eternity | hxxps://www[.]upload[.]ee/files/16777205/CrystalProxy[.]exe[.]html

Analysis

max time kernel
405s
max time network
404s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.upload.ee/files/16777205/CrystalProxy.exe.html

Score

10^/10

eternity stealer

Malware Config

Signatures

Detects Eternity stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000700000002343d-134.dat	eternity_stealer
behavioral1/memory/2036-157-0x0000000000550000-0x0000000000650000-memory.dmp	eternity_stealer
behavioral1/files/0x000600000001dabe-469.dat	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Executes dropped EXE 16 IoCs

pid	Process
2036	CrystalProxy.exe
2212	dcd.exe
3236	CrystalProxy.exe
4996	dcd.exe
2036	CrystalProxy.exe
2232	dcd.exe
4416	CrystalProxy.exe
3060	dcd.exe
4648	CrystalProxy.exe
4712	dcd.exe
4268	CrystalProxy.exe
1640	dcd.exe
388	CrystalProxy.exe
1700	dcd.exe
2536	CrystalProxy.exe
1812	dcd.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635403428818828"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByDirection = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874385"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Mode = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "3"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-52#immutable1 = "File History"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\eter0_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\LogicalViewMode = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\eter0_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-1#immutable1 = "Network and Sharing Center"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\.eter0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\IconSize = "48"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39080000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\LogicalViewMode = "3"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5076	explorer.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2692	chrome.exe
2692	chrome.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1912	chrome.exe
1912	chrome.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe
3176	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
5108	OpenWith.exe
2980	OpenWith.exe
1532	OpenWith.exe
1576	OpenWith.exe
1424	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeDebugPrivilege	2036	CrystalProxy.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe
Token: SeCreatePagefilePrivilege	2692	chrome.exe
Token: SeShutdownPrivilege	2692	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
2692	chrome.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
4468	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe
1668	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
5108	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2740	2692	chrome.exe	83
PID 2692 wrote to memory of 2740	2692	chrome.exe	83
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 428	2692	chrome.exe	84
PID 2692 wrote to memory of 2964	2692	chrome.exe	85
PID 2692 wrote to memory of 2964	2692	chrome.exe	85
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86
PID 2692 wrote to memory of 2768	2692	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.upload.ee/files/16777205/CrystalProxy.exe.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad3f7ab58,0x7ffad3f7ab68,0x7ffad3f7ab78
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:2
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4024 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4360 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4712 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5068 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5156 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5544 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4872 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5716 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Users\Admin\Downloads\CrystalProxy.exe
  "C:\Users\Admin\Downloads\CrystalProxy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4220 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=2276 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5964 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3240 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5572 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5628 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5068 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=1884 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4224 --field-trial-handle=1900,i,4726115719747192072,5537307313655537860,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1912

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4244

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3492

C:\Users\Admin\Downloads\CrystalProxy.exe
"C:\Users\Admin\Downloads\CrystalProxy.exe"
1⤵
- Executes dropped EXE
PID:3236
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4996

C:\Users\Admin\Downloads\CrystalProxy.exe
"C:\Users\Admin\Downloads\CrystalProxy.exe"
1⤵
- Executes dropped EXE
PID:2036
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:2232

C:\Users\Admin\Downloads\CrystalProxy.exe
"C:\Users\Admin\Downloads\CrystalProxy.exe"
1⤵
- Executes dropped EXE
PID:4416
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:3060

C:\Users\Admin\Downloads\CrystalProxy.exe
"C:\Users\Admin\Downloads\CrystalProxy.exe"
1⤵
- Executes dropped EXE
PID:4648
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:4712

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:1668

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:5076

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:4160

C:\Users\Admin\Downloads\CrystalProxy.exe
"C:\Users\Admin\Downloads\CrystalProxy.exe"
1⤵
- Executes dropped EXE
PID:4268
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1640

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CrystalProxy\" -ad -an -ai#7zMap7053:86:7zEvent20612
1⤵
PID:1716

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CrystalProxy\.rsrc\version.txt
1⤵
PID:2180

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5108
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CrystalProxy\.rsrc\MANIFEST\1
  2⤵
  PID:1808

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2980
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CrystalProxy\.rsrc\ICON\2
  2⤵
  PID:4336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1532
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CrystalProxy\.rsrc\GROUP_ICON\32512
  2⤵
  PID:3996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1576
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CrystalProxy\.eter0
  2⤵
  PID:4492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3620
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\CrystalProxy\.eter1"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:680
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=57078F3ACF218F983186B87A3F670211 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3184
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7A182F3DA15CFF10A95E1DECDB5C55CA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7A182F3DA15CFF10A95E1DECDB5C55CA --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:724
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=653DFC112A920D98407A3CF24769F746 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2536
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=727D66AFB859468D8FBFF963132A90A5 --mojo-platform-channel-handle=1972 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4368
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A416E2D80E04103DF22FCA8A0E034507 --mojo-platform-channel-handle=1980 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:836
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3D69F407B7992E5177992EFBB3AA540C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3D69F407B7992E5177992EFBB3AA540C --renderer-client-id=8 --mojo-platform-channel-handle=2132 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4428

C:\Users\Admin\Downloads\CrystalProxy.exe
"C:\Users\Admin\Downloads\CrystalProxy.exe"
1⤵
- Executes dropped EXE
PID:388
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1700

C:\Users\Admin\Downloads\CrystalProxy.exe
"C:\Users\Admin\Downloads\CrystalProxy.exe"
1⤵
- Executes dropped EXE
PID:2536
- C:\Users\Admin\AppData\Local\Temp\dcd.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
  2⤵
  - Executes dropped EXE
  PID:1812

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\CrystalProxy.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1424

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26083:86:7zEvent17368
1⤵
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
67ad1c8199df3a56546419dc02286cfc

SHA1
582a0149b3067be9b9ec13b507e5a8399ca29e52

SHA256
c2c27f56b62da8f6bdb32b6ad68ef386e5e5c15ae5d02db9266304853dfd41c7

SHA512
074c74bd5c9c70069e1e45e6cc62ce8793b7d32f90870964741fa5b59356d5f27ad27ae503ae02a630e011241cd16728293ee85d1f1ca58092d0ee8d1cf5d293

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
c9fa90fb9c2a1c15ddec0a9e65995654

SHA1
df511427febf613116847d0b9744e3ba2edc4426

SHA256
8efbe8bdc256d735fadf3861a6869b3e91cbb380b8c69decc77da2ae45c97126

SHA512
0613275561a929a3e66a3f44089a44c7dd85300cc850226b89db1adaf1b06536032525de721ab5ca4846dde613b505e33e00140f0a663db8569c17ba4548ca7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
3270061d4f0d2e63122bf451a7f47d79

SHA1
311afdc3ae3bf61f761d84950b571deb123e4896

SHA256
7df61001a3f140726632bcf1f883ca6ca5495fc8a1ccc5903c111bb523e3c352

SHA512
4feaba9516854dd8d2e97ae6725dc4e50ee08726b040df50dc913c152b7e4c599e78cb3ee1d3f0947797e5d084ad5850c8510aa3a924aa676d617b29296d3ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
6444eba18ca33c67f62d59ee1d0abec1

SHA1
7d43f3d11fc2d987b8ffa45d9c1deca5493e1c35

SHA256
7ce4aabd79707f81a9b0a6c5f974fb4f818efa26a272ce2bc63b22ed98582270

SHA512
847d37936fe4d393b1a99536aca8c1a22030546bfd8c01075bfd1f77aff0fec7b8818374b1b95fd008df6fcc74b16ac5b1e220add5b91157c95b03a05254254e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
b0a0c78a24a42a4079ff1b521aee4b45

SHA1
fbfd9dbed47b764177a434369bb6a07b36e30dc6

SHA256
ff88cd1004a440dbebceeb1e4abf64ede20bb1fcc6cb7f9e4f501f5cf94a14fd

SHA512
0b93496bc6e07cf63a07b804ac4178a37fee37a419657c8ee6eb0f9769c89a45ce8ef43eb2052563c21334bfbb63cbdf8f650a364a23fb1f594298c83c1d9c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
cedbeae23fbf4ccedc4d0b56701490c0

SHA1
414fa6409f755e47ce29d8024d2db3e91ad7f9bd

SHA256
5b8d247596035f0c065b32e2a4c9433abbd8b2383300d3119687d7dd8e815cbc

SHA512
5487f4ea3c6e6cc9aca5882f61fa8b0e15d34b422210dd318103b9fc7ee568f52959c89d7db41eecb55c1ae3b2aae16d9499775527aaf2f98d00730bcb5dc16d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e78f6e1a0dded01a447353037a95f849

SHA1
718d3fc4dd5650ffc9d7771b062a9ab4d840d686

SHA256
6a2e1595b3f6e1d93edc05a949acf2b68525901ae94cfa7af48892680d0d59dd

SHA512
9df237a508325113f246529e4a7d23797fe2630283ce3491283a1ca48924b8a0cd12a839a31ba65713967f090dffe89819e918b7fb10fa8f66d91ba7867b7506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
366e14a2b655186a27f3b03d485ac100

SHA1
b4206e9ae94ac5ef3573aac64f18eb1134c85f20

SHA256
b55bdf1e43b6e1261eb6d6ad1f944c22e2cb98f45e6e6467de7164d89d510223

SHA512
99c744912b6dae072657bc15ab8c0df9d37327ef97c21a9053daee111a3fd0d646d9456fbd6aba201be9f4ba17db501e07ee1df2b093544776e828c6ceb3e443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
873e74f4a688fc1afa3fe8a71ad24f74

SHA1
dad98dbddf3bb4a4a474e0b190091e089dd92061

SHA256
11f172c74bc69ca22315aa3963675a8bd49ec5d5520b4753d0685e79763d936d

SHA512
43b6556c9cbd5362c9c2ee9576267b5bb9d32baf5e2052eb34cc6a0cdcbf95bc086e6e4ee5d9224e8a4112b85f359985350cef4bfd74b1a277dde7d36533dd28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6c36fa841a4b6f3e31170f9136d31ed6

SHA1
4dd0e14e4cd6b074aaa76e30683c4f4718de76c4

SHA256
07707182e96399139a04e56db9daa2242ef8aa680048d418385b22e184d31378

SHA512
6f7abc0bf1f503c1fb2d0159c03bc277803186bb63f6b4bd4d1df44b954e2dec5688314456c11b34cffad3f0cf538f582f3028f14bf950c351a8c31728a6d737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fcb5942ac0eaa7805fdd3cc08ad10f29

SHA1
17904c4f69b31d42ecc4dea5812e270b7e58b806

SHA256
5c9600953e11bebd7746566df0e5125d84c5a02ff6423ab37afbac7b4c8c3c97

SHA512
10132e489ec8a08dea20973baa20a285e40c23126e0d3d1e9baf7a3611190225cfdce6c2dcb26bfa87cc6560bc428dcc1d5cec0410232570909657611520e509

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ec428a0ab62c33389cf7e8ff46cf0000

SHA1
f059772e48fbbd1f54827ccf5029006e0153d5e4

SHA256
ac708449e5bc28f51e15ac1963d81842cacabc3fa594828fab1e5b4bed608fc3

SHA512
fb022e1a42632096f345a85fd67ea0de4375871333769b3822e87363ca4381e704f80e1ee8b673f5efe3fd9310fab870d406aa0d9f2cb8a9d41964ee6bb29f17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b9ee76a8fce688043994bc2f5c49bdf8

SHA1
64128a01001554f80c38a3d1860ce8d7f4db1517

SHA256
c2249639dd774954735ca44282e97dc8a7d547a5388492e360b3240af6b863e8

SHA512
f7aed0a96dd1e743650c6ca19d15a0e659e7043537760876a1bfce2f22ff0eccbcceb68560342048bca3f0dd107271de9b470d4a51b53e878f5fc7ceca4a169e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9e8163b907b350eca9e503e38f7a066f

SHA1
0ca930114473976e0be5ca948b814bb9464ada9a

SHA256
fd8c435d6f4f1f5b60a8128077aeff029da3fa4fe2d8120d9022083a559d9d56

SHA512
68787703f740645a46e8253ae9556337cf9f52e8a2dd18c3aa13ea6e8f37f910ba2ff5b2a77564b5137ad6d31cf64a18ba22019e2fcd02369c48f4d12fdcbedb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ccb4dcde7893f2cadebf165a5453740b

SHA1
2947926e0cbb24c6f0dee9fe08a65392fa284032

SHA256
ed0495df4cb468297338e13d00e24b023b156905ed6645e1d2116758b64be954

SHA512
6a6795c9e8e5b5d28ccf2f8752718076f850ecda08832a5117fde13e2aad801776252d104edbce0a6840f94bb27adddbc0ccef3699aaabfe35130c2063652329

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
152f397540e5dad30df47029782c9c6a

SHA1
6a0e83d62f0ba286beadfaa0feb833f582b70bf0

SHA256
0ec12819c64bd8f6fe80da724c100199f0483ef94d2c34d6b1404d4f6ad8a93e

SHA512
98cba27568888b3b3415463962ffb0d89a5a36f556a311e1d37220b9374b92b7733daab2e596b7c9f08a23b87b188a7acad33ddd41255ddac270189c6859c8dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
37ac446d6fc1270778be3dc6f6e8452f

SHA1
56c58159e6477404cfd53719261656ee7841e675

SHA256
5067e6665581697654f9576250b78b15dd2d5a8a2e76ff0d29142ab8805bada3

SHA512
dc89651e4b8028f9e9f4d055568a1e372029a632a13c3d76ae9e2efd73747d4b2289a57320944aa84703d4c3d569f6b485bbc60e81c1bec2fe0fff550344e0e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2b97531d89a8fb040e48f9f071562660

SHA1
b84e5e49e3506df19b5157018c6e22bd2b39bab6

SHA256
78fcbec77ee2b0a82cb4d2c2f84954c78d920e9ecb443cbf183a6b7f9df09ac1

SHA512
48fcc34e8881095282843713f2aba98865e5983de3029b36a8c175cfde1bcabaf1e595d83894c3a5b087dab1bddb7596bb39410455363751bdc8bc39015dd2d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
0ca5ef5e84e5eea4927d45962bda33ee

SHA1
0de616619e59cdff022832ecd3fd324c42acff06

SHA256
ebe2ab9220be817c883be38b9de9545ab6d51658d6e54cef20d499d33a5787ec

SHA512
df83e8978b7576e77166a66b089170034a975eb9dc10c11278873030fd5f7ba932133fd8a33af5890d179ee9258bcef2d60db22ed6ea680eb80004fd7f5097fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
c0a1058d46af83574970c240a5c251e4

SHA1
2752de795bd7f46fdf6cfe7e37a5364059f953da

SHA256
e9786349a5a9f0df2da3526d6e9f8c1e3c609d3fe2013c47dd9d248c15095d75

SHA512
558d807aeec7a78d126f5b0217e26afd7e493dfc88dd8a53ec537491b817509e3b8e69d67159e0b057df9b99ab2f3638354da979ca1c0b47b212d1256efc1d7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
ab3ae122ff2289637f7bad5ed548b54b

SHA1
7765c47fe7295533d307b58a11dfc8e4b4ceab70

SHA256
df335c51225378edc28f0d6e030343dac5a7e17e905196ca7fe8753e637166d0

SHA512
0e62a52ad5ea3ab988384a8da85e4a155ea308fa9be73d9ffcb9168e5cd7115b5210b55063ed7f35f398665fb24a53457bfc0ff269a1859cf7102ffce88f7d3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
924fbb74f2deeac30002ef2667187958

SHA1
59794e04397ac6aafbf11ad3343391c0d320b172

SHA256
3cf1905c37af0da18c818f8c14685d18119ef81711d718a023a439d830fa0cab

SHA512
b6ccd02164cbb202f415fa51bce971813e2d2e21459256772d0ca137c9d56e08937e2689cfa4fed22257e8c99cc674a8e3be7feda21c131c3f2e4bdc8ad391dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
c7c4af1de2130599d5b0c13ecc9a38e9

SHA1
b96e9b448e0804ee381152b440838b94d1ec4c84

SHA256
d343bc6fc7a0927dfbbfcd7e0c581cc576a7d127309d85347693a15c2b34ab6e

SHA512
cb3f2b99642513e3da7fd6b7ff817fcab66e27dcc18e1ad94b985394e672048ef370b7e2eec5790fdd98a425a72dc8eb76e6d9aaa64f7c7b3b74679a6829dff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57c6bb.TMP

Filesize
96KB

MD5
7a7d5d53c96b20ebb96426b3ce3a7c6a

SHA1
34b04c641ae427ed8e011ca88c80398c95b4c98e

SHA256
97986206009a54fe08c2d3b2fe95f1f0014e775febe2783f49c24ea5e1d6aac6

SHA512
c560199f13b323a5e52d9978b3bd9c4319c743ce03dba40179df1fb36e31c31e8139588d9b074b1f063b0bb1c0ca9587358e4e28e230043e7c7eb47443ead3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\Downloads\CrystalProxy.exe

Filesize
1.1MB

MD5
0ea2a69c8b96207ab3765f1c494b9b42

SHA1
85d35dda29d09788e545a2ef48e7a9ff05f508f2

SHA256
63c450f49690f5f67c3c2cf5a8f8cb4e5b9fe0de876cbe0af28f326bde1cb5c2

SHA512
97ea3bd68eacfd6dab02954047342f1098e3175bfd84dad629147ccfb22f658da005d51756471371e58261b252938bb25c9e4f38d963eba1540fb390c749e53b

Download Submit
C:\Users\Admin\Downloads\CrystalProxy\.eter0

Filesize
442KB

MD5
03609ceed6b0718dcc6524b2a6d846d0

SHA1
44e75082c5cca3eb073e830b4f4e9fb563229690

SHA256
de70d621552ddb84ab397a13df08a042f549d759cf378dbc32731dbf4133b267

SHA512
5b1426e1743028a8c8097d7ddbf9225882cb500b217b217857680ef520df46df4fe88760d4c305e1166813e14c4ddacf06468ae2f165742750256c5cedcbec73

Download Submit
C:\Users\Admin\Downloads\CrystalProxy\.eter1

Filesize
173KB

MD5
0ef6cc70389e3173b1077a1524f308cb

SHA1
117929a0cff61774c99d482d835f7e90f650ee9e

SHA256
374b53e2fa31fedca2c6b418ad551c382e8a41c0b666397a681d44772ef94324

SHA512
56dcc3f68e6d7766489b5f75b699e2e833e6105fda424d0ffd8524a091d0e31bbb0fcfe9267d5a19de1636cc746a0b63a4765045e3a09cb0000ae36440cfc791

Download Submit
C:\Users\Admin\Downloads\CrystalProxy\.rsrc\GROUP_ICON\32512

Filesize
20B

MD5
a3215d066e9b1c60c7e10263f5e3645a

SHA1
048f7cd4dca4be603f9cea80988e70ed30672e68

SHA256
29bf6b99a15a9cef81c4c815cd8b45f4441f48e105bccd94513bfd12e6139d38

SHA512
74daf6db140f9968b5946e00e42580acf6ec971b484124f71e7def26eb3f52f5bac257dc0cba2e55cad810acfbd2ebdca3df804fa97b934116e3d3ffde85cf65

Download Submit
C:\Users\Admin\Downloads\CrystalProxy\.rsrc\ICON\2

Filesize
104KB

MD5
d44803397c4fc9e42fe3266b5fb0fc85

SHA1
7a52b865f01a46acfec987132754582af2a961f6

SHA256
189380a77f5ece75b93bc08c7488c6141f28fefd8a1422f22e656989596e516b

SHA512
bb8391d87eb9292f1ec617213db0d2d75b342a961b045c2ee1f625908a2f3d4c4aa8533b1fa2c89de359ba565329da1254ec465ef234733e72d15dfb2dd404f8

Download Submit
C:\Users\Admin\Downloads\CrystalProxy\.rsrc\MANIFEST\1

Filesize
479B

MD5
f8c1ec655694857b59693bd9af0eb04d

SHA1
b03f97c7cd7214aff3ce98c28be9cf77ced47fcc

SHA256
82e29455def142c8dfd8c6297592ddccd92c78d424904be21032e2c90ba51bf0

SHA512
07c8e6a5e9d3b3757c5da570c8a98b1eed339b9b38a7d17786f662a4c4ca09f5119a8a8286c29d6143fda879224868ea91023867a8d391460a6484f1729d4801

Download Submit
C:\Users\Admin\Downloads\CrystalProxy\.rsrc\version.txt

Filesize
1KB

MD5
ff532a14f761d146a4e5fee28a98ca75

SHA1
29090ca11900ef89302d5577c85c66d2e19202a6

SHA256
5e29bf7f47c82aa17b9a4a4319c3688cc3e6bdd686f7d76bfeefc71fdbab3dbf

SHA512
9f87d551da0f2c066fb53a5e47176a932b441db7c59965caf97ce52d7c33b76feb8db55b856c175ab0aa859b9b96b1c21b2251a3cece7f7faa4b9a50d863b366

Download Submit
memory/1668-413-0x00000251B49B0000-0x00000251B49B1000-memory.dmp

Filesize
4KB

Download
memory/1668-411-0x00000251B49B0000-0x00000251B49B1000-memory.dmp

Filesize
4KB

Download
memory/1668-412-0x00000251B49B0000-0x00000251B49B1000-memory.dmp

Filesize
4KB

Download
memory/1668-405-0x00000251B49B0000-0x00000251B49B1000-memory.dmp

Filesize
4KB

Download
memory/1668-403-0x00000251B49B0000-0x00000251B49B1000-memory.dmp

Filesize
4KB

Download
memory/1668-410-0x00000251B49B0000-0x00000251B49B1000-memory.dmp

Filesize
4KB

Download
memory/1668-415-0x00000251B49B0000-0x00000251B49B1000-memory.dmp

Filesize
4KB

Download
memory/1668-414-0x00000251B49B0000-0x00000251B49B1000-memory.dmp

Filesize
4KB

Download
memory/1668-404-0x00000251B49B0000-0x00000251B49B1000-memory.dmp

Filesize
4KB

Download
memory/2036-165-0x00007FFAC0B10000-0x00007FFAC15D1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-160-0x00007FFAC0B10000-0x00007FFAC15D1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-156-0x00007FFAC0B13000-0x00007FFAC0B15000-memory.dmp

Filesize
8KB

Download
memory/2036-157-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2036-158-0x00000000028A0000-0x00000000028F0000-memory.dmp

Filesize
320KB

Download
memory/2036-159-0x0000000000F60000-0x0000000000F9E000-memory.dmp

Filesize
248KB

Download
memory/2036-166-0x00007FFAC0B10000-0x00007FFAC15D1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-167-0x00007FFAC0B10000-0x00007FFAC15D1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-168-0x00007FFAC0B10000-0x00007FFAC15D1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-169-0x00007FFAC0B10000-0x00007FFAC15D1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-170-0x00007FFAC0B10000-0x00007FFAC15D1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-191-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download
memory/4468-192-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download
memory/4468-193-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download
memory/4468-203-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download
memory/4468-202-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download
memory/4468-197-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download
memory/4468-201-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download
memory/4468-200-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download
memory/4468-199-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download
memory/4468-198-0x000002B5E3530000-0x000002B5E3531000-memory.dmp

Filesize
4KB

Download