blacknet | hxxps://github[.]com

max time kernel
163s
max time network
402s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2022 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com

Score

10^/10

blacknet darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

upx_compresser.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

Executes dropped EXE 12 IoCs

Processes:

ChromeRecovery.exesvshost.exejusched.exeWinlockerBuilderv5.exeupx_compresser.exeupx_compresser.exetaskhost.exetaskhost.exesvshost.exeWinlockerBuilderv5.exeupx_compresser.exeupx_compresser.exe

pid	process
4364	ChromeRecovery.exe
1040	svshost.exe
3624	jusched.exe
548	WinlockerBuilderv5.exe
3312	upx_compresser.exe
2816	upx_compresser.exe
5108	taskhost.exe
4340	taskhost.exe
3804	svshost.exe
2520	WinlockerBuilderv5.exe
4784	upx_compresser.exe
4432	upx_compresser.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/548-172-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/2520-181-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/2520-184-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/548-185-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/624-199-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/5080-206-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/624-209-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/5080-211-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/624-214-0x0000000000400000-0x0000000000C89000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svshost.exeupx_compresser.exejusched.exesvshost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	svshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	upx_compresser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	jusched.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	svshost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WinlockerBuilderv5.exeupx_compresser.exejusched.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\Desktop\\WinlockerBuilderv5.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AudioDriver = "C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

upx_compresser.exetaskhost.exeupx_compresser.exe

description	pid	process	target process
PID 3312 set thread context of 2816	3312	upx_compresser.exe	upx_compresser.exe
PID 5108 set thread context of 4340	5108	taskhost.exe	taskhost.exe
PID 4784 set thread context of 4432	4784	upx_compresser.exe	upx_compresser.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\ChromeRecovery.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1392	332	WerFault.exe
3496	624	WerFault.exe	WinlockerBuilderv5.exe
3408	624	WerFault.exe	WinlockerBuilderv5.exe
2228	4388	WerFault.exe	dwm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeupx_compresser.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	upx_compresser.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeWinlockerBuilderv5.exeupx_compresser.exejusched.exe

pid	process
4264	chrome.exe
4264	chrome.exe
3448	chrome.exe
3448	chrome.exe
3088	chrome.exe
3088	chrome.exe
1592	chrome.exe
1592	chrome.exe
4204	chrome.exe
4204	chrome.exe
628	chrome.exe
628	chrome.exe
1152	chrome.exe
1152	chrome.exe
4308	chrome.exe
4308	chrome.exe
3520	chrome.exe
3520	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
4740	chrome.exe
4740	chrome.exe
3480	chrome.exe
3480	chrome.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
3312	upx_compresser.exe
3312	upx_compresser.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe
3624	jusched.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

upx_compresser.exetaskhost.exeupx_compresser.exe

pid process

3312 upx_compresser.exe
5108 taskhost.exe
4784 upx_compresser.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

3448 chrome.exe
3448 chrome.exe
3448 chrome.exe
3448 chrome.exe
3448 chrome.exe
3448 chrome.exe
3448 chrome.exe
3448 chrome.exe
3448 chrome.exe

pid	process
3312	upx_compresser.exe
5108	taskhost.exe
4784	upx_compresser.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WinlockerBuilderv5.exeupx_compresser.exejusched.exetaskhost.exeupx_compresser.exe

description	pid	process
Token: SeDebugPrivilege	2120	WinlockerBuilderv5.exe
Token: SeIncreaseQuotaPrivilege	2816	upx_compresser.exe
Token: SeSecurityPrivilege	2816	upx_compresser.exe
Token: SeTakeOwnershipPrivilege	2816	upx_compresser.exe
Token: SeLoadDriverPrivilege	2816	upx_compresser.exe
Token: SeSystemProfilePrivilege	2816	upx_compresser.exe
Token: SeSystemtimePrivilege	2816	upx_compresser.exe
Token: SeProfSingleProcessPrivilege	2816	upx_compresser.exe
Token: SeIncBasePriorityPrivilege	2816	upx_compresser.exe
Token: SeCreatePagefilePrivilege	2816	upx_compresser.exe
Token: SeBackupPrivilege	2816	upx_compresser.exe
Token: SeRestorePrivilege	2816	upx_compresser.exe
Token: SeShutdownPrivilege	2816	upx_compresser.exe
Token: SeDebugPrivilege	2816	upx_compresser.exe
Token: SeSystemEnvironmentPrivilege	2816	upx_compresser.exe
Token: SeChangeNotifyPrivilege	2816	upx_compresser.exe
Token: SeRemoteShutdownPrivilege	2816	upx_compresser.exe
Token: SeUndockPrivilege	2816	upx_compresser.exe
Token: SeManageVolumePrivilege	2816	upx_compresser.exe
Token: SeImpersonatePrivilege	2816	upx_compresser.exe
Token: SeCreateGlobalPrivilege	2816	upx_compresser.exe
Token: 33	2816	upx_compresser.exe
Token: 34	2816	upx_compresser.exe
Token: 35	2816	upx_compresser.exe
Token: 36	2816	upx_compresser.exe
Token: SeDebugPrivilege	3624	jusched.exe
Token: SeIncreaseQuotaPrivilege	4340	taskhost.exe
Token: SeSecurityPrivilege	4340	taskhost.exe
Token: SeTakeOwnershipPrivilege	4340	taskhost.exe
Token: SeLoadDriverPrivilege	4340	taskhost.exe
Token: SeSystemProfilePrivilege	4340	taskhost.exe
Token: SeSystemtimePrivilege	4340	taskhost.exe
Token: SeProfSingleProcessPrivilege	4340	taskhost.exe
Token: SeIncBasePriorityPrivilege	4340	taskhost.exe
Token: SeCreatePagefilePrivilege	4340	taskhost.exe
Token: SeBackupPrivilege	4340	taskhost.exe
Token: SeRestorePrivilege	4340	taskhost.exe
Token: SeShutdownPrivilege	4340	taskhost.exe
Token: SeDebugPrivilege	4340	taskhost.exe
Token: SeSystemEnvironmentPrivilege	4340	taskhost.exe
Token: SeChangeNotifyPrivilege	4340	taskhost.exe
Token: SeRemoteShutdownPrivilege	4340	taskhost.exe
Token: SeUndockPrivilege	4340	taskhost.exe
Token: SeManageVolumePrivilege	4340	taskhost.exe
Token: SeImpersonatePrivilege	4340	taskhost.exe
Token: SeCreateGlobalPrivilege	4340	taskhost.exe
Token: 33	4340	taskhost.exe
Token: 34	4340	taskhost.exe
Token: 35	4340	taskhost.exe
Token: 36	4340	taskhost.exe
Token: SeIncreaseQuotaPrivilege	4432	upx_compresser.exe
Token: SeSecurityPrivilege	4432	upx_compresser.exe
Token: SeTakeOwnershipPrivilege	4432	upx_compresser.exe
Token: SeLoadDriverPrivilege	4432	upx_compresser.exe
Token: SeSystemProfilePrivilege	4432	upx_compresser.exe
Token: SeSystemtimePrivilege	4432	upx_compresser.exe
Token: SeProfSingleProcessPrivilege	4432	upx_compresser.exe
Token: SeIncBasePriorityPrivilege	4432	upx_compresser.exe
Token: SeCreatePagefilePrivilege	4432	upx_compresser.exe
Token: SeBackupPrivilege	4432	upx_compresser.exe
Token: SeRestorePrivilege	4432	upx_compresser.exe
Token: SeShutdownPrivilege	4432	upx_compresser.exe
Token: SeDebugPrivilege	4432	upx_compresser.exe
Token: SeSystemEnvironmentPrivilege	4432	upx_compresser.exe

Suspicious use of FindShellTrayWindow 47 IoCs

Processes:

chrome.exe

pid	process
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe
3448	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WinlockerBuilderv5.exejusched.exeWinlockerBuilderv5.exetaskhost.exeWinlockerBuilderv5.exe

pid	process
2120	WinlockerBuilderv5.exe
2120	WinlockerBuilderv5.exe
3624	jusched.exe
3624	jusched.exe
548	WinlockerBuilderv5.exe
4340	taskhost.exe
2520	WinlockerBuilderv5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3448 wrote to memory of 2760	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2760	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4432	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4264	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 4264	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe
PID 3448 wrote to memory of 2580	3448	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99e524f50,0x7ff99e524f60,0x7ff99e524f70
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2292 /prefetch:8
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
2⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4292 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:8
2⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4444 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:8
2⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5012 /prefetch:8
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=992 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5252 /prefetch:8
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3172 /prefetch:8
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3232 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3600 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3580 /prefetch:8
2⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
2⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
2⤵
PID:2944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5320 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1548 /prefetch:1
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,7519068249753095537,17993246205359467358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3140

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={890c6fea-1aed-4c02-b82b-2e8ad9f14ba5} --system
2⤵
- Executes dropped EXE
PID:4364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3488

C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
"C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:1040

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:548

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3312

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:5108

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3624

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3804

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:4784

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4020

C:\Users\Admin\Desktop\svchosts.exe
"C:\Users\Admin\Desktop\svchosts.exe"
1⤵
PID:2120

C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
"C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
2⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
3⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
4⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 3008
5⤵
- Program crash
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 2168
5⤵
- Program crash
PID:3408

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
5⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
3⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
4⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
5⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
5⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
6⤵
PID:840

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 7464
4⤵
PID:3748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2932

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4500

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2464

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 332 -ip 332
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 624 -ip 624
1⤵
PID:2128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 332 -s 3504
1⤵
- Program crash
PID:1392

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 624 -ip 624
1⤵
PID:4448

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4388 -s 2112
2⤵
- Program crash
PID:2228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 640 -p 4388 -ip 4388
1⤵
PID:476

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1276

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3140_298319691\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\Desktop\ApproveUnpublish.ADTS
Filesize
501KB

MD5
345d1626dd1c62f33d61c3afae6d0fa1

SHA1
97eccaf72baac11f573a1a69072dfe8f1c093953

SHA256
a7650b274ad98d99fb6480609529929f1ada131010da8324bcc9da18f2476825

SHA512
bf1627207b4f8bb274d2c94f7b1d5d3d04cef5389665b80d8cbfc7c44579f09c041e91838ef77bcb9027020456c668647b2aa5031d36c5947274293d34e7e118

Download Submit
C:\Users\Admin\Desktop\DebugApprove.xltm
Filesize
358KB

MD5
66b808121a50ab6b174f793d84a9f7f4

SHA1
de23daa585b5013f9cad464f810f8cf836d9d220

SHA256
5fd6ef7f89dd597397a49aa3d2065819abf496bbecb6872c035a7c84e25d1e55

SHA512
6d83f3ee9aaf3efbe8086f82cf1742096c8e39e734d547396bc1fd917f1393ec101e52fbbafe712314180fdbc9063d65c0915827c840e79d90c0fd0909308da1

Download Submit
C:\Users\Admin\Desktop\DenyComplete.au3
Filesize
215KB

MD5
faa3d685c7a1d1a7ea6d8c880c81148a

SHA1
1845347c66553ec5747ccbb4570742d4f0e6d7c6

SHA256
d8e76259996904f65d1d8f6fe54d1ff42893f01e80f1451767456ea60a512a49

SHA512
41c6c0cb5af731cf1d62cc6e5cfb818be16604b8a4ce96c597e9e82b2180515027187e28c790cd0a2a263db7618e3a14def3ca1ad2fc58e33c0a4e1e9448665c

Download Submit
C:\Users\Admin\Desktop\DenyProtect.emz
Filesize
394KB

MD5
9a65ea5394b42fa1e3cad09de75e3584

SHA1
f5202c817725f37c8bd071e8fa0e9d3ea0fb5623

SHA256
692899e22ba4de6fe4400e55268a9b27648cd49b16f211ee5fb2cdfceab92996

SHA512
9ad04a065b691b86de080257433652882278900f0f6cb9356bca8dd10435b3815f11d0698ac9e0363a550428f14133337f2058db7fc4050756ac2f9b0282f01d

Download Submit
C:\Users\Admin\Desktop\FindGrant.avi
Filesize
197KB

MD5
8964d59a4d64c532c51cbe7e1e1ec634

SHA1
118cf6a7bf6839da18ffe009760d8074f2f256bf

SHA256
095d45c35311ac99264480cbed9e3764e68d203342de14f9e7efb09f2b14bdaf

SHA512
b6872d9ca639d73d97387acdc65d02a019a9d225714f2f99cad0c9a8f1e96b1c98359b9e8c7ccee990d05fd59f20a611b4cbd9bb6d7696d5d5e3cc986abd9f80

Download Submit
C:\Users\Admin\Desktop\OutRemove.hta
Filesize
250KB

MD5
437e9971a29a966683907cce31943ae0

SHA1
cdd2b6da69aeef6763ba0cdd94c4c3ed69031aa2

SHA256
b21b6814cee70f1991fbeb63ba4ba3eff8151d36432c48362cbb0dea308925cb

SHA512
05dc9115194813c8bde88be7191176cc0346be1ad1a55a3f05b301ae1cf3ac4ec574afde2e00c59d8e377b4347427b96f353e7f93368924ddd1c9dcc0d7ec4e5

Download Submit
C:\Users\Admin\Desktop\PopEnable.css
Filesize
430KB

MD5
7b0b67a65853dd83aad6cdc7293042e6

SHA1
5e61e026aec1362b138bedf4f1f986536360bd09

SHA256
f51234fd383abdd61450a097a603f2214e17be45dc122c8c99f768cc1c74a786

SHA512
6d12e75647d2736c01590c9a7e67868e2f2a4408e7abe36160bb39e5c284ed6aab79eb5c79bd12bcc6b808c49e8238877745e9d06ac9576193afde980d4ecb31

Download Submit
C:\Users\Admin\Desktop\PublishRegister.crw
Filesize
698KB

MD5
a7492806f1a92b8dd9cc59e8d2f80535

SHA1
70e6a15d0f603b46f546a85d95d748394569b3c4

SHA256
be1d6b6b0ce4fe8344772092d612247206d7daab930546a2051993ed79db0531

SHA512
13b819cf18c69a8604c36a216780742e775adfbbdf91ad97a1a0898ce8fd5d26e32ac33a7621fb3c040b01acb253281fe641deacd0c429fef213bab05d00ea7d

Download Submit
C:\Users\Admin\Desktop\PublishSave.mpp
Filesize
465KB

MD5
03df91f1ae7fc59cde073196d130703a

SHA1
1a1cd7b039870e146bca8e718a88aaff38e90cb6

SHA256
00a367337243e4e105877b2bf1a114c0c3b64fff73bece431e29839a97e23ea2

SHA512
edce3a328c03800a4e4b278d95d25af843638cfa58ca439def6324fac877dbe7f04c1a42ecfee2116d13198c24377dadc0746e1b3e9e21c2f6c8902892ce553e

Download Submit
C:\Users\Admin\Desktop\RemoveRedo.xla
Filesize
179KB

MD5
bc20b64596ba4ed64cab820db8173262

SHA1
a417024ddb34ebfdad8d559bac79dd79ec241fca

SHA256
b237e9d15fbf086b74a24f5aca432c9ccaa606fe5c28710c11de451d1bcbd8fe

SHA512
623636712a4f72e9f05b61076607348cfcf5b4c265f968984b7d2e2236ab72e569d2dd198fa14133f5bd9065c6f52bc43f91f852c7688c59c514fe9e0edc84d7

Download Submit
C:\Users\Admin\Desktop\ResetDebug.easmx
Filesize
376KB

MD5
6aaa27ff1670645a356710f17acbb1f1

SHA1
918df9ea223023d52c434f3dec8b5073330b497d

SHA256
1601b89b37b95dfd5c812ddb62daf86ade200581240fb0a23ecb125dd4d22d4f

SHA512
4df26060d85ef8481ae07d32519750318b0b58e0b58cc11deb33053dc346d551034b0bfb869bd183c9700577caa1fe97e33bda2464552d240691a1455058c7f1

Download Submit
C:\Users\Admin\Desktop\RevokeOpen.mpg
Filesize
483KB

MD5
0f84a4f77fc56eb79f770d5ed3c0ed7e

SHA1
487f120a49fb49e45b3a3e6e6baebe833ca73728

SHA256
95fe24f2d6bb2261a2dcdd01e6c98eeb89f63c295f1c8a6a30ebe10f140f8a04

SHA512
5e5f97473b7726bab378e281f89a3476683094948588a3e72d0be86d7567c36333c39c83e422face944bea654821839679a824677084e9066a27ff9e3cbf6b24

Download Submit
C:\Users\Admin\Desktop\StartSkip.vbs
Filesize
447KB

MD5
4dbf72a316b116727fc15604fbcc2571

SHA1
193a6115417e8a6a586e7f0ba288ad25f8d1b32f

SHA256
f2cced2c328594807f7aed4bf2b5b242186f4892ef06abdfb214b42226dc2941

SHA512
4d7ecd20d0c006587bf02b73286f4fa8c0f1fa75a33f150a78ba7591f7148c0ddb9990b0c1ef27d0240582c2c2e5088220c18511f8f75c207867c4f3b69c94d5

Download Submit
C:\Users\Admin\Desktop\StepMount.ppsx
Filesize
322KB

MD5
49a2fef19a302e1c6e8906bfce7eeb26

SHA1
d98fc54deb23fe2ba306a071d0002a29ea112269

SHA256
8c2c04158ede71f61244f801642a25528ace525fb8b9cfe68e1f42793681ef46

SHA512
d316aa22059f510b2ec4b65076848241c162d6db7e740d5bf58dcdf75936508b3ca74cad685c3f5b38cdc15b7f86dc15555d473709248dda2e87a240a0894b55

Download Submit
C:\Users\Admin\Desktop\SwitchNew.xml
Filesize
304KB

MD5
fe426dff58d7e7ed05228314e9440a7c

SHA1
46d56fa645360d47f0ea0717d4a067d1e4cf43dc

SHA256
e3e1dcdfd826423b8c48526a1e02151b56cf17e9119d634208432965b3f5956d

SHA512
66a058b63e9b3add28c4ffde50e5237dc7f0b04d70b83279e7ee0ceabaa58d4b321d82a474c3b472bc5181885bb200cf2d40cde76f8378b8957b857ddb647f05

Download Submit
C:\Users\Admin\Desktop\SyncWrite.png
Filesize
340KB

MD5
2a9473ba2fcb95898ffe93b63e898eca

SHA1
e9dcca27b87da3eb845902b6c53602ad32b09244

SHA256
6f069bf1e0548a08a0076b7cc9b2f669398017d13b88200d927112fb79e94107

SHA512
542452ec9481d3237c10ce50cbef215092b9a6f17fd8dfda9edcd9a27b7d4ec02a758d288db12eb1514037c16607bbe2a47fcea12a605749358f525a9970a2db

Download Submit
C:\Users\Admin\Desktop\TracePop.snd
Filesize
286KB

MD5
93505c304d77a0a883104776b813c9c6

SHA1
50f2077c8f30e809a44d583e272ab6a6f8ee77d0

SHA256
67abc83ca0c05ab1411c0bcad3e34f9a460dad445906ef0f287af290f57fe5e0

SHA512
94549210052f7582d2cab4be8b779dcb743e7d18f30cae4a28409ea432d8b00e1c4026cc14743a7a3c12069680761536534d865ca273f14fc15f2c734e509847

Download Submit
C:\Users\Admin\Desktop\UnblockEnable.potx
Filesize
268KB

MD5
5628071fa72aee97264e6cebd2156d96

SHA1
c927922dd9d68b9fec48b8e088956d994d52aa00

SHA256
71edb5729f914cfd5cec30d65affaf9d72a1bb825bdcec97a768f2d7642edfcc

SHA512
0de94afde8eb1c3a37172942e36ae7c1f770edfde0996f0b23b5c8a2d2759ed8cddd07d87c98903b3738e58e2dbd4d41c9595f0d44c25db484c92447ea813a8a

Download Submit
C:\Users\Admin\Desktop\UnlockMove.vstm
Filesize
412KB

MD5
d39a12fadbb150842529193fcf13fc87

SHA1
c174d3b9c5066a6b69b481248eda8df10e236562

SHA256
43dedb7777962359f520d8396e9252c93d8c758a8adc5e425ac5697e299cfa1f

SHA512
d420b8967b10c4f979b3e6cd6efa911b48719983907f04f3a9d37cc69a028027422a9a9413ecefecea77249ba613b1bc94c9c2c1f12ec18277ee598282de6bbc

Download Submit
C:\Users\Admin\Desktop\UpdateComplete.pptx
Filesize
232KB

MD5
ff25944e49faec5dc9cf784b18b77c3f

SHA1
96fc446a37f8869450fb38437833502830b7d6b4

SHA256
8e27db8efa31d2f7c9ff7171d9a961ca8401608bcb09d044bc334f7bc8ef47dd

SHA512
bb30d252e96f458437310a2c5a5394a00ec0970077e13021c79e44a6a8f976a07bd1c4b8fdde95d126a59bbc807a62a23b240e7d7dbbe73750ab920769073bda

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize
2KB

MD5
22b9770809478f4b7938f463e6697e24

SHA1
0f444dfd78b31d831c0b9a59ebc30c04db1a324e

SHA256
cd9249f2aa782d026346ed4bcd7bfa7b8e8a21b3aa596a24fcb5924664545ae5

SHA512
143b10440147bbb3bb2bab7fbf81e146810d1bfac8fb9af7e1a52707e61d06ab4e92129db67e8cd0e79785a9fb92ac8193e0811359b2f712f1dfe36c3915e65f

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
1000B

MD5
debd38c15bbee4ae9c96eddc03924287

SHA1
f61b97b8829897bcd9af7fbcd13882b82eae8e2d

SHA256
917a5ab064fa271ab2e1ee3f4fd1ee5774a7d075769a422346f96923b243e905

SHA512
00ca595b2440e30f149eec984f724096671eefe8ead3d7679fbd70bf69a5b205c2e913e3d13679a47c8d3932afd0ebb63051999296aadc8309150ffa1d55e5e2

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
3d33dc109439aaee99755699a39d7af2

SHA1
5c6d5f13110d9b17e37c9fdf43e72c3772c7dca8

SHA256
807fd0a98d5c652c6479babf5ba94573645e343a3db23eb9bbaa19d38f71fd80

SHA512
79741bdb34a18ba643445318ef45347fafa31d36f48557ecec987e09e3164a0499a25974926dde8f1920157936a43a32f66a08215e32fb03cfc3ca32a5205ac0

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
0a33c8cc5f3c6777886b53f6fcb7896f

SHA1
9ff1adc6dc48c89aa8f3e84aae76d59e8967bac1

SHA256
13a17d18561f559df873eacb07b6809ea2153dbb2bcacb2ac8b41707e56ae37a

SHA512
aa95202af6a3dc6ae5878c3f21e9a1139cebd859c13dbeb9e004b092baf19a6d8955b629dfb2d3e061329f24298d1bf94cd9a5021d8b11d7cffd2e5cfb90e181

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
923B

MD5
2290d3b29d2cccef99e913346032f835

SHA1
b5a7b250a09abd96d0e4a57c5563402bbd751e72

SHA256
72dedc6e7728ac16956b0e426b5b049c84656a44c745d074223378cd21df59ec

SHA512
80d17473046a1087f41ae03778e37634f98ff063b69dd32db1a2fc96747891c7fcdb2e4f6b215987210be9059c733d686546683801e063bb56410abbb902d7f6

Download Submit
\??\pipe\crashpad_3448_GUCQREFKJNKQIGBL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/548-166-0x0000000000000000-mapping.dmp

Download
memory/548-185-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/548-172-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/624-214-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/624-209-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/624-194-0x0000000000000000-mapping.dmp

Download
memory/624-199-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/840-208-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/840-207-0x0000000000000000-mapping.dmp

Download
memory/1040-163-0x0000000000000000-mapping.dmp

Download
memory/1884-196-0x0000000000000000-mapping.dmp

Download
memory/1884-197-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2120-162-0x000000000184A000-0x000000000184F000-memory.dmp

Filesize
20KB

Download
memory/2120-168-0x000000000184A000-0x000000000184F000-memory.dmp

Filesize
20KB

Download
memory/2120-161-0x00007FF994160000-0x00007FF994B96000-memory.dmp

Filesize
10.2MB

Download
memory/2120-189-0x00007FF998020000-0x00007FF998A56000-memory.dmp

Filesize
10.2MB

Download
memory/2444-205-0x0000000000000000-mapping.dmp

Download
memory/2520-181-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/2520-178-0x0000000000000000-mapping.dmp

Download
memory/2520-184-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/2816-173-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2816-169-0x0000000000000000-mapping.dmp

Download
memory/3312-167-0x0000000000000000-mapping.dmp

Download
memory/3312-170-0x00000000020C0000-0x00000000020C9000-memory.dmp

Filesize
36KB

Download
memory/3444-201-0x0000000001E2A000-0x0000000001E2F000-memory.dmp

Filesize
20KB

Download
memory/3444-190-0x0000000000000000-mapping.dmp

Download
memory/3444-191-0x00007FF998020000-0x00007FF998A56000-memory.dmp

Filesize
10.2MB

Download
memory/3444-192-0x0000000001E2A000-0x0000000001E2F000-memory.dmp

Filesize
20KB

Download
memory/3464-198-0x0000000000000000-mapping.dmp

Download
memory/3464-213-0x000000000236A000-0x000000000236F000-memory.dmp

Filesize
20KB

Download
memory/3464-210-0x000000000236A000-0x000000000236F000-memory.dmp

Filesize
20KB

Download
memory/3464-202-0x000000000236A000-0x000000000236F000-memory.dmp

Filesize
20KB

Download
memory/3464-200-0x00007FF998020000-0x00007FF998A56000-memory.dmp

Filesize
10.2MB

Download
memory/3624-171-0x000000000100A000-0x000000000100F000-memory.dmp

Filesize
20KB

Download
memory/3624-164-0x0000000000000000-mapping.dmp

Download
memory/3624-165-0x00007FF994160000-0x00007FF994B96000-memory.dmp

Filesize
10.2MB

Download
memory/3624-188-0x000000000100A000-0x000000000100F000-memory.dmp

Filesize
20KB

Download
memory/3624-186-0x000000000100A000-0x000000000100F000-memory.dmp

Filesize
20KB

Download
memory/3748-195-0x0000000000000000-mapping.dmp

Download
memory/3748-212-0x0000000000000000-mapping.dmp

Download
memory/3804-177-0x0000000000000000-mapping.dmp

Download
memory/4056-193-0x0000000000000000-mapping.dmp

Download
memory/4140-203-0x0000000000000000-mapping.dmp

Download
memory/4340-176-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4340-187-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4340-175-0x0000000000000000-mapping.dmp

Download
memory/4364-134-0x0000000000000000-mapping.dmp

Download
memory/4432-180-0x0000000000000000-mapping.dmp

Download
memory/4432-183-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4432-182-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4784-179-0x0000000000000000-mapping.dmp

Download
memory/5080-204-0x0000000000000000-mapping.dmp

Download
memory/5080-206-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/5080-211-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/5108-174-0x0000000000000000-mapping.dmp

Download