dcrat | 8cb86bbcb25685ceebc56873baf12f6fd9f876c2d196a3e973aa7449108c63d7

Resubmissions

09-09-2022 20:11

220909-yylvzshac6 10

09-09-2022 19:56

220909-ynnxlacgcl 10

Analysis

max time kernel
1800s
max time network
1776s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2022 20:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31e7391507f0770622741989b7b3a00a.exe
Size

210KB
MD5

31e7391507f0770622741989b7b3a00a
SHA1

2d1730f5a123bedc4af5227a8e403878a07bb0b5
SHA256

8cb86bbcb25685ceebc56873baf12f6fd9f876c2d196a3e973aa7449108c63d7
SHA512

240c2a16265d1a78c98354d99582d6aaf4278877e79e80c31c74b52e38e118abb6a271b0f313aa22fa1a529ddc2937667fc1ba628e84dcfd8c40e043b78d6908
SSDEEP

3072:bCqmzqif9dCcCiyAdH3Jqe2KcfCwCllo5Z6:1Af9dCrAhAe2PfCh

Malware Config

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note

ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xuPJqoyzQE Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0557JhyjdA1FW6EW6vvPtmsydtc4cuGx17hzMCbrJ5pTwHxsy

Emails

[email protected]

URLs

https://we.tl/t-xuPJqoyzQE

Extracted

Family

djvu

http://acacaca.org/lancer/get.php

Attributes

extension
.mmdt
offline_id
yd6oYv6aBN90yFzTWdZ34sXSXtXiauzOLXZyWht1
payload_url
http://rgyui.top/dl/build2.exe

http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-xuPJqoyzQE Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0557Jhyjd

rsa_pubkey.plain

Extracted

Family

redline

Botnet

mario_new

176.122.23.55:11768

Attributes

auth_value
eeee8d5fcc3ba3a42094ef260c5bdcb4

Extracted

Family

socelars

https://dfgrthres.s3.eu-west-3.amazonaws.com/asdhs909/

Extracted

Family

redline

Botnet

1337

78.153.144.6:2510

Attributes

auth_value
b0447922bcbc2eda83260a9e7a638f45

Extracted

Family

redline

Botnet

nam5

103.89.90.61:34589

Attributes

auth_value
f23be8e9063fe5d0c6fc3ee8e7d565bd

Extracted

Family

raccoon

Botnet

567d5bff28c2a18132d2f88511f07435

http://116.203.167.5/

http://195.201.248.58/

rc4.plain

Signatures

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

31e7391507f0770622741989b7b3a00a.exeF66D.exeED40.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31e7391507f0770622741989b7b3a00a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	F66D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\77e00c90-fa40-47f5-8f2d-033a4d006b21\\ED40.exe\" --AutoStart"	ED40.exe
8928	schtasks.exe
9280	schtasks.exe

Detected Djvu ransomware 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4600-171-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4600-173-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4600-176-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4528-175-0x00000000048E0000-0x00000000049FB000-memory.dmp	family_djvu
behavioral1/memory/4600-177-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4600-187-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1108-193-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1108-191-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1108-199-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1108-226-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3520-133-0x0000000002BF0000-0x0000000002BF9000-memory.dmp	family_smokeloader
behavioral1/memory/101660-229-0x0000000002BB0000-0x0000000002BB9000-memory.dmp	family_smokeloader

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5884	2332	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6848	2332	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/101460-207-0x0000000000400000-0x0000000000460000-memory.dmp	family_redline
behavioral1/memory/101736-268-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/712-275-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/102068-252-0x0000000000400000-0x000000000058E000-memory.dmp	family_socelars
behavioral1/memory/102068-328-0x0000000000400000-0x000000000058E000-memory.dmp	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 8616 created 8476	8616	svchost.exe	F66D.exe
PID 8616 created 8808	8616	svchost.exe	csrss.exe
PID 8616 created 8808	8616	svchost.exe	csrss.exe
PID 8616 created 8808	8616	svchost.exe	csrss.exe
PID 8616 created 8808	8616	svchost.exe	csrss.exe
PID 8616 created 9936	8616	svchost.exe	f801950a962ddba14caaa44bf084b55c.exe
PID 8616 created 9936	8616	svchost.exe	f801950a962ddba14caaa44bf084b55c.exe

Downloads MZ/PE file

Executes dropped EXE 47 IoCs

Processes:

736B.exeED40.exeED40.exeED40.exeED40.exebuild2.exe14CE.exebuild2.exe2B36.exe5573.exe75AE.exe9BC5.exeA089.exeA2BC.exeA667.exeAA8E.exeB3E6.execlient32.exeC387.exeC387.exe30B9.exe30B9.exe60C3.exeC1DF.exeF66D.exeF66D.execsrss.exeinjector.exetor.exewindefender.exewindefender.exef801950a962ddba14caaa44bf084b55c.exeivdreurctdreurED40.exeED40.exeChromeRecovery.exeivdreurctdreurED40.exeED40.exeED40.exeED40.exeivdreurctdreurED40.exeED40.exe

pid	process
1348	736B.exe
4528	ED40.exe
4600	ED40.exe
1124	ED40.exe
1108	ED40.exe
768	build2.exe
3320	14CE.exe
101560	build2.exe
101660	2B36.exe
101900	5573.exe
101948	75AE.exe
102068	9BC5.exe
102240	A089.exe
102360	A2BC.exe
101520	A667.exe
101628	AA8E.exe
3492	B3E6.exe
3152	client32.exe
1288	C387.exe
5124	C387.exe
6664	30B9.exe
6748	30B9.exe
6948	60C3.exe
8364	C1DF.exe
8476	F66D.exe
8644	F66D.exe
8808	csrss.exe
9164	injector.exe
9328	tor.exe
9728	windefender.exe
9820	windefender.exe
9936	f801950a962ddba14caaa44bf084b55c.exe
10656	ivdreur
10672	ctdreur
11908	ED40.exe
11948	ED40.exe
12976	ChromeRecovery.exe
13144	ivdreur
13160	ctdreur
13344	ED40.exe
13364	ED40.exe
14208	ED40.exe
14348	ED40.exe
15136	ivdreur
15152	ctdreur
15396	ED40.exe
15432	ED40.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

8764 netsh.exe

pid	process
8764	netsh.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ED40.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CheckpointUnlock.png => C:\Users\Admin\Pictures\CheckpointUnlock.png.mmdt	ED40.exe
File renamed	C:\Users\Admin\Pictures\LockSkip.crw => C:\Users\Admin\Pictures\LockSkip.crw.mmdt	ED40.exe
File opened for modification	C:\Users\Admin\Pictures\StartWatch.tiff	ED40.exe
File renamed	C:\Users\Admin\Pictures\StartWatch.tiff => C:\Users\Admin\Pictures\StartWatch.tiff.mmdt	ED40.exe
File renamed	C:\Users\Admin\Pictures\UpdateSplit.crw => C:\Users\Admin\Pictures\UpdateSplit.crw.mmdt	ED40.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9BC5.exe	upx
C:\Users\Admin\AppData\Local\Temp\9BC5.exe	upx
behavioral1/memory/102068-252-0x0000000000400000-0x000000000058E000-memory.dmp	upx
behavioral1/memory/102068-328-0x0000000000400000-0x000000000058E000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\75AE.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\75AE.exe	vmprotect
behavioral1/memory/101948-244-0x0000000140000000-0x0000000140608000-memory.dmp	vmprotect
behavioral1/memory/8364-377-0x0000000140000000-0x0000000140608000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build2.exeB3E6.exeC387.exe30B9.exeED40.exeED40.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	build2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	B3E6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	C387.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	30B9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ED40.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ED40.exe

Drops startup file 1 IoCs

Processes:

B3E6.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunsuport.ini.lnk B3E6.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunsuport.ini.lnk	B3E6.exe

Loads dropped DLL 28 IoCs

Processes:

regsvr32.exebuild2.execlient32.exeAppLaunch.exeAA8E.exerundll32.exerundll32.exetor.exe

pid	process
4368	regsvr32.exe
4368	regsvr32.exe
101560	build2.exe
101560	build2.exe
101560	build2.exe
3152	client32.exe
3152	client32.exe
3152	client32.exe
3152	client32.exe
3152	client32.exe
3152	client32.exe
101684	AppLaunch.exe
101684	AppLaunch.exe
101628	AA8E.exe
101628	AA8E.exe
101628	AA8E.exe
5904	rundll32.exe
6868	rundll32.exe
9328	tor.exe
9328	tor.exe
9328	tor.exe
9328	tor.exe
9328	tor.exe
9328	tor.exe
9328	tor.exe
9328	tor.exe
9328	tor.exe
9328	tor.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4472 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4472	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ED40.exeF66D.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\77e00c90-fa40-47f5-8f2d-033a4d006b21\\ED40.exe\" --AutoStart"	ED40.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	F66D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

89 api.2ip.ua
375 api.2ip.ua
376 api.2ip.ua
405 api.2ip.ua
88 api.2ip.ua
360 api.2ip.ua
361 api.2ip.ua
392 api.2ip.ua
404 api.2ip.ua
99 api.2ip.ua

flow	ioc
89	api.2ip.ua
375	api.2ip.ua
376	api.2ip.ua
405	api.2ip.ua
88	api.2ip.ua
360	api.2ip.ua
361	api.2ip.ua
392	api.2ip.ua
404	api.2ip.ua
99	api.2ip.ua

Suspicious use of SetThreadContext 11 IoCs

Processes:

ED40.exeED40.exe14CE.exebuild2.exeA089.exeA2BC.exeA667.exeED40.exeED40.exeED40.exeED40.exe

description	pid	process	target process
PID 4528 set thread context of 4600	4528	ED40.exe	ED40.exe
PID 1124 set thread context of 1108	1124	ED40.exe	ED40.exe
PID 3320 set thread context of 101460	3320	14CE.exe	AppLaunch.exe
PID 768 set thread context of 101560	768	build2.exe	build2.exe
PID 102240 set thread context of 101736	102240	A089.exe	AppLaunch.exe
PID 102360 set thread context of 712	102360	A2BC.exe	AppLaunch.exe
PID 101520 set thread context of 101684	101520	A667.exe	AppLaunch.exe
PID 11908 set thread context of 11948	11908	ED40.exe	ED40.exe
PID 13344 set thread context of 13364	13344	ED40.exe	ED40.exe
PID 14208 set thread context of 14348	14208	ED40.exe	ED40.exe
PID 15396 set thread context of 15432	15396	ED40.exe	ED40.exe

Drops file in Program Files directory 26 IoCs

Processes:

9BC5.exe60C3.exeelevation_service.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	9BC5.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	9BC5.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	9BC5.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	60C3.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	60C3.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	9BC5.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	9BC5.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	60C3.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	60C3.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	60C3.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	60C3.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\manifest.json	elevation_service.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	9BC5.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	60C3.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	60C3.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	9BC5.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	9BC5.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	9BC5.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	60C3.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	9BC5.exe

Drops file in Windows directory 4 IoCs

Processes:

F66D.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	F66D.exe
File created	C:\Windows\rss\csrss.exe	F66D.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

9420 sc.exe
9804 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
9420	sc.exe
9804	sc.exe

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
396	1348	WerFault.exe	736B.exe
101540	3320	WerFault.exe	14CE.exe
102016	101948	WerFault.exe	75AE.exe
5304	101684	WerFault.exe	AppLaunch.exe
5976	5904	WerFault.exe	rundll32.exe
6284	101628	WerFault.exe	AA8E.exe
6908	6868	WerFault.exe	rundll32.exe
8428	8364	WerFault.exe	C1DF.exe
9040	8840	WerFault.exe	explorer.exe
10780	10672	WerFault.exe	ctdreur
13248	13160	WerFault.exe	ctdreur
15236	15152	WerFault.exe	ctdreur

Checks SCSI registry key(s) 3 TTPs 21 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

31e7391507f0770622741989b7b3a00a.exe2B36.exe5573.exeivdreurtaskmgr.exeivdreurivdreur

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31e7391507f0770622741989b7b3a00a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2B36.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5573.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ivdreur
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ivdreur
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ivdreur
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31e7391507f0770622741989b7b3a00a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5573.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ivdreur
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ivdreur
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ivdreur
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ivdreur
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2B36.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2B36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5573.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ivdreur
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	31e7391507f0770622741989b7b3a00a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ivdreur

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppLaunch.exebuild2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

8928 schtasks.exe
9280 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

5604 timeout.exe
101824 timeout.exe

pid	process
8928	schtasks.exe
9280	schtasks.exe

pid	process
5604	timeout.exe
101824	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

101780 taskkill.exe
101700 taskkill.exe
5400 taskkill.exe
7124 taskkill.exe

pid	process
101780	taskkill.exe
101700	taskkill.exe
5400	taskkill.exe
7124	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies data under HKEY_USERS 64 IoCs

Processes:

F66D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	F66D.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	F66D.exe

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "50"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "650"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000761be9f37eaed8014ca4ad338baed8014ca4ad338baed80114000000
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	197	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	245	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2576

pid	process
2576

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

31e7391507f0770622741989b7b3a00a.exe

pid	process
3520	31e7391507f0770622741989b7b3a00a.exe
3520	31e7391507f0770622741989b7b3a00a.exe
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2576

pid	process
2576

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

31e7391507f0770622741989b7b3a00a.exe2B36.exe5573.exeexplorer.exeexplorer.exe

pid	process
3520	31e7391507f0770622741989b7b3a00a.exe
101660	2B36.exe
101900	5573.exe
2576
2576
2576
2576
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
2576
2576
2576
2576
5512	explorer.exe
5512	explorer.exe
1172	explorer.exe
1172	explorer.exe
5512	explorer.exe
5512	explorer.exe
2576
2576
5512	explorer.exe
5512	explorer.exe
5512	explorer.exe
5512	explorer.exe
2576
2576
5512	explorer.exe
5512	explorer.exe
5512	explorer.exe
5512	explorer.exe
2576
2576
5512	explorer.exe
5512	explorer.exe
5512	explorer.exe
5512	explorer.exe
2576
2576
2576
2576
5512	explorer.exe
5512	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
1172	explorer.exe
5512	explorer.exe
5512	explorer.exe
1172	explorer.exe
1172	explorer.exe
5512	explorer.exe
5512	explorer.exe
5512	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid	process
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
1508	chrome.exe
7164	chrome.exe
7164	chrome.exe
7164	chrome.exe
7164	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeDebugPrivilege	3952	taskmgr.exe
Token: SeSystemProfilePrivilege	3952	taskmgr.exe
Token: SeCreateGlobalPrivilege	3952	taskmgr.exe
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: 33	3952	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3952	taskmgr.exe
Token: SeShutdownPrivilege	2576
Token: SeCreatePagefilePrivilege	2576
Token: SeShutdownPrivilege	2576

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
2576
4848	chrome.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
2576
2576
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe
3952	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exe

pid	process
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
4848	chrome.exe
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576
2576

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

pid process

2576
2576
2576

pid	process
2576
2576
2576

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2576 wrote to memory of 4848	2576		chrome.exe
PID 2576 wrote to memory of 4848	2576		chrome.exe
PID 4848 wrote to memory of 3904	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 3904	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1740	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1668	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1668	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe
PID 4848 wrote to memory of 1276	4848	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe
"C:\Users\Admin\AppData\Local\Temp\31e7391507f0770622741989b7b3a00a.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8580d4f50,0x7ff8580d4f60,0x7ff8580d4f70
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:2
2⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2380 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
2⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:8
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,12665759011627795117,16287781817268950271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
PID:2676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3208

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3952

C:\Users\Admin\AppData\Local\Temp\736B.exe
C:\Users\Admin\AppData\Local\Temp\736B.exe
1⤵
- Executes dropped EXE
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1276
2⤵
- Program crash
PID:396

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B8F1.dll
1⤵
PID:2892

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\B8F1.dll
2⤵
- Loads dropped DLL
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1348 -ip 1348
1⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\ED40.exe
C:\Users\Admin\AppData\Local\Temp\ED40.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4528

C:\Users\Admin\AppData\Local\Temp\ED40.exe
C:\Users\Admin\AppData\Local\Temp\ED40.exe
2⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:4600

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:4472

C:\Users\Admin\AppData\Local\Temp\ED40.exe
"C:\Users\Admin\AppData\Local\Temp\ED40.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1124

C:\Users\Admin\AppData\Local\Temp\ED40.exe
"C:\Users\Admin\AppData\Local\Temp\ED40.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
PID:1108

C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe
"C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:768

C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe
"C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
PID:101560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe" & del C:\PrograData\*.dll & exit
7⤵
PID:101720

C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
8⤵
- Kills process with taskkill
PID:101780

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:101824

C:\Users\Admin\AppData\Local\Temp\14CE.exe
C:\Users\Admin\AppData\Local\Temp\14CE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:101460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 97600
2⤵
- Program crash
PID:101540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3320 -ip 3320
1⤵
PID:101496

C:\Users\Admin\AppData\Local\Temp\2B36.exe
C:\Users\Admin\AppData\Local\Temp\2B36.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:101660

C:\Users\Admin\AppData\Local\Temp\5573.exe
C:\Users\Admin\AppData\Local\Temp\5573.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:101900

C:\Users\Admin\AppData\Local\Temp\75AE.exe
C:\Users\Admin\AppData\Local\Temp\75AE.exe
1⤵
- Executes dropped EXE
PID:101948

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 101948 -s 424
2⤵
- Program crash
PID:102016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 101948 -ip 101948
1⤵
PID:101996

C:\Users\Admin\AppData\Local\Temp\9BC5.exe
C:\Users\Admin\AppData\Local\Temp\9BC5.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:102068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:101584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:101700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8580d4f50,0x7ff8580d4f60,0x7ff8580d4f70
3⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2
3⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
3⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2284 /prefetch:8
3⤵
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
3⤵
PID:5280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
3⤵
PID:5292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
3⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
3⤵
PID:5584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4724 /prefetch:8
3⤵
PID:5700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4072 /prefetch:8
3⤵
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
3⤵
PID:5816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
3⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
3⤵
PID:6380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
3⤵
PID:6412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
3⤵
PID:6456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
3⤵
PID:6488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:8
3⤵
PID:6524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
3⤵
PID:6564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,1080823904366895809,4323297674129791997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1592 /prefetch:8
3⤵
PID:6996

C:\Users\Admin\AppData\Local\Temp\A089.exe
C:\Users\Admin\AppData\Local\Temp\A089.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:102240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:101736

C:\Users\Admin\AppData\Local\Temp\A2BC.exe
C:\Users\Admin\AppData\Local\Temp\A2BC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:102360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\A667.exe
C:\Users\Admin\AppData\Local\Temp\A667.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:101520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:101684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im AppLaunch.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" & del C:\PrograData\*.dll & exit
3⤵
PID:1008

C:\Windows\SysWOW64\taskkill.exe
taskkill /im AppLaunch.exe /f
4⤵
- Kills process with taskkill
PID:5400

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 101684 -s 1932
3⤵
- Program crash
PID:5304

C:\Users\Admin\AppData\Local\Temp\AA8E.exe
C:\Users\Admin\AppData\Local\Temp\AA8E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:101628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 101628 -s 760
2⤵
- Program crash
PID:6284

C:\Users\Admin\AppData\Local\Temp\B3E6.exe
C:\Users\Admin\AppData\Local\Temp\B3E6.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
PID:3492

C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe
"C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2168

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1172

C:\Users\Admin\AppData\Local\Temp\C387.exe
C:\Users\Admin\AppData\Local\Temp\C387.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1288

C:\Users\Admin\AppData\Local\Temp\C387.exe
"C:\Users\Admin\AppData\Local\Temp\C387.exe" -h
2⤵
- Executes dropped EXE
PID:5124

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 101684 -ip 101684
1⤵
PID:5228

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5668

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5792

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:5884

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 600
3⤵
- Program crash
PID:5976

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5904 -ip 5904
1⤵
PID:5952

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6016

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 101628 -ip 101628
1⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\30B9.exe
C:\Users\Admin\AppData\Local\Temp\30B9.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:6664

C:\Users\Admin\AppData\Local\Temp\30B9.exe
"C:\Users\Admin\AppData\Local\Temp\30B9.exe" -h
2⤵
- Executes dropped EXE
PID:6748

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:6848

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:6868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6868 -s 600
3⤵
- Program crash
PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6868 -ip 6868
1⤵
PID:6888

C:\Users\Admin\AppData\Local\Temp\60C3.exe
C:\Users\Admin\AppData\Local\Temp\60C3.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:7064

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:7124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:7164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff867254f50,0x7ff867254f60,0x7ff867254f70
3⤵
PID:7184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1800 /prefetch:8
3⤵
PID:7340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1688 /prefetch:2
3⤵
PID:7332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:8
3⤵
PID:7404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
3⤵
PID:7672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
3⤵
PID:7664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
3⤵
PID:7744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
3⤵
PID:7848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 /prefetch:8
3⤵
PID:7932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
3⤵
PID:8068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
3⤵
PID:8100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
3⤵
PID:8112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8
3⤵
PID:8284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
3⤵
PID:9076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2816 /prefetch:8
3⤵
PID:9228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8
3⤵
PID:9476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:8
3⤵
PID:9628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
3⤵
PID:9880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
3⤵
PID:10168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1596 /prefetch:2
3⤵
PID:10212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
3⤵
PID:10376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1392 /prefetch:8
3⤵
PID:10864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8
3⤵
PID:11592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
3⤵
PID:12452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
3⤵
PID:12888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 /prefetch:8
3⤵
PID:12960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
3⤵
PID:13832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
3⤵
PID:14668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1672,12264205893954131032,1825738882829726117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 /prefetch:8
3⤵
PID:15328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7568

C:\Users\Admin\AppData\Local\Temp\C1DF.exe
C:\Users\Admin\AppData\Local\Temp\C1DF.exe
1⤵
- Executes dropped EXE
PID:8364

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8364 -s 424
2⤵
- Program crash
PID:8428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 8364 -ip 8364
1⤵
PID:8404

C:\Users\Admin\AppData\Local\Temp\F66D.exe
C:\Users\Admin\AppData\Local\Temp\F66D.exe
1⤵
- Executes dropped EXE
PID:8476

C:\Users\Admin\AppData\Local\Temp\F66D.exe
"C:\Users\Admin\AppData\Local\Temp\F66D.exe"
2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:8644

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:8712

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
PID:8764

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
PID:8808

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:8928

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:8960

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:9164

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:9280

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
4⤵
PID:9364

C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
- Launches sc.exe
PID:9420

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:9728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:9788

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:9804

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
4⤵
- Executes dropped EXE
PID:9936

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "csrss" /f
5⤵
PID:10044

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "ScheduledUpdate" /f
5⤵
PID:10092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:8616

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8840 -s 872
2⤵
- Program crash
PID:9040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 8840 -ip 8840
1⤵
PID:9024

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9124

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:9328

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:9820

C:\Users\Admin\AppData\Roaming\ivdreur
C:\Users\Admin\AppData\Roaming\ivdreur
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:10656

C:\Users\Admin\AppData\Roaming\ctdreur
C:\Users\Admin\AppData\Roaming\ctdreur
1⤵
- Executes dropped EXE
PID:10672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10672 -s 340
2⤵
- Program crash
PID:10780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 10672 -ip 10672
1⤵
PID:10760

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:11908

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task
2⤵
- Executes dropped EXE
PID:11948

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:12928

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir12928_733837519\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={89c48b89-bade-467f-9ba6-5dad3cf7c696} --system
2⤵
- Executes dropped EXE
PID:12976

C:\Users\Admin\AppData\Roaming\ivdreur
C:\Users\Admin\AppData\Roaming\ivdreur
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:13144

C:\Users\Admin\AppData\Roaming\ctdreur
C:\Users\Admin\AppData\Roaming\ctdreur
1⤵
- Executes dropped EXE
PID:13160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 13160 -s 312
2⤵
- Program crash
PID:13248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 13160 -ip 13160
1⤵
PID:13224

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:13344

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task
2⤵
- Executes dropped EXE
PID:13364

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:14208

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task
2⤵
- Executes dropped EXE
PID:14348

C:\Users\Admin\AppData\Roaming\ivdreur
C:\Users\Admin\AppData\Roaming\ivdreur
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:15136

C:\Users\Admin\AppData\Roaming\ctdreur
C:\Users\Admin\AppData\Roaming\ctdreur
1⤵
- Executes dropped EXE
PID:15152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 15152 -s 308
2⤵
- Program crash
PID:15236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 15152 -ip 15152
1⤵
PID:15212

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:15396

C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe --Task
2⤵
- Executes dropped EXE
PID:15432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\sqlite3.dll
Filesize
630KB

MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
215064dd8b4566627489319b46e9ca43

SHA1
7fa698eef5f02a961b5862df135d7ebfd8a12292

SHA256
390f76fdb79029603900524df2f0fbfd05bf18a3bbc74b9b05b2a6dc5938393c

SHA512
2a5b12b41d728ce30f1712d23226bbefe73111b786156b97126d6497ef234e78feaf6db08c7412eaa336c869b93ab239cd46b33cc31ff2c8497214cba5927753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
1KB

MD5
0a751af8dec7cee3bcf5b1a312787045

SHA1
482a3e15f36bbb9bfd7d1f46c28978bcc3778de6

SHA256
435533a9bd06ac185c18269e5bd20d15721bb24f4974f09ae10777bcbe60261b

SHA512
84d4b0f742d958773fa2bac487c8f04df1ee28cf213b51a2e7b036d1b583c1797213e9f833d8fe90e6b4257eb7d3f1e75aa9c7e837659ebb98d4f73501170932

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D
Filesize
1KB

MD5
94bb7b19ef48e17751eed332b19aaa74

SHA1
cf003b66ff44c26fa60fa21d83540e0552db82c8

SHA256
c7f950b7e35d8b5d6d60b450e118f30d97e1b5d8934699310b2ff4ec84c916bc

SHA512
5ad11c01e417118e9f45d5e0633b67ae9e8f59f7e94fb01f30f841621ab13a690bed36e4bc55671408096f6e51f72eed6badb6074ab2c1cc49f58adbf187569a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
a6a0160f7dee79a316edde54d910ebaa

SHA1
9b374842b8954e8b27a06f22f1c0de15ea768c31

SHA256
f3646358e7a0d83e1140296fb384dc20e38a165f8f086cf240ace49e27e5b7c0

SHA512
1510a5ac8bb5d3f7a3be3397ef5266861df92bb72d013d8f9432dae8f4310d7d494e67f6b49b712519fb96ef085eb1e233eb8bd4e42bfee10faf0f6da64e4b98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
1KB

MD5
0f659548fdffadc13e95d9f96228d48e

SHA1
65d187f2ccd310e9c7d9b2374fdca882372962dc

SHA256
3f8869afed7cdff14420af9b82b83823f3df3b63a5e5b1e6c4af4bc65162b171

SHA512
37599e87deee460b973f88b91031fbfb156aa68b1314039ab1748bff356210808e78b44b096a55eef7e97fad15ae2b0e3585036faefd8b44f8b76fe112768917

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
e9339a94c679e0b8175865495623293b

SHA1
cda8a83d18b90bb5ea384db0f16d1f7494da1e4f

SHA256
49fb16c5369f16f0f1e26ea890b45b2e2b1dd3fd769999b73d1df68e8ff5224b

SHA512
e3b724a071cbbdf4f69a4cbb88ddfaaf42c46a4ef5706c164a8fc6e135c15b96deade85078921f3ff7f6ed36b6d229852f9ad2ccfb62037fee18c6d2207899b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
450B

MD5
ebfe59c22fe7d0eaa840502169d8e483

SHA1
ea18df8d7de0934f444ad56d8f3bb106d1a00ccb

SHA256
199c935ee9ff8d041c6efebef56ec7d4bb6f68278e9d16645c0b8748851d0d80

SHA512
96e257159061c767ebdefcbd9c16dbb3bedd8503766e49cfd226eb15864de415517bfd93e7a4a4cfd238944015e92a7c8b64a9e5d02b1bf5fe7bad4d8f677bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D
Filesize
474B

MD5
859fa9fa9c01f80587eceb5e131aba60

SHA1
a536af7cadc404a06c5ebbd96e7068d5ce453433

SHA256
9d2efb781da9bc0d288129ddd4f8f4a28f3c459b12a9e31e7f6efc38645fe187

SHA512
ca49d9f63bc9dab9d426f512d15f6ba4649a6ee0fd2423d12e1b3dbca5b4422cadb7607b6db4a08c8f1b783dc5780288c2e580983b57d99903ec439ebd70e193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
e0a6e5edaa81c8c7c6867e617270d1e1

SHA1
d07908a63100d12787a377adea0fa58ec088e4ed

SHA256
94afcda42b4d811bca6d73342409f85256300c9c4cb73efde59724f0ff2b2c7c

SHA512
fa1c6dd9be0eb2cd5487b035e3cc61a7de93bb4d7ecd397cb3c51f16d748188aaef98263b4b4769a06b3cb98aef35b613070796ab244d50e929343e4a69fc171

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
83543062e4bcb4f1ae50eb4f4686d302

SHA1
fa1b490bc2a329bc3d2a4e4f80bf0f36739fd741

SHA256
77fbf1cba5a2d74933f8915c47c3a700073837d294c74d65beb23e7605c407ce

SHA512
bcc71d3a5b22a0876d80170946e41ec807b1b9c5397e3d8728f2d58c240f456ccc281b9ac2e2fa57ff6bf0b27a89c885cead88c72156ca65d9835f252a97b57d

Download Submit
C:\Users\Admin\AppData\Local\77e00c90-fa40-47f5-8f2d-033a4d006b21\ED40.exe
Filesize
725KB

MD5
63fbba2c86860c166b25c7849532c0e1

SHA1
32446a756c0cbf25d358ed5a5285e6588b1fde3e

SHA256
fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa

SHA512
a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
fdb7b41860e6e129b01d357e66781133

SHA1
fd0c4af1a884b188749337f0ee92a1feb2bc68b5

SHA256
49ba4a07016f322c6c78fb7f53f11776cd6655558f987029217a1efadde901da

SHA512
3365b8eaf73503c9a1f64dc71e2924bf224c422f7e138be4b87d20867f28967bd6ec061b56c5dd35ea61d6f4ab982927fcf3cdd35d1a0231e0a2d8b5e01b43c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
92KB

MD5
12769bc4cd44cec7064839508d7217fa

SHA1
334cf07e25dd1979d7e5b65be6966fc5cb1a5488

SHA256
c8c35f9302e39608fa3ae5ffca4a4b8d993721388df6120c2a29df011ca69eeb

SHA512
ab49340368ae340da66617833565f2cce735d6b2484a4da86aef58983dd346ee1f378f2b8cf1c3ffa8f3574da0005148760de054628efc2864dbe45638ddf98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
2KB

MD5
09f87ebf033076d4019bf0a9ee1eb2e9

SHA1
b6f912c024056fd8b8353010f948dcbf3836e54a

SHA256
e9328bdf85ab57bacc3b598afe0f3f5da4bab5fbe43f60a8e11df110ecbb949a

SHA512
c7fd8c5b4a770a85c96da0b4dda5953398456f0d5ed9164b0d795835b338e6e5bb194dbfdde25372813e651730da3ccbd4eacd18f9a8524aa804209fb38d5618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
7b07d0f85b76867011ceee0c1b906350

SHA1
dbdfb3ace24ff0ec4f46029116b8b7a7fdc9d7d7

SHA256
8d820dad44da63c0999e3b5bb79ebf299190d441dd357bae3e29a648d4a2d923

SHA512
ca7c3e70c798f7dcaed3f499ac1281c88feeb86d73c2e6823fd0c4f71dfa3f2d007f01554565f8f3cdbefd1b0042220220c2545a8e937a3da1ac352239f52301

Download Submit
C:\Users\Admin\AppData\Local\Temp\14CE.exe
Filesize
701KB

MD5
e23bcbf0e2d0e527c3ded13c38529e45

SHA1
0743b3295b0b51532541531626884dd39a1caffb

SHA256
1b6e45ac04753507e206951ec78dad28671859ae9de7963799cfb9ddb6715bec

SHA512
c4f5e108f89906c3ebdadf2d147766c34701d88bc858df987138a030399c0760ae94ad8d05576d998dff81b78421a1daa5d911b9c66a50d9557c54cd39dde419

Download Submit
C:\Users\Admin\AppData\Local\Temp\14CE.exe
Filesize
701KB

MD5
e23bcbf0e2d0e527c3ded13c38529e45

SHA1
0743b3295b0b51532541531626884dd39a1caffb

SHA256
1b6e45ac04753507e206951ec78dad28671859ae9de7963799cfb9ddb6715bec

SHA512
c4f5e108f89906c3ebdadf2d147766c34701d88bc858df987138a030399c0760ae94ad8d05576d998dff81b78421a1daa5d911b9c66a50d9557c54cd39dde419

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B36.exe
Filesize
207KB

MD5
f743240965c804b072992fb9c4745da7

SHA1
12f05100ab53dbe2d1424c35c18b82436ea4e49c

SHA256
29d59f7c3921481456a5acb73125f543ff20f7b2b3aa3e03d5ff70fdb6006732

SHA512
69d7e3d7e7a1db994b51355cc834686ff8248bfe87c147e8963e03a9bde489f1973bfd84122eb4dfe89077afdb51b27f17270f2b2274e0d453221039e3dc591c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B36.exe
Filesize
207KB

MD5
f743240965c804b072992fb9c4745da7

SHA1
12f05100ab53dbe2d1424c35c18b82436ea4e49c

SHA256
29d59f7c3921481456a5acb73125f543ff20f7b2b3aa3e03d5ff70fdb6006732

SHA512
69d7e3d7e7a1db994b51355cc834686ff8248bfe87c147e8963e03a9bde489f1973bfd84122eb4dfe89077afdb51b27f17270f2b2274e0d453221039e3dc591c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5573.exe
Filesize
207KB

MD5
327c4866682df9566e7f6379bc3af70d

SHA1
a30b624bd413bfe0910f13ce2fd274e7f913ad3a

SHA256
b534f2d22a5f8a0e2acfdb77bc21e3c13172725a4bb9a8a1e22cf89dfb16a727

SHA512
7e1bfcd8b2c811da59c32bd666da48412a52196592f27237f0f108d1b773eb9338a3f4ba570d1137b1ea09c858577186a3e285cda5df476bc2f498e404a9e048

Download Submit
C:\Users\Admin\AppData\Local\Temp\5573.exe
Filesize
207KB

MD5
327c4866682df9566e7f6379bc3af70d

SHA1
a30b624bd413bfe0910f13ce2fd274e7f913ad3a

SHA256
b534f2d22a5f8a0e2acfdb77bc21e3c13172725a4bb9a8a1e22cf89dfb16a727

SHA512
7e1bfcd8b2c811da59c32bd666da48412a52196592f27237f0f108d1b773eb9338a3f4ba570d1137b1ea09c858577186a3e285cda5df476bc2f498e404a9e048

Download Submit
C:\Users\Admin\AppData\Local\Temp\736B.exe
Filesize
419KB

MD5
7ee26071eccd624c58596bb7e356c8c3

SHA1
2c61201ce36e236c30c350bfae82fa74d21c89cb

SHA256
69fde9e6449ac4f800f47188a10e04db056c0b570876b254c93d3a8d94d2016b

SHA512
7cd53f55077e02d2982c15963da8ad0ccb254063196c21a8cc0803f474a86ddf5e8ba48c4d6b8f74020074b76319fde082fcc12bedd7c69e75e3597f2ec5f562

Download Submit
C:\Users\Admin\AppData\Local\Temp\736B.exe
Filesize
419KB

MD5
7ee26071eccd624c58596bb7e356c8c3

SHA1
2c61201ce36e236c30c350bfae82fa74d21c89cb

SHA256
69fde9e6449ac4f800f47188a10e04db056c0b570876b254c93d3a8d94d2016b

SHA512
7cd53f55077e02d2982c15963da8ad0ccb254063196c21a8cc0803f474a86ddf5e8ba48c4d6b8f74020074b76319fde082fcc12bedd7c69e75e3597f2ec5f562

Download Submit
C:\Users\Admin\AppData\Local\Temp\75AE.exe
Filesize
3.5MB

MD5
5a5818de3886c0ffaa7071e70d003eb6

SHA1
c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e

SHA256
4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2

SHA512
07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\75AE.exe
Filesize
3.5MB

MD5
5a5818de3886c0ffaa7071e70d003eb6

SHA1
c4e62f5c1b674a80fdd48b6fe37e3e59607a7f2e

SHA256
4fac63cb799cc9da04b4332602ad9b4538dd2429ffcf2f8065ec598b2c6aa6a2

SHA512
07ba01218477f3cacd9846b16d9dc742b0e8b4afdca43aba3696b742063316d7fe0c15504c8ebbee20f3f4b42532960698308b45e5d2b55fcc536af28522b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BC5.exe
Filesize
675KB

MD5
9e9e7ad2a575a1ee322b618cb9cfdf05

SHA1
42dba5e712f382a684deb20ededef154c74b24bc

SHA256
1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1

SHA512
0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BC5.exe
Filesize
675KB

MD5
9e9e7ad2a575a1ee322b618cb9cfdf05

SHA1
42dba5e712f382a684deb20ededef154c74b24bc

SHA256
1a90eaf03ec44e61a6ee97be6b8757cc12b9d0a5c2904fa3652d651a92bbd6f1

SHA512
0c48cc0988b1153d5442a0409911be9dbee1db5b2ea1d3f12847b12a4e70eb9416600ee079eac58d0c3ac628d388c6037574278f69d0e8e69f7c9f24a127bc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A089.exe
Filesize
225KB

MD5
5e21b82f9633191086c02370b8e0fcef

SHA1
6922b4babff8a6e7db284b48d24c9e9413dc571e

SHA256
293f76c9298e68bd0a6518479dc1c0a56b9067750b417000622f36974c3adf51

SHA512
0bd3fa11744010c9c49e2cc6d6175b34ef9dd4d72077de2a10c65d9ca0cd779b7e652255288c12a7f52e35581ac57c435383b4c9bbb41c18cb3f61e0603ecc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\A089.exe
Filesize
225KB

MD5
5e21b82f9633191086c02370b8e0fcef

SHA1
6922b4babff8a6e7db284b48d24c9e9413dc571e

SHA256
293f76c9298e68bd0a6518479dc1c0a56b9067750b417000622f36974c3adf51

SHA512
0bd3fa11744010c9c49e2cc6d6175b34ef9dd4d72077de2a10c65d9ca0cd779b7e652255288c12a7f52e35581ac57c435383b4c9bbb41c18cb3f61e0603ecc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2BC.exe
Filesize
195KB

MD5
680941072df99398bee3f58c238c3e78

SHA1
4b74318d563669210fb193abaa90dda3eb98d457

SHA256
d83ad1fabcac2137e84d25d86b6d219eb5d21f9b7f283445494096e81105a9ef

SHA512
29a30bd4434e1c03a741574900795054818fe0b29f9d5060c24b752b3aa6d47f135a325d30630c59ac20444ab8b7dc704438ba32184414b9062963308b67e8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2BC.exe
Filesize
195KB

MD5
680941072df99398bee3f58c238c3e78

SHA1
4b74318d563669210fb193abaa90dda3eb98d457

SHA256
d83ad1fabcac2137e84d25d86b6d219eb5d21f9b7f283445494096e81105a9ef

SHA512
29a30bd4434e1c03a741574900795054818fe0b29f9d5060c24b752b3aa6d47f135a325d30630c59ac20444ab8b7dc704438ba32184414b9062963308b67e8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\A667.exe
Filesize
375KB

MD5
d311d95c1cbae9b5a21e2c52995a2ae6

SHA1
e6334f2bd1a4fc2926acff2888abb6835605ce70

SHA256
33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362

SHA512
abe975a92068a9a77f9e0bff43bc12d66f330e2ae92edc45abc1367168c61477cf6fcba1368e20467576f473aca7d09ad14c97d3417b557f26fb79221a4bcf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\A667.exe
Filesize
375KB

MD5
d311d95c1cbae9b5a21e2c52995a2ae6

SHA1
e6334f2bd1a4fc2926acff2888abb6835605ce70

SHA256
33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362

SHA512
abe975a92068a9a77f9e0bff43bc12d66f330e2ae92edc45abc1367168c61477cf6fcba1368e20467576f473aca7d09ad14c97d3417b557f26fb79221a4bcf24

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA8E.exe
Filesize
206KB

MD5
a84c8e2c77a17507decaca28d86e7d57

SHA1
6afcb4c306e76b9bbd896081240567ea82ff0436

SHA256
5604e7359f09162873d428b90304789ddd59b1dbacfd03e4b4f9735e47c40708

SHA512
07d8a6b2277904cc7dcfbf844dcc5e4c227e55710751ad5c66df48440791e1a1c21e9f23f2e54517edeb736d672d2f064fad1f096d55f61c3867a1e5e69ba85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA8E.exe
Filesize
206KB

MD5
a84c8e2c77a17507decaca28d86e7d57

SHA1
6afcb4c306e76b9bbd896081240567ea82ff0436

SHA256
5604e7359f09162873d428b90304789ddd59b1dbacfd03e4b4f9735e47c40708

SHA512
07d8a6b2277904cc7dcfbf844dcc5e4c227e55710751ad5c66df48440791e1a1c21e9f23f2e54517edeb736d672d2f064fad1f096d55f61c3867a1e5e69ba85c

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3E6.exe
Filesize
2.5MB

MD5
789598a08bc57fea514d9ffd8f072b71

SHA1
7fc3b548b599eca588b54a5d78378be24ba4fc91

SHA256
6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8

SHA512
6bf941b0a72bd9d0ec56b834b9c090d9dbbb4f30e8e63a1d984638e6bfa391d49e99d69cb89ec4de564ed8222dc8ee22ca5708640a52e1e50b8ca1e0d36adf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3E6.exe
Filesize
2.5MB

MD5
789598a08bc57fea514d9ffd8f072b71

SHA1
7fc3b548b599eca588b54a5d78378be24ba4fc91

SHA256
6a9677534228b1e25cb6b978f465b98c19b08844ea9b559e7538f7ff45bb04c8

SHA512
6bf941b0a72bd9d0ec56b834b9c090d9dbbb4f30e8e63a1d984638e6bfa391d49e99d69cb89ec4de564ed8222dc8ee22ca5708640a52e1e50b8ca1e0d36adf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8F1.dll
Filesize
1.2MB

MD5
43aa7572e12c1a6abc3693dc21263f3c

SHA1
03407624fb118ad0ee214a597e034e96da83dc5b

SHA256
3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c

SHA512
f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8F1.dll
Filesize
1.2MB

MD5
43aa7572e12c1a6abc3693dc21263f3c

SHA1
03407624fb118ad0ee214a597e034e96da83dc5b

SHA256
3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c

SHA512
f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

Download Submit
C:\Users\Admin\AppData\Local\Temp\B8F1.dll
Filesize
1.2MB

MD5
43aa7572e12c1a6abc3693dc21263f3c

SHA1
03407624fb118ad0ee214a597e034e96da83dc5b

SHA256
3446ad49d514cc5847556076ec821602a48353fd794647b0df6092a2e5db0e8c

SHA512
f7660d97d2f7882b99d931b13c7a0b5ef74350dffffbdcdad01259e19cbd5fa3d6597c6d96b0fa937a07e6b88f6e977f2e3f1fd1c50dfa22c32151061d773071

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED40.exe
Filesize
725KB

MD5
63fbba2c86860c166b25c7849532c0e1

SHA1
32446a756c0cbf25d358ed5a5285e6588b1fde3e

SHA256
fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa

SHA512
a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED40.exe
Filesize
725KB

MD5
63fbba2c86860c166b25c7849532c0e1

SHA1
32446a756c0cbf25d358ed5a5285e6588b1fde3e

SHA256
fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa

SHA512
a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED40.exe
Filesize
725KB

MD5
63fbba2c86860c166b25c7849532c0e1

SHA1
32446a756c0cbf25d358ed5a5285e6588b1fde3e

SHA256
fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa

SHA512
a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED40.exe
Filesize
725KB

MD5
63fbba2c86860c166b25c7849532c0e1

SHA1
32446a756c0cbf25d358ed5a5285e6588b1fde3e

SHA256
fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa

SHA512
a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED40.exe
Filesize
725KB

MD5
63fbba2c86860c166b25c7849532c0e1

SHA1
32446a756c0cbf25d358ed5a5285e6588b1fde3e

SHA256
fe84604ed272e27b4962752b90be7b12eaf3f056b86aa1f8b05ddf75297b59aa

SHA512
a796874aeb58336591f1120932db96152fb05fac55cbe07855c669cf739f18d656ffb02180fe40c6f706070840ba1e5d13c05d37bd547cc87d87f70c9bd10063

Download Submit
C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe
Filesize
383KB

MD5
8d7db6982df46c3b0f0cc879d892c08a

SHA1
64e3d7ab4793aeb05d18a82159c579e05c45fd71

SHA256
116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6

SHA512
0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

Download Submit
C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe
Filesize
383KB

MD5
8d7db6982df46c3b0f0cc879d892c08a

SHA1
64e3d7ab4793aeb05d18a82159c579e05c45fd71

SHA256
116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6

SHA512
0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

Download Submit
C:\Users\Admin\AppData\Local\c3431e54-b722-41b1-8785-7de30dbab01d\build2.exe
Filesize
383KB

MD5
8d7db6982df46c3b0f0cc879d892c08a

SHA1
64e3d7ab4793aeb05d18a82159c579e05c45fd71

SHA256
116e15e94d70dde65f91f155580bd9b34ff1956b9ebe1a53b6bce912b281c1f6

SHA512
0eeb242e6e1356a2a9e3183f12439ef36fac40e27ac8c0df5f591c7b3c1324145627c92c3fee15aedee2c1e8cc3b966152af73a33196166c2c1bfbbd979bdb5b

Download Submit
C:\Users\Admin\AppData\Roaming\windows_update_253746\PCICL32.dll
Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe
Filesize
109KB

MD5
b2b27ccaded1db8ee341d5bd2c373044

SHA1
1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

SHA256
e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

SHA512
0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

Download Submit
C:\Users\Admin\AppData\Roaming\windows_update_253746\client32.exe
Filesize
109KB

MD5
b2b27ccaded1db8ee341d5bd2c373044

SHA1
1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d

SHA256
e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911

SHA512
0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1

Download Submit
\??\pipe\crashpad_4848_JRVTAXFHQGYDRIPV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/712-275-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/712-273-0x0000000000000000-mapping.dmp

Download
memory/768-200-0x0000000000000000-mapping.dmp

Download
memory/768-215-0x00000000008DA000-0x0000000000906000-memory.dmp

Filesize
176KB

Download
memory/768-217-0x00000000023B0000-0x00000000023F9000-memory.dmp

Filesize
292KB

Download
memory/1008-334-0x0000000000000000-mapping.dmp

Download
memory/1108-193-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1108-191-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1108-226-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1108-199-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1108-188-0x0000000000000000-mapping.dmp

Download
memory/1124-185-0x0000000000000000-mapping.dmp

Download
memory/1124-192-0x0000000002D96000-0x0000000002E28000-memory.dmp

Filesize
584KB

Download
memory/1172-327-0x0000000000000000-mapping.dmp

Download
memory/1172-330-0x0000000000730000-0x0000000000739000-memory.dmp

Filesize
36KB

Download
memory/1172-331-0x0000000000720000-0x000000000072F000-memory.dmp

Filesize
60KB

Download
memory/1288-329-0x0000000000000000-mapping.dmp

Download
memory/1348-151-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/1348-147-0x00000000058B0000-0x0000000005EC8000-memory.dmp

Filesize
6.1MB

Download
memory/1348-148-0x00000000056D0000-0x00000000057DA000-memory.dmp

Filesize
1.0MB

Download
memory/1348-149-0x0000000005800000-0x0000000005812000-memory.dmp

Filesize
72KB

Download
memory/1348-146-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1348-150-0x0000000005820000-0x000000000585C000-memory.dmp

Filesize
240KB

Download
memory/1348-145-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/1348-144-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/1348-143-0x0000000000B10000-0x0000000000B4E000-memory.dmp

Filesize
248KB

Download
memory/1348-142-0x0000000000B79000-0x0000000000BAA000-memory.dmp

Filesize
196KB

Download
memory/1348-139-0x0000000000000000-mapping.dmp

Download
memory/1348-152-0x0000000000B79000-0x0000000000BAA000-memory.dmp

Filesize
196KB

Download
memory/1348-153-0x0000000000B10000-0x0000000000B4E000-memory.dmp

Filesize
248KB

Download
memory/1348-155-0x0000000006930000-0x0000000006AF2000-memory.dmp

Filesize
1.8MB

Download
memory/1348-156-0x0000000006B10000-0x000000000703C000-memory.dmp

Filesize
5.2MB

Download
memory/1348-164-0x0000000000400000-0x000000000086C000-memory.dmp

Filesize
4.4MB

Download
memory/1348-163-0x0000000000B79000-0x0000000000BAA000-memory.dmp

Filesize
196KB

Download
memory/2168-325-0x0000000000E10000-0x0000000000E17000-memory.dmp

Filesize
28KB

Download
memory/2168-326-0x0000000000E00000-0x0000000000E0B000-memory.dmp

Filesize
44KB

Download
memory/2168-309-0x0000000000000000-mapping.dmp

Download
memory/2268-335-0x0000000000E10000-0x0000000000E15000-memory.dmp

Filesize
20KB

Download
memory/2268-336-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download
memory/2268-332-0x0000000000000000-mapping.dmp

Download
memory/2892-157-0x0000000000000000-mapping.dmp

Download
memory/3152-301-0x0000000000000000-mapping.dmp

Download
memory/3320-203-0x0000000000000000-mapping.dmp

Download
memory/3492-288-0x0000000000000000-mapping.dmp

Download
memory/3520-135-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/3520-133-0x0000000002BF0000-0x0000000002BF9000-memory.dmp

Filesize
36KB

Download
memory/3520-134-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/3520-132-0x0000000002D58000-0x0000000002D69000-memory.dmp

Filesize
68KB

Download
memory/3952-137-0x0000000000000000-mapping.dmp

Download
memory/4368-162-0x00000000020E0000-0x000000000221F000-memory.dmp

Filesize
1.2MB

Download
memory/4368-166-0x0000000002680000-0x000000000279C000-memory.dmp

Filesize
1.1MB

Download
memory/4368-184-0x0000000002680000-0x000000000279C000-memory.dmp

Filesize
1.1MB

Download
memory/4368-165-0x0000000002440000-0x000000000255C000-memory.dmp

Filesize
1.1MB

Download
memory/4368-179-0x00000000027A0000-0x0000000002849000-memory.dmp

Filesize
676KB

Download
memory/4368-159-0x0000000000000000-mapping.dmp

Download
memory/4368-178-0x0000000002000000-0x00000000020BE000-memory.dmp

Filesize
760KB

Download
memory/4472-182-0x0000000000000000-mapping.dmp

Download
memory/4528-174-0x00000000046F1000-0x0000000004783000-memory.dmp

Filesize
584KB

Download
memory/4528-167-0x0000000000000000-mapping.dmp

Download
memory/4528-175-0x00000000048E0000-0x00000000049FB000-memory.dmp

Filesize
1.1MB

Download
memory/4600-173-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4600-187-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4600-177-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4600-171-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4600-176-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4600-170-0x0000000000000000-mapping.dmp

Download
memory/5124-333-0x0000000000000000-mapping.dmp

Download
memory/5400-337-0x0000000000000000-mapping.dmp

Download
memory/5512-338-0x0000000000000000-mapping.dmp

Download
memory/5512-340-0x0000000000D90000-0x0000000000D96000-memory.dmp

Filesize
24KB

Download
memory/5512-341-0x0000000000D80000-0x0000000000D8C000-memory.dmp

Filesize
48KB

Download
memory/5604-339-0x0000000000000000-mapping.dmp

Download
memory/5668-342-0x0000000000000000-mapping.dmp

Download
memory/5668-343-0x0000000001120000-0x0000000001142000-memory.dmp

Filesize
136KB

Download
memory/5668-344-0x00000000010F0000-0x0000000001117000-memory.dmp

Filesize
156KB

Download
memory/5792-348-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download
memory/5792-345-0x0000000000000000-mapping.dmp

Download
memory/5792-347-0x0000000000E10000-0x0000000000E15000-memory.dmp

Filesize
20KB

Download
memory/5904-346-0x0000000000000000-mapping.dmp

Download
memory/5928-349-0x0000000000000000-mapping.dmp

Download
memory/5928-350-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/5928-351-0x0000000000340000-0x000000000034B000-memory.dmp

Filesize
44KB

Download
memory/6016-353-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/6016-354-0x0000000000170000-0x000000000017D000-memory.dmp

Filesize
52KB

Download
memory/6016-352-0x0000000000000000-mapping.dmp

Download
memory/6072-355-0x0000000000000000-mapping.dmp

Download
memory/6664-368-0x0000000000000000-mapping.dmp

Download
memory/6748-369-0x0000000000000000-mapping.dmp

Download
memory/6868-370-0x0000000000000000-mapping.dmp

Download
memory/6948-371-0x0000000000000000-mapping.dmp

Download
memory/7064-373-0x0000000000000000-mapping.dmp

Download
memory/7124-374-0x0000000000000000-mapping.dmp

Download
memory/8364-376-0x0000000000000000-mapping.dmp

Download
memory/8364-377-0x0000000140000000-0x0000000140608000-memory.dmp

Filesize
6.0MB

Download
memory/8476-381-0x0000000000000000-mapping.dmp

Download
memory/8644-384-0x0000000000000000-mapping.dmp

Download
memory/8712-387-0x0000000000000000-mapping.dmp

Download
memory/8764-388-0x0000000000000000-mapping.dmp

Download
memory/8808-390-0x0000000000000000-mapping.dmp

Download
memory/8840-392-0x0000000000000000-mapping.dmp

Download
memory/8928-394-0x0000000000000000-mapping.dmp

Download
memory/8960-395-0x0000000000000000-mapping.dmp

Download
memory/9124-399-0x0000000000000000-mapping.dmp

Download
memory/9164-401-0x0000000000000000-mapping.dmp

Download
memory/9280-403-0x0000000000000000-mapping.dmp

Download
memory/101460-206-0x0000000000000000-mapping.dmp

Download
memory/101460-207-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/101520-259-0x0000000000000000-mapping.dmp

Download
memory/101560-218-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/101560-213-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/101560-216-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/101560-219-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/101560-230-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/101560-212-0x0000000000000000-mapping.dmp

Download
memory/101584-261-0x0000000000000000-mapping.dmp

Download
memory/101628-292-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/101628-299-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/101628-356-0x0000000002DB9000-0x0000000002DCA000-memory.dmp

Filesize
68KB

Download
memory/101628-264-0x0000000000000000-mapping.dmp

Download
memory/101628-291-0x0000000002DB9000-0x0000000002DCA000-memory.dmp

Filesize
68KB

Download
memory/101660-220-0x0000000000000000-mapping.dmp

Download
memory/101660-228-0x0000000002D19000-0x0000000002D2A000-memory.dmp

Filesize
68KB

Download
memory/101660-229-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/101660-234-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/101660-233-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/101660-235-0x0000000002D19000-0x0000000002D2A000-memory.dmp

Filesize
68KB

Download
memory/101684-287-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/101684-305-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/101684-280-0x0000000000000000-mapping.dmp

Download
memory/101684-281-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/101700-263-0x0000000000000000-mapping.dmp

Download
memory/101720-227-0x0000000000000000-mapping.dmp

Download
memory/101736-267-0x0000000000000000-mapping.dmp

Download
memory/101736-268-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/101780-231-0x0000000000000000-mapping.dmp

Download
memory/101824-232-0x0000000000000000-mapping.dmp

Download
memory/101900-240-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/101900-248-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/101900-239-0x0000000002C09000-0x0000000002C1A000-memory.dmp

Filesize
68KB

Download
memory/101900-236-0x0000000000000000-mapping.dmp

Download
memory/101948-244-0x0000000140000000-0x0000000140608000-memory.dmp

Filesize
6.0MB

Download
memory/101948-241-0x0000000000000000-mapping.dmp

Download
memory/102068-252-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/102068-328-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/102068-249-0x0000000000000000-mapping.dmp

Download
memory/102240-253-0x0000000000000000-mapping.dmp

Download
memory/102360-256-0x0000000000000000-mapping.dmp

Download