hxxps://dropmefiles[.]com/ju2DW

Analysis

max time kernel
393s
max time network
396s
platform
windows10_x64
resource
win10-en-20211208
submitted
18-12-2021 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dropmefiles.com/ju2DW

Score

10^/10

discovery persistence themida

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4860 created 4708 4860 WerFault.exe ExtremeDumper.exe

description	pid	process	target process
PID 4860 created 4708	4860	WerFault.exe	ExtremeDumper.exe

Executes dropped EXE 12 IoCs

Processes:

1.exedotnet-sdk-3.1.416-win-x64.exedotnet-sdk-3.1.416-win-x64.exedotnet-sdk-3.1.416-win-x64.exedotnet-sdk-3.1.416-win-x64.exedotnet-sdk-3.1.416-win-x64.exedotnet.exe1.exeExtremeDumper.exeExtremeDumper.exe1.exeExtremeDumper.exe

pid	process
3860	1.exe
644	dotnet-sdk-3.1.416-win-x64.exe
3116	dotnet-sdk-3.1.416-win-x64.exe
3848	dotnet-sdk-3.1.416-win-x64.exe
628	dotnet-sdk-3.1.416-win-x64.exe
3644	dotnet-sdk-3.1.416-win-x64.exe
192	dotnet.exe
4584	1.exe
4708	ExtremeDumper.exe
4920	ExtremeDumper.exe
1412	1.exe
2396	ExtremeDumper.exe

Loads dropped DLL 64 IoCs

Processes:

dotnet-sdk-3.1.416-win-x64.exedotnet-sdk-3.1.416-win-x64.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exedotnet.exe

pid	process
3116	dotnet-sdk-3.1.416-win-x64.exe
628	dotnet-sdk-3.1.416-win-x64.exe
3064	MsiExec.exe
3064	MsiExec.exe
3076	MsiExec.exe
3076	MsiExec.exe
228	MsiExec.exe
228	MsiExec.exe
2392	MsiExec.exe
3344	MsiExec.exe
3344	MsiExec.exe
1572	MsiExec.exe
1572	MsiExec.exe
192	MsiExec.exe
192	MsiExec.exe
224	MsiExec.exe
224	MsiExec.exe
680	MsiExec.exe
1932	MsiExec.exe
1932	MsiExec.exe
3060	MsiExec.exe
1212	MsiExec.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe
192	dotnet.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\1\1.exe	themida
C:\Users\Admin\Desktop\1\1.exe	themida
behavioral1/memory/3860-120-0x0000000140000000-0x0000000140831000-memory.dmp	themida
behavioral1/memory/4584-201-0x0000000140000000-0x0000000140831000-memory.dmp	themida
behavioral1/memory/1412-217-0x0000000140000000-0x0000000140831000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dotnet-sdk-3.1.416-win-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dotnet-sdk-3.1.416-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{a3f6b727-7a69-4e86-95ab-22befeaea6ff} = "\"C:\\ProgramData\\Package Cache\\{a3f6b727-7a69-4e86-95ab-22befeaea6ff}\\dotnet-sdk-3.1.416-win-x64.exe\" /burn.runonce"	dotnet-sdk-3.1.416-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

1.exe1.exe1.exe

pid process

3860 1.exe
4584 1.exe
1412 1.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Text.Encoding.Extensions.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Xml.XDocument.xml	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Sdks\Microsoft.NET.Sdk.Razor\tools\netcoreapp3.0\ru\Microsoft.CodeAnalysis.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\it\Microsoft.DotNet.Configurer.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.22\System.Xml.XPath.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.IO.FileSystem.Watcher.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Xml.XmlDocument.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\dotnet.runtimeconfig.json	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\cs\NuGet.DependencyResolver.Core.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Microsoft\Microsoft.NET.Build.Extensions\Microsoft.NET.Build.Extensions.NETFramework.targets	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\MSBuild.runtimeconfig.json	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Security.Cryptography.Encoding.xml	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.WindowsDesktop.App.Ref\3.1.0\ref\netcoreapp3.1\System.CodeDom.xml	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\de\Microsoft.TestPlatform.CoreUtilities.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Extensions\Microsoft.TestPlatform.Extensions.BlameDataCollector.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Collections.xml	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\3.1.10\ref\netcoreapp3.1\Microsoft.AspNetCore.Metadata.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\cs\Microsoft.DotNet.Cli.Utils.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Extensions\de\Microsoft.TestPlatform.Extensions.EventLogCollector.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\ru\NuGet.Configuration.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Net.WebProxy.xml	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\3.1.10\ref\netcoreapp3.1\Microsoft.AspNetCore.Session.xml	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\zh-Hans\Microsoft.TestPlatform.CrossPlatEngine.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Sdks\NuGet.Build.Tasks.Pack\Desktop\fr\NuGet.Build.Tasks.Pack.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\DotnetTools\dotnet-user-secrets\3.1.22-servicing.21579.4\tools\netcoreapp3.1\any\DotnetToolSettings.xml	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.22\System.Resources.ResourceManager.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.22\de\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\3.1.10\ref\netcoreapp3.1\Microsoft.Extensions.Options.DataAnnotations.xml	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\DotnetTools\dotnet-dev-certs\3.1.22-servicing.21579.4\tools\netcoreapp3.1\any\dotnet-dev-certs.deps.json	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\pl\NuGet.DependencyResolver.Core.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Security.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.WindowsDesktop.App.Ref\3.1.0\ref\netcoreapp3.1\System.Security.Cryptography.Pkcs.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\FSharp\default.win32manifest	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Sdks\Microsoft.NET.Sdk.WindowsDesktop\tools\netcoreapp2.1\fr\PresentationBuildTasks.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Roslyn\bincore\es\Microsoft.CodeAnalysis.VisualBasic.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.22\System.Drawing.Common.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\3.1.10\ref\netcoreapp3.1\Microsoft.AspNetCore.ResponseCaching.Abstractions.xml	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.22\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Sdks\Microsoft.NET.Sdk.Razor\tools\netcoreapp3.0\fr\Microsoft.CodeAnalysis.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\vstest.console.runtimeconfig.json	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Runtime.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Net.WebHeaderCollection.xml	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Globalization.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Host.win-x64\3.1.22\runtimes\win-x64\native\nethost.h	msiexec.exe
File created	C:\Program Files\dotnet\packs\NETStandard.Library.Ref\2.1.0\ref\netstandard2.1\System.ObjectModel.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.WindowsDesktop.App.Ref\3.1.0\ref\netcoreapp3.1\UIAutomationClient.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\3.1.10\ref\netcoreapp3.1\Microsoft.AspNetCore.SignalR.Core.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\NETStandard.Library.Ref\2.1.0\ref\netstandard2.1\System.Globalization.Extensions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.22\es\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App\3.1.22\Microsoft.Extensions.Logging.EventLog.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App\3.1.22\Microsoft.AspNetCore.Mvc.DataAnnotations.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Runtime.Intrinsics.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Host.win-arm64\3.1.22\runtimes\win-arm64\native\apphost.exe	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\pt-BR\Test.Utility.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\templates\3.1.23\microsoft.dotnet.test.projecttemplates.3.1.1.0.2-beta4.20176.1.nupkg	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Microsoft\Microsoft.NET.Build.Extensions\tools\netcoreapp2.1\fr\Microsoft.NET.Build.Extensions.Tasks.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\TestHost\ru\Microsoft.TestPlatform.CommunicationUtilities.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\it\Microsoft.TestPlatform.Utilities.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Sdks\Microsoft.NET.Sdk.WindowsDesktop\tools\netcoreapp2.1\ko\PresentationBuildTasks.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\NETStandard.Library.Ref\2.1.0\ref\netstandard2.1\System.Linq.Expressions.dll	msiexec.exe
File created	C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\3.1.10\ref\netcoreapp3.1\Microsoft.Net.Http.Headers.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\FSharp\ru\FSharp.Compiler.Private.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\Roslyn\Microsoft.VisualBasic.Core.targets	msiexec.exe
File created	C:\Program Files\dotnet\sdk\3.1.416\ja\Microsoft.TestPlatform.CommunicationUtilities.resources.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI67C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e920.msi	msiexec.exe
File created	C:\Windows\Installer\f77e900.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1FBD.tmp	msiexec.exe
File created	C:\Windows\Installer\f77e90c.msi	msiexec.exe
File created	C:\Windows\Installer\f77e914.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e914.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e8f0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e8f4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e91c.msi	msiexec.exe
File created	C:\Windows\Installer\f77e923.msi	msiexec.exe
File created	C:\Windows\Installer\f77e8f8.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{31EDE1E7-C855-4633-9D73-56F566136567}	msiexec.exe
File created	C:\Windows\Installer\f77e8ff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e908.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI21B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE8F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAACA.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FEA48357-CE2F-3ED0-B2A0-8548BEC6F111}	msiexec.exe
File created	C:\Windows\Installer\f77e91f.msi	msiexec.exe
File created	C:\Windows\Installer\f77e8fc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e900.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI15B0.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{23B200E6-5E51-403D-A3F5-62CD42B23D7D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2503.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI260F.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{87DE9382-0F95-4768-98B8-BB5C1AB2B94F}	msiexec.exe
File created	C:\Windows\Installer\f77e8fb.msi	msiexec.exe
File created	C:\Windows\Installer\f77e927.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e90c.msi	msiexec.exe
File created	C:\Windows\Installer\f77e90f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e910.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI314F.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CC17FE4A-4844-4F8D-9A99-D91F94B83850}	msiexec.exe
File created	C:\Windows\Installer\f77e8f0.msi	msiexec.exe
File created	C:\Windows\Installer\f77e8f3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C4E.tmp	msiexec.exe
File created	C:\Windows\Installer\f77e907.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e924.msi	msiexec.exe
File created	C:\Windows\Installer\f77e92b.msi	msiexec.exe
File created	C:\Windows\Installer\f77e8f7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1AE5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e918.msi	msiexec.exe
File created	C:\Windows\Installer\f77e924.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16DA.tmp	msiexec.exe
File created	C:\Windows\Installer\f77e903.msi	msiexec.exe
File created	C:\Windows\Installer\f77e904.msi	msiexec.exe
File created	C:\Windows\Installer\f77e90b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D5C6F442-F51D-4D15-82C1-61E3435BA3C8}	msiexec.exe
File created	C:\Windows\Installer\f77e920.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA606.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e928.msi	msiexec.exe
File created	C:\Windows\Installer\f77e917.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DC8.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A3DC6AE7-CAE9-461E-9F75-5ABDCD36B4BF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C72.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8E5.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4804 4708 WerFault.exe ExtremeDumper.exe
4860 4708 WerFault.exe ExtremeDumper.exe

pid	pid_target	process	target process
4804	4708	WerFault.exe	ExtremeDumper.exe
4860	4708	WerFault.exe	ExtremeDumper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 31 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1D	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\18	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\19	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1d	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1B	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exedotnet-sdk-3.1.416-win-x64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_24.84.30622_x64\ = "{B343AEBD-9A5A-40B7-A032-81163019A913}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BFC6307A304B895458FF3D79BA8B1837\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75384AEFF2EC0DE32B0A5884EB6C1F11	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75384AEFF2EC0DE32B0A5884EB6C1F11\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2839ED7859F08674898BBBC5A12B9BF4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E002B3215E5D3043A5F26DC242BD3D7\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C826D445F412F84989FC6A0F52F9B0F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AB7E6EF50295FE76F983EBB7144A7820\244F6C5DD15F51D4281C163E34B53A8C	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C826D445F412F84989FC6A0F52F9B0F\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AEF388C3910B6C4AB3FADF97A6B15E0\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C883FEA0-0193-4C6B-BAF3-DA9FA7B6510E}v24.88.30721\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\netstandard_targeting_pack_24.0.28113_x64\ = "{A7036CFB-B403-4598-85FF-D397ABB88173}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_3.1.416.015882_x64	dotnet-sdk-3.1.416-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_24.84.30622_x64\Dependents	dotnet-sdk-3.1.416-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C826D445F412F84989FC6A0F52F9B0F\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DBEA343BA5A97B040A23186103919A31\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E1EDE13558C3364D937655F66315676\ProductName = "Microsoft .NET Core Targeting Pack - 3.1.0 (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0DA2E13835058E0590A175BB98E86059	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_apphost_pack_24.88.30721_x64_arm64\DisplayName = "Microsoft .NET Core AppHost Pack - 3.1.22 (x64_arm64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6C826D445F412F84989FC6A0F52F9B0F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6C826D445F412F84989FC6A0F52F9B0F\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{44D628C6-14F5-48F2-89F9-6C0A5FF2B9F0}v24.88.30721\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_24.88.30721_x64\DisplayName = "Microsoft .NET Core Host FX Resolver - 3.1.22 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E002B3215E5D3043A5F26DC242BD3D7\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{a3f6b727-7a69-4e86-95ab-22befeaea6ff}\Version = "3.1.416.15882"	dotnet-sdk-3.1.416-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DBEA343BA5A97B040A23186103919A31\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_24.84.30622_x64	dotnet-sdk-3.1.416-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BFC6307A304B895458FF3D79BA8B1837\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4EF71CC4484D8F4A9999DF1498B8305\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.AspNetCore.SharedFramework_x64_ENU,v3.1.22\DisplayName = "Microsoft ASP.NET Core 3.1.22 Shared Framework (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\244F6C5DD15F51D4281C163E34B53A8C\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D5C6F442-F51D-4D15-82C1-61E3435BA3C8}v24.88.30721\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4EF71CC4484D8F4A9999DF1498B8305\SourceList\PackageName = "dotnet-sdk-internal-3.1.416-win-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AEF388C3910B6C4AB3FADF97A6B15E0\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E002B3215E5D3043A5F26DC242BD3D7\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3F3C67CC3525BE44BDB0C9D03419C5DD\63950D8AA6B3A1F4B8134CA7C15FD57F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1FA005500853917751F00EA4148C14E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2839ED7859F08674898BBBC5A12B9BF4\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7E1EDE13558C3364D937655F66315676\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7EA6CD3A9EACE164F957A5DBDC634BFB\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_3.1.416.015882_x64\Version = "12.20.15882"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_apphost_pack_24.88.30721_x64_arm64\Version = "24.88.30721"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\244F6C5DD15F51D4281C163E34B53A8C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AEF388C3910B6C4AB3FADF97A6B15E0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C49F196EB6C545A576671C0DA7F90E79\C3249157779A0614382A843663002A61	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75384AEFF2EC0DE32B0A5884EB6C1F11\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{FEA48357-CE2F-3ED0-B2A0-8548BEC6F111}v3.1.10.20520\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75384AEFF2EC0DE32B0A5884EB6C1F11\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7EA6CD3A9EACE164F957A5DBDC634BFB\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7EA6CD3A9EACE164F957A5DBDC634BFB\SourceList\PackageName = "dotnet-31templates-3.1.416-servicing-015882-win-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4EF71CC4484D8F4A9999DF1498B8305\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4EF71CC4484D8F4A9999DF1498B8305\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DBEA343BA5A97B040A23186103919A31\PackageCode = "3F4CC0CA0281F604A814BC8E1581EFF0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_targeting_pack_24.64.28315_x64\DisplayName = "Microsoft Windows Desktop Targeting Pack - 3.1.0 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4EF71CC4484D8F4A9999DF1498B8305\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{CC17FE4A-4844-4F8D-9A99-D91F94B83850}v12.20.15882\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B69D1BA3E37C77C4EB9D5895F13CFB41\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0AEF388C3910B6C4AB3FADF97A6B15E0\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\313BF4CC719528C59682153D548C134F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2839ED7859F08674898BBBC5A12B9BF4\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B69D1BA3E37C77C4EB9D5895F13CFB41\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\244F6C5DD15F51D4281C163E34B53A8C\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D5C6F442-F51D-4D15-82C1-61E3435BA3C8}v24.88.30721\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.AspNetCore.TargetingPack_x64_ENU,v3.1.10\Dependents\{a3f6b727-7a69-4e86-95ab-22befeaea6ff}	dotnet-sdk-3.1.416-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7EA6CD3A9EACE164F957A5DBDC634BFB	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_24.88.30721_x64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6E002B3215E5D3043A5F26DC242BD3D7\PackageCode = "ACB873918E8390A4E88EED37B78BBD3B"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_targeting_pack_24.64.28315_x64\ = "{7519423C-A977-4160-83A2-48633600A216}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3249157779A0614382A843663002A61	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4EF71CC4484D8F4A9999DF1498B8305\PackageCode = "8A8A85440E718DA44B276636B2795784"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe1.exechrome.exechrome.exechrome.exechrome.exemsiexec.exe1.exeExtremeDumper.exeWerFault.exe

pid	process
1628	chrome.exe
1628	chrome.exe
3776	chrome.exe
3776	chrome.exe
1832	chrome.exe
1832	chrome.exe
1168	chrome.exe
1168	chrome.exe
3488	chrome.exe
3488	chrome.exe
3224	chrome.exe
3224	chrome.exe
2396	chrome.exe
2396	chrome.exe
1600	chrome.exe
1600	chrome.exe
3860	1.exe
3860	1.exe
1004	chrome.exe
1004	chrome.exe
1136	chrome.exe
1136	chrome.exe
4088	chrome.exe
4088	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
3616	chrome.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
1836	msiexec.exe
4584	1.exe
4584	1.exe
4708	ExtremeDumper.exe
4708	ExtremeDumper.exe
4804	WerFault.exe
4804	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

7zFM.exeExtremeDumper.exeExtremeDumper.exeExtremeDumper.exe

pid process

3076 7zFM.exe
4708 ExtremeDumper.exe
4920 ExtremeDumper.exe
2396 ExtremeDumper.exe

pid	process
3076	7zFM.exe
4708	ExtremeDumper.exe
4920	ExtremeDumper.exe
2396	ExtremeDumper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

chrome.exe

pid	process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exedotnet-sdk-3.1.416-win-x64.exemsiexec.exe

description	pid	process
Token: SeRestorePrivilege	3076	7zFM.exe
Token: 35	3076	7zFM.exe
Token: SeSecurityPrivilege	3076	7zFM.exe
Token: SeShutdownPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeIncreaseQuotaPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeSecurityPrivilege	1836	msiexec.exe
Token: SeCreateTokenPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeLockMemoryPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeIncreaseQuotaPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeMachineAccountPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeTcbPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeSecurityPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeTakeOwnershipPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeLoadDriverPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeSystemProfilePrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeSystemtimePrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeProfSingleProcessPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeIncBasePriorityPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeCreatePagefilePrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeCreatePermanentPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeBackupPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeRestorePrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeShutdownPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeDebugPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeAuditPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeSystemEnvironmentPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeChangeNotifyPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeRemoteShutdownPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeUndockPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeSyncAgentPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeEnableDelegationPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeManageVolumePrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeImpersonatePrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeCreateGlobalPrivilege	3644	dotnet-sdk-3.1.416-win-x64.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe
Token: SeTakeOwnershipPrivilege	1836	msiexec.exe
Token: SeRestorePrivilege	1836	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3076	7zFM.exe
3076	7zFM.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

chrome.exe

pid	process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3776 wrote to memory of 2744	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 2744	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1996	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1628	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 1628	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe
PID 3776 wrote to memory of 372	3776	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://dropmefiles.com/ju2DW
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffd79bf4f50,0x7ffd79bf4f60,0x7ffd79bf4f70
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1476 /prefetch:2
2⤵
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1860 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2316 /prefetch:8
2⤵
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
2⤵
PID:696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4176 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
2⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
2⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6376 /prefetch:8
2⤵
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6520 /prefetch:8
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6264 /prefetch:8
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:8
2⤵
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5892 /prefetch:8
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4856 /prefetch:8
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6588 /prefetch:8
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5844 /prefetch:8
2⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
2⤵
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2404 /prefetch:8
2⤵
PID:848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4200 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:1
2⤵
PID:3608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
2⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6176 /prefetch:8
2⤵
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 /prefetch:8
2⤵
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3404 /prefetch:8
2⤵
PID:616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6372 /prefetch:8
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
2⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=848 /prefetch:8
2⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7032 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6764 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6892 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6900 /prefetch:8
2⤵
PID:1564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6752 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4088

C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe
"C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe"
2⤵
- Executes dropped EXE
PID:644

C:\Windows\Temp\{AE2AD38B-C82A-4E21-8861-F2C312E8C430}\.cr\dotnet-sdk-3.1.416-win-x64.exe
"C:\Windows\Temp\{AE2AD38B-C82A-4E21-8861-F2C312E8C430}\.cr\dotnet-sdk-3.1.416-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=540
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3116

C:\Windows\Temp\{579D4E42-0F66-49DC-BA17-BB6B180D786E}\.be\dotnet-sdk-3.1.416-win-x64.exe
"C:\Windows\Temp\{579D4E42-0F66-49DC-BA17-BB6B180D786E}\.be\dotnet-sdk-3.1.416-win-x64.exe" -q -burn.elevated BurnPipe.{AB36263F-418C-4651-AFA0-ECD5B45DFE1F} {1E61892C-5C52-4AA7-97B1-0EEF602B19D8} 3116
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6852 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5272 /prefetch:8
2⤵
PID:1168

C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe
"C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe"
2⤵
- Executes dropped EXE
PID:3848

C:\Windows\Temp\{945A99E5-B13E-42EB-9940-F74ADDA7DC59}\.cr\dotnet-sdk-3.1.416-win-x64.exe
"C:\Windows\Temp\{945A99E5-B13E-42EB-9940-F74ADDA7DC59}\.cr\dotnet-sdk-3.1.416-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=532
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3648 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3644 /prefetch:8
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1444 /prefetch:1
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
2⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,4816765561909315400,2376313564904261787,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:4992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1824

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\1.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:3984

C:\Users\Admin\Desktop\1\1.exe
1.exe
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E0896ED84DCF8D44C7808E908CDE8583
2⤵
- Loads dropped DLL
PID:3064

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CCCE8A44B2B8C8BBF4A2AB016AD19DE3
2⤵
- Loads dropped DLL
PID:3076

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 27C538EFF344276DC6B90A38F51163C0
2⤵
- Loads dropped DLL
PID:228

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding AE52772ADA2674F0C4782073FCF416EE
2⤵
- Loads dropped DLL
PID:2392

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 35BEE8815A33B73415209B0DFD250710
2⤵
- Loads dropped DLL
PID:3344

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 062AB38C8EF4B7E34D663CCDB3B3B5E5
2⤵
- Loads dropped DLL
PID:1572

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 310C49EC8AABE143FDEAC67F42EC48E2
2⤵
- Loads dropped DLL
PID:192

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6BA041C4EFC44CED455B82E9F811A338
2⤵
- Loads dropped DLL
PID:224

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 914CFB76789B24F82AE970F97592DD4D
2⤵
- Loads dropped DLL
PID:680

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F2825E110B89B6B966EE411A174A41F4
2⤵
- Loads dropped DLL
PID:1932

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6F13DC7C45069B8661FA01090AAF86DD
2⤵
- Loads dropped DLL
PID:3060

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F81A429E7E7119D5155D732FD3E66A98 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:1212

C:\Program Files\dotnet\dotnet.exe
"C:\Program Files\dotnet\\dotnet.exe" exec "C:\Program Files\dotnet\\sdk\3.1.416\dotnet.dll" internal-reportinstallsuccess "C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:192

C:\Windows\SysWOW64\getmac.exe
"getmac.exe"
4⤵
PID:520

C:\Windows\SysWOW64\getmac.exe
"getmac.exe"
4⤵
PID:3032

C:\Windows\SysWOW64\getmac.exe
"getmac.exe"
4⤵
PID:4280

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F3B83CC2D9D6AE7F745B896B49946E78
2⤵
PID:4332

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7CFE5E35E77FD85D4683A4465856F328
2⤵
PID:4396

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:4464

C:\Users\Admin\Desktop\1\1.exe
"C:\Users\Admin\Desktop\1\1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Users\Admin\Desktop\1\ExtremeDumper.exe
"C:\Users\Admin\Desktop\1\ExtremeDumper.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:4708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4708 -s 1216
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4804

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4708 -s 1216
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4860

C:\Users\Admin\Desktop\1\ExtremeDumper.exe
"C:\Users\Admin\Desktop\1\ExtremeDumper.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4920

C:\Users\Admin\Desktop\1\1.exe
"C:\Users\Admin\Desktop\1\1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1412

C:\Users\Admin\Desktop\1\ExtremeDumper.exe
"C:\Users\Admin\Desktop\1\ExtremeDumper.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2396

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap18293:64:7zEvent31680 -ad -saa -- "C:\Users\Admin\Desktop\1\Dumps"
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\1\1.exe
MD5
8fbe8e44ef0cd24f09c6d4aa4a4556da

SHA1
42a8b4a8a9f6892aea1eb1f899af36f68ec8da9b

SHA256
ffde65c45bb1a3c2c1724d96ebaa7452cef826dff3f8ea0954e49d1dab256f03

SHA512
d841ecc4bbee6ebc7b24de08de9b3cb501836d69a61f859f1ddc14a1c592b3a855bce2e6e09cfb5893f084f2a89db33246323de05c0fa72c5ea5eecdc16e24ff

Download Submit
C:\Users\Admin\Desktop\1\1.exe
MD5
8fbe8e44ef0cd24f09c6d4aa4a4556da

SHA1
42a8b4a8a9f6892aea1eb1f899af36f68ec8da9b

SHA256
ffde65c45bb1a3c2c1724d96ebaa7452cef826dff3f8ea0954e49d1dab256f03

SHA512
d841ecc4bbee6ebc7b24de08de9b3cb501836d69a61f859f1ddc14a1c592b3a855bce2e6e09cfb5893f084f2a89db33246323de05c0fa72c5ea5eecdc16e24ff

Download Submit
C:\Users\Admin\Downloads\1.rar
MD5
508af47fe4f86ffae5a37da4bf10559a

SHA1
c797d22e4aa0283eb877373978e4102845b1a392

SHA256
3239592992406d07c47ba3051e2fa4de71295e13704315baf978de5538962fe9

SHA512
13b4219a03d1d029f343355c55bb2209e45a0ba2acf2117311608101134bc178c3d3811cbb8bdb4e06c19bc983ffe223f3b5dc4fbcacd4f24255db669e0e3d5b

Download Submit
C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe
MD5
85f9683fee3cbe4a15dc5e27d40127fb

SHA1
83a53e8770edd38eddd37ded63cef2253fc16979

SHA256
7ca36f399ad1ed95daff9653117ff227cbd521d4aca405ec8694b1221b942297

SHA512
782d8c2581b338321faf717bf46840bae7f895fbed871cb1c37deaffea4800a8d7ce22740f855f02a4ebdcef3a59a9c3c5d3592bfa0e5633d28acbba0543e823

Download Submit
C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe
MD5
85f9683fee3cbe4a15dc5e27d40127fb

SHA1
83a53e8770edd38eddd37ded63cef2253fc16979

SHA256
7ca36f399ad1ed95daff9653117ff227cbd521d4aca405ec8694b1221b942297

SHA512
782d8c2581b338321faf717bf46840bae7f895fbed871cb1c37deaffea4800a8d7ce22740f855f02a4ebdcef3a59a9c3c5d3592bfa0e5633d28acbba0543e823

Download Submit
C:\Users\Admin\Downloads\dotnet-sdk-3.1.416-win-x64.exe
MD5
85f9683fee3cbe4a15dc5e27d40127fb

SHA1
83a53e8770edd38eddd37ded63cef2253fc16979

SHA256
7ca36f399ad1ed95daff9653117ff227cbd521d4aca405ec8694b1221b942297

SHA512
782d8c2581b338321faf717bf46840bae7f895fbed871cb1c37deaffea4800a8d7ce22740f855f02a4ebdcef3a59a9c3c5d3592bfa0e5633d28acbba0543e823

Download Submit
C:\Windows\Temp\{579D4E42-0F66-49DC-BA17-BB6B180D786E}\.be\dotnet-sdk-3.1.416-win-x64.exe
MD5
61b1c27c55832e70579265f393453593

SHA1
5a5f286c33b27fad51cd7976c960c71fcb7e47ed

SHA256
119ac482677b32ca9133c7435f1b45988b5aa96235fad946bac9de5f6c2f59c4

SHA512
085be6a4e16a0be8f2849c82f81696b297cb0560690b09fb72d9cfd1bcde2a269c172c8d2d9659a6d7f3fa7460270c44b3f5220ebe0ef964f3049f2fe9f2f49d

Download Submit
C:\Windows\Temp\{579D4E42-0F66-49DC-BA17-BB6B180D786E}\.be\dotnet-sdk-3.1.416-win-x64.exe
MD5
61b1c27c55832e70579265f393453593

SHA1
5a5f286c33b27fad51cd7976c960c71fcb7e47ed

SHA256
119ac482677b32ca9133c7435f1b45988b5aa96235fad946bac9de5f6c2f59c4

SHA512
085be6a4e16a0be8f2849c82f81696b297cb0560690b09fb72d9cfd1bcde2a269c172c8d2d9659a6d7f3fa7460270c44b3f5220ebe0ef964f3049f2fe9f2f49d

Download Submit
C:\Windows\Temp\{579D4E42-0F66-49DC-BA17-BB6B180D786E}\dotnet_host_3.1.22_win_x64.msi
MD5
11f9c768a1d2f04757ee993a960cb0d7

SHA1
84710a4aa5eda74d0ae4b140c9e70e6f4b8786bf

SHA256
4aecf8220c21bf907c14c968570b9d516a86873e66ace5001a58e34e846d99a4

SHA512
09e7a98ba240ecfb216799a9f312b438267e82f51662d567f060cea91e6bf4e9a9158f2d294a0f0970f38cb887448f44f58ba23f6e1a076a269a468e8d3c9723

Download Submit
C:\Windows\Temp\{579D4E42-0F66-49DC-BA17-BB6B180D786E}\dotnet_hostfxr_3.1.22_win_x64.msi
MD5
c6b8819be85151fc34b6360b2c5b6e42

SHA1
2cb92e9efb88cb4a0927ce84f07939139f5bb0ca

SHA256
a4873dd28a270d9eb233eda3d708568988e46cf997f112af881c2bd3ac19ec8a

SHA512
85992e1540930439c00ce8a41b567675ef27df091c5d3eb2f39db46d79d2ac058afa7c9726745da8b494ac6e7c3c29bd77977aebd19c4c84010a044d3191442f

Download Submit
C:\Windows\Temp\{579D4E42-0F66-49DC-BA17-BB6B180D786E}\dotnet_runtime_3.1.22_win_x64.msi
MD5
c89ed2dda52d2af7d9b8217cd9046b73

SHA1
d6874e0c001a4ebb01c367abf00829ff8736fdfa

SHA256
d0e1508546fbcb287b99c501611583d5b0826607b69ea444170f67566aee3ce6

SHA512
1c2d775789f4bb08e0aed12d5e9aeb579cfc0070fc0493d43dad778ef9bf37fbb1560f89485741df067ceb19d16c1a7f2357b0b9142de6a8010e73395ffeb97b

Download Submit
C:\Windows\Temp\{579D4E42-0F66-49DC-BA17-BB6B180D786E}\dotnet_targeting_pack_3.1.0_win_x64.msi
MD5
ad23a50ee625c2d80c0034df504978c0

SHA1
7f3aaf89187d5af92288e90777cee6ffcd7c48d4

SHA256
3d5db01fa2190c57b265d499fb5bd7d375e458878821bab4e0b878ce8f93ef5f

SHA512
27f02dbe49094f2c691aede8eb4ec81cc76913e3626a8bd181ef83f2b01b44a42862de1f6471ec844966608e04b070860afb5cff92cd2e5b59000104c6f3fa83

Download Submit
C:\Windows\Temp\{945A99E5-B13E-42EB-9940-F74ADDA7DC59}\.cr\dotnet-sdk-3.1.416-win-x64.exe
MD5
61b1c27c55832e70579265f393453593

SHA1
5a5f286c33b27fad51cd7976c960c71fcb7e47ed

SHA256
119ac482677b32ca9133c7435f1b45988b5aa96235fad946bac9de5f6c2f59c4

SHA512
085be6a4e16a0be8f2849c82f81696b297cb0560690b09fb72d9cfd1bcde2a269c172c8d2d9659a6d7f3fa7460270c44b3f5220ebe0ef964f3049f2fe9f2f49d

Download Submit
C:\Windows\Temp\{945A99E5-B13E-42EB-9940-F74ADDA7DC59}\.cr\dotnet-sdk-3.1.416-win-x64.exe
MD5
61b1c27c55832e70579265f393453593

SHA1
5a5f286c33b27fad51cd7976c960c71fcb7e47ed

SHA256
119ac482677b32ca9133c7435f1b45988b5aa96235fad946bac9de5f6c2f59c4

SHA512
085be6a4e16a0be8f2849c82f81696b297cb0560690b09fb72d9cfd1bcde2a269c172c8d2d9659a6d7f3fa7460270c44b3f5220ebe0ef964f3049f2fe9f2f49d

Download Submit
C:\Windows\Temp\{AE2AD38B-C82A-4E21-8861-F2C312E8C430}\.cr\dotnet-sdk-3.1.416-win-x64.exe
MD5
61b1c27c55832e70579265f393453593

SHA1
5a5f286c33b27fad51cd7976c960c71fcb7e47ed

SHA256
119ac482677b32ca9133c7435f1b45988b5aa96235fad946bac9de5f6c2f59c4

SHA512
085be6a4e16a0be8f2849c82f81696b297cb0560690b09fb72d9cfd1bcde2a269c172c8d2d9659a6d7f3fa7460270c44b3f5220ebe0ef964f3049f2fe9f2f49d

Download Submit
C:\Windows\Temp\{AE2AD38B-C82A-4E21-8861-F2C312E8C430}\.cr\dotnet-sdk-3.1.416-win-x64.exe
MD5
61b1c27c55832e70579265f393453593

SHA1
5a5f286c33b27fad51cd7976c960c71fcb7e47ed

SHA256
119ac482677b32ca9133c7435f1b45988b5aa96235fad946bac9de5f6c2f59c4

SHA512
085be6a4e16a0be8f2849c82f81696b297cb0560690b09fb72d9cfd1bcde2a269c172c8d2d9659a6d7f3fa7460270c44b3f5220ebe0ef964f3049f2fe9f2f49d

Download Submit
\??\pipe\crashpad_3776_MESJDSJAAJWXPCAD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\Temp\{579D4E42-0F66-49DC-BA17-BB6B180D786E}\.ba\wixstdba.dll
MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
\Windows\Temp\{71AC96A0-268E-4506-8A03-69D811C377BD}\.ba\wixstdba.dll
MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
memory/192-165-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/192-185-0x00000252A4FC0000-0x00000252A4FC2000-memory.dmp

Filesize
8KB

Download
memory/192-166-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

Filesize
4KB

Download
memory/192-182-0x0000000000000000-mapping.dmp

Download
memory/192-194-0x00000252A4FC0000-0x00000252A4FC2000-memory.dmp

Filesize
8KB

Download
memory/192-183-0x00000252A4FC0000-0x00000252A4FC2000-memory.dmp

Filesize
8KB

Download
memory/192-191-0x00000252A4FC0000-0x00000252A4FC2000-memory.dmp

Filesize
8KB

Download
memory/192-190-0x00000252BF3D0000-0x00000252BF3D2000-memory.dmp

Filesize
8KB

Download
memory/192-184-0x00000252A4FC0000-0x00000252A4FC2000-memory.dmp

Filesize
8KB

Download
memory/192-164-0x0000000000000000-mapping.dmp

Download
memory/192-186-0x00000252A4FC0000-0x00000252A4FC2000-memory.dmp

Filesize
8KB

Download
memory/192-187-0x00000252A4FC0000-0x00000252A4FC2000-memory.dmp

Filesize
8KB

Download
memory/224-169-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/224-167-0x0000000000000000-mapping.dmp

Download
memory/224-168-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/228-152-0x0000000000000000-mapping.dmp

Download
memory/228-153-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/228-154-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/520-188-0x0000000000000000-mapping.dmp

Download
memory/628-133-0x0000000000000000-mapping.dmp

Download
memory/644-124-0x0000000000000000-mapping.dmp

Download
memory/680-171-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/680-172-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/680-170-0x0000000000000000-mapping.dmp

Download
memory/1212-180-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1212-181-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1212-179-0x0000000000000000-mapping.dmp

Download
memory/1412-217-0x0000000140000000-0x0000000140831000-memory.dmp

Filesize
8.2MB

Download
memory/1572-161-0x0000000000000000-mapping.dmp

Download
memory/1572-163-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1572-162-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1836-145-0x0000026D3F460000-0x0000026D3F462000-memory.dmp

Filesize
8KB

Download
memory/1836-144-0x0000026D3F460000-0x0000026D3F462000-memory.dmp

Filesize
8KB

Download
memory/1932-173-0x0000000000000000-mapping.dmp

Download
memory/1932-174-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1932-175-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2392-156-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2392-157-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2392-155-0x0000000000000000-mapping.dmp

Download
memory/2396-222-0x00000184E56B0000-0x00000184E56B2000-memory.dmp

Filesize
8KB

Download
memory/2396-225-0x00000184E56B4000-0x00000184E56B5000-memory.dmp

Filesize
4KB

Download
memory/2396-224-0x00000184E56B2000-0x00000184E56B4000-memory.dmp

Filesize
8KB

Download
memory/3032-189-0x0000000000000000-mapping.dmp

Download
memory/3060-176-0x0000000000000000-mapping.dmp

Download
memory/3060-177-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3060-178-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/3064-146-0x0000000000000000-mapping.dmp

Download
memory/3064-148-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3064-147-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/3076-151-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/3076-150-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/3076-149-0x0000000000000000-mapping.dmp

Download
memory/3116-127-0x0000000000000000-mapping.dmp

Download
memory/3344-160-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3344-158-0x0000000000000000-mapping.dmp

Download
memory/3344-159-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/3644-137-0x0000000000000000-mapping.dmp

Download
memory/3848-131-0x0000000000000000-mapping.dmp

Download
memory/3860-121-0x00007FFD86940000-0x00007FFD86942000-memory.dmp

Filesize
8KB

Download
memory/3860-120-0x0000000140000000-0x0000000140831000-memory.dmp

Filesize
8.2MB

Download
memory/3860-117-0x0000000000000000-mapping.dmp

Download
memory/4280-193-0x0000000000000000-mapping.dmp

Download
memory/4332-196-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/4332-197-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/4332-195-0x0000000000000000-mapping.dmp

Download
memory/4396-200-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/4396-199-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/4396-198-0x0000000000000000-mapping.dmp

Download
memory/4584-204-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/4584-201-0x0000000140000000-0x0000000140831000-memory.dmp

Filesize
8.2MB

Download
memory/4708-209-0x000001A8E5CF2000-0x000001A8E5CF4000-memory.dmp

Filesize
8KB

Download
memory/4708-208-0x000001A8CD320000-0x000001A8CD32B000-memory.dmp

Filesize
44KB

Download
memory/4708-207-0x000001A8E5CF0000-0x000001A8E5CF2000-memory.dmp

Filesize
8KB

Download
memory/4708-205-0x000001A8CB5C0000-0x000001A8CB5C1000-memory.dmp

Filesize
4KB

Download
memory/4920-214-0x0000023C914A2000-0x0000023C914A4000-memory.dmp

Filesize
8KB

Download
memory/4920-213-0x0000023C914A0000-0x0000023C914A2000-memory.dmp

Filesize
8KB

Download
memory/4920-215-0x0000023C914A4000-0x0000023C914A5000-memory.dmp

Filesize
4KB

Download
memory/4920-216-0x0000023CAD600000-0x0000023CAD719000-memory.dmp

Filesize
1.1MB

Download