pandastealer | 57e399eee8e7310f54c728235115e9cf4cf84cd42095b9267620fe6af49e5ba8

Analysis

max time kernel
692s
max time network
896s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
27-02-2022 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

telegram_soft/telegram_soft.exe
Size

68.6MB
MD5

ee1154642153932ed0427aa0273f0edc
SHA1

16b0a829d4e1ecaf04c8d7b4c2c7ba9fa40007f1
SHA256

a1e2802eb55f371138e0e43d8062a3098ffff5058593fb566360971d49810e2e
SHA512

16e3329d52dcbe3eccfae8f38efa5e8627defebfb700223524e2205b98056c71b34c31d23db8a98449f3d558337ad994702fe999a81e286eafb7ae75a4a059f7

Score

10^/10

pandastealer evasion stealer themida trojan

Malware Config

Signatures

Panda Stealer Payload 9 IoCs

resource	yara_rule
behavioral4/memory/4560-213-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4560-214-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4560-216-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4480-218-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4480-219-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/4480-220-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/1412-222-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/1412-223-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer
behavioral4/memory/1412-224-0x00000000002C0000-0x0000000000A14000-memory.dmp	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 16 IoCs

pid	Process
2988	unis000.exe
3732	unis000.exe
536	update.exe
2132	update.exe
3536	telegram_soft.exe
4000	telegram_soft.exe
3068	unis000.exe
3404	unis000.exe
4664	telegram_soft.exe
4728	telegram_soft.exe
4780	unis000.exe
4796	unis000.exe
4436	telegram_soft.exe
4756	telegram_soft.exe
4896	unis000.exe
4868	unis000.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Activator.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	unis000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	update.exe

Loads dropped DLL 64 IoCs

pid	Process
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe

Themida packer 24 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral4/memory/380-134-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/380-135-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/380-136-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/2168-137-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/2168-138-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/2168-139-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/3784-204-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/3784-205-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/3784-206-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/544-207-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/544-208-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/544-209-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp	themida
behavioral4/memory/4560-212-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4560-213-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4560-214-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4560-216-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4480-217-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4480-218-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4480-219-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/4480-220-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/1412-221-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/1412-222-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/1412-223-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida
behavioral4/memory/1412-224-0x00000000002C0000-0x0000000000A14000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	telegram_soft.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	telegram_soft.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
380	telegram_soft.exe
2168	telegram_soft.exe
2168	telegram_soft.exe
3784	telegram_soft.exe
544	telegram_soft.exe
544	telegram_soft.exe
3732	unis000.exe
2132	update.exe
4000	telegram_soft.exe
3404	unis000.exe
4560	Activator.exe
4728	telegram_soft.exe
4796	unis000.exe
4480	Activator.exe
1412	Activator.exe
4756	telegram_soft.exe
4868	unis000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "231"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	taskmgr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPMODEL\DEPLOYMENT\PACKAGE\*\S-1-5-21-790714498-1549421491-1643397139-1000\{ADE54141-8A50-4CEF-9D2D-2234C553C514}	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3732	unis000.exe
3732	unis000.exe
3732	unis000.exe
3732	unis000.exe
2132	update.exe
2132	update.exe
2132	update.exe
2132	update.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
4000	telegram_soft.exe
736	chrome.exe
736	chrome.exe
2092	chrome.exe
2092	chrome.exe
2252	chrome.exe
2252	chrome.exe
2116	chrome.exe
2116	chrome.exe
4336	chrome.exe
4336	chrome.exe
4384	chrome.exe
4384	chrome.exe
4560	Activator.exe
4560	Activator.exe
4028	chrome.exe
4028	chrome.exe
4268	chrome.exe
4268	chrome.exe
3508	chrome.exe
3508	chrome.exe
4480	Activator.exe
4480	Activator.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1320	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4536	chrome.exe
4536	chrome.exe
4536	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 35	2168	telegram_soft.exe
Token: 35	544	telegram_soft.exe
Token: 35	3732	unis000.exe
Token: SeDebugPrivilege	3732	unis000.exe
Token: 35	2132	update.exe
Token: SeDebugPrivilege	2132	update.exe
Token: 35	4000	telegram_soft.exe
Token: SeDebugPrivilege	4000	telegram_soft.exe
Token: SeDebugPrivilege	3404	unis000.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3988	WMIC.exe
Token: SeSecurityPrivilege	3988	WMIC.exe
Token: SeTakeOwnershipPrivilege	3988	WMIC.exe
Token: SeLoadDriverPrivilege	3988	WMIC.exe
Token: SeSystemProfilePrivilege	3988	WMIC.exe
Token: SeSystemtimePrivilege	3988	WMIC.exe
Token: SeProfSingleProcessPrivilege	3988	WMIC.exe
Token: SeIncBasePriorityPrivilege	3988	WMIC.exe
Token: SeCreatePagefilePrivilege	3988	WMIC.exe
Token: SeBackupPrivilege	3988	WMIC.exe
Token: SeRestorePrivilege	3988	WMIC.exe
Token: SeShutdownPrivilege	3988	WMIC.exe
Token: SeDebugPrivilege	3988	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
4268	chrome.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe
1320	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3764	ShellExperienceHost.exe
3764	ShellExperienceHost.exe
4692	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 2168	380	telegram_soft.exe	72
PID 380 wrote to memory of 2168	380	telegram_soft.exe	72
PID 3784 wrote to memory of 544	3784	telegram_soft.exe	89
PID 3784 wrote to memory of 544	3784	telegram_soft.exe	89
PID 2168 wrote to memory of 2224	2168	telegram_soft.exe	90
PID 2168 wrote to memory of 2224	2168	telegram_soft.exe	90
PID 2168 wrote to memory of 3800	2168	telegram_soft.exe	91
PID 2168 wrote to memory of 3800	2168	telegram_soft.exe	91
PID 3800 wrote to memory of 2988	3800	cmd.exe	92
PID 3800 wrote to memory of 2988	3800	cmd.exe	92
PID 2988 wrote to memory of 3732	2988	unis000.exe	93
PID 2988 wrote to memory of 3732	2988	unis000.exe	93
PID 3732 wrote to memory of 536	3732	unis000.exe	94
PID 3732 wrote to memory of 536	3732	unis000.exe	94
PID 3732 wrote to memory of 204	3732	unis000.exe	96
PID 3732 wrote to memory of 204	3732	unis000.exe	96
PID 536 wrote to memory of 2132	536	update.exe	98
PID 536 wrote to memory of 2132	536	update.exe	98
PID 2132 wrote to memory of 3536	2132	update.exe	99
PID 2132 wrote to memory of 3536	2132	update.exe	99
PID 3536 wrote to memory of 4000	3536	telegram_soft.exe	101
PID 3536 wrote to memory of 4000	3536	telegram_soft.exe	101
PID 4000 wrote to memory of 2844	4000	telegram_soft.exe	102
PID 4000 wrote to memory of 2844	4000	telegram_soft.exe	102
PID 4000 wrote to memory of 1244	4000	telegram_soft.exe	103
PID 4000 wrote to memory of 1244	4000	telegram_soft.exe	103
PID 1244 wrote to memory of 3068	1244	cmd.exe	104
PID 1244 wrote to memory of 3068	1244	cmd.exe	104
PID 3068 wrote to memory of 3404	3068	unis000.exe	105
PID 3068 wrote to memory of 3404	3068	unis000.exe	105
PID 3404 wrote to memory of 2688	3404	unis000.exe	106
PID 3404 wrote to memory of 2688	3404	unis000.exe	106
PID 3404 wrote to memory of 3012	3404	unis000.exe	107
PID 3404 wrote to memory of 3012	3404	unis000.exe	107
PID 3012 wrote to memory of 2180	3012	cmd.exe	108
PID 3012 wrote to memory of 2180	3012	cmd.exe	108
PID 3404 wrote to memory of 1272	3404	unis000.exe	110
PID 3404 wrote to memory of 1272	3404	unis000.exe	110
PID 1272 wrote to memory of 3988	1272	cmd.exe	111
PID 1272 wrote to memory of 3988	1272	cmd.exe	111
PID 3404 wrote to memory of 3644	3404	unis000.exe	112
PID 3404 wrote to memory of 3644	3404	unis000.exe	112
PID 3644 wrote to memory of 4072	3644	cmd.exe	113
PID 3644 wrote to memory of 4072	3644	cmd.exe	113
PID 3404 wrote to memory of 3368	3404	unis000.exe	114
PID 3404 wrote to memory of 3368	3404	unis000.exe	114
PID 3368 wrote to memory of 3560	3368	cmd.exe	115
PID 3368 wrote to memory of 3560	3368	cmd.exe	115
PID 3404 wrote to memory of 2604	3404	unis000.exe	116
PID 3404 wrote to memory of 2604	3404	unis000.exe	116
PID 2604 wrote to memory of 1220	2604	cmd.exe	117
PID 2604 wrote to memory of 1220	2604	cmd.exe	117
PID 3404 wrote to memory of 3856	3404	unis000.exe	118
PID 3404 wrote to memory of 3856	3404	unis000.exe	118
PID 3856 wrote to memory of 3832	3856	cmd.exe	119
PID 3856 wrote to memory of 3832	3856	cmd.exe	119
PID 3404 wrote to memory of 652	3404	unis000.exe	120
PID 3404 wrote to memory of 652	3404	unis000.exe	120
PID 652 wrote to memory of 688	652	cmd.exe	121
PID 652 wrote to memory of 688	652	cmd.exe	121
PID 3404 wrote to memory of 3572	3404	unis000.exe	122
PID 3404 wrote to memory of 3572	3404	unis000.exe	122
PID 3572 wrote to memory of 3980	3572	cmd.exe	123
PID 3572 wrote to memory of 3980	3572	cmd.exe	123

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
  "C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c unis000.exe -checked
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
      unis000.exe -checked
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
        
        unis000.exe -checked
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Users\Admin\AppData\Local\Temp\telegram_soft\update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\telegram_soft\update.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\telegram_soft\update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\telegram_soft\update.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        10⤵
        
        PID:2844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c unis000.exe -checked
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
        
        unis000.exe -checked
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
        
        unis000.exe -checked
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        13⤵
        
        PID:2688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3644
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic BASEBOARD get SerialNumber
        14⤵
        
        PID:4072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get ProcessorId
        14⤵
        
        PID:3560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic BASEBOARD get SerialNumber
        14⤵
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get SerialNumber"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE get SerialNumber
        14⤵
        
        PID:3832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get Model"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE get Model
        14⤵
        
        PID:688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get PNPDeviceID"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE get PNPDeviceID
        14⤵
        
        PID:3980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY hku"
        13⤵
        
        PID:1620
        
        C:\Windows\system32\reg.exe
        
        REG QUERY hku
        14⤵
        
        PID:3724
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --disable-http-cache http://localhost:20500/web/login.html
        13⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xf4,0xf8,0xfc,0xd0,0x100,0x7ffaffad4f50,0x7ffaffad4f60,0x7ffaffad4f70
        14⤵
        
        PID:3748
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
        14⤵
        
        PID:2748
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:8
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:736
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 /prefetch:8
        14⤵
        
        PID:2000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
        14⤵
        
        PID:2936
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
        14⤵
        
        PID:3092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
        14⤵
        
        PID:3448
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5136 /prefetch:8
        14⤵
        
        PID:1876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
        14⤵
        
        PID:3868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4388 /prefetch:8
        14⤵
        
        PID:2844
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
        14⤵
        
        PID:3480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:8
        14⤵
        
        PID:2208
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
        14⤵
        
        PID:1312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5188 /prefetch:8
        14⤵
        
        PID:3684
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
        14⤵
        
        PID:1776
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
        14⤵
        
        PID:2916
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2116
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
        14⤵
        
        PID:1036
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4336
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1688,15924652884789726907,12010329793120979325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4384
      - C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
        
        "C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
        6⤵
        
        PID:204

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs
1⤵
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
  "C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
  2⤵
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
- Modifies registry class
PID:3724

C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
1⤵
- Executes dropped EXE
PID:4664
- C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
  "C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c unis000.exe -checked
    3⤵
    PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
      unis000.exe -checked
      4⤵
      Executes dropped EXE
      PID:4780
    - - C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
        
        unis000.exe -checked
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4812
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:4860
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:4876
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:4960
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:4976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
        6⤵
        
        PID:5012
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic BASEBOARD get SerialNumber
        7⤵
        
        PID:5028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId"
        6⤵
        
        PID:5060
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get ProcessorId
        7⤵
        
        PID:5076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
        6⤵
        
        PID:5108
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic BASEBOARD get SerialNumber
        7⤵
        
        PID:3064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get SerialNumber"
        6⤵
        
        PID:2604
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE get SerialNumber
        7⤵
        
        PID:2916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get Model"
        6⤵
        
        PID:4100
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE get Model
        7⤵
        
        PID:3008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get PNPDeviceID"
        6⤵
        
        PID:3280
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE get PNPDeviceID
        7⤵
        
        PID:3904
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY hku"
        6⤵
        
        PID:4216
        
        C:\Windows\system32\reg.exe
        
        REG QUERY hku
        7⤵
        
        PID:4192
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --disable-http-cache http://localhost:20500/web/login.html
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4268
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffaff334f50,0x7ffaff334f60,0x7ffaff334f70
        7⤵
        
        PID:4080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
        7⤵
        
        PID:3220
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
        7⤵
        
        PID:3484
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2064 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
        7⤵
        
        PID:3252
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
        7⤵
        
        PID:3416
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
        7⤵
        
        PID:3784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,4258581478103133691,1478679181325169051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1320

C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\Activator.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1412

C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
"C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
1⤵
- Executes dropped EXE
PID:4436
- C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe
  "C:\Users\Admin\AppData\Local\Temp\telegram_soft\telegram_soft.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c unis000.exe -checked
    3⤵
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
      unis000.exe -checked
      4⤵
      Executes dropped EXE
      PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\telegram_soft\unis000.exe
        
        unis000.exe -checked
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4868
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:4996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:4964
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:5064
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:1220
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
        6⤵
        
        PID:3572
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic BASEBOARD get SerialNumber
        7⤵
        
        PID:5108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic cpu get ProcessorId"
        6⤵
        
        PID:1720
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get ProcessorId
        7⤵
        
        PID:2604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic BASEBOARD get SerialNumber"
        6⤵
        
        PID:780
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic BASEBOARD get SerialNumber
        7⤵
        
        PID:4116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get SerialNumber"
        6⤵
        
        PID:816
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE get SerialNumber
        7⤵
        
        PID:2864
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get Model"
        6⤵
        
        PID:4204
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE get Model
        7⤵
        
        PID:2588
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic DISKDRIVE get PNPDeviceID"
        6⤵
        
        PID:2992
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic DISKDRIVE get PNPDeviceID
        7⤵
        
        PID:1256
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY hku"
        6⤵
        
        PID:1192
        
        C:\Windows\system32\reg.exe
        
        REG QUERY hku
        7⤵
        
        PID:3508
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --new-window --disable-http-cache http://localhost:20500/web/login.html
        6⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        
        PID:4536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x94,0x7ffafded4f50,0x7ffafded4f60,0x7ffafded4f70
        7⤵
        
        PID:2264
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2004 /prefetch:8
        7⤵
        
        PID:1628
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
        7⤵
        
        PID:3456
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2460 /prefetch:8
        7⤵
        
        PID:2516
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
        7⤵
        
        PID:3500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        7⤵
        
        PID:3040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
        7⤵
        
        PID:2908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
        7⤵
        
        PID:536
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,5638464557205394071,4957883377474093759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
        7⤵
        
        PID:4808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ca855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-130-0x00007FFB1F790000-0x00007FFB1F792000-memory.dmp

Filesize
8KB

Download
memory/380-136-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/380-135-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/380-134-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/544-209-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/544-208-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/544-207-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/1412-224-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/1412-221-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/1412-223-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/1412-222-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/2168-137-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/2168-138-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/2168-139-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/3784-205-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/3784-206-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/3784-204-0x00007FF6F0F70000-0x00007FF6F1861000-memory.dmp

Filesize
8.9MB

Download
memory/4480-217-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4480-218-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4480-219-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4480-220-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4560-214-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4560-216-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4560-215-0x00000000770B4000-0x00000000770B6000-memory.dmp

Filesize
8KB

Download
memory/4560-213-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download
memory/4560-212-0x00000000002C0000-0x0000000000A14000-memory.dmp

Filesize
7.3MB

Download