rhadamanthys | hxxps://www[.]youtube[.]com/channel/UC0G6UimTOf4mIRvW11yPZXQ/about

Resubmissions

12-09-2024 04:15

240912-evq6ra1cjd 10

12-09-2024 04:12

240912-es1mea1bme 8

Analysis

max time kernel
170s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/channel/UC0G6UimTOf4mIRvW11yPZXQ/about

Score

10^/10

rhadamanthys xmrig discovery evasion execution miner persistence stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

w.exew.exe

description pid process target process

PID 4172 created 2928 4172 w.exe sihost.exe
PID 1416 created 2928 1416 w.exe sihost.exe
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 4172 created 2928	4172	w.exe	sihost.exe
PID 1416 created 2928	1416	w.exe	sihost.exe

XMRig Miner payload 15 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4400-690-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-688-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-685-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-692-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-689-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-694-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-696-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-698-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-697-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-700-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-699-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-691-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-687-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-686-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral1/memory/4400-714-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

396 powershell.exe
1988 powershell.exe
2588 powershell.exe
2644 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
396	powershell.exe
1988	powershell.exe
2588	powershell.exe
2644	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

HealthTool.exewww.exewww.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	HealthTool.exe
File created	C:\Windows\system32\drivers\etc\hosts	www.exe
File created	C:\Windows\system32\drivers\etc\hosts	www.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 14 IoCs

Processes:

w.exeww.exewww.exeHealthTool.exeWmiPrvSE.exew.exeww.exew.exeww.exewww.exeHealthTool.exew.exeww.exeWmiPrvSE.exe

pid	process
4172	w.exe
1664	ww.exe
400	www.exe
516	HealthTool.exe
720	WmiPrvSE.exe
1416	w.exe
2588	ww.exe
628	w.exe
2924	ww.exe
748	www.exe
1672	HealthTool.exe
4724	w.exe
1524	ww.exe
1684	WmiPrvSE.exe

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	process
2376	powercfg.exe
4172	powercfg.exe
3340	powercfg.exe
4420	powercfg.exe
4572	powercfg.exe
1164	powercfg.exe
2800	powercfg.exe
4444	powercfg.exe
5068	powercfg.exe
3472	powercfg.exe
3524	powercfg.exe
2308	powercfg.exe

Drops file in System32 directory 5 IoCs

Processes:

www.exewww.exepowershell.exeHealthTool.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	www.exe
File opened for modification	C:\Windows\system32\MRT.exe	www.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	HealthTool.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

HealthTool.exe

description	pid	process	target process
PID 516 set thread context of 2604	516	HealthTool.exe	conhost.exe
PID 516 set thread context of 4400	516	HealthTool.exe	explorer.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3108	sc.exe
4488	sc.exe
2940	sc.exe
3256	sc.exe
5088	sc.exe
5044	sc.exe
3004	sc.exe
4660	sc.exe
3300	sc.exe
3604	sc.exe
2084	sc.exe
1444	sc.exe
2148	sc.exe
4776	sc.exe
4540	sc.exe
1692	sc.exe
4592	sc.exe
4860	sc.exe
5092	sc.exe
1164	sc.exe
2604	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

w.exeopenwith.exeSetLoader.exew.exeopenwith.exeSetLoader.exeSetLoader.exew.exeSetLoader.exew.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	w.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705881803465902"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Modifies registry class 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{36ABB549-0FAC-488D-ACCD-38BBEC37ED9B}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2376 schtasks.exe

pid	process
2376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exew.exetaskmgr.exeopenwith.exeww.exewww.exepowershell.exeHealthTool.exepowershell.exe

pid	process
4428	chrome.exe
4428	chrome.exe
4172	w.exe
4172	w.exe
3980	taskmgr.exe
3980	taskmgr.exe
4172	w.exe
4172	w.exe
3980	taskmgr.exe
3596	openwith.exe
3596	openwith.exe
3596	openwith.exe
3596	openwith.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
1664	ww.exe
1664	ww.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
400	www.exe
400	www.exe
3980	taskmgr.exe
3980	taskmgr.exe
400	www.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
400	www.exe
400	www.exe
400	www.exe
400	www.exe
400	www.exe
400	www.exe
400	www.exe
400	www.exe
400	www.exe
400	www.exe
400	www.exe
3980	taskmgr.exe
3980	taskmgr.exe
400	www.exe
3980	taskmgr.exe
400	www.exe
400	www.exe
400	www.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
516	HealthTool.exe
516	HealthTool.exe
516	HealthTool.exe
3980	taskmgr.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
3980	taskmgr.exe
3980	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4428 chrome.exe
4428 chrome.exe
4428 chrome.exe
4428 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: 33	1552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1552	AUDIODG.EXE
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe
Token: SeShutdownPrivilege	4428	chrome.exe
Token: SeCreatePagefilePrivilege	4428	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
4428	chrome.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe
3980	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

SetLoader.exew.exeww.exeSetLoader.exew.exeww.exeSetLoader.exew.exeww.exeSetLoader.exew.exeww.exe

pid	process
4744	SetLoader.exe
4172	w.exe
1664	ww.exe
5088	SetLoader.exe
1416	w.exe
2588	ww.exe
4764	SetLoader.exe
628	w.exe
2924	ww.exe
2796	SetLoader.exe
4724	w.exe
1524	ww.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4428 wrote to memory of 3884	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 3884	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 2848	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 1232	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 1232	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe
PID 4428 wrote to memory of 4616	4428	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2928
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3596
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/channel/UC0G6UimTOf4mIRvW11yPZXQ/about
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff85f4bcc40,0x7ff85f4bcc4c,0x7ff85f4bcc58
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2480 /prefetch:3
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2112,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4344,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4868,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4668,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5136,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5536,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4796,i,4242895511375137877,17730172251801046487,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=724 /prefetch:8
  2⤵
  PID:552

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1104

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x34c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\Temp1_RG_Catalyst.zip\SetLoader.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_RG_Catalyst.zip\SetLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4744
- C:\Users\Admin\AppData\Local\Temp\w.exe
  C:\Users\Admin\AppData\Local\Temp\w.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4172
- C:\Users\Admin\AppData\Local\Temp\ww.exe
  C:\Users\Admin\AppData\Local\Temp\ww.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1664
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /tn WmiPrvSES /tr "C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe" /sc minute /mo 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2376
- C:\Users\Admin\AppData\Local\Temp\www.exe
  C:\Users\Admin\AppData\Local\Temp\www.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:556
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2560
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5044
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1164
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3004
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3108
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4172
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:3340
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:5068
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4420
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PcHealthTool"
    3⤵
    - Launches sc.exe
    PID:2148
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PcHealthTool" binpath= "C:\ProgramData\PcHealthTool\HealthTool.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4776
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2604
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PcHealthTool"
    3⤵
    - Launches sc.exe
    PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\www.exe"
    3⤵
    PID:4404
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3980

C:\ProgramData\PcHealthTool\HealthTool.exe
C:\ProgramData\PcHealthTool\HealthTool.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:516
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2412
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1628
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4860
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4540
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2940
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4660
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:5092
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4572
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1164
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2800
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4444
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2604
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:4400

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4496

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:4508

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3240

C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:1668

C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe
"C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5088
- C:\Users\Admin\AppData\Local\Temp\w.exe
  C:\Users\Admin\AppData\Local\Temp\w.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1416
- C:\Users\Admin\AppData\Local\Temp\ww.exe
  C:\Users\Admin\AppData\Local\Temp\ww.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\www.exe
  C:\Users\Admin\AppData\Local\Temp\www.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:748
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2184
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4276
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3256
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1692
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3300
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:5088
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3604
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2308
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:3524
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3472
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2376
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1444
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PcHealthTool"
    3⤵
    - Launches sc.exe
    PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\www.exe"
    3⤵
    PID:3004
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4308

C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe
"C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4764
- C:\Users\Admin\AppData\Local\Temp\w.exe
  C:\Users\Admin\AppData\Local\Temp\w.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:628
- C:\Users\Admin\AppData\Local\Temp\ww.exe
  C:\Users\Admin\AppData\Local\Temp\ww.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2924

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1684

C:\ProgramData\PcHealthTool\HealthTool.exe
C:\ProgramData\PcHealthTool\HealthTool.exe
1⤵
- Executes dropped EXE
PID:1672
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:2644

C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe
"C:\Users\Admin\Downloads\RG_Catalyst\SetLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2796
- C:\Users\Admin\AppData\Local\Temp\w.exe
  C:\Users\Admin\AppData\Local\Temp\w.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\ww.exe
  C:\Users\Admin\AppData\Local\Temp\ww.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1524

C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
C:\Users\Admin\AppData\Roaming\Microsoft\WmiPrvSE.exe
1⤵
- Executes dropped EXE
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a3302a31aefa69f1d4a24b4c35079430

SHA1
754dd17bcd590a3f0707337d04150f85c43d4de1

SHA256
2fd373b596795374a230cb1f93752d99fa24d74bf4d6cae07449e7f5d1de1b5e

SHA512
8bbdbb8b9fb31e52642288385bcb77a7dadbe5d191577cfd93e1ac4d6284c006c36ee0d9f21588c32eb4cb0807cdb7830a730847424d9145ea067c9c0a2bf797

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
f2d4b7e83464ec59b59d6ed9732a3e16

SHA1
e489f54b4f0bca8f33bec935f3f34fda04292517

SHA256
48d540812ca216bce91c2d53acb9b04fa529c1afbd70ec67a48a0571add9f3e1

SHA512
3f329bf5e9e510b4d17ca9c89b67f652e8b210e08974978b46cf12c03f9e4e0ee7ca74d19d5da71c374cf2494abdafef21f5f995695aa66d1df63feb8c51ba55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
84ddfd8a129439bbbd49e862e383fffd

SHA1
fb1185a843d182bfcc771162c630a225dc076f2c

SHA256
712a3d4df0fad812634680e0b074db50921cc0664c06dc8fc83b16a375b7eb1d

SHA512
bd40a7f0344750fc4ea77346d5bacc662673e230a01f718a9fcbddf41d8faec57dde16998d0b53e9cefe0572a99855288f628fd68f739c5907221f563561cbee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
317a3873949725053187c11c366eba36

SHA1
a100df86e55825e5dd56ffcc248aa539b5f94d28

SHA256
b66e06dfada7b2e70b4f25263dbeb8b1e2bdd8d20851982f58c15c1b63d8791b

SHA512
6b94606d5e28fb8abadec55401038b95758077b9d9a8358abf8295dd0db83b5661c86d27db6e5b525c4c5ca419a757f4176995199d40f3548a32b13f69b3e322

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
f53ba5266197106e4ba217b1bb4579b4

SHA1
018b507a4b05545146a429d73511bcd757aca3bf

SHA256
d528f5d8bdcec2aee2ff2275289e2e3caf6481549b7dcd82dbea710c96d36b0a

SHA512
6485695ea49995bd86d81a820e980da416842bcfef8c1cba9135920d044560f4d14f8ca2a04ca7c9f86bd613d8627b361e2af97293a179473b1bd86e4f4dc8f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e27b84a013652d85b7774d969b388417

SHA1
d09626fc677f7c275e1ea7de5804690f6753720b

SHA256
9cde0c8c46bdd910305bd4b190c1b5c6bb58fd2f651f576e58c2dd3731d2c671

SHA512
1c617422048e04ba50eb2df842944894db3e765234a0a64814dc6c3dac162f23fb0dc7fb07608b338aee5c38a0f1ac252d043b37f69e81da24f284c35b04ebbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
001963fde7827d92a484a1cee6e72178

SHA1
4ec97927df44f41fc5b8b3eb830b572387d60981

SHA256
5c39d7d4a8b9081c86d8605ce5bcc6365dd98e792d9c658d8f30bc74bb74e9d4

SHA512
b319dab98ce7164fa27bfd6c1616b0bce342a3ca55fc93d17c5c408ad3554f82acad076f5742495e81a17b9cbcd8cce9109f26f11b3744a174b261cc53f40c45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8e8d960298d286bb41c54f29e4764648

SHA1
9cb2f43c02bec6d28ba1a8c4f6c23ffcb962f85d

SHA256
479ae1e89ea96e6931aef6206c3a5a4851573d4d36a554d299eb3b398fc0d53a

SHA512
dbb23789ab8b65427ba81b9bd24e543bef94acecd3f325ba27ae7bba14c71a27944276dfa66467f62c266de19ada40ce230dfda6daecf4c9942c351c485ece54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5989903f8f61c9fdc98ac8426fbd7846

SHA1
9a6eb03ebfea9eea8b5abb06a24301d36ec3ff01

SHA256
ec2dbd7ccfd6a0e82a2536cb217746c23d2d993e52a2a268381aefc4b6de03cf

SHA512
d9df09641778f0425ee6ad64af2cbde66342b3b2df8f85a200934f8ac9f4813a80b5fe6ff8f57ee918e60be2c5b0c62860c2dca4cd6bf57c74718f30607c63e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0ca77316ec4384257fbf25b9b7dc0ff4

SHA1
89a5d6f3d4483aef71b56c060580d46ef52f56e1

SHA256
916ed674234ddf564848ba5c662d228edb7082ada82e014b00c6297ae228b6b1

SHA512
ed25fbbe048f4207363f81b4c84d29b2b00260824c022cd0d03597f666fd04cb29ed0f6fb2d0efc863ccb9985e143eb8369c525d1d44efc7186657a51f11c474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c1c97a6dd430b6a72a81949e853d1ffa

SHA1
b1bdd0c72669a4d2ba3045fbd6a38e3511267eb3

SHA256
23a3d761089214bacb77866597e26f4989b59c784eefad81f0f9f0ea58e8c788

SHA512
3f94256484b1cd4e4bff0f4d752fab1d38533b94c4d54fa6ac2a0be8295d6e8af3ea074d45a09cb6351cdf6fb1ff26e98c8de047a3b32cc65eb5a602e273d6e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
82cd390c290cdd13f5128744a443f715

SHA1
cb0f603ed47c16292225da597d87e9764b590247

SHA256
f954bc998604b64ea7c29c391b54d3b03f3629b306b2620883719094ff0ad514

SHA512
6a9eeaaccb28e6ecc971b748faec36854ede5db8bbdd689b4ce7348ec63295593625aad9618609291c68bb142dded92a619bec676261405cf11ceb104b608fd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
05d8060508563ca42c27ed1c4375b35e

SHA1
a2cefbc418445a5368455a9e3fd5af26c54c5f77

SHA256
4f32aedd8e39fdd3bf4be02f76cb5e54da0a4f8a48b0dcbd54fb15f0fc8aec4c

SHA512
cee7d83d5f123d4420ea6ce5988fae037470a50e358ba83f2f6a54d418d6c1e4ba576165438aee180c262adc3f9527b1169bfc8150abbd3c31f84c2aa55cc346

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
55ff5316a434db27e35b898342428edc

SHA1
2d8a15f959de63e4a1e193f220f0ddf924a1de6b

SHA256
7516ffe74c45ab0ee9c41f7a511523228c637b928b10998ae41f8f3bad3afa0f

SHA512
6c7e4cb95999af30ca44461519a65a57dc688249bbd53fdf756e8200d9935c588630610ef10cadeec822edb56413de85b33c4227de71ad434fa6342258db157e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
54665873bf5e86df322c00827ccaed29

SHA1
df4d66c6a77551ea2996b5f27aa686923d9eff3b

SHA256
7e76723d6e7aa5f5dec08a1cb2a9f4417bd51a6e8097e44a2cbc44d6301e9af5

SHA512
3afd424a8810b65cc60bd55c6bcb9de64c89eec410b4af70903be8ca68fe710bbc10a38efd5d2e65cd00ac530cd1d90c93b16448ef18458dd574a2123f6d2af6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fbd90223ed4bf8cc1c9f3aef908c4775

SHA1
6ecfd7f6b332bcca71b056171596021d2e4594e9

SHA256
14953feae300efe64959c876e36b08f48f12d46711c63d5c0f042f3006f83536

SHA512
537ddce3d91a69dd0e07097ce4596ae9872e6946e5e39e5bdd4ed4e3c65bb571cf6ccb71f4652052228ba5c5319ddd77021c8bc6449a4a8cf80cf10431e09127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
35a8158bf1d11a2e84ad34b2ddb8ff1b

SHA1
3ca9f066636fa2d5901e29ebaa2be43543303eb4

SHA256
766b8e1564f2d48980efb863b4f1e68e12e2f69b5773382e069d0a467373b632

SHA512
f6e920329666102cc1df780dc84442f7800d0eb62f4560b4072abd649052c3161ecef7ae355543793a0810e3fc7638abed6503667fa6324298e885293d61eafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\eb2cfdc9-ee2e-4c46-8a3f-3b976981a29d\index-dir\the-real-index

Filesize
2KB

MD5
cf90f9c4baefa3d240e7f9ccc60baa7e

SHA1
65837957cdd39e0b43eee34d1bd8a5433fe79620

SHA256
7368ab9cc79c54d2309be56c957ec9c8d2e725153ce58c469fadc2101ebb6e3d

SHA512
1a62f67bca579d5824fff13b54a487eca302cec5b5e9afec4901e98ac9540a7731083627845cfe0607205f54c3a87684b8165ecb01c6f09ead2ab7108f4fb5de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\eb2cfdc9-ee2e-4c46-8a3f-3b976981a29d\index-dir\the-real-index~RFe57edfa.TMP

Filesize
48B

MD5
882d46fb9ffba47b7fe71311db6885b4

SHA1
2df7c77d6ab09ac88cfd6fb9d77fd7f5598d2d5b

SHA256
1e6644717a826f41225f540a1b61aaea6e3e87e370b9eb5fd1094b4eee56e325

SHA512
7712b0aea9aa15c66ed8c4aba8040a41b3097d30e1d0f1c1de0de56f8e5634ee5c8514f67b5b6a8b28636aac8ea0661a840113aad6263fd9cbe3515fc023bf1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f7ee3b25-5409-4723-8649-e5a277ead34f\index-dir\the-real-index

Filesize
624B

MD5
99bb35cda90b0763820c48863375ed88

SHA1
d0f9e927debcae670eed668b69ce91377245b810

SHA256
db20177c0f162b0c3c5ba0e32b7c399a8b4d96b0d8b6eccfcaed123ed6cd4c2f

SHA512
4dbde9baf6e33fe4623351a5f8426061fe71399534b21d75b8947c789c349394bb8b507675d494f70bfcf29ef86cc134f5af9a5cff60f20513c5eef39d0cb3f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f7ee3b25-5409-4723-8649-e5a277ead34f\index-dir\the-real-index~RFe57f52d.TMP

Filesize
48B

MD5
98a652c481f2ac1b832d2752cf925781

SHA1
47cf63dbac245a47e784826024c2573abc0b3747

SHA256
56fa5e2e2bad2adb335f2d9e9c66e7f3d61a278b6cd9fe6255fa3ab7eba7c4de

SHA512
2273415585c9cb931ddbabd1d9f838a91ec7fcd4168174550ba71bd783180df519e70e6c3b396a5b566d8ad63185467d0ab097d6e5731430886280171681efc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
6be79b9e0c69e249a2b09d321f85abc9

SHA1
6f9d17c715de86a79a3c1062357d6cd32f1829de

SHA256
23ef15932355599cc85e12322eb5472ecf55048d478350027a8266242dfd649b

SHA512
032b7a91347c34216445c515e1b58a8498884af646844b1649f9ad4be52d52a5234994a6ea13d2840e5e27dbf73465d61deb993370a1a8520b8ec50291239290

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
9ae9547ecd5b845f87dba1bd6b486019

SHA1
1670638dcb650afde4247deb11791ca4063c3c00

SHA256
e64c90e4b18dee1f78fac8d4a20dc156298e555c50f83c6a0ddb90f9bb2f6482

SHA512
ed00027487d78867df9712771d9a490420c8b3196c7dff609a4a9a9460bb9df9d95474be7dd0eb2386cd9a5a2d57f5d58fa4cc466abb69234ea8e7601b2a2582

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
185B

MD5
a2f5bfbf97286861315cbf2a53b1e05f

SHA1
88b84b4c36274e481d9cfc1cad4d1e9d2828cac3

SHA256
5045db128724dcdb80d26821262ebcf6c8f4561bf79e03f7c3e2a9f0aa9cd4c1

SHA512
ad40516230f41b483f0baa653c26cb5537a89f5093753a3ec20c8ca3ffbffaec6977b3c008a753f550bef6b88f7c95bc201720bf2e4bcd1403b7c7a0130181d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
51d0c90ad91b3c23391c0b0b240bd86e

SHA1
65e0025950f1ec74a4599ee5bbb2bdc8d2af742a

SHA256
4d3ec5e67a851743f4ffc87838a760cd06e2fb27ca0ce318582cd9f08939207e

SHA512
577a260b7df64fe9dd530aee134054ef994383628112da5a7398f2a2288fbefb8f778d56cbbf16c252b9e5bf613df0d302ed03486cfde1a1aeb6bd3dd6913950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5798a6.TMP

Filesize
119B

MD5
a30bc8b0418a2f0e7fcaa05d8719f5f0

SHA1
f31c5ae9d5bf04ee62fa256cb90e3fa12b01376d

SHA256
2be875f77de3e109c334c01fb3bac1cb08906e5117dff082ffbb35bf3932ef7b

SHA512
18b53c5200eee1519d923c99b0514ff1d5cbca492c20b594641514bf1e934c502a525db5aafd92ed0c63cf392d5c7cb18b86607b79364e65b86608ff1e7fce1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\ba23d8ecda68de77_0

Filesize
163KB

MD5
d196a82469fd12e1a551b3edc811b40d

SHA1
ad60592d82e593ecf21200424769996d7cda3d2c

SHA256
773175166e49b1b276f17ae641201babf362ff3f1a59750285c7fb84f5f896c8

SHA512
ab9cd02897c35ebd822fddc9dd7036ad964bbb8ee088d668a5d9483c3c25fa34b8860c7e408e08cb3bae85fc7a54987b6c5ed5526859deb64b9741d6a8262c29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
16KB

MD5
18905174783451f915ad6954aff4dcb3

SHA1
e6f280b54613b926faca887b6d8c24f617a404d0

SHA256
00968cb623530d55cfe5c4b4aceaf78a30b6601349b8f21035d04449b6791b79

SHA512
7cf9379b77c0c047a1c260e5a53c64d4df6308d439b7481f777d0118ec96356ed3443e0f7e7e356f807e07c3ed1f17d34ebad68af71a8911dc5b9dbaab59c8a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
f07f922abf7b04a0733791528b2a3fce

SHA1
1a97a7f2ac95f9448623e20c3cdbbc4b23123a53

SHA256
52fcd0e15f4729f5f99dc35d00b0558e288e20dfb14690e59feec3ecfa531918

SHA512
cb67cf7216ad14841e3cd83580d7537abaad1a4454f990a204064bf3effb8404a90271ba9a995656a734c17a22c968cd15363d6124fdd736964dc631d55f8fa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4428_1205578633\Shortcuts Menu Icons\0\512.png

Filesize
2KB

MD5
206fd9669027c437a36fbf7d73657db7

SHA1
8dee68de4deac72e86bbb28b8e5a915df3b5f3a5

SHA256
0d17a989f42bc129aca8e755871a7025acb6292ce06ca2437e95bedbc328fa18

SHA512
2c89878ec8466edf1f214d918aefc6a9b3de46d06ffacff4fdb85566560e94068601b1e4377d9d2eabefdc1c7f09eb46b00cf4545e377cc84a69edf8e57e48b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4428_1205578633\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
529a0ad2f85dff6370e98e206ecb6ef9

SHA1
7a4ff97f02962afeca94f1815168f41ba54b0691

SHA256
31db550eb9c0d9afd316dc85cdfd832510e2c48e7d37d4a610c175667a4599c6

SHA512
d00e2d741a0a6321c92a4aab632f8f3bafd33c0e2875f37868e195ed5e7200a647b4c83358edcef5fc7acbc5c57f70410903f39eac76e23e88a342ac5c9c21cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4428_1470640777\Icons Monochrome\16.png

Filesize
214B

MD5
1b3a4d1adc56ac66cd8b46c98f33e41b

SHA1
de87dc114f12e1865922f89ebc127966b0b9a1b7

SHA256
0fb35eacb91ab06f09431370f330ba290725119417f166facaf5f134499978bd

SHA512
ce89a67b088bae8dcd763f9a9b3655ed90485b24646d93de44533744dfcf947c96571e252d1ad80bdec1530ff2b72b012e8fff7178f1b4e957090f0f4c959e0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
15f36a2987d80adfc97f99013120b0ad

SHA1
9d926bc27c99680ae30c7e0a38892cfba40418c0

SHA256
9b40b9fb043d50f33959ea504c6da6ae74d76da311a1c90dab5447a8db75a0e1

SHA512
72a1d8da5b6754bf9d26e2ddb0c3916a6adf63ce46838fc22ddeed5cb03d4cdca77fb791351343d1917322bbfbf9cc1e1f52b3608369150f5ece151205368670

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
fcfc1946b985d4304cf069f1154f4cab

SHA1
bd91b22a14d29cb9d5a3d749fc7a35b06e458b0c

SHA256
3aec8142d551f57636d37fd2d8bf08d7149b1439ecdfa59de1f887ed2348f4ab

SHA512
bfbaa47b6d901b1658e73c619bdc5c64663840cbe28e84e2d82042f569db023faeb241c38a623b5572b5d858453c4a878f9835adea57d9df4b95f3624dec6fc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
83b595eea1f72c7fe0ab4ec08125a52c

SHA1
08c69134ef0264c26ec49943ced7e248ca2548b3

SHA256
144b4b6fab29d7f7d395a50e69f4223caf2dfc9cda582eb81c1c0c54f77148a0

SHA512
afaa894eeb8a9a3fead3c4d7a66fe46a249a7bda7642875e7347f907da4f6290c5522193c9c92316d5323ab757dfc98996231d98995e965a6fea6e0e9df8951d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40yikmot.203.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
5a624fe0d3f6f460b485035054b22c21

SHA1
2d8a3557572a4b605ef34aedbeb8173beb2c1c38

SHA256
8fe25ed6498e37c488f3969ddafa5bbd6400ddc15bc81e8b926d03927a60f4fa

SHA512
aa20e24532cdbc6b2faac5e79c75627ba8ede7ce48e262406f82360033473001e1e6d52dce7039e5669a3df3e83d7bf184c699b73153aca6017371747417555a

Download Submit
\??\pipe\crashpad_4428_AJHPLAUJAVNRKTTB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-624-0x000001B2DB5E0000-0x000001B2DB602000-memory.dmp

Filesize
136KB

Download
memory/400-620-0x00007FF86EE90000-0x00007FF86EE92000-memory.dmp

Filesize
8KB

Download
memory/400-621-0x0000000140000000-0x0000000140F26000-memory.dmp

Filesize
15.1MB

Download
memory/516-642-0x0000000140000000-0x0000000140F26000-memory.dmp

Filesize
15.1MB

Download
memory/628-799-0x00000000001A0000-0x00000000006D8000-memory.dmp

Filesize
5.2MB

Download
memory/628-777-0x00000000001A0000-0x00000000006D8000-memory.dmp

Filesize
5.2MB

Download
memory/720-750-0x0000000140000000-0x0000000140519000-memory.dmp

Filesize
5.1MB

Download
memory/1416-795-0x00000000001A0000-0x00000000006D8000-memory.dmp

Filesize
5.2MB

Download
memory/1416-769-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1416-768-0x00000000001A0000-0x00000000006D8000-memory.dmp

Filesize
5.2MB

Download
memory/1664-599-0x0000000140000000-0x0000000140519000-memory.dmp

Filesize
5.1MB

Download
memory/1664-597-0x00007FF86EE90000-0x00007FF86EE92000-memory.dmp

Filesize
8KB

Download
memory/1988-668-0x000002521DF50000-0x000002521DF6A000-memory.dmp

Filesize
104KB

Download
memory/1988-667-0x000002521DEF0000-0x000002521DEFA000-memory.dmp

Filesize
40KB

Download
memory/1988-671-0x000002521DF40000-0x000002521DF4A000-memory.dmp

Filesize
40KB

Download
memory/1988-663-0x000002521DCC0000-0x000002521DCDC000-memory.dmp

Filesize
112KB

Download
memory/1988-664-0x000002521DCE0000-0x000002521DD95000-memory.dmp

Filesize
724KB

Download
memory/1988-665-0x000002521DDA0000-0x000002521DDAA000-memory.dmp

Filesize
40KB

Download
memory/1988-666-0x000002521DF10000-0x000002521DF2C000-memory.dmp

Filesize
112KB

Download
memory/1988-670-0x000002521DF30000-0x000002521DF36000-memory.dmp

Filesize
24KB

Download
memory/1988-669-0x000002521DF00000-0x000002521DF08000-memory.dmp

Filesize
32KB

Download
memory/2604-683-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2604-675-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2604-679-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2604-678-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2604-677-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2604-676-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2644-876-0x00000263A1670000-0x00000263A1725000-memory.dmp

Filesize
724KB

Download
memory/3596-575-0x0000000000AE0000-0x0000000000AE9000-memory.dmp

Filesize
36KB

Download
memory/3596-589-0x00007FF86EC90000-0x00007FF86EE85000-memory.dmp

Filesize
2.0MB

Download
memory/3596-588-0x0000000002660000-0x0000000002A60000-memory.dmp

Filesize
4.0MB

Download
memory/3596-591-0x00000000758C0000-0x0000000075AD5000-memory.dmp

Filesize
2.1MB

Download
memory/3980-582-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/3980-583-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/3980-584-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/3980-585-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/3980-586-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/3980-573-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/3980-581-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/3980-580-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/3980-572-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/3980-574-0x0000021B1C670000-0x0000021B1C671000-memory.dmp

Filesize
4KB

Download
memory/4172-566-0x00000000005A0000-0x0000000000AD8000-memory.dmp

Filesize
5.2MB

Download
memory/4172-587-0x00000000005A0000-0x0000000000AD8000-memory.dmp

Filesize
5.2MB

Download
memory/4172-564-0x00000000005A0000-0x0000000000AD8000-memory.dmp

Filesize
5.2MB

Download
memory/4172-565-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/4172-567-0x0000000003E40000-0x0000000004240000-memory.dmp

Filesize
4.0MB

Download
memory/4172-568-0x0000000003E40000-0x0000000004240000-memory.dmp

Filesize
4.0MB

Download
memory/4172-569-0x00007FF86EC90000-0x00007FF86EE85000-memory.dmp

Filesize
2.0MB

Download
memory/4172-571-0x00000000758C0000-0x0000000075AD5000-memory.dmp

Filesize
2.1MB

Download
memory/4400-700-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-690-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-696-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-694-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-695-0x00000000010C0000-0x00000000010E0000-memory.dmp

Filesize
128KB

Download
memory/4400-689-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-692-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-685-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-688-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-698-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-697-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-687-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-699-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-714-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-691-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-684-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4400-686-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/4724-882-0x0000000000390000-0x00000000008C8000-memory.dmp

Filesize
5.2MB

Download
memory/4724-899-0x0000000000390000-0x00000000008C8000-memory.dmp

Filesize
5.2MB

Download