asyncrat | e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1

Analysis

max time kernel
1800s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2022 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dawdwadaw.scr
Size

681KB
MD5

0cfa5f7c008e3dc2df275a99aef9cbbb
SHA1

51ebdbc8a8227667b20b5cb40f17ff1bb8550098
SHA256

e4f59660bf5047db2ed2539ef9a3e81724909809dc17c4f513debe261e1774e1
SHA512

bac124c7bd934b1bc9ba9fd09ada77fe2c37208637337a349f2ee213f91e81ae401e3ec9910a7cfe7aff991d49be986d448ab6a834cb1b9709ceccb4f64bb37e
SSDEEP

12288:C3c6vReZYEe4Wp0ZtExFUH17EjGh1aoNRtwamePvNVtQe:C3c6vAZYd4jKoiIFRmePvNVtn

Score

10^/10

asyncrat blacknet securityhealth service windows defendersmartscreen windowssystem guardruntime xsfcrg discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WindowsSystem GuardRuntime

217.64.31.3:8437

Mutex

WindowsSystem GuardRuntime

Attributes

delay
3
install
false
install_file
WindowsSystem Guard Runtime.exe
install_folder
%AppData%

aes.plain

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

XSFcRG

http://fakirlerclub.xyz/blacknet

Mutex

BN[ac95ac7ad595b3dbd5ad73e4bf7daac9]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
false
usb_spread
false

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

SecurityHealth Service

217.64.31.3:8437

Mutex

SecurityHealth Service

Attributes

delay
3
install
false
install_file
SecurityHealth Service.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Windows DefenderSmartScreen

217.64.31.3:9742

Mutex

Windows DefenderSmartScreen

Attributes

delay
1
install
false
install_file
Windows DefenderSmartScreen
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4032-193-0x0000000000400000-0x000000000041E000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/4032-193-0x0000000000400000-0x000000000041E000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

PURE.EXEVALSINKI PURE.EXEGRIM PURE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MIcrosoftEdge.exe\","	PURE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MIcrosoftEdge.exe\","	VALSINKI PURE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MIcrosoftEdge.exe\","	GRIM PURE.EXE

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/708-177-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/4092-200-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1348-255-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/4424-312-0x000001B615E60000-0x000001B615EA0000-memory.dmp	asyncrat

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

tmp2F1E.tmp.exeGRIM ORG START.EXEGRIM PURE.EXEPURE.EXESOFTICA.EXEVALSINKI DATAEN.EXEVALSINKI PURE.EXEWINDOWS DEFENDERSMARTSCREEN2.EXEWINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXEDefenderProtector.exeWindowDefenderSmartScreen.exeWindows DefenderSmartScreen.exeRuntimeBroker.exeprocessHUdVS.exeprocessHUdVS.exeprocessHUVS.exeprocessHUVS.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid	process
3480	tmp2F1E.tmp.exe
4560	GRIM ORG START.EXE
2876	GRIM PURE.EXE
2148	PURE.EXE
2192	SOFTICA.EXE
5116	VALSINKI DATAEN.EXE
3156	VALSINKI PURE.EXE
5008	WINDOWS DEFENDERSMARTSCREEN2.EXE
4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
4296	DefenderProtector.exe
3900	WindowDefenderSmartScreen.exe
2784	Windows DefenderSmartScreen.exe
1488	RuntimeBroker.exe
3260	processHUdVS.exe
748	processHUdVS.exe
4496	processHUVS.exe
1660	processHUVS.exe
3740	software_reporter_tool.exe
2332	software_reporter_tool.exe
4424	software_reporter_tool.exe
4168	software_reporter_tool.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp2F1E.tmp.exeGRIM ORG START.EXEWindowDefenderSmartScreen.exeprocessHUdVS.exeWindows DefenderSmartScreen.exeprocessHUVS.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	tmp2F1E.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	GRIM ORG START.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	WindowDefenderSmartScreen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	processHUdVS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	Windows DefenderSmartScreen.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	processHUVS.exe

Loads dropped DLL 7 IoCs

Processes:

software_reporter_tool.exe

pid	process
4424	software_reporter_tool.exe
4424	software_reporter_tool.exe
4424	software_reporter_tool.exe
4424	software_reporter_tool.exe
4424	software_reporter_tool.exe
4424	software_reporter_tool.exe
4424	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exeSOFTICA.EXEpowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows DefenderSmartScreen = "C:\\Users\\Admin\\AppData\\Roaming\\Windows DefenderSmartScreen.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindoDefenderSmartScreen = "C:\\Users\\Admin\\AppData\\Roaming\\WindowDefenderSmartScreen.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OperaSetups = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker\\RuntimeBroker.exe"	SOFTICA.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSystem GuardRuntime = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSystem GuardRuntime\\WindowsSystem GuardRuntime.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 52 IoCs

Processes:

dawdwadaw.scrWINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXEVALSINKI PURE.EXEPURE.EXEGRIM PURE.EXEWindowDefenderSmartScreen.exeWindows DefenderSmartScreen.exe

description	pid	process	target process
PID 772 set thread context of 1624	772	dawdwadaw.scr	AppLaunch.exe
PID 4368 set thread context of 708	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 3156 set thread context of 4032	3156	VALSINKI PURE.EXE	RegAsm.exe
PID 2148 set thread context of 4092	2148	PURE.EXE	RegAsm.exe
PID 2876 set thread context of 4844	2876	GRIM PURE.EXE	RegAsm.exe
PID 3900 set thread context of 1496	3900	WindowDefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 1348	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 4268	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 4004	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 4944	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 3484	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 500	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5732	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5444	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 1436	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5892	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 1760	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5220	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5656	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5252	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 612	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 1204	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 1788	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5864	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5504	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 6056	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5944	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 2496	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 1440	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 1524	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 3148	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 4724	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5084	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 3552	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 2488	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 4064	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 4016	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5512	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5468	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 1532	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 376	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5544	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5972	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 2640	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 528	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 4452	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 644	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 3912	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 5860	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 3324	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 2268	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe
PID 2784 set thread context of 3128	2784	Windows DefenderSmartScreen.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3428 schtasks.exe
4012 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

748 timeout.exe

pid	process
3428	schtasks.exe
4012	schtasks.exe

pid	process
748	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

dawdwadaw.scrOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	dawdwadaw.scr
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1148 PING.EXE
2556 PING.EXE
3528 PING.EXE
2508 PING.EXE
4336 PING.EXE
728 PING.EXE

pid	process
1148	PING.EXE
2556	PING.EXE
3528	PING.EXE
2508	PING.EXE
4336	PING.EXE
728	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

dawdwadaw.scrtaskmgr.exepowershell.exeWINDOWS DEFENDERSMARTSCREEN2.EXEVALSINKI DATAEN.EXEGRIM ORG START.EXE

pid	process
772	dawdwadaw.scr
772	dawdwadaw.scr
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
2316	powershell.exe
2316	powershell.exe
3496	taskmgr.exe
3496	taskmgr.exe
5008	WINDOWS DEFENDERSMARTSCREEN2.EXE
5008	WINDOWS DEFENDERSMARTSCREEN2.EXE
5116	VALSINKI DATAEN.EXE
5116	VALSINKI DATAEN.EXE
3496	taskmgr.exe
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
4560	GRIM ORG START.EXE
5116	VALSINKI DATAEN.EXE
3496	taskmgr.exe
5008	WINDOWS DEFENDERSMARTSCREEN2.EXE
3496	taskmgr.exe
5116	VALSINKI DATAEN.EXE
5116	VALSINKI DATAEN.EXE
5116	VALSINKI DATAEN.EXE
5116	VALSINKI DATAEN.EXE
5116	VALSINKI DATAEN.EXE
2316	powershell.exe
5116	VALSINKI DATAEN.EXE

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

OpenWith.exetaskmgr.exeDefenderProtector.exeRegAsm.exe

pid process

4108 OpenWith.exe
3496 taskmgr.exe
4296 DefenderProtector.exe
4844 RegAsm.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

4348 chrome.exe
4348 chrome.exe
4348 chrome.exe
4348 chrome.exe
4348 chrome.exe
4348 chrome.exe
4348 chrome.exe
4348 chrome.exe

pid	process
4108	OpenWith.exe
3496	taskmgr.exe
4296	DefenderProtector.exe
4844	RegAsm.exe

pid	process
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dawdwadaw.scrtaskmgr.exeAppLaunch.exeGRIM PURE.EXEPURE.EXEVALSINKI PURE.EXEVALSINKI DATAEN.EXEWINDOWS DEFENDERSMARTSCREEN2.EXEpowershell.exeGRIM ORG START.EXERegAsm.exeSOFTICA.EXERegAsm.exeDefenderProtector.exeWindowDefenderSmartScreen.exeWindows DefenderSmartScreen.exeInstallUtil.exeprocessHUdVS.exeprocessHUdVS.exeRuntimeBroker.exeprocessHUVS.exeprocessHUVS.exeInstallUtil.exesvchost.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	772	dawdwadaw.scr
Token: SeDebugPrivilege	3496	taskmgr.exe
Token: SeSystemProfilePrivilege	3496	taskmgr.exe
Token: SeCreateGlobalPrivilege	3496	taskmgr.exe
Token: SeDebugPrivilege	1624	AppLaunch.exe
Token: SeDebugPrivilege	2876	GRIM PURE.EXE
Token: SeDebugPrivilege	2148	PURE.EXE
Token: SeDebugPrivilege	3156	VALSINKI PURE.EXE
Token: SeDebugPrivilege	5116	VALSINKI DATAEN.EXE
Token: SeDebugPrivilege	5008	WINDOWS DEFENDERSMARTSCREEN2.EXE
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	4560	GRIM ORG START.EXE
Token: SeDebugPrivilege	4032	RegAsm.exe
Token: SeDebugPrivilege	2192	SOFTICA.EXE
Token: SeDebugPrivilege	4844	RegAsm.exe
Token: SeDebugPrivilege	4296	DefenderProtector.exe
Token: SeDebugPrivilege	3900	WindowDefenderSmartScreen.exe
Token: SeDebugPrivilege	2784	Windows DefenderSmartScreen.exe
Token: SeDebugPrivilege	1496	InstallUtil.exe
Token: SeDebugPrivilege	3260	processHUdVS.exe
Token: SeDebugPrivilege	748	processHUdVS.exe
Token: SeDebugPrivilege	1488	RuntimeBroker.exe
Token: SeDebugPrivilege	4496	processHUVS.exe
Token: SeDebugPrivilege	1660	processHUVS.exe
Token: SeDebugPrivilege	1348	InstallUtil.exe
Token: SeBackupPrivilege	2120	svchost.exe
Token: SeRestorePrivilege	2120	svchost.exe
Token: SeSecurityPrivilege	2120	svchost.exe
Token: SeTakeOwnershipPrivilege	2120	svchost.exe
Token: 35	2120	svchost.exe
Token: SeDebugPrivilege	4268	InstallUtil.exe
Token: SeDebugPrivilege	4004	InstallUtil.exe
Token: SeBackupPrivilege	2120	svchost.exe
Token: SeRestorePrivilege	2120	svchost.exe
Token: SeSecurityPrivilege	2120	svchost.exe
Token: SeTakeOwnershipPrivilege	2120	svchost.exe
Token: 35	2120	svchost.exe
Token: SeDebugPrivilege	4944	InstallUtil.exe
Token: SeDebugPrivilege	3484	InstallUtil.exe
Token: SeDebugPrivilege	500	InstallUtil.exe
Token: SeDebugPrivilege	5732	InstallUtil.exe
Token: SeDebugPrivilege	5444	InstallUtil.exe
Token: SeDebugPrivilege	1436	InstallUtil.exe
Token: 33	2332	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2332	software_reporter_tool.exe
Token: 33	3740	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	3740	software_reporter_tool.exe
Token: 33	4424	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4424	software_reporter_tool.exe
Token: 33	4168	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4168	software_reporter_tool.exe
Token: SeDebugPrivilege	5892	InstallUtil.exe
Token: SeDebugPrivilege	1760	InstallUtil.exe
Token: SeDebugPrivilege	5220	InstallUtil.exe
Token: SeDebugPrivilege	5656	InstallUtil.exe
Token: SeDebugPrivilege	5252	InstallUtil.exe
Token: SeDebugPrivilege	612	InstallUtil.exe
Token: SeDebugPrivilege	1204	InstallUtil.exe
Token: SeDebugPrivilege	1788	InstallUtil.exe
Token: SeDebugPrivilege	5864	InstallUtil.exe
Token: SeDebugPrivilege	5504	InstallUtil.exe
Token: SeDebugPrivilege	6056	InstallUtil.exe
Token: SeDebugPrivilege	5944	InstallUtil.exe
Token: SeDebugPrivilege	2496	InstallUtil.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe
3496	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

OpenWith.exeRegAsm.exeInstallUtil.exe

pid process

4108 OpenWith.exe
4032 RegAsm.exe
4032 RegAsm.exe
1496 InstallUtil.exe
1496 InstallUtil.exe

pid	process
4108	OpenWith.exe
4032	RegAsm.exe
4032	RegAsm.exe
1496	InstallUtil.exe
1496	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dawdwadaw.scrAppLaunch.exetmp2F1E.tmp.exeWINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXEcmd.exeVALSINKI DATAEN.EXEWINDOWS DEFENDERSMARTSCREEN2.EXEPURE.EXEVALSINKI PURE.EXE

description	pid	process	target process
PID 772 wrote to memory of 1624	772	dawdwadaw.scr	AppLaunch.exe
PID 772 wrote to memory of 1624	772	dawdwadaw.scr	AppLaunch.exe
PID 772 wrote to memory of 1624	772	dawdwadaw.scr	AppLaunch.exe
PID 772 wrote to memory of 1624	772	dawdwadaw.scr	AppLaunch.exe
PID 772 wrote to memory of 1624	772	dawdwadaw.scr	AppLaunch.exe
PID 772 wrote to memory of 1624	772	dawdwadaw.scr	AppLaunch.exe
PID 772 wrote to memory of 1624	772	dawdwadaw.scr	AppLaunch.exe
PID 772 wrote to memory of 1624	772	dawdwadaw.scr	AppLaunch.exe
PID 1624 wrote to memory of 3480	1624	AppLaunch.exe	tmp2F1E.tmp.exe
PID 1624 wrote to memory of 3480	1624	AppLaunch.exe	tmp2F1E.tmp.exe
PID 1624 wrote to memory of 3480	1624	AppLaunch.exe	tmp2F1E.tmp.exe
PID 3480 wrote to memory of 4560	3480	tmp2F1E.tmp.exe	GRIM ORG START.EXE
PID 3480 wrote to memory of 4560	3480	tmp2F1E.tmp.exe	GRIM ORG START.EXE
PID 3480 wrote to memory of 2876	3480	tmp2F1E.tmp.exe	GRIM PURE.EXE
PID 3480 wrote to memory of 2876	3480	tmp2F1E.tmp.exe	GRIM PURE.EXE
PID 3480 wrote to memory of 2876	3480	tmp2F1E.tmp.exe	GRIM PURE.EXE
PID 3480 wrote to memory of 2148	3480	tmp2F1E.tmp.exe	PURE.EXE
PID 3480 wrote to memory of 2148	3480	tmp2F1E.tmp.exe	PURE.EXE
PID 3480 wrote to memory of 2148	3480	tmp2F1E.tmp.exe	PURE.EXE
PID 3480 wrote to memory of 2192	3480	tmp2F1E.tmp.exe	SOFTICA.EXE
PID 3480 wrote to memory of 2192	3480	tmp2F1E.tmp.exe	SOFTICA.EXE
PID 3480 wrote to memory of 2192	3480	tmp2F1E.tmp.exe	SOFTICA.EXE
PID 3480 wrote to memory of 5116	3480	tmp2F1E.tmp.exe	VALSINKI DATAEN.EXE
PID 3480 wrote to memory of 5116	3480	tmp2F1E.tmp.exe	VALSINKI DATAEN.EXE
PID 3480 wrote to memory of 5116	3480	tmp2F1E.tmp.exe	VALSINKI DATAEN.EXE
PID 3480 wrote to memory of 3156	3480	tmp2F1E.tmp.exe	VALSINKI PURE.EXE
PID 3480 wrote to memory of 3156	3480	tmp2F1E.tmp.exe	VALSINKI PURE.EXE
PID 3480 wrote to memory of 3156	3480	tmp2F1E.tmp.exe	VALSINKI PURE.EXE
PID 3480 wrote to memory of 5008	3480	tmp2F1E.tmp.exe	WINDOWS DEFENDERSMARTSCREEN2.EXE
PID 3480 wrote to memory of 5008	3480	tmp2F1E.tmp.exe	WINDOWS DEFENDERSMARTSCREEN2.EXE
PID 3480 wrote to memory of 5008	3480	tmp2F1E.tmp.exe	WINDOWS DEFENDERSMARTSCREEN2.EXE
PID 3480 wrote to memory of 4368	3480	tmp2F1E.tmp.exe	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
PID 3480 wrote to memory of 4368	3480	tmp2F1E.tmp.exe	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
PID 3480 wrote to memory of 4368	3480	tmp2F1E.tmp.exe	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
PID 4368 wrote to memory of 2316	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	powershell.exe
PID 4368 wrote to memory of 2316	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	powershell.exe
PID 4368 wrote to memory of 2316	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	powershell.exe
PID 4368 wrote to memory of 644	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	cmd.exe
PID 4368 wrote to memory of 644	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	cmd.exe
PID 4368 wrote to memory of 644	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	cmd.exe
PID 4368 wrote to memory of 708	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 4368 wrote to memory of 708	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 4368 wrote to memory of 708	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 4368 wrote to memory of 708	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 4368 wrote to memory of 708	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 4368 wrote to memory of 708	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 4368 wrote to memory of 708	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 4368 wrote to memory of 708	4368	WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE	RegAsm.exe
PID 644 wrote to memory of 3428	644	cmd.exe	schtasks.exe
PID 644 wrote to memory of 3428	644	cmd.exe	schtasks.exe
PID 644 wrote to memory of 3428	644	cmd.exe	schtasks.exe
PID 5116 wrote to memory of 2312	5116	VALSINKI DATAEN.EXE	cmd.exe
PID 5116 wrote to memory of 2312	5116	VALSINKI DATAEN.EXE	cmd.exe
PID 5116 wrote to memory of 2312	5116	VALSINKI DATAEN.EXE	cmd.exe
PID 5008 wrote to memory of 3384	5008	WINDOWS DEFENDERSMARTSCREEN2.EXE	cmd.exe
PID 5008 wrote to memory of 3384	5008	WINDOWS DEFENDERSMARTSCREEN2.EXE	cmd.exe
PID 5008 wrote to memory of 3384	5008	WINDOWS DEFENDERSMARTSCREEN2.EXE	cmd.exe
PID 2148 wrote to memory of 1716	2148	PURE.EXE	RegAsm.exe
PID 2148 wrote to memory of 1716	2148	PURE.EXE	RegAsm.exe
PID 2148 wrote to memory of 1716	2148	PURE.EXE	RegAsm.exe
PID 5116 wrote to memory of 3508	5116	VALSINKI DATAEN.EXE	cmd.exe
PID 5116 wrote to memory of 3508	5116	VALSINKI DATAEN.EXE	cmd.exe
PID 5116 wrote to memory of 3508	5116	VALSINKI DATAEN.EXE	cmd.exe
PID 3156 wrote to memory of 4032	3156	VALSINKI PURE.EXE	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\dawdwadaw.scr
"C:\Users\Admin\AppData\Local\Temp\dawdwadaw.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\tmp2F1E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp2F1E.tmp.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
"C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DefenderProtector" /tr '"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"' & exit
5⤵
PID:4040

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "DefenderProtector" /tr '"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"'
6⤵
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp702F.tmp.bat""
5⤵
PID:4740

C:\Windows\system32\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:748

C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
"C:\Users\Admin\AppData\Roaming\DefenderProtector.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
"C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Users\Admin\AppData\Roaming\PURE.EXE
"C:\Users\Admin\AppData\Roaming\PURE.EXE"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
PID:4092

C:\Users\Admin\AppData\Roaming\SOFTICA.EXE
"C:\Users\Admin\AppData\Roaming\SOFTICA.EXE"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
"C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WindoDefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
5⤵
PID:2312

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
6⤵
- Runs ping.exe
PID:1148

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "WindoDefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
6⤵
- Adds Run key to start application
PID:4540

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE" "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
5⤵
PID:3508

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
6⤵
- Runs ping.exe
PID:3528

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
6⤵
- Runs ping.exe
PID:4336

C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
"C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe
"C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe
"C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
"C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows DefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
5⤵
PID:3384

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 8
6⤵
- Runs ping.exe
PID:2556

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Windows DefenderSmartScreen" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
6⤵
- Adds Run key to start application
PID:5036

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE" "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
5⤵
PID:3028

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
6⤵
- Runs ping.exe
PID:2508

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
6⤵
- Runs ping.exe
PID:728

C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe
"C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Users\Admin\AppData\Local\Temp\processHUVS.exe
"C:\Users\Admin\AppData\Local\Temp\processHUVS.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Users\Admin\AppData\Local\Temp\processHUVS.exe
"C:\Users\Admin\AppData\Local\Temp\processHUVS.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:6056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:5944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:4724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:4220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:4452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:5860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:1964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:3128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
7⤵
PID:2380

C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
"C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSystem GuardRuntime';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WindowsSystem GuardRuntime' -Value '"C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe"' -PropertyType 'String'
5⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \WindowsSystem GuardRuntime /tr "C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
5⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \WindowsSystem GuardRuntime /tr "C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:3428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
5⤵
PID:708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3480

C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffb89e04f50,0x7ffb89e04f60,0x7ffb89e04f70
2⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2060 /prefetch:8
2⤵
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2312 /prefetch:8
2⤵
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
2⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
2⤵
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 /prefetch:8
2⤵
PID:5280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4584 /prefetch:8
2⤵
PID:5428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
2⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:8
2⤵
PID:5468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
2⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 /prefetch:8
2⤵
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
2⤵
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
2⤵
PID:5876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:5296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
2⤵
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:8
2⤵
PID:5620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3928 /prefetch:8
2⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3860 /prefetch:2
2⤵
PID:656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
2⤵
PID:4544

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=FAj1sNAVHkXBMIJpehvP3ezfbUL2KOqN59ceOqe1 --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=104.288.200 --initial-client-data=0x2ac,0x2b0,0x2b4,0x288,0x2b8,0x7ff64f4b2d20,0x7ff64f4b2d30,0x7ff64f4b2d40
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2332

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3740_OZWJKNELRZDYQWLD" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=16276670475289057025 --mojo-platform-channel-handle=780 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4424

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3740_OZWJKNELRZDYQWLD" --sandboxed-process-id=3 --init-done-notifier=1032 --sandbox-mojo-pipe-token=14068706931239034804 --mojo-platform-channel-handle=1028
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:8
2⤵
PID:6028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5256 /prefetch:8
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=940 /prefetch:8
2⤵
PID:5196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:8
2⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1664,1762155593365395592,17394981272217573200,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=928 /prefetch:8
2⤵
PID:5844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUVS.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUVS.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUVS.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUVS.txt
Filesize
76B

MD5
23a6871b896edb38511cb38c5d600686

SHA1
ab3a564a4d1292bb1273e54a2235c5922a03e623

SHA256
f56c03a0791e6284db3be9509ebbd084f177402f6c1db3345df66c310efb671e

SHA512
27f2f12f1c35063cf0bbc7fede4d7479ac54688ab520c5a849de04b674b23741d3bbbf6cc34d0375ab125e327b3e54caee30743c43f6da2b9f890b6b8e58d2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUVS.txt
Filesize
76B

MD5
f7b02459c1d200b5ad5f441c8f3b856e

SHA1
57776be92e80326866fe20fd4c095aa35c022d83

SHA256
b548d4fdefddc2913c0de42cdcd62c9861515dc58c4d83f8a0c6b9e68ffc8f1d

SHA512
c89c8391ce7eca4b78e058a98badb080100a20d3f12ee2b72ff6c1567d75401e1698d11059d86fa3dbd64c04948ddd814a9f8927aad4578ec2ebdf5e7f711825

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUVS.txt
Filesize
76B

MD5
f7b02459c1d200b5ad5f441c8f3b856e

SHA1
57776be92e80326866fe20fd4c095aa35c022d83

SHA256
b548d4fdefddc2913c0de42cdcd62c9861515dc58c4d83f8a0c6b9e68ffc8f1d

SHA512
c89c8391ce7eca4b78e058a98badb080100a20d3f12ee2b72ff6c1567d75401e1698d11059d86fa3dbd64c04948ddd814a9f8927aad4578ec2ebdf5e7f711825

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUdVS.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUdVS.txt
Filesize
74B

MD5
c3dde641a5edf599f3d4765303caeec1

SHA1
7ef909981e1d047602ab6bf747bf780fb363ef36

SHA256
022b8cf8ee45eb204b6a59e8c13316562ebcf25040fc76357c393eaa05060589

SHA512
f7f4b7d1a33c2278dfc45f207c05f33de2bb96cad1a98bf0c1fecdf3541ffe3574b48002edecbc33343181108bff6755f9a4fa5e455fe73dfecb68051c4bbb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUdVS.txt
Filesize
73B

MD5
47390d80f9e06a2ddd8dd588917b52d3

SHA1
eb2e3f5a6a2ca02b61299ed33d1afbbda3e95ffc

SHA256
c3fc7c6a0e8bee2a4456d9cc9516b2b542777e93603d44c4354bc8900447c086

SHA512
3b752a9296b53b5c97fe875e6d05b37b3fa7f7a1de11f349f2a63a72e78b2fd78bb1dce79f94cd1be24b36607f3982bd199e0d67bf94ef02111268449d10f342

Download Submit
C:\Users\Admin\AppData\Local\Temp\processHUdVS.txt
Filesize
73B

MD5
47390d80f9e06a2ddd8dd588917b52d3

SHA1
eb2e3f5a6a2ca02b61299ed33d1afbbda3e95ffc

SHA256
c3fc7c6a0e8bee2a4456d9cc9516b2b542777e93603d44c4354bc8900447c086

SHA512
3b752a9296b53b5c97fe875e6d05b37b3fa7f7a1de11f349f2a63a72e78b2fd78bb1dce79f94cd1be24b36607f3982bd199e0d67bf94ef02111268449d10f342

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F1E.tmp.exe
Filesize
5.6MB

MD5
4bb7f0bad8e479f59da6821dc3cbc03f

SHA1
354c80b709a8eff0da641fabc73f036c5b45b4d3

SHA256
4cd3c805a6c796530a65b0e3650a92eac73b44d8b534669231865837c6c27a69

SHA512
caa08b5114fd98fb7d4baedfc11796196c844a47b915d9b6db6c2fd0d4eb5a5a2715df505247ee40cf3c308b4861a9994995586eb28250d5157d8b56298a86f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2F1E.tmp.exe
Filesize
5.6MB

MD5
4bb7f0bad8e479f59da6821dc3cbc03f

SHA1
354c80b709a8eff0da641fabc73f036c5b45b4d3

SHA256
4cd3c805a6c796530a65b0e3650a92eac73b44d8b534669231865837c6c27a69

SHA512
caa08b5114fd98fb7d4baedfc11796196c844a47b915d9b6db6c2fd0d4eb5a5a2715df505247ee40cf3c308b4861a9994995586eb28250d5157d8b56298a86f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp702F.tmp.bat
Filesize
161B

MD5
81a1e7396a6504a5e961e5c3badc1854

SHA1
f137dc09103f659a6afaf594467cc9886aac5f51

SHA256
fc1d83eb14e76966b2199321294e6dedd530681739fea7cd467acd3dcfdc4a94

SHA512
77dcf6fe5a5e652c04e889602ba5b73c422214d9aec7dc081dcac45e0caf13fee945fb5708465c81794616532dc2e1dc26b4b2bd7c6b569b5d6b28d7532c23b7

Download Submit
C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\DefenderProtector.exe
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM ORG START.EXE
Filesize
279KB

MD5
2bb0d97d59e57d4b018564507f979f3d

SHA1
5637a617c2ea8b454c4e93e4fce099f69faf49b1

SHA256
cd788384c672f9838c1542de5235620492fcd3b003093b0275aa3e6a46ca9ef4

SHA512
429741a50b2ac53418c715e5234b405d2fda3ee428afed6ad49f35b7b2ac98f1e8dad55379923c4e9cd073c2834c6781be852360247bbf6d49b4f022baec7ca8

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
Filesize
12KB

MD5
0f7bba77e7a6219abb730495e7f4b4c7

SHA1
34ae94ef50573476a34f0545009e44b4364b9f48

SHA256
4a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b

SHA512
4f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae

Download Submit
C:\Users\Admin\AppData\Roaming\GRIM PURE.EXE
Filesize
12KB

MD5
0f7bba77e7a6219abb730495e7f4b4c7

SHA1
34ae94ef50573476a34f0545009e44b4364b9f48

SHA256
4a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b

SHA512
4f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MIcrosoftEdge.exe
Filesize
12KB

MD5
a338b5d30d5e20938f6c7d186b013759

SHA1
1b30c511aabf8c55c327898b1bc82ae2022b1f20

SHA256
f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7

SHA512
2e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\MIcrosoftEdge.exe
Filesize
12KB

MD5
0f7bba77e7a6219abb730495e7f4b4c7

SHA1
34ae94ef50573476a34f0545009e44b4364b9f48

SHA256
4a5ee7c191a4830cc3433ba61e7803cc90796bcf20f5d9d4aa47a5c12ddabd3b

SHA512
4f198ad953b42cc6d7d05b0326c76f2bfd053c1f4c9041ea398731062cffc210977deaf006384b9e1c371086a866ccc688ad7a2bd82c18653e067caabd8d5aae

Download Submit
C:\Users\Admin\AppData\Roaming\PURE.EXE
Filesize
12KB

MD5
067b49ce5caf426877fcc6ca178491a7

SHA1
ac71a4d3f5eeafac96f5d1915ca7e5d0bdf292f3

SHA256
1a8e00e3e52a737a298a474f205d205955661415500c3d7f9e22fb311a7e162d

SHA512
52cc0de51953e092261d4c94e6c1045d984cc1bc0877bd799a0aca22ce17e2cb9b851761527dcec584eb37d1370c6fe17ce5c8870b82f5a45d8cc4571dd6084d

Download Submit
C:\Users\Admin\AppData\Roaming\PURE.EXE
Filesize
12KB

MD5
067b49ce5caf426877fcc6ca178491a7

SHA1
ac71a4d3f5eeafac96f5d1915ca7e5d0bdf292f3

SHA256
1a8e00e3e52a737a298a474f205d205955661415500c3d7f9e22fb311a7e162d

SHA512
52cc0de51953e092261d4c94e6c1045d984cc1bc0877bd799a0aca22ce17e2cb9b851761527dcec584eb37d1370c6fe17ce5c8870b82f5a45d8cc4571dd6084d

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
Filesize
4.0MB

MD5
040bd5f344fe41128d1372340d9650b7

SHA1
8c67bccebf50a74a4f32ae5db55d33c333811d42

SHA256
2b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc

SHA512
14657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe
Filesize
4.0MB

MD5
040bd5f344fe41128d1372340d9650b7

SHA1
8c67bccebf50a74a4f32ae5db55d33c333811d42

SHA256
2b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc

SHA512
14657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85

Download Submit
C:\Users\Admin\AppData\Roaming\SOFTICA.EXE
Filesize
4.0MB

MD5
040bd5f344fe41128d1372340d9650b7

SHA1
8c67bccebf50a74a4f32ae5db55d33c333811d42

SHA256
2b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc

SHA512
14657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85

Download Submit
C:\Users\Admin\AppData\Roaming\SOFTICA.EXE
Filesize
4.0MB

MD5
040bd5f344fe41128d1372340d9650b7

SHA1
8c67bccebf50a74a4f32ae5db55d33c333811d42

SHA256
2b86cdac51e413cfd0dc6cd0f3aa10f27e71e717e115647e8930e477ef7fcdfc

SHA512
14657d028870d4639373c4c3616289136f0cc83c9fc2082c9ccc40345b64444c492a29daa2202c70e27ce5990404b05a6fead4c84ac2bc1be1e5a835efb62f85

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI DATAEN.EXE
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
Filesize
12KB

MD5
a338b5d30d5e20938f6c7d186b013759

SHA1
1b30c511aabf8c55c327898b1bc82ae2022b1f20

SHA256
f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7

SHA512
2e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660

Download Submit
C:\Users\Admin\AppData\Roaming\VALSINKI PURE.EXE
Filesize
12KB

MD5
a338b5d30d5e20938f6c7d186b013759

SHA1
1b30c511aabf8c55c327898b1bc82ae2022b1f20

SHA256
f69138a24b385afc10b8cfe81a567b3f1aa2c8ac9cd34e40195d80d7659197d7

SHA512
2e086a913da79587e18a8c4c60b9de5a1bc95d7f0da392001fb2e3b6449a6efb93c08a921ce049e54be17bbd944706372b2857a1429ad5d0604ef446ba870660

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWS DEFENDERSMARTSCREEN2.EXE
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
Filesize
87KB

MD5
75fd186e8710fe1db3195e9495360d97

SHA1
9ca803b7c7f531da6f2e0d41d20103524164f487

SHA256
3382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c

SHA512
722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506

Download Submit
C:\Users\Admin\AppData\Roaming\WINDOWSSYSTEM GUARDRUNTIME2_PROTECTED.EXE
Filesize
87KB

MD5
75fd186e8710fe1db3195e9495360d97

SHA1
9ca803b7c7f531da6f2e0d41d20103524164f487

SHA256
3382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c

SHA512
722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506

Download Submit
C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\WindowDefenderSmartScreen.exe
Filesize
624KB

MD5
5e56235cac2cf93002c366489c7fa7c8

SHA1
67a96b5f8127ae819517347e098da58af42e6117

SHA256
ce3b28d738549a19a8f2aa8eb6fd13bc088cf28e592a498d8c1239a3892f0b0a

SHA512
44d6bbef4870d1c050566fca25bba3786d181f8bb4120dc7f4d8c93683af0153b84946e46dff58ea348d65e7bb5d8857f4b2b038e8b870bd31a10d3a13e0ab32

Download Submit
C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
C:\Users\Admin\AppData\Roaming\Windows DefenderSmartScreen.exe
Filesize
580KB

MD5
cec25ed7c1577b2afa0ffd0ee79a1416

SHA1
f9e2b7e1cdccbeb6fdab7d61fe0c48fe859d28a8

SHA256
5b9bc889577a20bbb676a8b296f2823780f2d1931f0aa9301d9b088e50622a43

SHA512
ed8f0f07116e7bc7a12a9613870a4e4ed07aeb53882715f2e02fce5acd870fb302f7a5d650867f401ac7e125cc4ad44709ebf97d8bf3d486ccb88cf2cd055c93

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSystem GuardRuntime\WindowsSystem GuardRuntime.exe
Filesize
87KB

MD5
75fd186e8710fe1db3195e9495360d97

SHA1
9ca803b7c7f531da6f2e0d41d20103524164f487

SHA256
3382da4d56715d6a1ee83d45082a3f34413ba16a0728581e8c4462eb65ba1e2c

SHA512
722d6b570d0c342b77803a18ba70f48c865633512d02b77fd7ef3eb08718ecdd92bdd0dda679bd98883ee4972c068c20288e99eb5306aade6333fd43e2db4506

Download Submit
\??\pipe\crashpad_4348_SUJPUNSJMVISZKZZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/500-274-0x0000000000000000-mapping.dmp

Download
memory/644-175-0x0000000000000000-mapping.dmp

Download
memory/708-177-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/708-176-0x0000000000000000-mapping.dmp

Download
memory/728-230-0x0000000000000000-mapping.dmp

Download
memory/748-251-0x0000000000000000-mapping.dmp

Download
memory/748-212-0x0000000000000000-mapping.dmp

Download
memory/772-133-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/772-132-0x0000000000990000-0x0000000000A40000-memory.dmp

Filesize
704KB

Download
memory/1068-240-0x0000000000000000-mapping.dmp

Download
memory/1148-194-0x0000000000000000-mapping.dmp

Download
memory/1348-242-0x0000000000000000-mapping.dmp

Download
memory/1348-255-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1436-283-0x0000000000000000-mapping.dmp

Download
memory/1496-239-0x0000000000000000-mapping.dmp

Download
memory/1624-134-0x0000000000000000-mapping.dmp

Download
memory/1624-135-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1660-260-0x0000000000000000-mapping.dmp

Download
memory/1716-189-0x0000000000000000-mapping.dmp

Download
memory/1760-295-0x0000000000000000-mapping.dmp

Download
memory/1864-280-0x0000000000000000-mapping.dmp

Download
memory/2148-150-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/2148-147-0x0000000000000000-mapping.dmp

Download
memory/2192-155-0x0000000000260000-0x000000000065C000-memory.dmp

Filesize
4.0MB

Download
memory/2192-151-0x0000000000000000-mapping.dmp

Download
memory/2312-185-0x0000000000000000-mapping.dmp

Download
memory/2316-206-0x0000000005FE0000-0x0000000005FFE000-memory.dmp

Filesize
120KB

Download
memory/2316-184-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/2316-191-0x0000000005AA0000-0x0000000005ABE000-memory.dmp

Filesize
120KB

Download
memory/2316-205-0x00000000718F0000-0x000000007193C000-memory.dmp

Filesize
304KB

Download
memory/2316-182-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/2316-174-0x0000000000000000-mapping.dmp

Download
memory/2316-203-0x0000000006A80000-0x0000000006AB2000-memory.dmp

Filesize
200KB

Download
memory/2316-224-0x0000000007120000-0x0000000007142000-memory.dmp

Filesize
136KB

Download
memory/2316-180-0x0000000004B50000-0x0000000005178000-memory.dmp

Filesize
6.2MB

Download
memory/2316-178-0x00000000044E0000-0x0000000004516000-memory.dmp

Filesize
216KB

Download
memory/2316-213-0x00000000073F0000-0x0000000007A6A000-memory.dmp

Filesize
6.5MB

Download
memory/2316-214-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/2316-215-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/2316-216-0x0000000007040000-0x00000000070D6000-memory.dmp

Filesize
600KB

Download
memory/2316-217-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

Filesize
56KB

Download
memory/2316-218-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/2316-219-0x00000000070E0000-0x00000000070E8000-memory.dmp

Filesize
32KB

Download
memory/2332-289-0x0000000000000000-mapping.dmp

Download
memory/2508-211-0x0000000000000000-mapping.dmp

Download
memory/2556-195-0x0000000000000000-mapping.dmp

Download
memory/2784-235-0x0000000000000000-mapping.dmp

Download
memory/2784-238-0x0000000000D30000-0x0000000000DC6000-memory.dmp

Filesize
600KB

Download
memory/2876-142-0x0000000000000000-mapping.dmp

Download
memory/2876-146-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/3028-207-0x0000000000000000-mapping.dmp

Download
memory/3156-162-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/3156-158-0x0000000000000000-mapping.dmp

Download
memory/3260-249-0x0000000000CF0000-0x0000000000D0A000-memory.dmp

Filesize
104KB

Download
memory/3260-246-0x0000000000000000-mapping.dmp

Download
memory/3384-186-0x0000000000000000-mapping.dmp

Download
memory/3392-269-0x0000000000000000-mapping.dmp

Download
memory/3428-179-0x0000000000000000-mapping.dmp

Download
memory/3480-136-0x0000000000000000-mapping.dmp

Download
memory/3484-272-0x0000000000000000-mapping.dmp

Download
memory/3508-188-0x0000000000000000-mapping.dmp

Download
memory/3528-198-0x0000000000000000-mapping.dmp

Download
memory/3528-241-0x0000000000000000-mapping.dmp

Download
memory/3740-288-0x0000000000000000-mapping.dmp

Download
memory/3900-234-0x00000000005C0000-0x0000000000662000-memory.dmp

Filesize
648KB

Download
memory/3900-231-0x0000000000000000-mapping.dmp

Download
memory/4004-267-0x0000000000000000-mapping.dmp

Download
memory/4012-209-0x0000000000000000-mapping.dmp

Download
memory/4032-193-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4032-190-0x0000000000000000-mapping.dmp

Download
memory/4032-196-0x00000000057A0000-0x00000000057F6000-memory.dmp

Filesize
344KB

Download
memory/4040-202-0x0000000000000000-mapping.dmp

Download
memory/4092-200-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4092-192-0x0000000000000000-mapping.dmp

Download
memory/4168-293-0x0000000000000000-mapping.dmp

Download
memory/4268-263-0x0000000000000000-mapping.dmp

Download
memory/4296-223-0x00007FFB88470000-0x00007FFB88F31000-memory.dmp

Filesize
10.8MB

Download
memory/4296-220-0x0000000000000000-mapping.dmp

Download
memory/4296-228-0x00007FFB88470000-0x00007FFB88F31000-memory.dmp

Filesize
10.8MB

Download
memory/4336-229-0x0000000000000000-mapping.dmp

Download
memory/4368-173-0x0000000000B40000-0x0000000000B5C000-memory.dmp

Filesize
112KB

Download
memory/4368-168-0x0000000000000000-mapping.dmp

Download
memory/4424-304-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-302-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-306-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-291-0x0000000000000000-mapping.dmp

Download
memory/4424-303-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-307-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-309-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-310-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-301-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-305-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-312-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-300-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-299-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-298-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-313-0x000001B615E60000-0x000001B615EA0000-memory.dmp

Filesize
256KB

Download
memory/4424-308-0x000001B615EA0000-0x000001B615EE0000-memory.dmp

Filesize
256KB

Download
memory/4452-341-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4496-256-0x0000000000000000-mapping.dmp

Download
memory/4540-227-0x0000000000000000-mapping.dmp

Download
memory/4560-167-0x00007FFB88470000-0x00007FFB88F31000-memory.dmp

Filesize
10.8MB

Download
memory/4560-145-0x0000015875060000-0x00000158750AC000-memory.dmp

Filesize
304KB

Download
memory/4560-139-0x0000000000000000-mapping.dmp

Download
memory/4560-208-0x00007FFB88470000-0x00007FFB88F31000-memory.dmp

Filesize
10.8MB

Download
memory/4740-204-0x0000000000000000-mapping.dmp

Download
memory/4844-201-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4844-199-0x0000000000000000-mapping.dmp

Download
memory/4944-270-0x0000000000000000-mapping.dmp

Download
memory/5008-181-0x000000000A2A0000-0x000000000A332000-memory.dmp

Filesize
584KB

Download
memory/5008-170-0x0000000000A70000-0x0000000000B06000-memory.dmp

Filesize
600KB

Download
memory/5008-183-0x0000000005D10000-0x0000000005D1A000-memory.dmp

Filesize
40KB

Download
memory/5008-163-0x0000000000000000-mapping.dmp

Download
memory/5036-226-0x0000000000000000-mapping.dmp

Download
memory/5116-154-0x0000000000000000-mapping.dmp

Download
memory/5116-159-0x0000000000E00000-0x0000000000EA2000-memory.dmp

Filesize
648KB

Download
memory/5116-165-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/5116-169-0x0000000004F10000-0x0000000004FAC000-memory.dmp

Filesize
624KB

Download
memory/5444-281-0x0000000000000000-mapping.dmp

Download
memory/5732-277-0x0000000000000000-mapping.dmp

Download
memory/5816-286-0x0000000000000000-mapping.dmp

Download
memory/5892-287-0x0000000000000000-mapping.dmp

Download
memory/5912-285-0x0000000000000000-mapping.dmp

Download
memory/5976-297-0x0000000000000000-mapping.dmp

Download