
97c766dbd9786e66e967263371b9f06a9f21aa2950795d4254a11edcd20e430e

SHA512
036e35fa9751c9c54006077da4ec5d248e9572d9b5e30f1af83992700d11210981df10141316b6afeb7ebe82d6e3517575bc9ba77cc7a9d2383b08ceceaf50fc

Download Submit
\Users\Admin\Desktop\krnl\bin\coreclr.dll
MD5
27d49de876adc48752954f64f5db9da4

SHA1
2137a2a832fbb479bb2ae15297ca6d11a36cf68c

SHA256
f31d2089328db88ffd561f56db944cae79647478e2b72be201d95607b8ae1666

SHA512
d2bec99263f36fefe1760f22b656e8cdd27ba5c66d5df9e8509165a8f119f0ba63c6a766e25ed4895a927a089c816c59fdd0c2fc0b2b9f2a22db65abbb1d9fd0

Download Submit
\Users\Admin\Desktop\krnl\bin\hostfxr.dll
MD5
fa1ba429770bc8b64ce65511f29ff88f

SHA1
c9af6e053edc6f4ce1fcd165f1635cd15db98a9f

SHA256
48d9968db0001585b27c46c96d47952e86a42540b236a7d6877e8c67b7fa79a1

SHA512
c6dd92c56739e0b11dfeb496bbc14b24374e1910cb1a4c83edbb07d2565b2279fae0a9325d363ea7b2c548aea429ab6dcb875328ad48dcf2ef3256eb6c2778a3

Download Submit
\Users\Admin\Desktop\krnl\bin\hostpolicy.dll
MD5
af83b14c9628f161c980f69f7ae7b2be

SHA1
8b38008a74370379548a3accd259f43833b529ff

SHA256
fb249fed957ee658bfc20dbe18d1810aed29cd0b626374d147da5891a24b1b52

SHA512
a70d3f787b63345e7c2d6fcc50f66858d3c4bfccc952c637900067c1b59312d6c72febd04749fa36e027d65eaf07c5d7f6e90c1ed4b28767f6f5d36dded15712

Download Submit
\Users\Admin\Desktop\krnl\bin\netstandard.dll
MD5
349c39c3ff7dd2fb44d5fa3c5baf64c6

SHA1
b60d38ed5bcb35f66468a43dc4349dfa970b1c02

SHA256
737d504f6fa742b23cf4149cd0384fdbdc929bc4231bdd0d7bd772ea9dd1805f

SHA512
e63dd8f5e1392740a0e2228fcd88bba0392c5834ae2a3caa311e894b177623d636d12a5c0107f81f9b92e01fcdc75cbca287731eee4d136f73d1e9b6fca9bc0b

Download Submit
memory/408-552-0x0000000000000000-mapping.dmp

Download
memory/964-487-0x0000000005750000-0x0000000005CB2000-memory.dmp

Filesize
5.4MB

Download
memory/964-480-0x0000000000000000-mapping.dmp

Download
memory/1552-478-0x0000000000000000-mapping.dmp

Download
memory/1800-413-0x000000001C704000-0x000000001C706000-memory.dmp

Filesize
8KB

Download
memory/1800-403-0x0000000000000000-mapping.dmp

Download
memory/1800-412-0x000000001C700000-0x000000001C702000-memory.dmp

Filesize
8KB

Download
memory/1800-414-0x000000001C702000-0x000000001C704000-memory.dmp

Filesize
8KB

Download
memory/1800-415-0x000000001C706000-0x000000001C708000-memory.dmp

Filesize
8KB

Download
memory/1800-433-0x00000000031F0000-0x00000000031F2000-memory.dmp

Filesize
8KB

Download
memory/1912-449-0x0000000000000000-mapping.dmp

Download
memory/1912-461-0x0000000005D00000-0x0000000006262000-memory.dmp

Filesize
5.4MB

Download
memory/2076-477-0x0000000000000000-mapping.dmp

Download
memory/2300-304-0x0000000000000000-mapping.dmp

Download
memory/2300-337-0x0000000002D30000-0x0000000002D32000-memory.dmp

Filesize
8KB

Download
memory/2300-327-0x000000001B820000-0x000000001BD4A000-memory.dmp

Filesize
5.2MB

Download
memory/2300-324-0x000000001B820000-0x000000001BD4A000-memory.dmp

Filesize
5.2MB

Download
memory/2300-325-0x000000001B820000-0x000000001BD4A000-memory.dmp

Filesize
5.2MB

Download
memory/2300-326-0x000000001B820000-0x000000001BD4A000-memory.dmp

Filesize
5.2MB

Download
memory/2328-542-0x0000000000000000-mapping.dmp

Download
memory/3300-476-0x0000000000000000-mapping.dmp

Download
memory/3472-479-0x0000000000000000-mapping.dmp

Download
memory/3764-539-0x0000000000000000-mapping.dmp

Download
memory/3776-428-0x0000000000000000-mapping.dmp

Download
memory/3776-450-0x00000000051C0000-0x0000000005722000-memory.dmp

Filesize
5.4MB

Download
memory/4072-563-0x000001E66D490000-0x000001E66D4D0000-memory.dmp

Filesize
256KB

Download
memory/4072-562-0x000001E66D450000-0x000001E66D490000-memory.dmp

Filesize
256KB

Download
memory/4072-560-0x000001E66D2C0000-0x000001E66D300000-memory.dmp

Filesize
256KB

Download
memory/4072-559-0x000001E66B270000-0x000001E66B2B0000-memory.dmp

Filesize
256KB

Download
memory/4072-557-0x000001E66B1F0000-0x000001E66B1F1000-memory.dmp

Filesize
4KB

Download
memory/4072-558-0x000001E66B1F0000-0x000001E66B230000-memory.dmp

Filesize
256KB

Download
memory/4072-546-0x0000000000000000-mapping.dmp

Download
memory/4072-561-0x000001E66D300000-0x000001E66D340000-memory.dmp

Filesize
256KB

Download
memory/4072-564-0x000001E66D4D0000-0x000001E66D510000-memory.dmp

Filesize
256KB

Download
memory/4072-565-0x000001E66D510000-0x000001E66D550000-memory.dmp

Filesize
256KB

Download
memory/4164-468-0x0000000005680000-0x0000000005BE2000-memory.dmp

Filesize
5.4MB

Download
memory/4164-429-0x0000000000000000-mapping.dmp

Download
memory/4208-451-0x0000000005BD0000-0x0000000006132000-memory.dmp

Filesize
5.4MB

Download
memory/4208-439-0x0000000000000000-mapping.dmp

Download
memory/4236-313-0x0000018DB5AB6000-0x0000018DB5AB7000-memory.dmp

Filesize
4KB

Download
memory/4236-159-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-199-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-200-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-198-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-156-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-197-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-201-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-202-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-163-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-203-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-162-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-204-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-205-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-160-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-206-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-157-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-374-0x0000018DB5AB7000-0x0000018DB5AB8000-memory.dmp

Filesize
4KB

Download
memory/4236-207-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-155-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-130-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-127-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-250-0x0000018DB5AB5000-0x0000018DB5AB6000-memory.dmp

Filesize
4KB

Download
memory/4236-158-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-244-0x0000018DB5AB3000-0x0000018DB5AB5000-memory.dmp

Filesize
8KB

Download
memory/4236-126-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-224-0x0000018DB5AB0000-0x0000018DB5AB2000-memory.dmp

Filesize
8KB

Download
memory/4236-216-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-214-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-213-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-212-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-211-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-210-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-209-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download
memory/4236-208-0x0000018DB5A60000-0x0000018DB5A62000-memory.dmp

Filesize
8KB

Download