dcrat | 566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe
Size

244KB
MD5

e2a8b2851b1b7ec84eade5c32073a481
SHA1

a98ecfa96f887f82b41b6384cd0c1e939eee707e
SHA256

566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b
SHA512

75ff30800c1868bc0636d3fdcf76b1c5d45e9807c623ea1edebf9d0584640f6542d4631188fb4c73a47c0463f7e549bd5771bca833bd6999ac1c95e36239f013
SSDEEP

6144:W4neVAhDR9xI3MnR0tcLLHpkBvmSDV8Onf4wT/iFt/9z:W4yAhtiMnaVHf48iFlB

Malware Config

Extracted

Family

redline

Botnet

mario_new

176.122.23.55:11768

Attributes

auth_value
eeee8d5fcc3ba3a42094ef260c5bdcb4

Extracted

Family

djvu

http://acacaca.org/lancer/get.php

Attributes

extension
.mmdt
offline_id
yd6oYv6aBN90yFzTWdZ34sXSXtXiauzOLXZyWht1
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xuPJqoyzQE Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0557Jhyjd

rsa_pubkey.plain

Extracted

Family

socelars

https://hueduy.s3.eu-west-1.amazonaws.com/dhfry901/

Extracted

Family

redline

Botnet

1337

78.153.144.6:2510

Attributes

auth_value
b0447922bcbc2eda83260a9e7a638f45

Extracted

Family

redline

Botnet

nam5

103.89.90.61:34589

Attributes

auth_value
f23be8e9063fe5d0c6fc3ee8e7d565bd

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3980-181-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3980-183-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3980-186-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/101812-185-0x00000000049A0000-0x0000000004ABB000-memory.dmp	family_djvu
behavioral1/memory/3980-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3980-195-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1016-199-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1016-201-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1016-206-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1016-230-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1748-133-0x00000000008C0000-0x00000000008C9000-memory.dmp	family_smokeloader
behavioral1/memory/102032-162-0x0000000002BB0000-0x0000000002BB9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7536	1516	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8000	1516	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/101740-140-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/4592-235-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/4804-246-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/536-213-0x0000000000400000-0x000000000058E000-memory.dmp	family_socelars
behavioral1/memory/536-244-0x0000000000400000-0x000000000058E000-memory.dmp	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 7884 created 7628	7884	svchost.exe	361A.exe
PID 7884 created 8308	7884	svchost.exe	csrss.exe
PID 7884 created 8308	7884	svchost.exe	csrss.exe
PID 7884 created 8308	7884	svchost.exe	csrss.exe
PID 7884 created 9576	7884	svchost.exe	7BC1.exe

Downloads MZ/PE file

Executes dropped EXE 27 IoCs

Processes:

3BF0.exe5DFF.exe62A4.exe937A.exe937A.exe937A.exe937A.exeB7EB.exebuild2.exeCAE7.exebuild2.exeCF0F.exeD346.exeDD59.exe2AED.exe2AED.exe361A.exe3B5B.exe3B5B.exe361A.exe43D7.execsrss.exeinjector.exe7BC1.exetor.exe7BC1.exe8BA0.exe

pid	process
2804	3BF0.exe
101956	5DFF.exe
102032	62A4.exe
101812	937A.exe
3980	937A.exe
4400	937A.exe
1016	937A.exe
536	B7EB.exe
1296	build2.exe
3088	CAE7.exe
3452	build2.exe
5032	CF0F.exe
3588	D346.exe
5132	DD59.exe
7340	2AED.exe
7436	2AED.exe
7628	361A.exe
7660	3B5B.exe
7736	3B5B.exe
7912	361A.exe
7940	43D7.exe
8308	csrss.exe
8508	injector.exe
9576	7BC1.exe
9600	tor.exe
9836	7BC1.exe
9876	8BA0.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

8264 netsh.exe

pid	process
8264	netsh.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B7EB.exe	upx
C:\Users\Admin\AppData\Local\Temp\B7EB.exe	upx
behavioral1/memory/536-213-0x0000000000400000-0x000000000058E000-memory.dmp	upx
behavioral1/memory/536-244-0x0000000000400000-0x000000000058E000-memory.dmp	upx

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe2AED.exe3B5B.exe937A.exe937A.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	2AED.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3B5B.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	937A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	937A.exe

Loads dropped DLL 18 IoCs

Processes:

regsvr32.exebuild2.exerundll32.exerundll32.exetor.exe8BA0.exe

pid	process
102396	regsvr32.exe
3452	build2.exe
3452	build2.exe
3452	build2.exe
7552	rundll32.exe
8012	rundll32.exe
9600	tor.exe
9600	tor.exe
9600	tor.exe
9600	tor.exe
9600	tor.exe
9600	tor.exe
9600	tor.exe
9600	tor.exe
9600	tor.exe
9876	8BA0.exe
9876	8BA0.exe
9876	8BA0.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3316 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3316	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

937A.exe361A.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ccca4610-3070-4d47-b72e-938255b6473b\\937A.exe\" --AutoStart"	937A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	361A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

63 api.2ip.ua
64 api.2ip.ua
69 api.2ip.ua

flow	ioc
63	api.2ip.ua
64	api.2ip.ua
69	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

Processes:

3BF0.exe937A.exe937A.exebuild2.exeCAE7.exeCF0F.exe

description	pid	process	target process
PID 2804 set thread context of 101740	2804	3BF0.exe	AppLaunch.exe
PID 101812 set thread context of 3980	101812	937A.exe	937A.exe
PID 4400 set thread context of 1016	4400	937A.exe	937A.exe
PID 1296 set thread context of 3452	1296	build2.exe	build2.exe
PID 3088 set thread context of 4592	3088	CAE7.exe	AppLaunch.exe
PID 5032 set thread context of 4804	5032	CF0F.exe	AppLaunch.exe

Drops file in Program Files directory 19 IoCs

Processes:

B7EB.exe43D7.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	B7EB.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	B7EB.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	B7EB.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	43D7.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	B7EB.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	B7EB.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	B7EB.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	43D7.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	43D7.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	B7EB.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	B7EB.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	43D7.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	43D7.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	43D7.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	43D7.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	43D7.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	B7EB.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	B7EB.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	43D7.exe

Drops file in Windows directory 2 IoCs

Processes:

361A.exe

description ioc process

File opened for modification C:\Windows\rss 361A.exe
File created C:\Windows\rss\csrss.exe 361A.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

9728 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\rss	361A.exe
File created	C:\Windows\rss\csrss.exe	361A.exe

pid	process
9728	sc.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
101860	2804	WerFault.exe	3BF0.exe
102208	101956	WerFault.exe	5DFF.exe
6096	5132	WerFault.exe	DD59.exe
7596	7552	WerFault.exe	rundll32.exe
8056	8012	WerFault.exe	rundll32.exe
10096	9876	WerFault.exe	8BA0.exe
10200	10148	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe62A4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	62A4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	62A4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	62A4.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

8400 schtasks.exe
9512 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5512 timeout.exe

pid	process
8400	schtasks.exe
9512	schtasks.exe

pid	process
5512	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4880 taskkill.exe
5476 taskkill.exe
8144 taskkill.exe

pid	process
4880	taskkill.exe
5476	taskkill.exe
8144	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

361A.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	361A.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	361A.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	239	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	228	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe

pid	process
1748	566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe
1748	566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2576

pid	process
2576

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe62A4.exeexplorer.exeexplorer.exe

pid	process
1748	566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe
102032	62A4.exe
2576
2576
2576
2576
5904	explorer.exe
5904	explorer.exe
5904	explorer.exe
5904	explorer.exe
2576
2576
5904	explorer.exe
5904	explorer.exe
5904	explorer.exe
5904	explorer.exe
2576
2576
6340	explorer.exe
6340	explorer.exe
5904	explorer.exe
5904	explorer.exe
5904	explorer.exe
5904	explorer.exe
2576
2576
5904	explorer.exe
5904	explorer.exe
5904	explorer.exe
5904	explorer.exe
2576
2576
5904	explorer.exe
5904	explorer.exe
2576
2576
6340	explorer.exe
6340	explorer.exe
5904	explorer.exe
5904	explorer.exe
6340	explorer.exe
6340	explorer.exe
2576
2576
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
2576
2576
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
6340	explorer.exe
5904	explorer.exe
5904	explorer.exe
6340	explorer.exe
6340	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exechrome.exe

pid process

1408 chrome.exe
1408 chrome.exe
1408 chrome.exe
1408 chrome.exe
1408 chrome.exe
8556 chrome.exe
8556 chrome.exe
8556 chrome.exe
8556 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.exeB7EB.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeDebugPrivilege	101740	AppLaunch.exe
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeCreateTokenPrivilege	536	B7EB.exe
Token: SeAssignPrimaryTokenPrivilege	536	B7EB.exe
Token: SeLockMemoryPrivilege	536	B7EB.exe
Token: SeIncreaseQuotaPrivilege	536	B7EB.exe
Token: SeMachineAccountPrivilege	536	B7EB.exe
Token: SeTcbPrivilege	536	B7EB.exe
Token: SeSecurityPrivilege	536	B7EB.exe
Token: SeTakeOwnershipPrivilege	536	B7EB.exe
Token: SeLoadDriverPrivilege	536	B7EB.exe
Token: SeSystemProfilePrivilege	536	B7EB.exe
Token: SeSystemtimePrivilege	536	B7EB.exe
Token: SeProfSingleProcessPrivilege	536	B7EB.exe
Token: SeIncBasePriorityPrivilege	536	B7EB.exe
Token: SeCreatePagefilePrivilege	536	B7EB.exe
Token: SeCreatePermanentPrivilege	536	B7EB.exe
Token: SeBackupPrivilege	536	B7EB.exe
Token: SeRestorePrivilege	536	B7EB.exe
Token: SeShutdownPrivilege	536	B7EB.exe
Token: SeDebugPrivilege	536	B7EB.exe
Token: SeAuditPrivilege	536	B7EB.exe
Token: SeSystemEnvironmentPrivilege	536	B7EB.exe
Token: SeChangeNotifyPrivilege	536	B7EB.exe
Token: SeRemoteShutdownPrivilege	536	B7EB.exe
Token: SeUndockPrivilege	536	B7EB.exe
Token: SeSyncAgentPrivilege	536	B7EB.exe
Token: SeEnableDelegationPrivilege	536	B7EB.exe
Token: SeManageVolumePrivilege	536	B7EB.exe
Token: SeImpersonatePrivilege	536	B7EB.exe
Token: SeCreateGlobalPrivilege	536	B7EB.exe
Token: 31	536	B7EB.exe
Token: 32	536	B7EB.exe
Token: 33	536	B7EB.exe
Token: 34	536	B7EB.exe
Token: 35	536	B7EB.exe
Token: SeDebugPrivilege	4880	taskkill.exe
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

chrome.exechrome.exe

pid	process
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exechrome.exe

pid	process
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
1408	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe
8556	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3BF0.exeregsvr32.exe937A.exe937A.exe937A.exe937A.exeB7EB.execmd.exebuild2.exe

description	pid	process	target process
PID 2576 wrote to memory of 2804	2576		3BF0.exe
PID 2576 wrote to memory of 2804	2576		3BF0.exe
PID 2576 wrote to memory of 2804	2576		3BF0.exe
PID 2804 wrote to memory of 101740	2804	3BF0.exe	AppLaunch.exe
PID 2804 wrote to memory of 101740	2804	3BF0.exe	AppLaunch.exe
PID 2804 wrote to memory of 101740	2804	3BF0.exe	AppLaunch.exe
PID 2804 wrote to memory of 101740	2804	3BF0.exe	AppLaunch.exe
PID 2804 wrote to memory of 101740	2804	3BF0.exe	AppLaunch.exe
PID 2576 wrote to memory of 101956	2576		5DFF.exe
PID 2576 wrote to memory of 101956	2576		5DFF.exe
PID 2576 wrote to memory of 101956	2576		5DFF.exe
PID 2576 wrote to memory of 102032	2576		62A4.exe
PID 2576 wrote to memory of 102032	2576		62A4.exe
PID 2576 wrote to memory of 102032	2576		62A4.exe
PID 2576 wrote to memory of 102372	2576		regsvr32.exe
PID 2576 wrote to memory of 102372	2576		regsvr32.exe
PID 102372 wrote to memory of 102396	102372	regsvr32.exe	regsvr32.exe
PID 102372 wrote to memory of 102396	102372	regsvr32.exe	regsvr32.exe
PID 102372 wrote to memory of 102396	102372	regsvr32.exe	regsvr32.exe
PID 2576 wrote to memory of 101812	2576		937A.exe
PID 2576 wrote to memory of 101812	2576		937A.exe
PID 2576 wrote to memory of 101812	2576		937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 101812 wrote to memory of 3980	101812	937A.exe	937A.exe
PID 3980 wrote to memory of 3316	3980	937A.exe	icacls.exe
PID 3980 wrote to memory of 3316	3980	937A.exe	icacls.exe
PID 3980 wrote to memory of 3316	3980	937A.exe	icacls.exe
PID 3980 wrote to memory of 4400	3980	937A.exe	937A.exe
PID 3980 wrote to memory of 4400	3980	937A.exe	937A.exe
PID 3980 wrote to memory of 4400	3980	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 4400 wrote to memory of 1016	4400	937A.exe	937A.exe
PID 2576 wrote to memory of 536	2576		B7EB.exe
PID 2576 wrote to memory of 536	2576		B7EB.exe
PID 2576 wrote to memory of 536	2576		B7EB.exe
PID 1016 wrote to memory of 1296	1016	937A.exe	build2.exe
PID 1016 wrote to memory of 1296	1016	937A.exe	build2.exe
PID 1016 wrote to memory of 1296	1016	937A.exe	build2.exe
PID 536 wrote to memory of 3516	536	B7EB.exe	cmd.exe
PID 536 wrote to memory of 3516	536	B7EB.exe	cmd.exe
PID 536 wrote to memory of 3516	536	B7EB.exe	cmd.exe
PID 3516 wrote to memory of 4880	3516	cmd.exe	taskkill.exe
PID 3516 wrote to memory of 4880	3516	cmd.exe	taskkill.exe
PID 3516 wrote to memory of 4880	3516	cmd.exe	taskkill.exe
PID 2576 wrote to memory of 3088	2576		CAE7.exe
PID 2576 wrote to memory of 3088	2576		CAE7.exe
PID 2576 wrote to memory of 3088	2576		CAE7.exe
PID 1296 wrote to memory of 3452	1296	build2.exe	build2.exe

C:\Users\Admin\AppData\Local\Temp\566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe
"C:\Users\Admin\AppData\Local\Temp\566e9b735f5b0c644a29c22260a003d9a2fc29939807cb23ee34fc33e7beee9b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1748

C:\Users\Admin\AppData\Local\Temp\3BF0.exe
C:\Users\Admin\AppData\Local\Temp\3BF0.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:101740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 98420
2⤵
- Program crash
PID:101860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 212 -p 2804 -ip 2804
1⤵
PID:101812

C:\Users\Admin\AppData\Local\Temp\5DFF.exe
C:\Users\Admin\AppData\Local\Temp\5DFF.exe
1⤵
- Executes dropped EXE
PID:101956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 101956 -s 340
2⤵
- Program crash
PID:102208

C:\Users\Admin\AppData\Local\Temp\62A4.exe
C:\Users\Admin\AppData\Local\Temp\62A4.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:102032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 101956 -ip 101956
1⤵
PID:102188

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8BF7.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:102372

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\8BF7.dll
2⤵
- Loads dropped DLL
PID:102396

C:\Users\Admin\AppData\Local\Temp\937A.exe
C:\Users\Admin\AppData\Local\Temp\937A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:101812

C:\Users\Admin\AppData\Local\Temp\937A.exe
C:\Users\Admin\AppData\Local\Temp\937A.exe
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ccca4610-3070-4d47-b72e-938255b6473b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3316

C:\Users\Admin\AppData\Local\Temp\937A.exe
"C:\Users\Admin\AppData\Local\Temp\937A.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\937A.exe
"C:\Users\Admin\AppData\Local\Temp\937A.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\77a322fa-d9e6-43e4-a311-1047c1ba8ce3\build2.exe
"C:\Users\Admin\AppData\Local\77a322fa-d9e6-43e4-a311-1047c1ba8ce3\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\77a322fa-d9e6-43e4-a311-1047c1ba8ce3\build2.exe
"C:\Users\Admin\AppData\Local\77a322fa-d9e6-43e4-a311-1047c1ba8ce3\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:3452

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\77a322fa-d9e6-43e4-a311-1047c1ba8ce3\build2.exe" & del C:\PrograData\*.dll & exit
7⤵
PID:5392

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:5476

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5512

C:\Users\Admin\AppData\Local\Temp\B7EB.exe
C:\Users\Admin\AppData\Local\Temp\B7EB.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8151b4f50,0x7ff8151b4f60,0x7ff8151b4f70
3⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1696 /prefetch:2
3⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1924 /prefetch:8
3⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2332 /prefetch:8
3⤵
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
3⤵
PID:5164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
3⤵
PID:5156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
3⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
3⤵
PID:5408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
3⤵
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
3⤵
PID:5620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5012 /prefetch:8
3⤵
PID:5676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
3⤵
PID:5728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8
3⤵
PID:6808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
3⤵
PID:6840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:8
3⤵
PID:6856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
3⤵
PID:6980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 /prefetch:8
3⤵
PID:7052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,773061162929864292,8260973399924444007,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
3⤵
PID:7152

C:\Users\Admin\AppData\Local\Temp\CAE7.exe
C:\Users\Admin\AppData\Local\Temp\CAE7.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\CF0F.exe
C:\Users\Admin\AppData\Local\Temp\CF0F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\D346.exe
C:\Users\Admin\AppData\Local\Temp\D346.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\DD59.exe
C:\Users\Admin\AppData\Local\Temp\DD59.exe
1⤵
- Executes dropped EXE
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 272
2⤵
- Program crash
PID:6096

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5812

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5132 -ip 5132
1⤵
PID:6068

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6156

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6340

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6604

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6784

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7112

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7264

C:\Users\Admin\AppData\Local\Temp\2AED.exe
C:\Users\Admin\AppData\Local\Temp\2AED.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:7340

C:\Users\Admin\AppData\Local\Temp\2AED.exe
"C:\Users\Admin\AppData\Local\Temp\2AED.exe" -h
2⤵
- Executes dropped EXE
PID:7436

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:7536

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:7552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7552 -s 608
3⤵
- Program crash
PID:7596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 7552 -ip 7552
1⤵
PID:7576

C:\Users\Admin\AppData\Local\Temp\361A.exe
C:\Users\Admin\AppData\Local\Temp\361A.exe
1⤵
- Executes dropped EXE
PID:7628

C:\Users\Admin\AppData\Local\Temp\361A.exe
"C:\Users\Admin\AppData\Local\Temp\361A.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:7912

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:8212

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:8264

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:8308

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:8400

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:8432

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:8508

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:9512

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
4⤵
PID:9648

C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
- Launches sc.exe
PID:9728

C:\Users\Admin\AppData\Local\Temp\3B5B.exe
C:\Users\Admin\AppData\Local\Temp\3B5B.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:7660

C:\Users\Admin\AppData\Local\Temp\3B5B.exe
"C:\Users\Admin\AppData\Local\Temp\3B5B.exe" -h
2⤵
- Executes dropped EXE
PID:7736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7884

C:\Users\Admin\AppData\Local\Temp\43D7.exe
C:\Users\Admin\AppData\Local\Temp\43D7.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:7940

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:8096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:8144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:8556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8151b4f50,0x7ff8151b4f60,0x7ff8151b4f70
3⤵
PID:8572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1764 /prefetch:8
3⤵
PID:8720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1716 /prefetch:2
3⤵
PID:8712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:8
3⤵
PID:8872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
3⤵
PID:8860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
3⤵
PID:8848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
3⤵
PID:8952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
3⤵
PID:9096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 /prefetch:8
3⤵
PID:9244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5216 /prefetch:8
3⤵
PID:9328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5260 /prefetch:8
3⤵
PID:9344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
3⤵
PID:9336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,3706869727894597319,6756648041178447964,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
3⤵
PID:9440

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:8000

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:8012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 608
3⤵
- Program crash
PID:8056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 8012 -ip 8012
1⤵
PID:8040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8916

C:\Users\Admin\AppData\Local\Temp\7BC1.exe
C:\Users\Admin\AppData\Local\Temp\7BC1.exe
1⤵
- Executes dropped EXE
PID:9576

C:\Users\Admin\AppData\Local\Temp\7BC1.exe
"C:\Users\Admin\AppData\Local\Temp\7BC1.exe"
2⤵
- Executes dropped EXE
PID:9836

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9600

C:\Users\Admin\AppData\Local\Temp\8BA0.exe
C:\Users\Admin\AppData\Local\Temp\8BA0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9876 -s 760
2⤵
- Program crash
PID:10096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 9876 -ip 9876
1⤵
PID:10076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:10148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10148 -s 872
2⤵
- Program crash
PID:10200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 10148 -ip 10148
1⤵
PID:10180

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
Filesize
19KB

MD5
0d3f3433dbce2df1c3e7087e343e962c

SHA1
6017eff323f9e59c8f048765d7060c187c34841a

SHA256
772c9b0bfbcd7764d1dcbedd9161de27397aec147d1d2e06e996026f8807ca4e

SHA512
ba6dbffdd01947b9d31a76846906a09c192984a5eb7ef1fda616b33667be0f4e28fbe48d2eb17c07c5bbd9a550c262568d81994249c26798603d736bcefe3995

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
215064dd8b4566627489319b46e9ca43

SHA1
7fa698eef5f02a961b5862df135d7ebfd8a12292

SHA256
390f76fdb79029603900524df2f0fbfd05bf18a3bbc74b9b05b2a6dc5938393c

SHA512
2a5b12b41d728ce30f1712d23226bbefe73111b786156b97126d6497ef234e78feaf6db08c7412eaa336c869b93ab239cd46b33cc31ff2c8497214cba5927753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
7c27ffae0cbd6d55b86f387667635294

SHA1
6df10a537a970852086711da85ae84f7355bff72

SHA256
b6a9400010fea1af51104c2b48fdd4383d8b7a81bd62a22c188db3cdb7413503

SHA512
140752fd448ed5cd01c5463d67b7dd2c5c111fd4256d3686b792bc0ff788bed49fdfe901402fdb080b9a6c0789725dda6256280120fadc5aca1f127a552e13d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
5157233536fda441b95750e51e0bc93d

SHA1
3417451385ad7bdfa4ddd55da7ea03105dce0824

SHA256
c99397c673230c51c7b2b190200c7cd288eb5e26299248f4f3b826229ec06bf1

SHA512
d83c0137b4b41133532877dd1d38f6552b93f2b0759a7d28865cbebabf9017b3a471c8bf6b9f7c665b6ccda401e4ec5abd6927b2540b7dbed0c7a1454035a2e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
a844b02be0bd334b92188c9d53da7964

SHA1
df0cf772c454d33e2cba2dd768feb14d79389f31

SHA256
81a3472f89905a4ed919ea75262c208d0d485c9d3a1ef29f445e26a994cbd76d

SHA512
4f0c00ed3c936f64e9e050aa6237ab8222af818a0f7ec7dcb1d1bed860c079713cec571cc8ba015478f26d28db26058029f86dcea2852cfe615941a261031a46

Download Submit
C:\Users\Admin\AppData\Local\77a322fa-d9e6-43e4-a311-1047c1ba8ce3\build2.exe
Filesize
383KB

MD5
8d7db6982df46c3b0f0cc879d892c08a

SHA1
64e3d7ab4793aeb05d18a82159c579e05c45fd71

SHA256
116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6

SHA512
0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

Download Submit
C:\Users\Admin\AppData\Local\77a322fa-d9e6-43e4-a311-1047c1ba8ce3\build2.exe
Filesize
383KB

MD5
8d7db6982df46c3b0f0cc879d892c08a

SHA1
64e3d7ab4793aeb05d18a82159c579e05c45fd71

SHA256
116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6

SHA512
0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

Download Submit
C:\Users\Admin\AppData\Local\77a322fa-d9e6-43e4-a311-1047c1ba8ce3\build2.exe
Filesize
383KB

MD5
8d7db6982df46c3b0f0cc879d892c08a

SHA1
64e3d7ab4793aeb05d18a82159c579e05c45fd71

SHA256
116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6

SHA512
0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
eb12b384d6265240ddbf17207687c61c

SHA1
22b1587468fb41647d620cc4b0a14cc051a1ecc6

SHA256
c86a931924fbfc684cd0d1d34a29bb0a636f8019a7bf349b2f70ab493db89540

SHA512
a714b887b9931b04eefc2d7c6dd3b34d98c26d5bfd0818f07c68c518cd2a8684f138fa128bc83773b48051f86252bc971b74bbd8be188a5f9cfc9ea39ac799ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
92KB

MD5
44340a4d9c41cd020237781daa541459

SHA1
23026406f4ddad80360dbfb7a92cc656fcd10dea

SHA256
afa4ce85db0c6ff0536993cc0d0accb06962400dc1032e929c2bca66c09fb76e

SHA512
ca6abe0e66c056f8ca8d407cf6517357b5864b0fdc3653e581b8411ceb4695fd16dca2e9c48437a8e2e365c5d9064ce3533376d994cff8e3b018394aae95eb72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
2KB

MD5
97666365f5a60c0019db21bea991eec0

SHA1
0d348c08d1a58f6e3bb6c62b60cb6e968cafbf78

SHA256
0fd5cabf357b48d0cfa6c24dfc5ed92fffeae10f4cbb970ec63d806bd5c3f243

SHA512
007524ebc2e430e75bc56111069c72ee3f32bb67fcd7ac36cf9cd0fcfe422f0ec76df6f2350a64cf3da4b194fd9ae40369705711faa52b27d385c536ba0d22cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2AED.exe
Filesize
84KB

MD5
2f60ef19334491b0800f818fe87c42f9

SHA1
a54541d84ffdd10c71053a4da5d2635129c1a5fa

SHA256
2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095

SHA512
97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2AED.exe
Filesize
84KB

MD5
2f60ef19334491b0800f818fe87c42f9

SHA1
a54541d84ffdd10c71053a4da5d2635129c1a5fa

SHA256
2b29136f3622d331c86855ab5298b22a996d7f894bd45c4d4a61a9460dfe2095

SHA512
97459e126e789b9425e8c6ea4afbc1f61732f98bad1539af6455e7154c72affd2b5ee2a6ad258a0da0fd19fd6b332c797be06aa2a757c0df90eed4f4426d5fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BF0.exe
Filesize
671KB

MD5
b5217bb7be0e5f48d7a63d86ed10d79e

SHA1
8eda656c588396f74c1abeb019992015ec134a0c

SHA256
f1127c9264936045acc1c0f3d10d8683d78c865171a7ef485ecdf5d8aa2704f5

SHA512
1b2ad5d7af43702d065493accd7416df2c258996642d8b472ac54af96a8282c87baf22ae4155a0a490f4ec70498bf6846b364ef6a00cd99a6de2c4e45b7c6144

Download Submit
C:\Users\Admin\AppData\Local\Temp\3BF0.exe
Filesize
671KB

MD5
b5217bb7be0e5f48d7a63d86ed10d79e

SHA1
8eda656c588396f74c1abeb019992015ec134a0c

SHA256
f1127c9264936045acc1c0f3d10d8683d78c865171a7ef485ecdf5d8aa2704f5

SHA512
1b2ad5d7af43702d065493accd7416df2c258996642d8b472ac54af96a8282c87baf22ae4155a0a490f4ec70498bf6846b364ef6a00cd99a6de2c4e45b7c6144

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DFF.exe
Filesize
243KB

MD5
e217d6bc93ea9a438bcb2de790e28b8c

SHA1
8f8e486908f85f3d79e7b046761737cae7cdb1b5

SHA256
0ad21ef01587dcaf115b17d5050fa6d3ee9d26c927d9e94af285b728e151c163

SHA512
091cd0635f287edad984c47d42f0866f4cd110f9d945662b2ae70c92bf2fa3c093b391526c5d3f137acf3f1b8e12acf0dd1ea954054f1b37c9c960ead109074f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DFF.exe
Filesize
243KB

MD5
e217d6bc93ea9a438bcb2de790e28b8c

SHA1
8f8e486908f85f3d79e7b046761737cae7cdb1b5

SHA256
0ad21ef01587dcaf115b17d5050fa6d3ee9d26c927d9e94af285b728e151c163

SHA512
091cd0635f287edad984c47d42f0866f4cd110f9d945662b2ae70c92bf2fa3c093b391526c5d3f137acf3f1b8e12acf0dd1ea954054f1b37c9c960ead109074f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62A4.exe
Filesize
210KB

MD5
250f7a54f9bbd18c111ecf63ac226909

SHA1
db63b9a8bb1edf6f42a4fdbd8369060c66a5d6d8

SHA256
0811b6b50d68c34e17270aa6829d5ade57f52d35852ad798626964b96d671584

SHA512
b2edb82fca10ee4de2c844e0d8d9917beb33594e0915a3120383c75d2036419ee71b3847aaf0e8c46a94fff1e958b079495af8de42d2887ef866bf2a09ee3342

Download Submit
C:\Users\Admin\AppData\Local\Temp\62A4.exe
Filesize
210KB

MD5
250f7a54f9bbd18c111ecf63ac226909

SHA1
db63b9a8bb1edf6f42a4fdbd8369060c66a5d6d8

SHA256
0811b6b50d68c34e17270aa6829d5ade57f52d35852ad798626964b96d671584

SHA512
b2edb82fca10ee4de2c844e0d8d9917beb33594e0915a3120383c75d2036419ee71b3847aaf0e8c46a94fff1e958b079495af8de42d2887ef866bf2a09ee3342

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BF7.dll
Filesize
1.7MB

MD5
e62500fbfcf2ca07201bec90256359ed

SHA1
02a4db1e53e6805d6b9e4492692b654f853a7b42

SHA256
2dedf7d9eac9537569c6ab778b6386b2d7df3d0441238dde5452c2ed7ecb88ca

SHA512
4ab423221e78c64672f1865e58f53cd1ed0a6dd40eafb00e1e29702288231ed4e28575213601c00ca765177b6c9105590ddefd68b99dad975739e88f136a9735

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BF7.dll
Filesize
1.7MB

MD5
e62500fbfcf2ca07201bec90256359ed

SHA1
02a4db1e53e6805d6b9e4492692b654f853a7b42

SHA256
2dedf7d9eac9537569c6ab778b6386b2d7df3d0441238dde5452c2ed7ecb88ca

SHA512
4ab423221e78c64672f1865e58f53cd1ed0a6dd40eafb00e1e29702288231ed4e28575213601c00ca765177b6c9105590ddefd68b99dad975739e88f136a9735

Download Submit
C:\Users\Admin\AppData\Local\Temp\937A.exe
Filesize
718KB

MD5
025ad42411f9cdade15865b6f919e088

SHA1
6e232fb741de630efe4ff7300f82358abfebc3e6

SHA256
2bbf6f031519e3a719c717075fa6e95349913c4279be2a6e69ce6d7760f8e5e2

SHA512
df36f5731739565df5a18b36499cc4fbfdeee4388f891d53719af8eee0c44c473046a934cd8338337c0ed138d69444f520f18dd0181f8ad83b4cc404e256e5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\937A.exe
Filesize
718KB

MD5
025ad42411f9cdade15865b6f919e088

SHA1
6e232fb741de630efe4ff7300f82358abfebc3e6

SHA256
2bbf6f031519e3a719c717075fa6e95349913c4279be2a6e69ce6d7760f8e5e2

SHA512
df36f5731739565df5a18b36499cc4fbfdeee4388f891d53719af8eee0c44c473046a934cd8338337c0ed138d69444f520f18dd0181f8ad83b4cc404e256e5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\937A.exe
Filesize
718KB

MD5
025ad42411f9cdade15865b6f919e088

SHA1
6e232fb741de630efe4ff7300f82358abfebc3e6

SHA256
2bbf6f031519e3a719c717075fa6e95349913c4279be2a6e69ce6d7760f8e5e2

SHA512
df36f5731739565df5a18b36499cc4fbfdeee4388f891d53719af8eee0c44c473046a934cd8338337c0ed138d69444f520f18dd0181f8ad83b4cc404e256e5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\937A.exe
Filesize
718KB

MD5
025ad42411f9cdade15865b6f919e088

SHA1
6e232fb741de630efe4ff7300f82358abfebc3e6

SHA256
2bbf6f031519e3a719c717075fa6e95349913c4279be2a6e69ce6d7760f8e5e2

SHA512
df36f5731739565df5a18b36499cc4fbfdeee4388f891d53719af8eee0c44c473046a934cd8338337c0ed138d69444f520f18dd0181f8ad83b4cc404e256e5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\937A.exe
Filesize
718KB

MD5
025ad42411f9cdade15865b6f919e088

SHA1
6e232fb741de630efe4ff7300f82358abfebc3e6

SHA256
2bbf6f031519e3a719c717075fa6e95349913c4279be2a6e69ce6d7760f8e5e2

SHA512
df36f5731739565df5a18b36499cc4fbfdeee4388f891d53719af8eee0c44c473046a934cd8338337c0ed138d69444f520f18dd0181f8ad83b4cc404e256e5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7EB.exe
Filesize
675KB

MD5
1209eb5280434f121fa888e5d9665bef

SHA1
d85f7e6ab0486f32bc51c772215488dcfb299941

SHA256
30a2d83678b8e9a39debd957bf3e4dea8d97423fe19ca7b21a87ff1434f9b3d3

SHA512
79cdf89289871b1a89b65bb36353437d4c2fa11fb0bc6a4c60affc43ad1eab6d836c17a9a0bccdbaff365713b508b130af9eda338acb08d03af8fad0a1fa5c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7EB.exe
Filesize
675KB

MD5
1209eb5280434f121fa888e5d9665bef

SHA1
d85f7e6ab0486f32bc51c772215488dcfb299941

SHA256
30a2d83678b8e9a39debd957bf3e4dea8d97423fe19ca7b21a87ff1434f9b3d3

SHA512
79cdf89289871b1a89b65bb36353437d4c2fa11fb0bc6a4c60affc43ad1eab6d836c17a9a0bccdbaff365713b508b130af9eda338acb08d03af8fad0a1fa5c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE7.exe
Filesize
466KB

MD5
d25181138b1295651d9440faa881a5e8

SHA1
bf0a5ce2bfc3a6d235f1a6c328d3246b6484b432

SHA256
a002edc2b66f33a02c1292cc95567d487b3ef5c76acc6146b25c8ad7c4d7bf93

SHA512
6ed0a3e9299d10c28c59630bb153b299fc9479667da0cc17be5f55eacd12a7e20651dc2bf69c7e6c69e2e09011720f6c738fa991e3c3670e5f05a1a29885e2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE7.exe
Filesize
466KB

MD5
d25181138b1295651d9440faa881a5e8

SHA1
bf0a5ce2bfc3a6d235f1a6c328d3246b6484b432

SHA256
a002edc2b66f33a02c1292cc95567d487b3ef5c76acc6146b25c8ad7c4d7bf93

SHA512
6ed0a3e9299d10c28c59630bb153b299fc9479667da0cc17be5f55eacd12a7e20651dc2bf69c7e6c69e2e09011720f6c738fa991e3c3670e5f05a1a29885e2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF0F.exe
Filesize
436KB

MD5
626f70b80df56306653bf1fa4bbe2f0f

SHA1
da47e5a88190eefee1e37a1d78152bafd32bb176

SHA256
2cfc599ed129c7805a74b57c6b4361e02e5f5f442ecacb2bde327791154575f5

SHA512
ccbb5d4104fcddf545ab34c93cc4223fc153e4659b3862f4fbfb5e01ae57ba00538f8187660ffea8002a2d0e18b41a1f8a18a43dc48926b7c9bf61bb089b4af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CF0F.exe
Filesize
436KB

MD5
626f70b80df56306653bf1fa4bbe2f0f

SHA1
da47e5a88190eefee1e37a1d78152bafd32bb176

SHA256
2cfc599ed129c7805a74b57c6b4361e02e5f5f442ecacb2bde327791154575f5

SHA512
ccbb5d4104fcddf545ab34c93cc4223fc153e4659b3862f4fbfb5e01ae57ba00538f8187660ffea8002a2d0e18b41a1f8a18a43dc48926b7c9bf61bb089b4af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D346.exe
Filesize
615KB

MD5
bd40b5f8ae13c2a8b23376a86fc44180

SHA1
acc29144ac656c9c6b23a5edf87162d6b3d9e355

SHA256
002d0341d1c38f40a8b28fba9fdc37146cff0fc81c7850400a31da1d7a5ded9b

SHA512
5457e2c0977abb9308169402881d2bca60a535c6cfabaa4e4910cd9122722d8341c6e1b375a2a23cf25a4a4e9a3174f1525c8579a7f2357ec1e8953e987eea62

Download Submit
C:\Users\Admin\AppData\Local\Temp\D346.exe
Filesize
615KB

MD5
bd40b5f8ae13c2a8b23376a86fc44180

SHA1
acc29144ac656c9c6b23a5edf87162d6b3d9e355

SHA256
002d0341d1c38f40a8b28fba9fdc37146cff0fc81c7850400a31da1d7a5ded9b

SHA512
5457e2c0977abb9308169402881d2bca60a535c6cfabaa4e4910cd9122722d8341c6e1b375a2a23cf25a4a4e9a3174f1525c8579a7f2357ec1e8953e987eea62

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD59.exe
Filesize
768KB

MD5
1ed1a6c53ec37af6a2df99a410159174

SHA1
e18361a961757ae7c494ea885cec219193fa1373

SHA256
b1a104adf3ad1846195ffb5213106fc76a29b4d5edcfd9bf1c4a142cceeb13b4

SHA512
7d45162a5d704853b3fca3116d7fabb759419ef4647cd699173e29ca0b489b4463d480f5f4956744fee77af6e9e3c8677ca530d325f6c8e5a9d3639aa3db3a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD59.exe
Filesize
768KB

MD5
1ed1a6c53ec37af6a2df99a410159174

SHA1
e18361a961757ae7c494ea885cec219193fa1373

SHA256
b1a104adf3ad1846195ffb5213106fc76a29b4d5edcfd9bf1c4a142cceeb13b4

SHA512
7d45162a5d704853b3fca3116d7fabb759419ef4647cd699173e29ca0b489b4463d480f5f4956744fee77af6e9e3c8677ca530d325f6c8e5a9d3639aa3db3a25

Download Submit
C:\Users\Admin\AppData\Local\ccca4610-3070-4d47-b72e-938255b6473b\937A.exe
Filesize
718KB

MD5
025ad42411f9cdade15865b6f919e088

SHA1
6e232fb741de630efe4ff7300f82358abfebc3e6

SHA256
2bbf6f031519e3a719c717075fa6e95349913c4279be2a6e69ce6d7760f8e5e2

SHA512
df36f5731739565df5a18b36499cc4fbfdeee4388f891d53719af8eee0c44c473046a934cd8338337c0ed138d69444f520f18dd0181f8ad83b4cc404e256e5d9

Download Submit
\??\pipe\crashpad_1408_HUYHNRAUDXVZHTWA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/536-213-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/536-207-0x0000000000000000-mapping.dmp

Download
memory/536-244-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1016-230-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1016-196-0x0000000000000000-mapping.dmp

Download
memory/1016-199-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1016-201-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1016-206-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1296-210-0x0000000000000000-mapping.dmp

Download
memory/1296-223-0x0000000000BC8000-0x0000000000BF4000-memory.dmp

Filesize
176KB

Download
memory/1296-225-0x00000000009B0000-0x00000000009F9000-memory.dmp

Filesize
292KB

Download
memory/1748-133-0x00000000008C0000-0x00000000008C9000-memory.dmp

Filesize
36KB

Download
memory/1748-132-0x0000000000908000-0x0000000000919000-memory.dmp

Filesize
68KB

Download
memory/1748-135-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1748-134-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2804-136-0x0000000000000000-mapping.dmp

Download
memory/3088-216-0x0000000000000000-mapping.dmp

Download
memory/3316-190-0x0000000000000000-mapping.dmp

Download
memory/3452-220-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3452-262-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3452-224-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3452-222-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3452-219-0x0000000000000000-mapping.dmp

Download
memory/3452-226-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3516-214-0x0000000000000000-mapping.dmp

Download
memory/3588-231-0x0000000000000000-mapping.dmp

Download
memory/3980-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3980-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3980-180-0x0000000000000000-mapping.dmp

Download
memory/3980-181-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3980-195-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3980-186-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4400-200-0x000000000478F000-0x0000000004820000-memory.dmp

Filesize
580KB

Download
memory/4400-193-0x0000000000000000-mapping.dmp

Download
memory/4592-235-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4592-281-0x0000000006DE0000-0x0000000006E30000-memory.dmp

Filesize
320KB

Download
memory/4592-234-0x0000000000000000-mapping.dmp

Download
memory/4804-272-0x0000000006EF0000-0x0000000006F66000-memory.dmp

Filesize
472KB

Download
memory/4804-274-0x0000000006E30000-0x0000000006E4E000-memory.dmp

Filesize
120KB

Download
memory/4804-246-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4804-245-0x0000000000000000-mapping.dmp

Download
memory/4880-215-0x0000000000000000-mapping.dmp

Download
memory/5032-227-0x0000000000000000-mapping.dmp

Download
memory/5132-278-0x00000000025A0000-0x00000000026A4000-memory.dmp

Filesize
1.0MB

Download
memory/5132-279-0x0000000000400000-0x00000000008C3000-memory.dmp

Filesize
4.8MB

Download
memory/5132-277-0x00000000023C1000-0x0000000002454000-memory.dmp

Filesize
588KB

Download
memory/5132-257-0x0000000000000000-mapping.dmp

Download
memory/5392-261-0x0000000000000000-mapping.dmp

Download
memory/5476-267-0x0000000000000000-mapping.dmp

Download
memory/5512-268-0x0000000000000000-mapping.dmp

Download
memory/5812-269-0x0000000000000000-mapping.dmp

Download
memory/5812-271-0x0000000000620000-0x000000000062B000-memory.dmp

Filesize
44KB

Download
memory/5812-270-0x0000000000630000-0x0000000000637000-memory.dmp

Filesize
28KB

Download
memory/5812-303-0x0000000000630000-0x0000000000637000-memory.dmp

Filesize
28KB

Download
memory/5904-304-0x0000000000D30000-0x0000000000D39000-memory.dmp

Filesize
36KB

Download
memory/5904-275-0x0000000000D30000-0x0000000000D39000-memory.dmp

Filesize
36KB

Download
memory/5904-273-0x0000000000000000-mapping.dmp

Download
memory/5904-276-0x0000000000D20000-0x0000000000D2F000-memory.dmp

Filesize
60KB

Download
memory/6156-282-0x00000000008E0000-0x00000000008E5000-memory.dmp

Filesize
20KB

Download
memory/6156-305-0x00000000008E0000-0x00000000008E5000-memory.dmp

Filesize
20KB

Download
memory/6156-283-0x00000000008D0000-0x00000000008D9000-memory.dmp

Filesize
36KB

Download
memory/6156-280-0x0000000000000000-mapping.dmp

Download
memory/6340-308-0x00000000007A0000-0x00000000007A6000-memory.dmp

Filesize
24KB

Download
memory/6340-286-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/6340-285-0x00000000007A0000-0x00000000007A6000-memory.dmp

Filesize
24KB

Download
memory/6340-284-0x0000000000000000-mapping.dmp

Download
memory/6604-287-0x0000000000000000-mapping.dmp

Download
memory/6604-311-0x00000000010F0000-0x0000000001112000-memory.dmp

Filesize
136KB

Download
memory/6604-288-0x00000000010F0000-0x0000000001112000-memory.dmp

Filesize
136KB

Download
memory/6604-289-0x00000000010C0000-0x00000000010E7000-memory.dmp

Filesize
156KB

Download
memory/6784-292-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/6784-290-0x0000000000000000-mapping.dmp

Download
memory/6784-291-0x0000000000610000-0x0000000000615000-memory.dmp

Filesize
20KB

Download
memory/7112-314-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/7112-295-0x0000000000450000-0x000000000045B000-memory.dmp

Filesize
44KB

Download
memory/7112-294-0x0000000000460000-0x0000000000466000-memory.dmp

Filesize
24KB

Download
memory/7112-293-0x0000000000000000-mapping.dmp

Download
memory/7220-315-0x0000000000CB0000-0x0000000000CB7000-memory.dmp

Filesize
28KB

Download
memory/7220-299-0x0000000000CA0000-0x0000000000CAD000-memory.dmp

Filesize
52KB

Download
memory/7220-298-0x0000000000CB0000-0x0000000000CB7000-memory.dmp

Filesize
28KB

Download
memory/7220-296-0x0000000000000000-mapping.dmp

Download
memory/7264-301-0x00000000010D0000-0x00000000010D8000-memory.dmp

Filesize
32KB

Download
memory/7264-300-0x0000000000000000-mapping.dmp

Download
memory/7264-302-0x00000000010C0000-0x00000000010CB000-memory.dmp

Filesize
44KB

Download
memory/7340-306-0x0000000000000000-mapping.dmp

Download
memory/7436-310-0x0000000000000000-mapping.dmp

Download
memory/7552-312-0x0000000000000000-mapping.dmp

Download
memory/7628-313-0x0000000000000000-mapping.dmp

Download
memory/7660-316-0x0000000000000000-mapping.dmp

Download
memory/7736-317-0x0000000000000000-mapping.dmp

Download
memory/7912-322-0x0000000000000000-mapping.dmp

Download
memory/7940-324-0x0000000000000000-mapping.dmp

Download
memory/8012-326-0x0000000000000000-mapping.dmp

Download
memory/8096-327-0x0000000000000000-mapping.dmp

Download
memory/8144-328-0x0000000000000000-mapping.dmp

Download
memory/8212-329-0x0000000000000000-mapping.dmp

Download
memory/8264-330-0x0000000000000000-mapping.dmp

Download
memory/8308-332-0x0000000000000000-mapping.dmp

Download
memory/8400-335-0x0000000000000000-mapping.dmp

Download
memory/8432-337-0x0000000000000000-mapping.dmp

Download
memory/8508-339-0x0000000000000000-mapping.dmp

Download
memory/9512-341-0x0000000000000000-mapping.dmp

Download
memory/9576-342-0x0000000000000000-mapping.dmp

Download
memory/9600-344-0x0000000073700000-0x000000007372A000-memory.dmp

Filesize
168KB

Download
memory/9600-343-0x0000000073120000-0x00000000731E1000-memory.dmp

Filesize
772KB

Download
memory/9600-345-0x00000000008D0000-0x0000000000D1C000-memory.dmp

Filesize
4.3MB

Download
memory/9648-346-0x0000000000000000-mapping.dmp

Download
memory/9728-352-0x0000000000000000-mapping.dmp

Download
memory/9836-355-0x0000000000000000-mapping.dmp

Download
memory/9876-358-0x0000000000000000-mapping.dmp

Download
memory/10148-371-0x0000000000000000-mapping.dmp

Download
memory/10228-374-0x0000000000000000-mapping.dmp

Download
memory/101740-154-0x0000000006640000-0x00000000066D2000-memory.dmp

Filesize
584KB

Download
memory/101740-139-0x0000000000000000-mapping.dmp

Download
memory/101740-140-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/101740-145-0x0000000005B30000-0x0000000006148000-memory.dmp

Filesize
6.1MB

Download
memory/101740-146-0x0000000005650000-0x000000000575A000-memory.dmp

Filesize
1.0MB

Download
memory/101740-147-0x0000000005580000-0x0000000005592000-memory.dmp

Filesize
72KB

Download
memory/101740-148-0x00000000055E0000-0x000000000561C000-memory.dmp

Filesize
240KB

Download
memory/101740-160-0x0000000008DC0000-0x00000000092EC000-memory.dmp

Filesize
5.2MB

Download
memory/101740-152-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/101740-153-0x0000000006BF0000-0x0000000007194000-memory.dmp

Filesize
5.6MB

Download
memory/101740-159-0x00000000069B0000-0x0000000006B72000-memory.dmp

Filesize
1.8MB

Download
memory/101812-184-0x00000000046D9000-0x000000000476A000-memory.dmp

Filesize
580KB

Download
memory/101812-185-0x00000000049A0000-0x0000000004ABB000-memory.dmp

Filesize
1.1MB

Download
memory/101812-176-0x0000000000000000-mapping.dmp

Download
memory/101956-149-0x0000000000000000-mapping.dmp

Download
memory/101956-164-0x00000000008A9000-0x00000000008B9000-memory.dmp

Filesize
64KB

Download
memory/101956-165-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/102032-161-0x0000000002BD0000-0x0000000002CD0000-memory.dmp

Filesize
1024KB

Download
memory/102032-163-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/102032-166-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/102032-162-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/102032-155-0x0000000000000000-mapping.dmp

Download
memory/102372-167-0x0000000000000000-mapping.dmp

Download
memory/102396-169-0x0000000000000000-mapping.dmp

Download
memory/102396-171-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/102396-175-0x0000000002910000-0x0000000002916000-memory.dmp

Filesize
24KB

Download
memory/102396-179-0x0000000002BB0000-0x0000000002C6F000-memory.dmp

Filesize
764KB

Download
memory/102396-187-0x0000000002C70000-0x0000000002D19000-memory.dmp

Filesize
676KB

Download