02190c5e84d7e7b3866816742f5258fbea919c2cbe581a04b7013b9bdddc565a

Resubmissions

19-11-2022 16:53

221119-vefm3sbe39 8

19-11-2022 16:41

221119-t7bddsbb32 8

Analysis

max time kernel
294s
max time network
506s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
19-11-2022 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

511AM.png
Size

966B
MD5

5c51a8836f1c31af4517ff739cb3e7fa
SHA1

49af67355378b659a38686c6b02e7de32915a1f8
SHA256

02190c5e84d7e7b3866816742f5258fbea919c2cbe581a04b7013b9bdddc565a
SHA512

9cd3a607d9c9ad59f63c983a20fd8a8eb1565700cb06b8f3bf162565fece8bf7363cac6e953fd9f1b1bdf5cdb799486ace5180fbabbab69fdc4cc24d06980bda

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Holzer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Holzer.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

ChromeRecovery.exe

pid process

4996 ChromeRecovery.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4724 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Holzer.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Holzer.exe

pid	process
4996	ChromeRecovery.exe

pid	process
4724	icacls.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Holzer.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\manifest.json	elevation_service.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3524 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3524	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bootcfg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	bootcfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	bootcfg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

7032 ipconfig.exe
6476 NETSTAT.EXE
Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings chrome.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

7300 PING.EXE
Runs regedit.exe 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

8108 regedit.exe
3764 regedit.exe

pid	process
7032	ipconfig.exe
6476	NETSTAT.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	chrome.exe

pid	process
7300	PING.EXE

pid	process
8108	regedit.exe
3764	regedit.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4280	chrome.exe
4280	chrome.exe
4772	chrome.exe
4772	chrome.exe
3380	chrome.exe
3380	chrome.exe
5096	chrome.exe
5096	chrome.exe
1092	chrome.exe
1092	chrome.exe
1376	chrome.exe
1376	chrome.exe
1016	chrome.exe
1016	chrome.exe
2680	chrome.exe
2680	chrome.exe
4608	chrome.exe
4608	chrome.exe
3652	chrome.exe
3652	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Holzer.exe

pid process

4620 Holzer.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

4772 chrome.exe
4772 chrome.exe
4772 chrome.exe
4772 chrome.exe
4772 chrome.exe
4772 chrome.exe
4772 chrome.exe
4772 chrome.exe

pid	process
4620	Holzer.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AUDIODG.EXEHolzer.exeauditpol.exe

description	pid	process
Token: 33	2796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2796	AUDIODG.EXE
Token: SeSystemtimePrivilege	4620	Holzer.exe
Token: SeSystemtimePrivilege	4620	Holzer.exe
Token: SeSystemtimePrivilege	4620	Holzer.exe
Token: SeSecurityPrivilege	3024	auditpol.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4772 wrote to memory of 4796	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4796	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4284	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4280	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 4280	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe
PID 4772 wrote to memory of 1436	4772	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1412 attrib.exe

pid	process
1412	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\511AM.png
1⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa64124f50,0x7ffa64124f60,0x7ffa64124f70
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
PID:4284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1708 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:8
2⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
2⤵
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
2⤵
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
2⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:8
2⤵
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4348 /prefetch:8
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4600 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4496 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:8
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
2⤵
PID:3792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
2⤵
PID:496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3704 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
2⤵
PID:1320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2488 /prefetch:1
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
2⤵
PID:652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
2⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 /prefetch:8
2⤵
PID:3344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5204 /prefetch:2
2⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:3524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
2⤵
PID:3180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5272 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2672 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,385472246210963164,12810375945638265305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
2⤵
PID:4448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4492

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4396

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={cab720f7-25f7-4c57-abc7-2a0a21d6156f} --system
2⤵
- Executes dropped EXE
PID:4996

C:\Users\Admin\AppData\Local\Temp\Temp1_Holzer.zip\Holzer.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Holzer.zip\Holzer.exe"
1⤵
- Disables RegEdit via registry modification
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\SysWOW64\appidtel.exe
"C:\Windows\System32\appidtel.exe"
2⤵
PID:4552

C:\Windows\SysWOW64\ARP.EXE
"C:\Windows\System32\ARP.EXE"
2⤵
PID:1896

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
2⤵
PID:4044

C:\Windows\SysWOW64\AtBroker.exe
"C:\Windows\System32\AtBroker.exe"
2⤵
PID:436

C:\Windows\SysWOW64\attrib.exe
"C:\Windows\System32\attrib.exe"
2⤵
- Views/modifies file attributes
PID:1412

C:\Windows\SysWOW64\auditpol.exe
"C:\Windows\System32\auditpol.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\System32\autochk.exe"
2⤵
PID:576

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\System32\autoconv.exe"
2⤵
PID:2320

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\System32\autofmt.exe"
2⤵
PID:3968

C:\Windows\SysWOW64\backgroundTaskHost.exe
"C:\Windows\System32\backgroundTaskHost.exe"
2⤵
PID:2080

C:\Windows\SysWOW64\BackgroundTransferHost.exe
"C:\Windows\System32\BackgroundTransferHost.exe"
2⤵
PID:432

C:\Windows\SysWOW64\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe"
2⤵
PID:5032

C:\Windows\SysWOW64\bitsadmin.exe
"C:\Windows\System32\bitsadmin.exe"
2⤵
PID:2648

C:\Windows\SysWOW64\bootcfg.exe
"C:\Windows\System32\bootcfg.exe"
2⤵
- Checks processor information in registry
PID:4688

C:\Windows\SysWOW64\bthudtask.exe
"C:\Windows\System32\bthudtask.exe"
2⤵
PID:512

C:\Windows\SysWOW64\ByteCodeGenerator.exe
"C:\Windows\System32\ByteCodeGenerator.exe"
2⤵
PID:5116

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe"
2⤵
PID:4148

C:\Windows\SysWOW64\calc.exe
"C:\Windows\System32\calc.exe"
2⤵
PID:4300

C:\Windows\SysWOW64\CameraSettingsUIHost.exe
"C:\Windows\System32\CameraSettingsUIHost.exe"
2⤵
PID:4128

C:\Windows\SysWOW64\CertEnrollCtrl.exe
"C:\Windows\System32\CertEnrollCtrl.exe"
2⤵
PID:348

C:\Windows\SysWOW64\certreq.exe
"C:\Windows\System32\certreq.exe"
2⤵
PID:2628

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe"
2⤵
PID:64

C:\Windows\SysWOW64\charmap.exe
"C:\Windows\System32\charmap.exe"
2⤵
PID:4548

C:\Windows\SysWOW64\CheckNetIsolation.exe
"C:\Windows\System32\CheckNetIsolation.exe"
2⤵
PID:352

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\System32\chkdsk.exe"
2⤵
PID:2616

C:\Windows\SysWOW64\chkntfs.exe
"C:\Windows\System32\chkntfs.exe"
2⤵
PID:1036

C:\Windows\SysWOW64\choice.exe
"C:\Windows\System32\choice.exe"
2⤵
PID:2772

C:\Windows\SysWOW64\cipher.exe
"C:\Windows\System32\cipher.exe"
2⤵
PID:1380

C:\Windows\SysWOW64\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe"
2⤵
PID:1088

C:\Windows\SysWOW64\cliconfg.exe
"C:\Windows\System32\cliconfg.exe"
2⤵
PID:4468

C:\Windows\SysWOW64\clip.exe
"C:\Windows\System32\clip.exe"
2⤵
PID:2120

C:\Windows\SysWOW64\CloudNotifications.exe
"C:\Windows\System32\CloudNotifications.exe"
2⤵
PID:4252

C:\Windows\SysWOW64\CloudStorageWizard.exe
"C:\Windows\System32\CloudStorageWizard.exe"
2⤵
PID:648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:4680

C:\Windows\SysWOW64\cmdkey.exe
"C:\Windows\System32\cmdkey.exe"
2⤵
PID:4808

C:\Windows\SysWOW64\cmdl32.exe
"C:\Windows\System32\cmdl32.exe"
2⤵
PID:4404

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\System32\cmmon32.exe"
2⤵
PID:1376

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\System32\cmstp.exe"
2⤵
PID:744

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\System32\colorcpl.exe"
2⤵
PID:4040

C:\Windows\SysWOW64\comp.exe
"C:\Windows\System32\comp.exe"
2⤵
PID:652

C:\Windows\SysWOW64\compact.exe
"C:\Windows\System32\compact.exe"
2⤵
PID:2444

C:\Windows\SysWOW64\ComputerDefaults.exe
"C:\Windows\System32\ComputerDefaults.exe"
2⤵
PID:3144

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe"
2⤵
PID:5068

C:\Windows\SysWOW64\credwiz.exe
"C:\Windows\System32\credwiz.exe"
2⤵
PID:4996

C:\Windows\SysWOW64\convert.exe
"C:\Windows\System32\convert.exe"
2⤵
PID:2732

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\System32\cscript.exe"
2⤵
PID:1728

C:\Windows\SysWOW64\ctfmon.exe
"C:\Windows\System32\ctfmon.exe"
2⤵
PID:3344

C:\Windows\SysWOW64\cttune.exe
"C:\Windows\System32\cttune.exe"
2⤵
PID:3720

C:\Windows\SysWOW64\cttunesvr.exe
"C:\Windows\System32\cttunesvr.exe"
2⤵
PID:1008

C:\Windows\SysWOW64\dccw.exe
"C:\Windows\System32\dccw.exe"
2⤵
PID:4960

C:\Windows\SysWOW64\dcomcnfg.exe
"C:\Windows\System32\dcomcnfg.exe"
2⤵
PID:2488

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
3⤵
PID:160

C:\Windows\SysWOW64\ddodiag.exe
"C:\Windows\System32\ddodiag.exe"
2⤵
PID:4372

C:\Windows\SysWOW64\DevicePairingWizard.exe
"C:\Windows\System32\DevicePairingWizard.exe"
2⤵
PID:4304

C:\Windows\SysWOW64\dfrgui.exe
"C:\Windows\System32\dfrgui.exe"
2⤵
PID:3312

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\System32\dialer.exe"
2⤵
PID:4380

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\System32\diskperf.exe"
2⤵
PID:1184

C:\Windows\SysWOW64\diskraid.exe
"C:\Windows\System32\diskraid.exe"
2⤵
PID:704

C:\Windows\SysWOW64\diskpart.exe
"C:\Windows\System32\diskpart.exe"
2⤵
PID:1740

C:\Windows\SysWOW64\Dism.exe
"C:\Windows\System32\Dism.exe"
2⤵
PID:1896

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
2⤵
PID:4712

C:\Windows\SysWOW64\dllhst3g.exe
"C:\Windows\System32\dllhst3g.exe"
2⤵
PID:4684

C:\Windows\SysWOW64\doskey.exe
"C:\Windows\System32\doskey.exe"
2⤵
PID:3932

C:\Windows\SysWOW64\dpapimig.exe
"C:\Windows\System32\dpapimig.exe"
2⤵
PID:1460

C:\Windows\SysWOW64\DpiScaling.exe
"C:\Windows\System32\DpiScaling.exe"
2⤵
PID:4148

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" ms-settings:display
3⤵
PID:6008

C:\Windows\SysWOW64\driverquery.exe
"C:\Windows\System32\driverquery.exe"
2⤵
PID:3364

C:\Windows\SysWOW64\dtdump.exe
"C:\Windows\System32\dtdump.exe"
2⤵
PID:2276

C:\Windows\SysWOW64\dvdplay.exe
"C:\Windows\System32\dvdplay.exe"
2⤵
PID:1416

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
/device:dvd
3⤵
PID:5344

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
4⤵
PID:4520

C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
5⤵
PID:4280

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce: /device:dvd
4⤵
PID:4744

C:\Windows\SysWOW64\DWWIN.EXE
"C:\Windows\System32\DWWIN.EXE"
2⤵
PID:1184

C:\Windows\SysWOW64\dxdiag.exe
"C:\Windows\System32\dxdiag.exe"
2⤵
PID:3148

C:\Windows\SysWOW64\EaseOfAccessDialog.exe
"C:\Windows\System32\EaseOfAccessDialog.exe"
2⤵
PID:2188

C:\Windows\SysWOW64\edpnotify.exe
"C:\Windows\System32\edpnotify.exe"
2⤵
PID:5300

C:\Windows\SysWOW64\efsui.exe
"C:\Windows\System32\efsui.exe"
2⤵
PID:5440

C:\Windows\SysWOW64\EhStorAuthn.exe
"C:\Windows\System32\EhStorAuthn.exe"
2⤵
PID:5744

C:\Windows\SysWOW64\esentutl.exe
"C:\Windows\System32\esentutl.exe"
2⤵
PID:5944

C:\Windows\SysWOW64\eudcedit.exe
"C:\Windows\System32\eudcedit.exe"
2⤵
PID:4220

C:\Windows\SysWOW64\eventcreate.exe
"C:\Windows\System32\eventcreate.exe"
2⤵
PID:5484

C:\Windows\SysWOW64\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
2⤵
PID:5616

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
3⤵
PID:5784

C:\Windows\system32\mmc.exe
"C:\Windows\system32\eventvwr.msc" "C:\Windows\system32\eventvwr.msc"
4⤵
PID:5604

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe"
2⤵
PID:5836

C:\Windows\SysWOW64\fc.exe
"C:\Windows\System32\fc.exe"
2⤵
PID:6140

C:\Windows\SysWOW64\find.exe
"C:\Windows\System32\find.exe"
2⤵
PID:5296

C:\Windows\SysWOW64\extrac32.exe
"C:\Windows\System32\extrac32.exe"
2⤵
PID:5964

C:\Windows\SysWOW64\findstr.exe
"C:\Windows\System32\findstr.exe"
2⤵
PID:1068

C:\Windows\SysWOW64\finger.exe
"C:\Windows\System32\finger.exe"
2⤵
PID:6028

C:\Windows\SysWOW64\expand.exe
"C:\Windows\System32\expand.exe"
2⤵
PID:4764

C:\Windows\SysWOW64\FlashPlayerApp.exe
"C:\Windows\System32\FlashPlayerApp.exe"
2⤵
PID:2188

C:\Windows\SysWOW64\fltMC.exe
"C:\Windows\System32\fltMC.exe"
2⤵
PID:6020

C:\Windows\SysWOW64\Fondue.exe
"C:\Windows\System32\Fondue.exe"
2⤵
PID:1476

C:\Windows\SysWOW64\fontdrvhost.exe
"C:\Windows\System32\fontdrvhost.exe"
2⤵
PID:5456

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\System32\fontview.exe"
2⤵
PID:6056

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe"
2⤵
PID:6084

C:\Windows\SysWOW64\cmd.exe
/c echo "0409"
3⤵
PID:5484

C:\Windows\SysWOW64\fsquirt.exe
"C:\Windows\System32\fsquirt.exe"
2⤵
PID:3356

C:\Windows\SysWOW64\fsutil.exe
"C:\Windows\System32\fsutil.exe"
2⤵
PID:660

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:352

C:\Windows\SysWOW64\ftp.exe
"C:\Windows\System32\ftp.exe"
2⤵
PID:6128

C:\Windows\SysWOW64\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe"
2⤵
PID:5308

C:\Windows\SysWOW64\GamePanel.exe
"C:\Windows\System32\GamePanel.exe"
2⤵
PID:4568

C:\Windows\SysWOW64\getmac.exe
"C:\Windows\System32\getmac.exe"
2⤵
PID:6104

C:\Windows\SysWOW64\gpresult.exe
"C:\Windows\System32\gpresult.exe"
2⤵
PID:1244

C:\Windows\SysWOW64\gpscript.exe
"C:\Windows\System32\gpscript.exe"
2⤵
PID:3932

C:\Windows\SysWOW64\fixmapi.exe
"C:\Windows\System32\fixmapi.exe"
2⤵
PID:5372

C:\Windows\SysWOW64\gpupdate.exe
"C:\Windows\System32\gpupdate.exe"
2⤵
PID:5968

C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe"
2⤵
PID:920

C:\Windows\SysWOW64\help.exe
"C:\Windows\System32\help.exe"
2⤵
PID:5712

C:\Windows\SysWOW64\hh.exe
"C:\Windows\System32\hh.exe"
2⤵
PID:5204

C:\Windows\SysWOW64\hdwwiz.exe
"C:\Windows\System32\hdwwiz.exe"
2⤵
PID:4940

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe"
2⤵
- Modifies file permissions
PID:4724

C:\Windows\SysWOW64\HOSTNAME.EXE
"C:\Windows\System32\HOSTNAME.EXE"
2⤵
PID:6140

C:\Windows\SysWOW64\icsunattend.exe
"C:\Windows\System32\icsunattend.exe"
2⤵
PID:5748

C:\Windows\SysWOW64\ieUnatt.exe
"C:\Windows\System32\ieUnatt.exe"
2⤵
PID:5460

C:\Windows\SysWOW64\iexpress.exe
"C:\Windows\System32\iexpress.exe"
2⤵
PID:2648

C:\Windows\SysWOW64\InfDefaultInstall.exe
"C:\Windows\System32\InfDefaultInstall.exe"
2⤵
PID:5560

C:\Windows\SysWOW64\InstallAgent.exe
"C:\Windows\System32\InstallAgent.exe"
2⤵
PID:6488

C:\Windows\SysWOW64\InstallAgentUserBroker.exe
"C:\Windows\System32\InstallAgentUserBroker.exe"
2⤵
PID:6664

C:\Windows\SysWOW64\instnm.exe
"C:\Windows\System32\instnm.exe"
2⤵
PID:6784

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe"
2⤵
- Gathers network information
PID:7032

C:\Windows\SysWOW64\iscsicli.exe
"C:\Windows\System32\iscsicli.exe"
2⤵
PID:2488

C:\Windows\SysWOW64\iscsicpl.exe
"C:\Windows\System32\iscsicpl.exe"
2⤵
PID:660

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL iscsicpl.dll,,0
3⤵
PID:6596

C:\Windows\SysWOW64\ktmutil.exe
"C:\Windows\System32\ktmutil.exe"
2⤵
PID:6648

C:\Windows\SysWOW64\label.exe
"C:\Windows\System32\label.exe"
2⤵
PID:6868

C:\Windows\SysWOW64\isoburn.exe
"C:\Windows\System32\isoburn.exe"
2⤵
PID:6372

C:\Windows\SysWOW64\LaunchTM.exe
"C:\Windows\System32\LaunchTM.exe"
2⤵
PID:7004

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
3⤵
PID:4760

C:\Windows\SysWOW64\LaunchWinApp.exe
"C:\Windows\System32\LaunchWinApp.exe"
2⤵
PID:4528

C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\System32\lodctr.exe"
2⤵
PID:6288

C:\Windows\SysWOW64\logagent.exe
"C:\Windows\System32\logagent.exe"
2⤵
PID:6536

C:\Windows\SysWOW64\logman.exe
"C:\Windows\System32\logman.exe"
2⤵
PID:6420

C:\Windows\SysWOW64\Magnify.exe
"C:\Windows\System32\Magnify.exe"
2⤵
PID:7072

C:\Windows\SysWOW64\makecab.exe
"C:\Windows\System32\makecab.exe"
2⤵
PID:3568

C:\Windows\SysWOW64\mavinject.exe
"C:\Windows\System32\mavinject.exe"
2⤵
PID:6276

C:\Windows\SysWOW64\mcbuilder.exe
"C:\Windows\System32\mcbuilder.exe"
2⤵
PID:6152

C:\Windows\SysWOW64\mfpmp.exe
"C:\Windows\System32\mfpmp.exe"
2⤵
PID:6616

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\System32\mmc.exe"
2⤵
PID:6916

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe"
3⤵
PID:6540

C:\Windows\SysWOW64\mmgaserver.exe
"C:\Windows\System32\mmgaserver.exe"
2⤵
PID:7144

C:\Windows\SysWOW64\mobsync.exe
"C:\Windows\System32\mobsync.exe"
2⤵
PID:6724

C:\Windows\SysWOW64\mountvol.exe
"C:\Windows\System32\mountvol.exe"
2⤵
PID:5196

C:\Windows\SysWOW64\MRINFO.EXE
"C:\Windows\System32\MRINFO.EXE"
2⤵
PID:4428

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\System32\msdt.exe"
2⤵
PID:944

C:\Windows\SysWOW64\msfeedssync.exe
"C:\Windows\System32\msfeedssync.exe"
2⤵
PID:2756

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe"
2⤵
PID:6148

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe"
2⤵
PID:6592

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\System32\mspaint.exe"
2⤵
PID:2828

C:\Windows\SysWOW64\msinfo32.exe
"C:\Windows\System32\msinfo32.exe"
2⤵
PID:3348

C:\Windows\SysWOW64\msra.exe
"C:\Windows\System32\msra.exe"
2⤵
PID:6760

C:\Windows\system32\msra.exe
"C:\Windows\system32\msra.exe"
3⤵
PID:3700

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\System32\mstsc.exe"
2⤵
PID:1520

C:\Windows\system32\mstsc.exe
"C:\Windows\System32\mstsc.exe"
3⤵
PID:7728

C:\Windows\SysWOW64\mtstocom.exe
"C:\Windows\System32\mtstocom.exe"
2⤵
PID:6524

C:\Windows\SysWOW64\MuiUnattend.exe
"C:\Windows\System32\MuiUnattend.exe"
2⤵
PID:6612

C:\Windows\SysWOW64\ndadmin.exe
"C:\Windows\System32\ndadmin.exe"
2⤵
PID:5428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe"
2⤵
PID:3652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1
3⤵
PID:5972

C:\Windows\SysWOW64\net1.exe
"C:\Windows\System32\net1.exe"
2⤵
PID:4844

C:\Windows\SysWOW64\netbtugc.exe
"C:\Windows\System32\netbtugc.exe"
2⤵
PID:2128

C:\Windows\SysWOW64\NetCfgNotifyObjectHost.exe
"C:\Windows\System32\NetCfgNotifyObjectHost.exe"
2⤵
PID:2732

C:\Windows\SysWOW64\netiougc.exe
"C:\Windows\System32\netiougc.exe"
2⤵
PID:5152

C:\Windows\SysWOW64\Netplwiz.exe
"C:\Windows\System32\Netplwiz.exe"
2⤵
PID:2724

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe"
2⤵
PID:3032

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\System32\NETSTAT.EXE"
2⤵
- Gathers network information
PID:6476

C:\Windows\SysWOW64\newdev.exe
"C:\Windows\System32\newdev.exe"
2⤵
PID:5440

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
2⤵
PID:4776

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\System32\nslookup.exe"
2⤵
PID:5436

C:\Windows\SysWOW64\ntprint.exe
"C:\Windows\System32\ntprint.exe"
2⤵
PID:2844

C:\Windows\SysWOW64\odbcad32.exe
"C:\Windows\System32\odbcad32.exe"
2⤵
PID:6244

C:\Windows\SysWOW64\odbcconf.exe
"C:\Windows\System32\odbcconf.exe"
2⤵
PID:2692

C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\System32\OneDriveSetup.exe"
2⤵
PID:484

C:\Windows\SysWOW64\OneDriveSetup.exe
C:\Windows\SysWOW64\OneDriveSetup.exe /peruser /childprocess
3⤵
PID:5460

C:\Windows\SysWOW64\openfiles.exe
"C:\Windows\System32\openfiles.exe"
2⤵
PID:5088

C:\Windows\SysWOW64\OpenWith.exe
"C:\Windows\System32\OpenWith.exe"
2⤵
PID:4708

C:\Windows\SysWOW64\OposHost.exe
"C:\Windows\System32\OposHost.exe"
2⤵
PID:3228

C:\Windows\SysWOW64\osk.exe
"C:\Windows\System32\osk.exe"
2⤵
PID:7380

C:\Windows\SysWOW64\PasswordOnWakeSettingFlyout.exe
"C:\Windows\System32\PasswordOnWakeSettingFlyout.exe"
2⤵
PID:7628

C:\Windows\SysWOW64\PATHPING.EXE
"C:\Windows\System32\PATHPING.EXE"
2⤵
PID:7736

C:\Windows\SysWOW64\pcaui.exe
"C:\Windows\System32\pcaui.exe"
2⤵
PID:8164

C:\Windows\SysWOW64\perfhost.exe
"C:\Windows\System32\perfhost.exe"
2⤵
PID:7332

C:\Windows\SysWOW64\PackagedCWALauncher.exe
"C:\Windows\System32\PackagedCWALauncher.exe"
2⤵
PID:7448

C:\Windows\SysWOW64\PickerHost.exe
"C:\Windows\System32\PickerHost.exe"
2⤵
PID:6384

C:\Windows\SysWOW64\perfmon.exe
"C:\Windows\System32\perfmon.exe"
2⤵
PID:8136

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\perfmon.msc" /32
3⤵
PID:8124

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\System32\PING.EXE"
2⤵
- Runs ping.exe
PID:7300

C:\Windows\SysWOW64\PkgMgr.exe
"C:\Windows\System32\PkgMgr.exe"
2⤵
PID:7464

C:\Windows\SysWOW64\poqexec.exe
"C:\Windows\System32\poqexec.exe"
2⤵
PID:7484

C:\Windows\SysWOW64\powercfg.exe
"C:\Windows\System32\powercfg.exe"
2⤵
PID:7676

C:\Windows\SysWOW64\PresentationHost.exe
"C:\Windows\System32\PresentationHost.exe"
2⤵
PID:7784

C:\Windows\SysWOW64\prevhost.exe
"C:\Windows\System32\prevhost.exe"
2⤵
PID:7996

C:\Windows\SysWOW64\print.exe
"C:\Windows\System32\print.exe"
2⤵
PID:8048

C:\Windows\SysWOW64\printui.exe
"C:\Windows\System32\printui.exe"
2⤵
PID:2396

C:\Windows\SysWOW64\proquota.exe
"C:\Windows\System32\proquota.exe"
2⤵
PID:3732

C:\Windows\SysWOW64\psr.exe
"C:\Windows\System32\psr.exe"
2⤵
PID:7180

C:\Windows\system32\psr.exe
"C:\Windows\system32\psr.exe"
3⤵
PID:6712

C:\Windows\SysWOW64\quickassist.exe
"C:\Windows\System32\quickassist.exe"
2⤵
PID:6992

C:\Windows\SysWOW64\rasautou.exe
"C:\Windows\System32\rasautou.exe"
2⤵
PID:4360

C:\Windows\SysWOW64\rasdial.exe
"C:\Windows\System32\rasdial.exe"
2⤵
PID:2528

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\System32\raserver.exe"
2⤵
PID:8132

C:\Windows\SysWOW64\RdpSa.exe
"C:\Windows\System32\RdpSa.exe"
2⤵
PID:8008

C:\Windows\SysWOW64\rasphone.exe
"C:\Windows\System32\rasphone.exe"
2⤵
PID:7812

C:\Windows\SysWOW64\RdpSaProxy.exe
"C:\Windows\System32\RdpSaProxy.exe"
2⤵
PID:6164

C:\Windows\SysWOW64\RdpSa.exe
"C:\Windows\system32\RdpSa.exe"
3⤵
PID:7804

C:\Windows\SysWOW64\RdpSaUacHelper.exe
"C:\Windows\System32\RdpSaUacHelper.exe"
2⤵
PID:2140

C:\Windows\SysWOW64\rdrleakdiag.exe
"C:\Windows\System32\rdrleakdiag.exe"
2⤵
PID:748

C:\Windows\SysWOW64\ReAgentc.exe
"C:\Windows\System32\ReAgentc.exe"
2⤵
PID:1480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe"
2⤵
PID:7916

C:\Windows\SysWOW64\regedt32.exe
"C:\Windows\System32\regedt32.exe"
2⤵
PID:7704

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\regedit.exe"
3⤵
- Runs regedit.exe
PID:3764

C:\Windows\SysWOW64\regini.exe
"C:\Windows\System32\regini.exe"
2⤵
PID:7436

C:\Windows\SysWOW64\Register-CimProvider.exe
"C:\Windows\System32\Register-CimProvider.exe"
2⤵
PID:7632

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe"
2⤵
PID:7752

C:\Windows\SysWOW64\rekeywiz.exe
"C:\Windows\System32\rekeywiz.exe"
2⤵
PID:7100

C:\Windows\SysWOW64\relog.exe
"C:\Windows\System32\relog.exe"
2⤵
PID:4208

C:\Windows\SysWOW64\replace.exe
"C:\Windows\System32\replace.exe"
2⤵
PID:7792

C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe"
2⤵
- Runs regedit.exe
PID:8108

C:\Windows\SysWOW64\recover.exe
"C:\Windows\System32\recover.exe"
2⤵
PID:4956

C:\Windows\SysWOW64\resmon.exe
"C:\Windows\System32\resmon.exe"
2⤵
PID:7004

C:\Windows\SysWOW64\perfmon.exe
"C:\Windows\System32\perfmon.exe" /res
3⤵
PID:5564

C:\Windows\SysWOW64\RMActivate.exe
"C:\Windows\System32\RMActivate.exe"
2⤵
PID:4764

C:\Windows\SysWOW64\RMActivate_isv.exe
"C:\Windows\System32\RMActivate_isv.exe"
2⤵
PID:7516

C:\Windows\SysWOW64\RMActivate_ssp.exe
"C:\Windows\System32\RMActivate_ssp.exe"
2⤵
PID:6724

C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
"C:\Windows\System32\RMActivate_ssp_isv.exe"
2⤵
PID:6576

C:\Windows\SysWOW64\RmClient.exe
"C:\Windows\System32\RmClient.exe"
2⤵
PID:3108

C:\Windows\SysWOW64\Robocopy.exe
"C:\Windows\System32\Robocopy.exe"
2⤵
PID:4576

C:\Windows\SysWOW64\ROUTE.EXE
"C:\Windows\System32\ROUTE.EXE"
2⤵
PID:8004

C:\Windows\SysWOW64\RpcPing.exe
"C:\Windows\System32\RpcPing.exe"
2⤵
PID:7856

C:\Windows\SysWOW64\rrinstaller.exe
"C:\Windows\System32\rrinstaller.exe"
2⤵
PID:2172

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe"
2⤵
PID:7088

C:\Windows\SysWOW64\RunLegacyCPLElevated.exe
"C:\Windows\System32\RunLegacyCPLElevated.exe"
2⤵
PID:6448

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe"
2⤵
PID:4824

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe"
2⤵
- Launches sc.exe
PID:3524

C:\Windows\SysWOW64\runonce.exe
"C:\Windows\System32\runonce.exe"
2⤵
PID:6860

C:\Windows\SysWOW64\runas.exe
"C:\Windows\System32\runas.exe"
2⤵
PID:6424

C:\Windows\SysWOW64\sdchange.exe
"C:\Windows\System32\sdchange.exe"
2⤵
PID:6260

C:\Windows\SysWOW64\sdbinst.exe
"C:\Windows\System32\sdbinst.exe"
2⤵
PID:4708

C:\Windows\SysWOW64\sdiagnhost.exe
"C:\Windows\System32\sdiagnhost.exe"
2⤵
PID:6200

C:\Windows\SysWOW64\SearchFilterHost.exe
"C:\Windows\System32\SearchFilterHost.exe"
2⤵
PID:8080

C:\Windows\SysWOW64\SearchIndexer.exe
"C:\Windows\System32\SearchIndexer.exe"
2⤵
PID:8016

C:\Windows\SysWOW64\SearchProtocolHost.exe
"C:\Windows\System32\SearchProtocolHost.exe"
2⤵
PID:4256

C:\Windows\SysWOW64\SecEdit.exe
"C:\Windows\System32\SecEdit.exe"
2⤵
PID:6784

C:\Windows\SysWOW64\sethc.exe
"C:\Windows\System32\sethc.exe"
2⤵
PID:8004

C:\Windows\SysWOW64\SettingSyncHost.exe
"C:\Windows\System32\SettingSyncHost.exe"
2⤵
PID:7692

C:\Windows\SysWOW64\secinit.exe
"C:\Windows\System32\secinit.exe"
2⤵
PID:7652

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x208
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3740

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2716

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TapiSrv
1⤵
PID:4968

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3168

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:3292

C:\Windows\system32\dashost.exe
dashost.exe {c68d7eae-cd43-45be-b9e8255cc62dd756}
2⤵
PID:5232

C:\Windows\system32\dashost.exe
dashost.exe {be6eaeaa-bb08-4555-85387b9cdf771899}
2⤵
PID:5540

C:\Windows\system32\dashost.exe
dashost.exe {76ef6107-3a4d-4a54-b300eae025892a81}
2⤵
PID:5856

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:868

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:5976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5356

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:6496

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a71f952314d74112a413d9e40c2551a4 /t 0 /p 7120
1⤵
PID:2512

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:7292

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:1424

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:6620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:7404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7120

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:7028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4396_908693569\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\914972f6593156977cf4509d646a1278_16efa387-a50f-4c14-af28-bdcb77494366
Filesize
108B

MD5
e8b24667c7ed7c92620c99d83a0959bf

SHA1
221ebf42fcee4a47ca66d25b98391146236eb69a

SHA256
e1f7472c709a7f6c7f32e3cde25b6d754f89bafa6cfeb9a91b4b5ed69752c67d

SHA512
8218acb0bfa31bd919d34f82d3263510085fddf799820aca8e7f412cffa4a9d256167cc90bcc0d902a4876a6d92aff5f58983f152a39dc08d7716db6b525ab95

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\914972f6593156977cf4509d646a1278_16efa387-a50f-4c14-af28-bdcb77494366
Filesize
2KB

MD5
f6dca32fd291691748108284ccf6a805

SHA1
047a42b8b22df0ce516f60da8e7a63a976445fe9

SHA256
2bf4b651db9f116707602fcae9311d69cb936dfa2ad49347776b2bfbb066fe66

SHA512
57e30146a10508517613e69bce1b21f9703fbcadbd7fe30a91565da5df86068791ef9c4be9ae721088dc2612fba4ba048bdaee35be895e2be897f667bf1b93d4

Download Submit
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-1099808672-3828198950-1535142148-1000\CERT-Machine-2048.drm
Filesize
28KB

MD5
c437ee8238cba516aa8fbfd577201921

SHA1
1409eb444f12a4a727c19e52dbb8c13bf0de4954

SHA256
5f9a1d77f491010d48dd767073988d99ade2d277f2172527ced1393d6752a6f9

SHA512
3497b74f318db708ca8d61a7ecc070b25f7f4b0e8d96601534c291501a6bfdd9bfde21ebe84442024b880bcfe8e740ba966c64d3215d629d6febd0a77cdf46b4

Download Submit
C:\ProgramData\Microsoft\DRM\Server\S-1-5-21-1099808672-3828198950-1535142148-1000\CERT-Machine.drm
Filesize
25KB

MD5
8d7888c8a97be1d3b56a9546dc9304a8

SHA1
a082b48c0031c74ba4438ef2b48382334ed4a290

SHA256
61dc860508b577a7e61b7a41c530bc7b88d5f39b3f37c4dd9eb7b010a1ffb5a3

SHA512
e656c26faa347bf4bc652a3926b16b4b662d229829f577a60e01b60c23f7f6f752b216789325922bd56039c01c8e68586c7ce08543b0c57215d2913c7137b644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\DRM\CERT-Machine.drm
Filesize
25KB

MD5
5e8e31bb4abbbdbf13fd37a86ea8c9f8

SHA1
eef3ccc88ba985e7f8809934cb724bf025f2b985

SHA256
d4ccf627ef97036f74d4b8cc14ff2e576ea1b46cb50c8a7bb7f914fd0b06f68e

SHA512
df3f68b8ef72b3dc0095088c3f349ca411e5fc5c8142036b1dabd30e37e62956f3142bca35d0f96a81aac3b987224719056a73348fe1f71d92199fd688c9290a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
a3b62a1b87a8080f50611f648a8d3035

SHA1
42f7ed7dc07253fc2303d338dd3df69a6edc6a9f

SHA256
9cac606bd12e71d2b45e72da51a62f1867b62fa3a3396d07d2a1e3b699962b08

SHA512
5efe5829e38f7eb2cf59c62a01be4620449a0216e0b04a41c30e0bbec66be40682ecc3451058b0f61fe7e35e72378796c60c7993e386129bf256ad922679be4a

Download Submit
C:\Windows\INF\netsstpa.PNF
Filesize
6KB

MD5
01e21456e8000bab92907eec3b3aeea9

SHA1
39b34fe438352f7b095e24c89968fca48b8ce11c

SHA256
35ad0403fdef3fce3ef5cd311c72fef2a95a317297a53c02735cda4bd6e0c74f

SHA512
9d5153450e8fe3f51f20472bae4a2ab2fed43fad61a89b04a70325559f6ffed935dd72212671cc6cfc0288458d359bc71567f0d9af8e5770d696adc5bdadd7ec

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
11KB

MD5
b6e420ae668853bd47727fb17b42f18d

SHA1
89d35cd046d619adc0468b1a401b5cd88acfdc8b

SHA256
3e6bd338a08c54ac0136028198bb871ad983077aca945b54fdf5b885f512fd05

SHA512
5f5085e659571c285711fc51c66104c221a1dede0874af4b5a93301881017c78e537fb806b57668bbc50e3de8b9b646d04be47e050d4d3bffff4b6a2f3db537d

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
14KB

MD5
7bf0bfaa153f24def2f7b95e1495ecb7

SHA1
6bbf1810aaf4364cd4f18eb7d18d8c941c655b5f

SHA256
eb5311dc5a11fecefad2e1c56fe73356815b8aa241aeaf0cb3303dbfd0212dd9

SHA512
a62f813b33e40bbeec032e83fad7a7b1ffc93d2a1ff49ab6ef4ab447fc7d2cfba322c33dee51d7cb5bc5328dd77012440e0bd25d4b94de4473ad1da4f9addab4

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml
Filesize
16KB

MD5
683639258b18bcccfc7543192e5cc7fe

SHA1
f68ae5b2cf128dc1486329eba39530b9567d3e34

SHA256
aeb59f0a5d48a8d4c0777f559fb9501308efff14f3ec568862a3d726c6b80680

SHA512
f778c08498112383f9c91a9e7955c4f537ce7079def44c9fd6dc6ce813a7558025aea9b29a9180f1cdcd318c3b892d09739d7df1bedf94c9d95b7754b2742f56

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
12KB

MD5
f1c84b8764c3ff96b72c2644dd104ffc

SHA1
4d457d1ba23ec4f159081895c4be3f154598ccb6

SHA256
1c143a046b2ce4d40dcfd3e68e2e87f3398f252a3fc209397b52ec8855e7383b

SHA512
ca19adc69cb70c85833a78cc70d83065897d4a24adb5e8ff1f0aefbc97fd49df34fd87331dd38e48bccf3a2afc9f93f8a8274828aeaa7c0838527256af1dc306

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
14KB

MD5
263fb854335c9017f77384e582811c81

SHA1
4c970b61c134c971a4190c16148ab13b25fed01e

SHA256
4506f49411ba1215ab1c5a106e4d92c75a1b8915e5c68f6b380104a4457b7641

SHA512
a9156541b210b95faf4d80c763dd3a1fb73aa2d794e2a7c026b964043e6d9f05fa16aa496155b1de0e13914729b041ec3db0ab0d7867d4fd3447fbf3342c58b5

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml
Filesize
16KB

MD5
79369908303fe21f6ab6af760f4ac908

SHA1
1f1209d2f8671b21f76f3280bbc31fdfed747696

SHA256
62c0084be6a98c15053f778ec13e3c758f9ae75661140e194a958c02085d7f0a

SHA512
55b1e88c671a47849e225e7c6fec5bd0c54aafe4dc81d6e0d6db9a5a6de1eef04e13895bb68306e57c70c2855ea69b84bac8c32907b894a1d56cfca6faf99c19

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
49KB

MD5
1f9691c991bd845a8fa7d300847acc70

SHA1
459031b076947194a1d4f41df31eaecbcacebf2a

SHA256
32af655adae002dae2971f02528c7e8e305640fc53a0be4363567c1c743fb213

SHA512
5beab622ea85c53720be2a7b4f0233520c5cd9ffdcbfd6ced1070554b964a3f0272e95eeb98b2e02a11048d53553c6b84fb4c743728537a680aadd609d7ec033

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
49KB

MD5
8d6f4fcd4be0f8053a1dd4db2d6abc6c

SHA1
722323ae62d02b4d63683c2a957e8e7cd6a63d4d

SHA256
786322dead8ae0f7d4f3a273a443a14445653d9cc70e7aec7fcc332fccb4e624

SHA512
c53b5ea8f27a97ad5f87fdadc2c772c9ce0e7ee787b26a38ca3c7a2b3759dc7895994625e98ba278ad031988d0cfc32c26974bb161dfe390bf20c78bcde27204

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log
Filesize
50KB

MD5
bd18024550687ad91e24a8547be5c40e

SHA1
c6acf855602f1649fc5af8dd75e96c49afae007e

SHA256
d8b0a191b44b39790cc83c8a36b3ad7e549254d78fafda1fb4300f4c114744e4

SHA512
89c287c9b017417f9f180f67c786dbd22d638e68f76113f50f675db36c5f77b7c926e0e9f4d1cc2a3fca6ee0a110552337be37c98ac530aa973198435c5d1400

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
305B

MD5
dbbb57ab8563b65db6c832eba4dfeb5d

SHA1
d2156a764d4de177236623c63a1b77b6b9907290

SHA256
62d3e70dd23e2c193a201a72507bfe7f723fcbfcae3ed45339782b043cfa3427

SHA512
55753feb3f754ac189fd4ddcadaf887c19b2f5ad9a5d22bdbdc84f297f75fb5431e2acedc01dfcfbef7d8b76ca771b263ac55797d1c0cf58cdc01d0f69893695

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
585B

MD5
4027aa3f6496f64416bbd27c0b93b4d5

SHA1
609f8976adc96cda32bdc92411b910e3055191d5

SHA256
7d0c539906b9d9db16f8db09567f60c8c1ec9b4d5471e7ca7e7af300a7c1412f

SHA512
702e0144827289fe954bad5954f74ebae39e84573114c5b14d28bc342364042899af2ebf5954a57160f831c5df5a96b34e556b3e1962da47566f02808db0bb59

Download Submit
C:\Windows\Panther\UnattendGC\setuperr.log
Filesize
811B

MD5
2d01d668b66993d34a9cc0101dc22f7a

SHA1
9b1165ee1941184c17b64c17517b1200d5afd094

SHA256
70a96002f618034ddfe9538a9236d45db8501f4c6680c3397320e0a66b3e2ee8

SHA512
eaa2ff98dedcb30bc0c9424b18d8f781d25cf2d9b713d4eb6ce6c5e9607f98b6befd0fdf5dfe75044359dd58252442401caa485b756cd41879a1a7764e31963c

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4772_EDXAQWBZRGZMDCXT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-566-0x0000000000000000-mapping.dmp

Download
memory/160-1646-0x0000000000000000-mapping.dmp

Download
memory/348-522-0x0000000000000000-mapping.dmp

Download
memory/352-608-0x0000000000000000-mapping.dmp

Download
memory/432-369-0x0000000000000000-mapping.dmp

Download
memory/436-298-0x0000000000000000-mapping.dmp

Download
memory/512-434-0x0000000000000000-mapping.dmp

Download
memory/648-837-0x0000000000000000-mapping.dmp

Download
memory/652-1085-0x0000000000000000-mapping.dmp

Download
memory/704-1709-0x0000000000000000-mapping.dmp

Download
memory/744-1009-0x0000000000000000-mapping.dmp

Download
memory/1008-1346-0x0000000000000000-mapping.dmp

Download
memory/1036-648-0x0000000000000000-mapping.dmp

Download
memory/1088-718-0x0000000000000000-mapping.dmp

Download
memory/1184-1681-0x0000000000000000-mapping.dmp

Download
memory/1376-972-0x0000000000000000-mapping.dmp

Download
memory/1380-696-0x0000000000000000-mapping.dmp

Download
memory/1412-321-0x0000000000000000-mapping.dmp

Download
memory/1460-1868-0x0000000000000000-mapping.dmp

Download
memory/1728-1255-0x0000000000000000-mapping.dmp

Download
memory/1740-1634-0x0000000000000000-mapping.dmp

Download
memory/1896-258-0x0000000000000000-mapping.dmp

Download
memory/1896-1754-0x0000000000000000-mapping.dmp

Download
memory/2080-350-0x0000000000000000-mapping.dmp

Download
memory/2120-770-0x0000000000000000-mapping.dmp

Download
memory/2444-1115-0x0000000000000000-mapping.dmp

Download
memory/2488-1406-0x0000000000000000-mapping.dmp

Download
memory/2616-628-0x0000000000000000-mapping.dmp

Download
memory/2628-542-0x0000000000000000-mapping.dmp

Download
memory/2648-403-0x0000000000000000-mapping.dmp

Download
memory/2732-1203-0x0000000000000000-mapping.dmp

Download
memory/2772-672-0x0000000000000000-mapping.dmp

Download
memory/3024-336-0x0000000000000000-mapping.dmp

Download
memory/3144-1146-0x0000000000000000-mapping.dmp

Download
memory/3312-1509-0x0000000000000000-mapping.dmp

Download
memory/3344-1284-0x0000000000000000-mapping.dmp

Download
memory/3364-1967-0x0000000000000000-mapping.dmp

Download
memory/3720-1317-0x0000000000000000-mapping.dmp

Download
memory/3932-1836-0x0000000000000000-mapping.dmp

Download
memory/4040-1042-0x0000000000000000-mapping.dmp

Download
memory/4044-279-0x0000000000000000-mapping.dmp

Download
memory/4128-503-0x0000000000000000-mapping.dmp

Download
memory/4148-1906-0x0000000000000000-mapping.dmp

Download
memory/4148-466-0x0000000000000000-mapping.dmp

Download
memory/4252-800-0x0000000000000000-mapping.dmp

Download
memory/4300-484-0x0000000000000000-mapping.dmp

Download
memory/4304-1472-0x0000000000000000-mapping.dmp

Download
memory/4372-1435-0x0000000000000000-mapping.dmp

Download
memory/4380-1547-0x0000000000000000-mapping.dmp

Download
memory/4404-938-0x0000000000000000-mapping.dmp

Download
memory/4468-744-0x0000000000000000-mapping.dmp

Download
memory/4548-588-0x0000000000000000-mapping.dmp

Download
memory/4552-253-0x0000000000000000-mapping.dmp

Download
memory/4680-867-0x0000000000000000-mapping.dmp

Download
memory/4684-1809-0x0000000000000000-mapping.dmp

Download
memory/4688-419-0x0000000000000000-mapping.dmp

Download
memory/4712-1782-0x0000000000000000-mapping.dmp

Download
memory/4764-7555-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4764-7350-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4764-7060-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4764-6966-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4808-898-0x0000000000000000-mapping.dmp

Download
memory/4960-1376-0x0000000000000000-mapping.dmp

Download
memory/4996-147-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-155-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-178-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-177-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-176-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-175-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-174-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-173-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-172-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-171-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-170-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-169-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-168-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-180-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-167-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-166-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-163-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-165-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-164-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-160-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-162-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-161-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-159-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-145-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-120-0x0000000000000000-mapping.dmp

Download
memory/4996-158-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-157-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-156-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-181-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-144-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-154-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-153-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-152-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-151-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-150-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-149-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-148-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-182-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-146-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-183-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-1226-0x0000000000000000-mapping.dmp

Download
memory/4996-179-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-122-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-142-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-141-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-140-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-139-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-138-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-137-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-136-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-135-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-134-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-133-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-132-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-131-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-130-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-129-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-128-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-127-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-126-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-123-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-184-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-124-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-185-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-143-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/4996-125-0x0000000077B40000-0x0000000077CCE000-memory.dmp

Filesize
1.6MB

Download
memory/5032-387-0x0000000000000000-mapping.dmp

Download
memory/5068-1178-0x0000000000000000-mapping.dmp

Download
memory/5116-450-0x0000000000000000-mapping.dmp

Download
memory/6576-7114-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/6576-7104-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/6576-7439-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/6576-7286-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/6724-7091-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/6724-6999-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/6724-7454-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/6724-6983-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/6724-7293-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/7516-6950-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/7516-7075-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/7516-6934-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/7516-7503-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/7516-7522-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/7516-7341-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download