gozi | 83394afef201b339640f94c5d7a054be01a94852edda1efb154de52cd49203e8

Analysis

max time kernel
889s
max time network
933s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
05/11/2023, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Electron.exe
Size

4.0MB
MD5

5aad6da9eb1e06fb7a249afc9f4927a8
SHA1

c603222e26d5f43a1b5f6fc5347f44ca52df0a58
SHA256

83394afef201b339640f94c5d7a054be01a94852edda1efb154de52cd49203e8
SHA512

2b997dea2fffc33720bb400d46d3c41549be4481c6dc0e7016a657bab01cf1b4cf35419ea421231c787ea8e3379b97725ac0766575b51b13f723cf21ec302de8
SSDEEP

98304:CibxzWoWCzGKFeRWCcqnfN7WSxP1l/RcblYTT4ROHiq1mOc9d8:Cibx/WWFCjJWblw4ROCq10

Score

10^/10

gozi banker evasion isfb trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 10 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Electron.exe

Checks BIOS information in registry 2 TTPs 20 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Electron.exe

Loads dropped DLL 18 IoCs

pid	Process
2796	Electron.exe
2796	Electron.exe
1860	Electron.exe
1860	Electron.exe
1676	Electron.exe
1676	Electron.exe
4432	Electron.exe
4432	Electron.exe
3028	Electron.exe
3028	Electron.exe
2412	Electron.exe
2412	Electron.exe
2432	Electron.exe
2432	Electron.exe
1860	Electron.exe
1860	Electron.exe
3592	Electron.exe
3592	Electron.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Electron.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	api.ipify.org
96	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
2796	Electron.exe
1860	Electron.exe
1676	Electron.exe
2268	Electron.exe
4432	Electron.exe
3028	Electron.exe
2412	Electron.exe
2432	Electron.exe
1860	Electron.exe
3592	Electron.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Program crash 13 IoCs

pid	pid_target	Process	procid_target
2440	2796	WerFault.exe	70
4444	1860	WerFault.exe	120
3112	1676	WerFault.exe	123
3388	2268	WerFault.exe	127
96	4432	WerFault.exe	132
4040	3028	WerFault.exe	137
304	2412	WerFault.exe	139
812	2432	WerFault.exe	141
1712	1860	WerFault.exe	143
4548	4116	WerFault.exe	186
2324	4056	WerFault.exe	192
2696	3944	WerFault.exe	188
4516	164	WerFault.exe	187

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133436927281111270"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "6"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e80922b16d365937a46956b92703aca08af0000	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	notepad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	notepad.exe
Key created	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	notepad.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 01000000030000000200000000000000ffffffff	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	notepad.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	notepad.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
2244	NOTEPAD.EXE
4932	NOTEPAD.EXE
164	NOTEPAD.EXE
4576	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	Electron.exe
2796	Electron.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4656	chrome.exe
4656	chrome.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4740	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	taskmgr.exe
Token: SeSystemProfilePrivilege	4740	taskmgr.exe
Token: SeCreateGlobalPrivilege	4740	taskmgr.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe
Token: SeCreatePagefilePrivilege	4656	chrome.exe
Token: SeShutdownPrivilege	4656	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4740	taskmgr.exe
4656	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4656	chrome.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe
4740	taskmgr.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2268	Electron.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
4004	OpenWith.exe
1296	notepad.exe
1296	notepad.exe
3088	notepad.exe
3088	notepad.exe
3088	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 1192	4656	chrome.exe	76
PID 4656 wrote to memory of 1192	4656	chrome.exe	76
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 3268	4656	chrome.exe	79
PID 4656 wrote to memory of 2188	4656	chrome.exe	78
PID 4656 wrote to memory of 2188	4656	chrome.exe	78
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80
PID 4656 wrote to memory of 720	4656	chrome.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Electron.exe
"C:\Users\Admin\AppData\Local\Temp\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 2716
  2⤵
  - Program crash
  PID:2440

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa375f9758,0x7ffa375f9768,0x7ffa375f9778
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:2
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2888 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2880 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4484 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4464 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3084 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3080 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4972 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4608 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3180 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2224 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5504 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5704 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6128 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5240 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3084 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5244 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6084 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4624 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5604 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4592 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=4624 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6164 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6188 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=3068 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=1524 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6400 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6108 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6624 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7000 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6616 --field-trial-handle=1780,i,5843747649684432740,2048669042114604756,131072 /prefetch:2
  2⤵
  PID:1388

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1944

C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
"C:\Users\Admin\Downloads\Electron\Electron\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 2648
  2⤵
  - Program crash
  PID:4444

C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
"C:\Users\Admin\Downloads\Electron\Electron\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 2632
  2⤵
  - Program crash
  PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:4184

C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
"C:\Users\Admin\Downloads\Electron\Electron\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1112
  2⤵
  - Program crash
  PID:3388

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Electron\Electron\PLEASE EXTRACT IT.txt
1⤵
PID:3796

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Electron\Electron\README_IMPORTANT.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4932

C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
"C:\Users\Admin\Downloads\Electron\Electron\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 2636
  2⤵
  - Program crash
  PID:96

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1212

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4004
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Electron\Electron\WebView2Loader.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:164

C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
"C:\Users\Admin\Downloads\Electron\Electron\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 2520
  2⤵
  - Program crash
  PID:4040

C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
"C:\Users\Admin\Downloads\Electron\Electron\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 2516
  2⤵
  - Program crash
  PID:304

C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
"C:\Users\Admin\Downloads\Electron\Electron\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 2520
  2⤵
  - Program crash
  PID:812

C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
"C:\Users\Admin\Downloads\Electron\Electron\Electron.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 2516
  2⤵
  - Program crash
  PID:1712

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:4432

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Documents\meal.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:4292

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Documents\meal.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\meal.bat" "
1⤵
PID:4032

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4312
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3592

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\beec0177129a41a7921c40f01b1fbd43 /t 812 /p 3592
1⤵
PID:3484

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8045121752ee437994872a090f12d7c0 /t 812 /p 3592
1⤵
PID:3948

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Grapes.bat" "
1⤵
PID:4620
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 2588
    3⤵
    - Program crash
    PID:4548
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 164 -s 2592
    3⤵
    - Program crash
    PID:4516
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 2584
    3⤵
    - Program crash
    PID:2696
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:2440
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4168
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:5108
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 2584
    3⤵
    - Program crash
    PID:2324
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:3852
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1340
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1672
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:2160
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:2072
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:2068
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1572
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:2128
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1924
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1696
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1668
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:5032
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:3028
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:3384
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Grapes.bat" "
1⤵
PID:2344
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4324
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:572
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4868
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1564
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:3460
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4752
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1432
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:616
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:2100
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:2728
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:2844
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1848
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1944
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:2852
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:888
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:660
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4872
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1396
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4148
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1300
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:68
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4600
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4804
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:792
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:4852
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:3948
- C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  C:\Users\Admin\Downloads\Electron\Electron\Electron.exe
  2⤵
  PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
f6cc21c211df9e42aa16a6894ea3c71b

SHA1
b4811ce472b8f69efebd1cbfec6c163450259e41

SHA256
f75f91625e679c48cddc0ddf878eac20b983d1039f34b48740f6baea00f8766c

SHA512
e9f065b196a1822e43305696374a87b6a35469d19a1c7d3c8bebf82b0c9fbb0e3b33ebdfa7ccfdc7bb5b067446bf7fc95771a2e58f35138ab2260d07c517820a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
54a614c6acc382bf5ba0c1e2fd8c845e

SHA1
0516050410449e1949f4430799ff9be0e85cb177

SHA256
e003e5869b1c4d863975caa572af2a569ad512f20ae9d8447193cdb24ac30ad6

SHA512
f557cd72779f40967fde4ca7203c875736774c9af2eecd5149eaa6eb7c26f4be04f6ffd0c93af74a5bb231aef1ae7f288a38f9f43676eb59f8ffb4c11eed4623

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d0a98373e15c0401a5e3b7d7e18e33fe

SHA1
dd5338c4bb0b362a22596a370e85a26269731097

SHA256
0b402eb368092142c3e109779746f159916000b83dc171776711a16e8812fcfa

SHA512
bad8805947404e4ed7956f6bdd77edd31de025cb946a73e69d440f49fc3f46ca3718ca48a826a1babf483bf5e72af73db848ba0544327f387b8a5e116eb6cccf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
bb21590329d4bc9e221d9a38771df655

SHA1
68a712ff05bbe4e7b425f367eca1a6d737a7bfce

SHA256
fb4cc49678be59ce67a51db6a5c66530be070bebd43725be3dea85dadeeb0c2f

SHA512
631e202b0a0d6c37e7bc6c34a4c515c9e44f0a9e068b9e6decea3232f2b0dfc88ae1be738ff29d33f0c93fe5def77c223dcb5e04f9d2e344e0976bb354a9b8a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
8fce0f48a7c1984631309535d1090a5d

SHA1
1d4d96f5154b32f90b1a11022310d81204206707

SHA256
906aae887ee91d5b0c5e8d508d441a074c35236452e709a17a22602214220fb9

SHA512
11958b167b3d486272a57eb6a8ec5b9a7e7c532c0e2a8b099ce19e07f62063979df29352f6090ecfe109f66003302bd52282601a50ef7a4dc168a1c34ed9465f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
d03e5498f7dfb049c41489b8413bef99

SHA1
96feecde58aad9aaf8364681ae54db8e5a08c1db

SHA256
622ecf67f17dc138ccf4ea106485d73bb2cedb9d620b923a8a4401c4556b1329

SHA512
b693be17571890e9e3c00fa71e0819e96b7ec3de7f2e33f2d9780693a0360c818cad0c08eb9023b8eb17457c87df69ee16bd507003bbee87f6bad503e269b054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
872B

MD5
cc9020bce447b3e1daa55c7d36cc640f

SHA1
08f7b53031cd1544c7fdfb853afcecc3c8826b9f

SHA256
e4fa89245c2d6021472e5c1120ca25aad5a4f79e212be0169752fe47bbd7e59a

SHA512
2b1c10589eb9deca20a92d822c3f0513daa15f9fe1a0cf8e4a926f0afaac293609517975365033efedf6c4a42fec574e771d6d8b7891d0f625d0048f426f67f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
eadd97632d0c2f4e65ae7399a3d88c9e

SHA1
6d917a057e31009edbbf1afea5d4558db4266865

SHA256
a1cbfde469fdc05a2f4dbe9b27e4aa38f99a639384dbbdaea9b4fcd3ab011607

SHA512
c08c793550395cd25e1beef2181af4f935fb1a0de888af5fd57a32d9eecb80a9937152822e9a3c38212d65a7b37e15c4c5609b2396eaf74ef120a7f47030eb26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
13c4a70281be673abb632a6a0476760f

SHA1
56bb6b529e77ff0338643e19dbdc007a850cf3b6

SHA256
8089d4ed8114c9c6ec178ef1415f546b5541190c78c1e2c5c9f840085471a454

SHA512
c802b779da0c4ac729a54e4276de3bcc272cd10cfc92d4d61adc4ef7e32246fbc208f7f7afaccad3cbf32601f6cbae417da7983aac946871daa14fcbdc4847b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f23d0823fa69682873fe26aeb9577de7

SHA1
82dd8eb10d29a82ad7c54f7e7d32be99feef6874

SHA256
e16ddb7e2599beb3357589371b633ce2342fa35805d2d39647b33f2351999d0e

SHA512
ecca337b3cfcca86f0be5e845350d9ae7dab9d88a762891d8052dc9c6519eb7db0353da40c28f316a409b5540d98f7ee9d1416ae3cebc4583f1b4b46715e9258

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
7724980b3be28a64ef96eeb9596a2796

SHA1
ba585d169df5927aa80da57206dfda0259db7813

SHA256
583261a27857734c72e3d853bf7686a5fbc8b62e1b459f9ec2bfe7fa9b644293

SHA512
95806252391912970345e541ea90441c9697527985e5bfc3be6bfb0ee9e0f4dc6c1b39c85522afd8bb0c5e7fecc435665dded1fe50d8a84741092ef62d1f550c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
534678b0644659a830f8daac005d5c07

SHA1
5087854aacfdfbe50553a391de11b453d2c9714d

SHA256
8bedd2f20dbda14e758954c710b604f892dfe85a1c0e6991578fdaf6e3d3aa50

SHA512
b0d54a976bc5381b7518e06308f14634c6aea8a284feebb52af3f512b21515c3385a534020111d4784f14edcd74cb7aea64d2449716fdcafb60cc049c16edaa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
27b2e009dad526dafaaf1911dbc30834

SHA1
63885dd23ea1a8e6293550f86e242654a1eaca0a

SHA256
be8337e61226196a56db5bc33934a313327ca0643310e639b6caf8374fb8691c

SHA512
be60b8ce8d7354d79d35ed74cfc9cbf10dd60a0163330c65b6aa153690f1a42a618d9a0f118c155a573a04187a7295f5b59c36d25ce319eff42a060a07275f07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
9867004eea717fb30cb301bfc3814eb7

SHA1
1be523e87b1b33b925ec5c79ead9dae8ce7a711b

SHA256
dd4d8711c56fc8a7b3e561b3d4277f37c0473f6dba2a988596fdb65a1970666d

SHA512
8357b19e74d98a74debcc355e6932ca31375e881e321e7a7acc721e4f3e342e17b98d7fd5385a454d2fb09d16eff31ac121632ab4ce7f7d187a5c702b1530fd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9ce08a69202af3482067e772101423a4

SHA1
4e4d6d54bec821d1f0e8b27ceff2eda10715ca41

SHA256
1e7208b7a6ba35ac35ca2e83331ea801c3a0451b252e25a8ebeaa6b1f431ae6a

SHA512
1d7f55e595eb47eea9055145a4a1fd2673e0639e2055fe37a7414140a772d561a01ac2a59ea15de71e9bb3a16fa8a7cde533e9ccf4d1ff71acc6094ccdad7353

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b5a8d574a06df6228c5fc3240db7ccb0

SHA1
5f685b398b47447e8ae300b6de08e4eebcf73685

SHA256
a5a58fa7337a27adb8e3afd78d13618d1aebfc5fd4fd4d967d9ed9a7ada220ea

SHA512
deb579a2daceaeb5f25f2fece44a19a238390fe00dbbd55768f34cdf50bb7756876df77630b9557eb615bb5e245013a7509cdb6b6b3becf62e632e7787e170c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d543f017e53f89f04dd1e440a1fe2572

SHA1
8e893c43b8c53e11f9538f1576080c0f255c87f8

SHA256
18ce30b4a7087ef445a0610cebf35d1a14c9378f2bdc823f74747677178c9a57

SHA512
a58db9c40b52638070c41d2fc4750b66f641ed8b4a556600042e5c626b360e6a78470f21905d2d7ed4d735f8e4d49bb0047aa3ee0c5c2b60c45b761820440b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8f06c8fb80c7ed414fe4da50529db800

SHA1
f4fcf7b0e639437db0fddbf370a5822232684303

SHA256
f7817a24cce0f67e5593e75ccfa142ba3c1aa45c059d3286f75d52222abb519d

SHA512
deaaa7ec259b0ebadc9ce14e988b106b485407e0eb626c3e1db55814d00b8030a0aa9d27c26e9f14854673d8c8881d0deaba7310ecd00ff046f26cc82b792875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b3cb4ff07e6e11d4ec94ba3f8c50d30d

SHA1
fa4055f386b2c95e01e396397aeb8b459d72ff10

SHA256
4aa600b04ce5a250cebd3700bcbbd56d087fcaf9ab3678df62096b665918c0c0

SHA512
2f855ef8925fecf6444e406f48130f07d7cd5a2963a62c8705a72b67039c54e9ea821d301d7b2bf347bfc39306f8c2eaf2f8ee86020b9cf50347983712d87950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f5b41038d6d3d072685d4ec487289ced

SHA1
addc66d04e6222f6abe3788c79dab0b1b44dccf8

SHA256
0660a136a0b76226897cd30d5c371e163320c1296c1b0e4219b32013265306b4

SHA512
5daaaff779125b4209032628263aa2056105c017f75ef93ee1173fb21cb4bd4da0c9c6369714c45d55e852db80669de7a8f4683abfcda19a7974e03b4f589e99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
026cb07c447253d0c493342a19ad76a5

SHA1
84523ea623d86872ccbbae967643147010262ca5

SHA256
1f2e7b46d47a9825dda61b085eb89c00c70ea1b052c32ae2fbb078b9436073cd

SHA512
14f922dffe12d4532448b9a52ebbebb94110b0acf18f1a26975e88093e62d793f6e85ddf7d92c87ed5b4d3e8763681afb8ef9a68331e0bf4d21a80df350e13a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
3b17e6d969639a52f5cda59b8ff9d703

SHA1
7a9d9f1040d0183a19de6efac311087e6d7a6c1b

SHA256
43596fc58491582b530cf6918ee91599791b472a9b3fe94819777def310b9bd4

SHA512
486a6263376da7a9d20ff75e84ce80d0e54d36294a338bd3e3204cb69de37bb936160ccfb3f5c502f83ce3a23ec0709138c64fd5dabae007bc84bec2e5f28c17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
219KB

MD5
40e0b44ee4be3329b458e6638d5f8b45

SHA1
1006720c5cf730a210660e9514f59665ad425288

SHA256
6f29b549fc829d06574e357c93cfa335abd13382d405f00d9ba0903132a65ba7

SHA512
e7b6314f30ddb7eeaeba2d772c429df00bf837cfb18b38282882155b496a01951fcd55e6b722c161655b53c6baeafb71ee5abc5e9c9df368f25db143a10e147d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
219KB

MD5
4b6b0c7488eb8dee134657c79a2865ae

SHA1
655eb18134e3b6189ce4009a367741dfeb3c10f8

SHA256
26c7c4f9079d2fa48d7c7f38c7036aaabc0c45f39c378b7144ccbe359a953c17

SHA512
3f78bd6ecccdc408f800238bc0ef1642404923f66999921d6c6226fe4141fc1a513e9b81d1524d51a2b1f203d6c20bce9df945b09e2175cb0842b916c3e1e331

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
219KB

MD5
5192b1df4d535f226a0e8a016ccdffb0

SHA1
06faa52e975480103cac32e52567c7316a82e512

SHA256
064ea69012452196f766ce1835b1872ed1d5ff17e19924efa47c7d629cd69d26

SHA512
a9b56c029b8e7283ccecae02c1ad190b728ae78f45019d68fc87544a88c7ffc772fbf2f45c8caeff7f50e15ebbfb01da108df0f76c798e33bbb296492a8940f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
219KB

MD5
e45fca2bcca29802a05af20f43af7dc6

SHA1
b3a1d2f711ed23e8ee695103edd7e80ceedff3e9

SHA256
af1bbad6352c025d6800468241664037f029f1b0974db15528acaca3ea818e4d

SHA512
80ca9ba225ff5fc6e8212a6f90d4f200a59977117102299ebbb9c6671fb223894dcdc861ab7c8c7927e27eabbee4a20cda77d6b75a7072be23b826104ea923ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
219KB

MD5
a845e8769916584edb6b0950b17c57a9

SHA1
ab62e9c9022c33d1cca959b5d9d16a7dd34cb6e0

SHA256
4593d358f150ea8ceb93ac8bdf6f1ed1c96aa65cf3b3d862dc0b2647176ad73d

SHA512
4540753321e5c3aa128c9397c52dfbfd5018989f15950b3725ad165c70e0326985078b0a0f4ee3549f7ecba47ab0d98582e4fbca7d7fcf6386adc13041450f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
ec52fa0b85131c69f5e27c8979efb7ec

SHA1
b672a35fa23fc65cb82a72c5337927b0938e6d31

SHA256
b002654e755eb4eab7027561659226d848370d2bd3586bfac17f9aea26348de8

SHA512
6f76d688d823535e4c23afc3f96836a60283196ccadc2fc2e26f3f23bf39f28759ea1de6db326ba1d2de06b40984a87b27e5e456f4b18dba554f420d8d607136

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
d337af203965e1229b648cbe4c0f15a6

SHA1
468748f32982df223faef8acb91e215849237e5b

SHA256
a8cfa7eea81ed8dffc1b16923db611e10c0102c530a068272c3a29b7e74f88d1

SHA512
2ecba9bc7f441a1f1f5e7b8ad3b102f372ab8eb13e18e0846b65cea8cb31d645673bd391588dc21f9c0c303e773cb07b38a3ef7c552f95e1285b0163b119b186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
d6ce17a18ab0b6e26ff1f5e300218acc

SHA1
2b0a80040135c644db2952138ef7b20e706f27c4

SHA256
9f9d574a932b035bda1052a6ed25f183cabaf5421432452dff0037f2276bcc0c

SHA512
12e6512ee0d2d94229919eeef14ec7cbf92dfdf1f46f0f51195980545f7492a5e8d4513dadf71e7d3190087f714165e3bcbeac977dc046ccc645972172d3c21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
5976a96cdb484a9063b9f42705ffb874

SHA1
b0d03240ef929e85352c247243fbde5345e685e3

SHA256
4e4d30115d247093a49c0098db696de2c63906f1a102a65099878ac9969cdb9a

SHA512
65be464db327e123a2e7fbbfdde9b38a193aa8a722045e2ebe3c49c0bf627b71b1603b5326a53752e3490ce631377c661410a479fa20b104350ee76471454062

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe590882.TMP

Filesize
93KB

MD5
1d79b2a1e715decc9ccc91166e099075

SHA1
bf1d1194d7f0e59875d3440b1870d7300f57451c

SHA256
a68e7890c364db22f0963c34609499ce27c6e60fcac45f39597c80449c600510

SHA512
c8d2cec5b80cf9dbe28d24b687a3d637f6a6a6da79792197d8b73afffb8211bdafd3e4e3195439ca1a3d438fac186bf464187c2f958b7717df127a0c41128bc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
2b263ac12637062029283e2858ddff76

SHA1
48c6221dcef1496d4f524dbde57355c215b2c2ae

SHA256
88a667546c4b0f577445094384a3bafa1f1d83cc410aea75673f879732cc131c

SHA512
bcca9116ae49e7b3266f3e42d9a638120b7d5461549e273323f6238bcc921a81e0abd82df34274b82b350360b4a89667bc9895c6f3266b0c9a3ff47641ab578d

Download Submit
C:\Users\Admin\Documents\meal.bat

Filesize
87B

MD5
2ba356f1ccc5b66f194ba58d2a0633b4

SHA1
d1aa93d425c769015ede1c6b897e0b1bc6cc394d

SHA256
e071d1d67da0c279085980d1e03bb647c64584f83d68adf00b11045516564db2

SHA512
ca61723f6210338f101b46a77e3b9f99c00c80258c7026382673d3dbcaea0b0f563be6a1ca010f9dc9862ca8fd5ab4787e3cc39cff222ddcdaf199fae653c5bf

Download Submit
C:\Users\Admin\Documents\meal.bat

Filesize
87B

MD5
7971aa3cc1d01ccbad6aafee79bef9c4

SHA1
0e91aa4ac8c57b2d14afd0c62ea978cb283502d9

SHA256
9d225edddbcea632598896c03e09f0a5f20f53aad064ef60321f58cd3e61a3d2

SHA512
18142f8551a7eba64d6b21fda229b4291130b4fe30bd1f4ba85a8276812e178b4d7ac69c8a14017b0ef03704b03712b6757088efa68a565f399698abea9a20bf

Download Submit
C:\Users\Admin\Documents\meal.bat

Filesize
94B

MD5
68e83b43cda7a8820fa4a7891fcc6e09

SHA1
6f0f245b4fd669efe8acb21739695b43794cc2d4

SHA256
a35ec168e10d3e33b69b309eade194e4f56217d78e4da7f5c7cdc3a99b9e58bd

SHA512
69fa7741de7d0cece173bc9cea93f3bde8b7bffe82a23fa11a8c4c666c60b1cc6366238c9bfbb76651f2e14cc90d23afd5f4a12116344c48cdb68253937ebd8d

Download Submit
C:\Users\Admin\Downloads\Electron.zip.crdownload

Filesize
3.9MB

MD5
e4f7021381d73388b2ba9ccdff4c7338

SHA1
a2a5451492e95d31d638eab0b380ea668f937d87

SHA256
e89d3160f87ebffc0394b1f40d13795aac1a7187e732f3ae634427d5995f6f92

SHA512
3d5a40a74e38940ec2bfe0cf392b642c91be302d9c3ac2672ebb80f2d64b52613ecce6d20cf8f7ce7f46c66fe620e89468243b7f0156ce1500f1961253675707

Download Submit
C:\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
C:\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Wpf.dll

Filesize
42KB

MD5
240bd782a3480dee44dbb4632ddc7240

SHA1
590e339cdfd0c90ff57f2e05e2c7436d947d8c17

SHA256
034872ce8a62bd5d7bc1627058cb0b16435e895e398ea5ad0d6b0114b4eedffa

SHA512
03e74d8263b0e71af812338823f26efb2f45f99ac73011083d63c6c20ffec79b8575836564b09ecd4c0532565cdc0daee53bed40b7eb7cf47a685123e20d461b

Download Submit
C:\Users\Admin\Downloads\Electron\Electron\WebView2Loader.dll

Filesize
112KB

MD5
5b17da9adfc5a07fa499dded4fd52747

SHA1
d1c37478f1029930a03b6bc195c8ef7093ac49b1

SHA256
9d5918cec81470225be7478c7e092c24f248e8caa824d667fb57431cad94be71

SHA512
f50196d520d77b920c32a12e6c6de20a2dbdf84c88e2c66e086813017a2bda909caa1aabfb4545de4f2b8cd23f2dad1e10b1571abdc62524d44bcfb355ef5432

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
\Users\Admin\Downloads\Electron\Electron\Microsoft.Web.WebView2.Core.dll

Filesize
418KB

MD5
f342d254fdd33e76b2fd6a3f8b517de3

SHA1
79c91621ea96a6635e3934e9b46dcf23d1fc762e

SHA256
8ccde337ed97230a54e20db8608e3e74e6dbe3f4d153846a07484c2fa5ae596a

SHA512
618963615db38d9ead4855555e7ca7558b0f3c9cc425a950e3f3457d49a5b50645fc9718a0693398d07bc1d822067e9fd8289d45f889586884daf25aedeb6cba

Download Submit
memory/1676-725-0x000000000AAD0000-0x000000000AAE0000-memory.dmp

Filesize
64KB

Download
memory/1676-726-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/1676-728-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/1676-730-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/1676-721-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/1676-720-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/1676-719-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/1676-713-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/1676-712-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/1676-711-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/1676-731-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/1676-709-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/1676-710-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/1860-675-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/1860-688-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/1860-703-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/1860-704-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/1860-707-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/1860-708-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/1860-700-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/1860-699-0x0000000009EE0000-0x0000000009EF0000-memory.dmp

Filesize
64KB

Download
memory/1860-689-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/1860-701-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/1860-687-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/1860-674-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/1860-676-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/1860-677-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/1860-678-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/2268-859-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/2268-860-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/2268-856-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/2268-863-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/2796-6-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2796-40-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/2796-21-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/2796-27-0x0000000009DC0000-0x0000000009DC8000-memory.dmp

Filesize
32KB

Download
memory/2796-28-0x0000000009F10000-0x0000000009F48000-memory.dmp

Filesize
224KB

Download
memory/2796-7-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/2796-19-0x0000000005590000-0x0000000005A8E000-memory.dmp

Filesize
5.0MB

Download
memory/2796-5-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/2796-4-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2796-0-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/2796-8-0x0000000077124000-0x0000000077125000-memory.dmp

Filesize
4KB

Download
memory/2796-17-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/2796-18-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/2796-55-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/2796-54-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/2796-1-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2796-2-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2796-29-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download
memory/2796-33-0x000000000ADB0000-0x000000000AE1C000-memory.dmp

Filesize
432KB

Download
memory/2796-34-0x000000000AE30000-0x000000000AE3A000-memory.dmp

Filesize
40KB

Download
memory/2796-36-0x000000000AE70000-0x000000000AE80000-memory.dmp

Filesize
64KB

Download
memory/2796-37-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2796-20-0x0000000005A90000-0x0000000005B22000-memory.dmp

Filesize
584KB

Download
memory/2796-41-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2796-42-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/2796-44-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/2796-45-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/2796-3-0x0000000076FB0000-0x0000000077080000-memory.dmp

Filesize
832KB

Download
memory/4432-867-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/4432-866-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/4432-865-0x0000000074AF0000-0x0000000074CB2000-memory.dmp

Filesize
1.8MB

Download
memory/4432-864-0x0000000000400000-0x0000000000EBA000-memory.dmp

Filesize
10.7MB

Download