orcus | 4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

Resubmissions

03-10-2024 21:19

241003-z6m9fsxcjn 10

03-10-2024 21:14

241003-z3g82azhmb 10

03-10-2024 21:10

241003-z1h3jszglg 10

03-10-2024 21:03

241003-zv1emszeje 10

Analysis

max time kernel
72s
max time network
113s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

snos.exe
Size

916KB
MD5

defc2abbed64bb0a53c7b9fa04d9d114
SHA1

926cbb5e1d9ea1249aa034afa5d0e510322b5ee6
SHA256

4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580
SHA512

00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842
SSDEEP

24576:NVWC4MROxnFD3krXYf1rrcI0AilFEvxHPdmoo6:NqMiJtrrcI0AilFEvxHP

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Extracted

Family

orcus

45.200.148.205:10134

Mutex

2857e61aa1024db89df5be17078af5ab

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\sistemwinhost\winhost1235.exe
reconnect_delay
10000
registry_keyname
registry
taskscheduler_taskname
registre
watchdog_path
AppData\Servicemanagaer.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Program Files (x86)\sistemwinhost\winhost1235.exe	family_orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2360-1-0x0000000000B90000-0x0000000000C7A000-memory.dmp	orcus
C:\Program Files (x86)\sistemwinhost\winhost1235.exe	orcus
behavioral1/memory/2616-32-0x00000000012E0000-0x00000000013CA000-memory.dmp	orcus

Executes dropped EXE 7 IoCs

Processes:

WindowsInput.exeWindowsInput.exewinhost1235.exeServicemanagaer.exeServicemanagaer.exewinhost1235.exeWindowsInput.exe

pid	process
2816	WindowsInput.exe
2912	WindowsInput.exe
2616	winhost1235.exe
2136	Servicemanagaer.exe
380	Servicemanagaer.exe
2084	winhost1235.exe
2152	WindowsInput.exe

Loads dropped DLL 3 IoCs

Processes:

snos.exewinhost1235.exe

pid process

2360 snos.exe
2360 snos.exe
2616 winhost1235.exe

pid	process
2360	snos.exe
2360	snos.exe
2616	winhost1235.exe

Drops file in System32 directory 3 IoCs

Processes:

WindowsInput.exesnos.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	snos.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	snos.exe

Drops file in Program Files directory 4 IoCs

Processes:

winhost1235.exesnos.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\sistemwinhost\winhost1235.exe	winhost1235.exe
File created	C:\Program Files (x86)\sistemwinhost\winhost1235.exe	snos.exe
File opened for modification	C:\Program Files (x86)\sistemwinhost\winhost1235.exe	snos.exe
File created	C:\Program Files (x86)\sistemwinhost\winhost1235.exe.config	snos.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winhost1235.exeServicemanagaer.execmd.exePING.EXEcmd.execmd.execmd.exesnos.exeServicemanagaer.exewinhost1235.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost1235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Servicemanagaer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Servicemanagaer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhost1235.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

2448 PING.EXE

pid	process
2448	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2448 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

2224 vlc.exe

pid	process
2448	PING.EXE

pid	process
2224	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Servicemanagaer.exewinhost1235.exe

pid	process
380	Servicemanagaer.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
380	Servicemanagaer.exe
380	Servicemanagaer.exe
2616	winhost1235.exe
2616	winhost1235.exe
380	Servicemanagaer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

vlc.exe

pid process

2224 vlc.exe

pid	process
2224	vlc.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

winhost1235.exeServicemanagaer.exeServicemanagaer.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2616	winhost1235.exe
Token: SeDebugPrivilege	2136	Servicemanagaer.exe
Token: SeDebugPrivilege	380	Servicemanagaer.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

winhost1235.exevlc.exechrome.exe

pid	process
2616	winhost1235.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious use of SendNotifyMessage 46 IoCs

Processes:

winhost1235.exevlc.exechrome.exe

pid	process
2616	winhost1235.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

2224 vlc.exe

pid	process
2224	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

snos.exewinhost1235.exeServicemanagaer.exetaskeng.execmd.exechrome.exe

description	pid	process	target process
PID 2360 wrote to memory of 2816	2360	snos.exe	WindowsInput.exe
PID 2360 wrote to memory of 2816	2360	snos.exe	WindowsInput.exe
PID 2360 wrote to memory of 2816	2360	snos.exe	WindowsInput.exe
PID 2360 wrote to memory of 2816	2360	snos.exe	WindowsInput.exe
PID 2360 wrote to memory of 2616	2360	snos.exe	winhost1235.exe
PID 2360 wrote to memory of 2616	2360	snos.exe	winhost1235.exe
PID 2360 wrote to memory of 2616	2360	snos.exe	winhost1235.exe
PID 2360 wrote to memory of 2616	2360	snos.exe	winhost1235.exe
PID 2616 wrote to memory of 2136	2616	winhost1235.exe	Servicemanagaer.exe
PID 2616 wrote to memory of 2136	2616	winhost1235.exe	Servicemanagaer.exe
PID 2616 wrote to memory of 2136	2616	winhost1235.exe	Servicemanagaer.exe
PID 2616 wrote to memory of 2136	2616	winhost1235.exe	Servicemanagaer.exe
PID 2136 wrote to memory of 380	2136	Servicemanagaer.exe	Servicemanagaer.exe
PID 2136 wrote to memory of 380	2136	Servicemanagaer.exe	Servicemanagaer.exe
PID 2136 wrote to memory of 380	2136	Servicemanagaer.exe	Servicemanagaer.exe
PID 2136 wrote to memory of 380	2136	Servicemanagaer.exe	Servicemanagaer.exe
PID 2232 wrote to memory of 2084	2232	taskeng.exe	winhost1235.exe
PID 2232 wrote to memory of 2084	2232	taskeng.exe	winhost1235.exe
PID 2232 wrote to memory of 2084	2232	taskeng.exe	winhost1235.exe
PID 2232 wrote to memory of 2084	2232	taskeng.exe	winhost1235.exe
PID 2616 wrote to memory of 2152	2616	winhost1235.exe	WindowsInput.exe
PID 2616 wrote to memory of 2152	2616	winhost1235.exe	WindowsInput.exe
PID 2616 wrote to memory of 2152	2616	winhost1235.exe	WindowsInput.exe
PID 2616 wrote to memory of 2152	2616	winhost1235.exe	WindowsInput.exe
PID 2616 wrote to memory of 1548	2616	winhost1235.exe	cmd.exe
PID 2616 wrote to memory of 1548	2616	winhost1235.exe	cmd.exe
PID 2616 wrote to memory of 1548	2616	winhost1235.exe	cmd.exe
PID 2616 wrote to memory of 1548	2616	winhost1235.exe	cmd.exe
PID 1548 wrote to memory of 2448	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 2448	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 2448	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 2448	1548	cmd.exe	PING.EXE
PID 1548 wrote to memory of 812	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 812	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 812	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 812	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 876	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 876	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 876	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 876	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 956	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 956	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 956	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 956	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 552	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 552	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 552	1548	cmd.exe	cmd.exe
PID 1548 wrote to memory of 552	1548	cmd.exe	cmd.exe
PID 2332 wrote to memory of 700	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 700	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 700	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe
PID 2332 wrote to memory of 2760	2332	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\snos.exe
"C:\Users\Admin\AppData\Local\Temp\snos.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2816
- C:\Program Files (x86)\sistemwinhost\winhost1235.exe
  "C:\Program Files (x86)\sistemwinhost\winhost1235.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe
    "C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /launchSelfAndExit "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 2616 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe
      "C:\Users\Admin\AppData\Roaming\Servicemanagaer.exe" /watchProcess "C:\Program Files (x86)\sistemwinhost\winhost1235.exe" 2616 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:380
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --uninstall
    3⤵
    - Executes dropped EXE
    PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\{e12c7f98-12d2-420d-91e2-99af655bb05f}.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      System Location Discovery: System Language Discovery
      PID:812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del "C:\Program Files (x86)\sistemwinhost\winhost1235.exe""
      4⤵
      System Location Discovery: System Language Discovery
      PID:876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo j "
      4⤵
      System Location Discovery: System Language Discovery
      PID:956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" del C:\Users\Admin\AppData\Local\Temp\{e12c7f98-12d2-420d-91e2-99af655bb05f}.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:552

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\system32\taskeng.exe
taskeng.exe {793E9024-0FF1-4201-ACB0-0ECFCA89EF4D} S-1-5-21-3434294380-2554721341-1919518612-1000:ELZYPTFV\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Program Files (x86)\sistemwinhost\winhost1235.exe
  "C:\Program Files (x86)\sistemwinhost\winhost1235.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2084

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UseRename.TS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65b9758,0x7fef65b9768,0x7fef65b9778
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:2
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1144 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:2
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3148 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3640 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3816 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2824 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2520 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3448 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3228 --field-trial-handle=1092,i,7618840336123998130,11318048575054262525,131072 /prefetch:1
  2⤵
  PID:1776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2408

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45286545 14430
1⤵
PID:1048

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\sistemwinhost\winhost1235.exe

Filesize
916KB

MD5
defc2abbed64bb0a53c7b9fa04d9d114

SHA1
926cbb5e1d9ea1249aa034afa5d0e510322b5ee6

SHA256
4a5b24522b79e54b2c901946eb492dac5bf83631681a2d99b1f6b303268e0580

SHA512
00084691a0ae0c52aac630a1fca9bca0fb245ad4597c99b12016119ce289500002c6b23e47bfcd2bc220c26068615c972b8e5551b0b3dd721fd06c6387e0d842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6c3f20daf33d64022f50dfbd84f6cd8

SHA1
f5961033e0b950765253ee75fdf07ab1d7851160

SHA256
07411f15696a66baa27a05bcf27f99f5ee8b60013e08102a4fc66984acd60169

SHA512
456cc527fc9da0b07cd1eca3385f16bae2c92e945e60388c5101452648a0b33016be0c7cbcbcc46fb92ee7fe19c56b1ebc07b5b71a4142d5196724b9bd2eb7b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
520a65a00aabc9d885524ca9004f5641

SHA1
e992c576cb2696a542fb1cd7574cb18cb00c4f97

SHA256
23d752e88e7dc00bec3200329e943e83712e38dec293e4e6e8dcc11b0f233edb

SHA512
a6d0eb1e09d76c910d5f2aef5da539410745c92f5a280556cdccd059f68648320a7485641f4a67c145e7a844b7f620d747ed1661e65534391b4a5cc671c1f904

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8c51e00d822881f8d3ea7533f0e00d7

SHA1
83a4ae0e0571ddff29df7d2474eb33e87944c50b

SHA256
5adc5c4092dba3c54c74a7bd57f0989beafc80fef574a93fa5c6793f63ae2b89

SHA512
f561f53786d5fbb4a9032e38c9ecb7404c99b728f7d2eb839de8cd5ee3b06357a60d59a223b5b70b1b2a5be003cbd28bd2856ffa4ee2e1259d4e45e41b8798be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b2663a97865a1732155d39ac2876b2a

SHA1
261e256d990d4d334fa4e08781be87c488fb31f1

SHA256
1fa7d62a34e98e26b367d707182cd304a32a9fd557aa5b496401829325323811

SHA512
ec1d19684dcb0f13d2389de7966ebfae45da9bfc16f4249b6c5ad841eb8ed1e10e7ddfaea1917530fc25c6e5f6d640b004eee91b8dacbb546604dd62d1bae9ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
024e1abba08a2670dbe7417f3d2f27e1

SHA1
713edeeebf2f77bbaa7d5453710e9d9d25a054cb

SHA256
08c430ac3c862dda352c99040d8846d18033bd784830efa846db0902d48da23b

SHA512
a590d5d90548866819406f764b5908e418f555c7833502ea9aa8f9cdbcdf5f41191d0ac99b7211b0c38cdf0b50113b34ce0dfba8d6f42b7a5c2bd5669f04974b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07fd85fe59057a3b4ca77746446db75f

SHA1
06ba9cd8e8d24f609b29cf1aba65cc1c5aaf879f

SHA256
64612174e6d8d1177c24eafcefbcbe9fe433534cdfd1189f65b86aae1aa5f71c

SHA512
7bb696664bbeddcfe2d7cfd9bc5a5917a88f532f5012d3575ce61437745bacf78616ec5fa47b9e473e88fd026aeb4440328216bcd53df16c984d3de09c915a02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7f54e72d8de82f97351b58630664a33

SHA1
dfd4e52f7c67511e0ef3b0ae450d4a0906d75abc

SHA256
3e280bd32896208041b67568d9fc6e4cb94f567bb40bfd60143c4d8a46159153

SHA512
022a9cffdd2ab6998ca28723206aaf779972deddd0828ce2b61c7f3f64e3c061bb9af2a412843a76ba1fe52531a289f9a7f3fbbc8c05ad9d9fe2c31207c85c18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
547c2273e7105ba2369b4690faf22c38

SHA1
fc91e494d4999cc96149d4d702b44b7820ea6fd8

SHA256
a37e893f5cc6d0e11b100f8c682ca3c39a76ab4d7e39662ce59ef93325132102

SHA512
1d2572094702fcc6ed41285cd8f924f03d67bd326c8789a922d1ed52b2f07c093b5ef21dbc8495f467aa69039e0964e78d9a0279c6656becf4742ff3a9d57394

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f7c75a34e472bf5cfe051d36e8b8d2d

SHA1
b80f1690358a528e82e8cb744715cba94a2ba43d

SHA256
aef3b93eeed689801ad5e637536f440a6ba387433ee9651061ef3b9233e8b341

SHA512
d360d63d8b61a2a397a8cc7ec339919347f2b2215afe3075d1d1edc0ea2471dfc84e634a35c484872caf1aa9ee642b8cb1cbdbc7eb0285a825c3407d9dbe2c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
611aa68f3434f0c7774d8fe074051cc4

SHA1
1f879ad9d6b8e041c5ec0920fa2220e876e99bdd

SHA256
0058b1e46d92cf169642ba24703fb41989c93cac2a6dc3579267905faf0a01c8

SHA512
adac2ec15851b0526eb567b75c8825f36fa3f063b814309901fdae72dfd41c2e8d5f7111e5e7a5747afac47b55047aacebd0e4a3301617584ab60f29a540ab46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e2512c4787d8102c2eaebf23cb2a32aa

SHA1
b3bb502e6f3e9356e3b8efb2c38c3da8c13ed3bc

SHA256
1125d30a5e76b1ed337caba5f94bebf974d52dfdfe161fc01a210cffa0e2e2e8

SHA512
42693420f3f41e59d27fab8982a74075b51345e9fbbe992cc6d3ae05b5f831acfa0c0bdeded7f050d4b77cd65bd7ce5181d76e5f3e201cafc2207df131b7694c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a64c03a5edeeef8ad723c30ec5dd8bfb

SHA1
c6c49b0b7258f08aac872d80d6d4dcde1784c89d

SHA256
b35535629501ae2042cfde1a9aa89e6a1d09331fe22fe43c80e52f92d156a731

SHA512
5832bdf6a9e635830ccf1f1924e07fd63ad569e4accd3aee8c45d2f73b37c8e6021f3e7bbf77c557f4810faed790aa8b4db4afc66e0827825a1f2a446e87f0bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab91A7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB0D9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e12c7f98-12d2-420d-91e2-99af655bb05f}.bat

Filesize
191B

MD5
966ef2857230abe885c2ecc0135c2c12

SHA1
16e2d9d349de7a119eeb8cf9d211224ec93951ac

SHA256
59f2fb2605f3850ac47cbf670c164dc6afeb29646adac4405264d9d80b26ff77

SHA512
da2443f227dcbd463d0d85c4e6bda18eecc5fcf6857cc205776481292a4558d20f601be92c11296513b511bcf7800bd4bb15c4c4b41bac88d43b4b126f30caf1

Download Submit
C:\Windows\SysWOW64\WindowsInput.InstallState

Filesize
7KB

MD5
362ce475f5d1e84641bad999c16727a0

SHA1
6b613c73acb58d259c6379bd820cca6f785cc812

SHA256
1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899

SHA512
7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\pipe\crashpad_2332_CNBHXTRCZDWCYGZN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\Servicemanagaer.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
memory/2136-47-0x00000000011E0000-0x00000000011E8000-memory.dmp

Filesize
32KB

Download
memory/2224-93-0x000007FEF71D0000-0x000007FEF71E7000-memory.dmp

Filesize
92KB

Download
memory/2224-90-0x000007FEF6490000-0x000007FEF64C4000-memory.dmp

Filesize
208KB

Download
memory/2224-92-0x000007FEF7320000-0x000007FEF7338000-memory.dmp

Filesize
96KB

Download
memory/2224-89-0x000000013FB20000-0x000000013FC18000-memory.dmp

Filesize
992KB

Download
memory/2224-94-0x000007FEF6430000-0x000007FEF6441000-memory.dmp

Filesize
68KB

Download
memory/2224-95-0x000007FEF5780000-0x000007FEF5797000-memory.dmp

Filesize
92KB

Download
memory/2224-96-0x000007FEF5760000-0x000007FEF5771000-memory.dmp

Filesize
68KB

Download
memory/2224-97-0x000007FEF5740000-0x000007FEF575D000-memory.dmp

Filesize
116KB

Download
memory/2224-98-0x000007FEF5720000-0x000007FEF5731000-memory.dmp

Filesize
68KB

Download
memory/2224-91-0x000007FEF1B10000-0x000007FEF1DC6000-memory.dmp

Filesize
2.7MB

Download
memory/2224-108-0x000007FEF6490000-0x000007FEF64C4000-memory.dmp

Filesize
208KB

Download
memory/2224-109-0x000007FEF1B10000-0x000007FEF1DC6000-memory.dmp

Filesize
2.7MB

Download
memory/2224-107-0x000000013FB20000-0x000000013FC18000-memory.dmp

Filesize
992KB

Download
memory/2224-110-0x000007FEEC220000-0x000007FEED2D0000-memory.dmp

Filesize
16.7MB

Download
memory/2224-99-0x000007FEEC220000-0x000007FEED2D0000-memory.dmp

Filesize
16.7MB

Download
memory/2360-5-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2360-1-0x0000000000B90000-0x0000000000C7A000-memory.dmp

Filesize
936KB

Download
memory/2360-2-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2360-3-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-0-0x0000000073ECE000-0x0000000073ECF000-memory.dmp

Filesize
4KB

Download
memory/2360-33-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/2360-4-0x0000000000980000-0x00000000009DC000-memory.dmp

Filesize
368KB

Download
memory/2616-34-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/2616-32-0x00000000012E0000-0x00000000013CA000-memory.dmp

Filesize
936KB

Download
memory/2616-35-0x00000000047D0000-0x000000000481E000-memory.dmp

Filesize
312KB

Download
memory/2616-36-0x0000000000820000-0x0000000000838000-memory.dmp

Filesize
96KB

Download
memory/2616-37-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2816-19-0x000007FEF4CD0000-0x000007FEF56BC000-memory.dmp

Filesize
9.9MB

Download
memory/2816-16-0x000007FEF4CD0000-0x000007FEF56BC000-memory.dmp

Filesize
9.9MB

Download
memory/2816-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2816-13-0x000007FEF4CD3000-0x000007FEF4CD4000-memory.dmp

Filesize
4KB

Download
memory/2912-21-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download