orcus | hxxps://njratnik667[.]hopto[.]org/1[.]exe

Analysis

max time kernel
177s
max time network
178s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-01-2025 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://njratnik667.hopto.org/1.exe

Score

10^/10

orcus hacked defense_evasion discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

orcus

Botnet

HacKed

njratnik667.hopto.org:10134

Mutex

ec0265501148482a90b3681c1b46d412

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
C:\Windows\dllhost.exe
reconnect_delay
10000
registry_keyname
Defender Update
taskscheduler_taskname
Windows Update
watchdog_path
AppData\RuntimeBroker.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4112-183-0x0000000006100000-0x000000000610A000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dllhost.exe

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	dllhost.exe

Orcurs Rat Executable 11 IoCs

resource	yara_rule
behavioral1/memory/4112-167-0x0000000000850000-0x0000000000CA4000-memory.dmp	orcus
behavioral1/memory/4112-341-0x0000000000850000-0x0000000000CA4000-memory.dmp	orcus
behavioral1/memory/812-343-0x0000000000F20000-0x0000000001374000-memory.dmp	orcus
behavioral1/memory/812-344-0x0000000000F20000-0x0000000001374000-memory.dmp	orcus
behavioral1/memory/1264-353-0x0000000000F20000-0x0000000001374000-memory.dmp	orcus
behavioral1/memory/1264-354-0x0000000000F20000-0x0000000001374000-memory.dmp	orcus
behavioral1/memory/1264-411-0x0000000000F20000-0x0000000001374000-memory.dmp	orcus
behavioral1/memory/844-436-0x0000000000F10000-0x0000000001364000-memory.dmp	orcus
behavioral1/memory/844-439-0x0000000000F10000-0x0000000001364000-memory.dmp	orcus
behavioral1/memory/844-440-0x0000000000F10000-0x0000000001364000-memory.dmp	orcus
behavioral1/memory/844-524-0x0000000000F10000-0x0000000001364000-memory.dmp	orcus

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3636	powershell.exe
2060	powershell.exe
4928	powershell.exe
3672	powershell.exe
3848	powershell.exe
2420	powershell.exe
1680	powershell.exe
436	powershell.exe
3724	powershell.exe
4952	powershell.exe
3384	powershell.exe
8	powershell.exe
1512	powershell.exe
4400	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1716	1.exe
4112	BUILD45_PROTECTED.EXE
2420	SAVER.EXE
1452	WindowsInput.exe
1416	WindowsInput.exe
812	dllhost.exe
1264	dllhost.exe
440	RuntimeBroker.exe
4556	RuntimeBroker.exe
4336	1.exe
844	BUILD45_PROTECTED.EXE
4208	SAVER.EXE

Loads dropped DLL 11 IoCs

pid	Process
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dllhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	BUILD45_PROTECTED.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	BUILD45_PROTECTED.EXE

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 2 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	dllhost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	api.ipify.org
5	api.ipify.org

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.dll	dllhost.exe
File created	C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.DXGI.dll	dllhost.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	BUILD45_PROTECTED.EXE
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.Direct3D11.dll	dllhost.exe
File created	C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.Direct3D9.dll	dllhost.exe
File created	C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\TurboJpegWrapper.dll	dllhost.exe
File created	C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\x86\turbojpeg.dll	dllhost.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	BUILD45_PROTECTED.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs

pid	Process
4112	BUILD45_PROTECTED.EXE
4112	BUILD45_PROTECTED.EXE
812	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
844	BUILD45_PROTECTED.EXE
844	BUILD45_PROTECTED.EXE
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\dllhost.exe	BUILD45_PROTECTED.EXE
File opened for modification	C:\Windows\dllhost.exe	BUILD45_PROTECTED.EXE
File created	C:\Windows\dllhost.exe.config	BUILD45_PROTECTED.EXE
File opened for modification	C:\Windows\dllhost.exe	attrib.exe
File opened for modification	C:\Windows\dllhost.exe.config	attrib.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\1.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BUILD45_PROTECTED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAVER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BUILD45_PROTECTED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAVER.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	dllhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133813606234500201"	chrome.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\1.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3468	chrome.exe
3468	chrome.exe
4112	BUILD45_PROTECTED.EXE
4112	BUILD45_PROTECTED.EXE
8	powershell.exe
8	powershell.exe
436	powershell.exe
436	powershell.exe
3636	powershell.exe
3636	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
848	powershell.exe
848	powershell.exe
848	powershell.exe
3724	powershell.exe
3724	powershell.exe
3724	powershell.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
812	dllhost.exe
812	dllhost.exe
1264	dllhost.exe
1264	dllhost.exe
1712	powershell.exe
1712	powershell.exe
1712	powershell.exe
4556	RuntimeBroker.exe
4556	RuntimeBroker.exe
4556	RuntimeBroker.exe
4556	RuntimeBroker.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
812	dllhost.exe
4556	RuntimeBroker.exe
812	dllhost.exe
4556	RuntimeBroker.exe
4556	RuntimeBroker.exe
812	dllhost.exe
812	dllhost.exe
4556	RuntimeBroker.exe
812	dllhost.exe
4556	RuntimeBroker.exe
4556	RuntimeBroker.exe
812	dllhost.exe
812	dllhost.exe
4556	RuntimeBroker.exe
4556	RuntimeBroker.exe
812	dllhost.exe
812	dllhost.exe
4556	RuntimeBroker.exe
4556	RuntimeBroker.exe
812	dllhost.exe
812	dllhost.exe
4556	RuntimeBroker.exe
4556	RuntimeBroker.exe
812	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
812	dllhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe
Token: SeShutdownPrivilege	3468	chrome.exe
Token: SeCreatePagefilePrivilege	3468	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe

Suspicious use of SendNotifyMessage 42 IoCs

pid	Process
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3468	chrome.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe
3492	Taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4112	BUILD45_PROTECTED.EXE
4432	MiniSearchHost.exe
812	dllhost.exe
812	dllhost.exe
1264	dllhost.exe
844	BUILD45_PROTECTED.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 4180	3468	chrome.exe	77
PID 3468 wrote to memory of 4180	3468	chrome.exe	77
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 484	3468	chrome.exe	78
PID 3468 wrote to memory of 3488	3468	chrome.exe	79
PID 3468 wrote to memory of 3488	3468	chrome.exe	79
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80
PID 3468 wrote to memory of 1620	3468	chrome.exe	80

System policy modification 1 TTPs 14 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0"	BUILD45_PROTECTED.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	dllhost.exe

Views/modifies file attributes 1 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2304	attrib.exe
3936	attrib.exe
768	attrib.exe
2420	attrib.exe
2472	attrib.exe
3892	attrib.exe
1628	attrib.exe
1264	attrib.exe
5068	attrib.exe
4996	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://njratnik667.hopto.org/1.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fa0fcc40,0x7ff8fa0fcc4c,0x7ff8fa0fcc58
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1828,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1992,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2004 /prefetch:3
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2044,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4528,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3744 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4572,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4532,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4352,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5004,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4664,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4844,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4784,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5184,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5316,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5172,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3240,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4952 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5444,i,12635696485982366971,14779254740013143694,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  PID:712

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4064

C:\Users\Admin\Downloads\1.exe
"C:\Users\Admin\Downloads\1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716
- C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE
  "C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4112
- - C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe" --install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:848
- - C:\Windows\dllhost.exe
    "C:\Windows\dllhost.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1712
  - - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe" /launchSelfAndExit "C:\Windows\dllhost.exe" 812 /protectFile
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:440
    - - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe" /watchProcess "C:\Windows\dllhost.exe" 812 "/protectFile"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4556
- C:\Users\Admin\AppData\Local\Temp\SAVER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SAVER.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2420
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9536.tmp\9537.tmp\9538.bat C:\Users\Admin\AppData\Local\Temp\SAVER.EXE"
    3⤵
    PID:1064
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\SAVER.EXE
      4⤵
      Views/modifies file attributes
      PID:1264
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Windows\dllhost.exe
      4⤵
      Views/modifies file attributes
      PID:3936
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Windows\dllhost.exe.config
      4⤵
      Views/modifies file attributes
      PID:5068
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Users\C:\Users\Admin\AppData\RuntimeBroker.exe
      4⤵
      Views/modifies file attributes
      PID:4996
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Users\C:\Users\Admin\AppData\RuntimeBroker.exe.config
      4⤵
      Views/modifies file attributes
      PID:2472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionExtension .exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:8
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\System32\Microsoft\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\System32\Microsoft\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionProcess C:\Windows\dllhost.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionProcess C:\Windows\System32\Microsoft\dllhost.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionPath C:\Users\C:\Users\Admin\AppData\Roaming
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4928

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Windows\dllhost.exe
C:\Windows\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Users\Admin\Downloads\1.exe
"C:\Users\Admin\Downloads\1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4336
- C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE
  "C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:844
- C:\Users\Admin\AppData\Local\Temp\SAVER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SAVER.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4208
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2E0B.tmp\2E0C.tmp\2E0D.bat C:\Users\Admin\AppData\Local\Temp\SAVER.EXE"
    3⤵
    PID:3076
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\SAVER.EXE
      4⤵
      Views/modifies file attributes
      PID:3892
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Windows\dllhost.exe
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:768
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Windows\dllhost.exe.config
      4⤵
      Drops file in Windows directory
      Views/modifies file attributes
      PID:2420
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Users\C:\Users\Admin\AppData\RuntimeBroker.exe
      4⤵
      Views/modifies file attributes
      PID:1628
  - - C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Users\C:\Users\Admin\AppData\RuntimeBroker.exe.config
      4⤵
      Views/modifies file attributes
      PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionExtension .exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\System32\Microsoft\
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionPath C:\Windows\System32\Microsoft\
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionProcess C:\Windows\dllhost.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionProcess C:\Windows\System32\Microsoft\dllhost.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command Add-MpPreference -ExclusionPath C:\Users\C:\Users\Admin\AppData\Roaming
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2420

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4532

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
939de3ac9196eddbf6cd24fbe419b141

SHA1
8527dbc1cf34e3528a650dd21299509e78a68071

SHA256
d7b550dee3ff0be5126772a8058b6bfc6914a0caae1fa8e46abcdc3a0a2805e9

SHA512
4b313754c6574cab1ce93540b8d625166c5c188a64e3dc13c2acb3ce66e5d0674163c20fe69b9adf9270a0e8aef90b3b1766ff7b9e8bdce4cfe028ea66c9f1e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
192B

MD5
c01449ced81b1645296d2fd48ff81064

SHA1
cde58aa0dab73988d63d7fadd56073070d1e9dcf

SHA256
e3dfef0d466225fd8d33d5020b77ca08863542461209c3063fed53176627835e

SHA512
0b7b05c718c318d6a89da4dabad9eb1ff133d0450228612faddd35f24993f46c98fa0d46f8fc3d1e68d389fef439e7ca22d3463bc4f7eaa6331cea1bb3361f85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\429983a4-0095-46a4-ba48-e0aceb7e852b.tmp

Filesize
354B

MD5
55a2b9b8adb7c34804a2f551f11239fc

SHA1
e73494b639ec6fab757238328e4a0ab66442dd61

SHA256
1026dac48dd194d26916f34f44c6e7e494e0bfd0a0e513f3d5a2348cbf98cac4

SHA512
1addd3dc31b26b7481e919a99f914ea55ebfce1a579b8ad083e79abf413dbab4adba75760797c880d7259a02881618a15c30c33e71b458ed966e5b3d0aa5a799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0b279f03824c9871c69ba114e5026571

SHA1
f9e56fbb8f649c0865ac3ca13e87e6f3b34deed4

SHA256
5589fc0904352d4b32ee8b134458adf756954e9fa75f23589dfd3798df5c3565

SHA512
3c2f3e274bc97cd7b5ec3c71bac5d2f8eed2033688a76e266e293aa94924a89ce01fe3a8ddc5223bd43879935890092e08bfb14bfc0d02d80ecc6e16b3abfbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2344c68c3541e2f630936e84d0dcfa33

SHA1
aac39f7045fb061cc3c0e042df479ce8ac4a7375

SHA256
a7b3150c8fb70cc67d6088041bd084bfa72df2ab2119a3a1a653a88345aa9fc8

SHA512
0d160edca3a20d735f235c5f06aa5dcc5ec3355103c30949c9017530a49c1d3050c870a2d06338c6b2cbd0df7170a29751f04b55405b49899285029b13927978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
50b467816eafc4e2ecf859e8fdc0d326

SHA1
12041b300d21c3a3be208ffa6eb67dbb89f06929

SHA256
a3e16eb05961cb7c21080c40181ce8b83e4355fd5e23b8a2b90bf813f5b91fae

SHA512
a133ec81607d1213a8246cd94df3248fd80130416cb909aa78b7fcb3bf71cd4407a44718dc4d0f4ab5bf0392aa5235bca56e8c6080c7ad65f01fc830af2dc0b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc9be0c24e872a8b7684f5962e040b25

SHA1
20513e2c751eb88c7819c70278cbcc00dd1fd876

SHA256
94c2b31a39b7c8002e8b577aced7fdebbe753f45777187065e1b5e2e0d434b13

SHA512
baec6da6bf80f7f63560143432bf0548e44fe6845e59da0bc41d957b6bf0034b773eb0380b769984b93ab25a7045a9be690ad46df8b20501ac7731084696d2e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b40d13069525cd0254d44a62edcc63d3

SHA1
18ad0dd9c07bf746f75e1190fe74d1c1395c0e15

SHA256
41819aac1e2ce848ce8d36a7d0f735518d41f6b43a47a5ddefc3c31c965883ca

SHA512
479b9db9e055b1d5f8bd4eaba226d2004f898dc1afa63e213708a15f49333af791f5fddaf806db7294dba3c906265dd2a5185179fafe8842afc4dad04b6c2633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
11b0232f9acedb9b3b6d5208244df78a

SHA1
2639c0a18c048352d46708635227eeb36b6a81fb

SHA256
67c76300530272124399384f7d98287d90e661c45aa4b72e77a48fb94252cced

SHA512
240fdfc35a5cb695a9b0d4077326f58aa5c46d11191ff4b25fa13ab77fb315ea467f5baea9bf334a9872239bc799204b93dd46f8972692deaf857568b754cca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4370791b7738498a58224cf99714687b

SHA1
1a61148df065e5d426e68462fa02e7f3e4a7623b

SHA256
35bfdb01dfe7f399a32791afeb78d46330387ef28a9038d2a20c1d390b7a6473

SHA512
e1e593891ce047005ead029d50ab35b3c741bd3d421a0d554d986082fa779c7e0837c8c853d98bc867491ffafdb3c545ecd14a71032249a76eb16c69a88cf3d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7f4b1fc5f03e555dd1d3a41d2e281df5

SHA1
39caf04398294fecede98c5ba69942bec9d192d5

SHA256
160cea4a341b0cbc9b5ec12966969b11ec400a98a0b3717ce51cb4108ddc021f

SHA512
82839b6e1a4ee8e00ade5f761358cd237124b16a8b0989442a0c3077730505a03f6ce5af419e5f8fc80f0fdc1d3669c80fbe6ac64c68452f5d2041d9371eca1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
187e1668726ce5a90aab8159d328d5fb

SHA1
bff86c358419f006e128acd6a4b5aff8ff8fc1be

SHA256
5b6601f5276ea0d00d401ab2f214e0ad4517b101dd69820841497ea8bf2b1e8c

SHA512
70ab9088209d0d9f8354478f6767506d3bd632143c66ca92f52d749835c9d0dc42ffe8349338cb0d35f538f061986a2948cbc7344a568fd8eb62016abaef1161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
78b127dacb5c44f77f5235098fb8d4e3

SHA1
741af58e15ea5197c2b82ee8865531171c69e336

SHA256
1805f8040dcc8d2d9d1603f670319627d2ecb07c99201851d2a1f7969b7b042b

SHA512
6d690bc5eecbd5af8ec5751654f627a4a19036d7a21e6739bae80d86bfc86db99487a4da021ab63752fea22ef9d8b1425180badecac0cd90fea49b9669e9d036

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
814f74b67cb54bce630ff953063c17a7

SHA1
e6e41a3a4099ac0d7d838b533c0aadbdcc1f5157

SHA256
dc5ddaf810c2baf29b682529b2681bbe92b56e169411cb1d9c315ae395458896

SHA512
cef3d38b2192dba11dbc6feb4d36389fe7818830a8de0f7672e6174125a48457db2f62e323b153ce98a552a0074a423fb8688826993f54d9f5d8991cc49efd01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
be6d4aa78f4ea77952121f05a23b35d0

SHA1
7641ce4fcfd3fea589f6c321e49d123a47ed9740

SHA256
a2b0bfd2790690dd18ebc85442a02a3649fe1b9bd969a23ca2dcece477556a9d

SHA512
abb52adbbb67e243ccb7c56406c38c5cc4dd6207ac1c22e7e49400e7bcb0b3f550a179afef7afa389bc3b8498b97c661665e916015a8dd7a64fec91bcd199eed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6c93f2b9a2e38cc932ddaae8c67c5ce1

SHA1
9cd6b112de34ca1cd07a181c62dadbf28fe2f5c2

SHA256
0b4d2cad4c5044cd840db78ff3612e7f3bebc8bc2bf032da7d3fe9607700db2a

SHA512
668898a2d7d16300099ffb811a8291e539ff15a982ec9ee161b1ef9236f58a89356e6877210bb249c2caddec3614471f23b6a27a4a71e621a652e7632d871d6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cf26da2310bc7ea3204bdd70e2ec27f6

SHA1
8446d48e13c0c0077fdae9b5048c77b4812ecc6e

SHA256
51186fc1edb9451152ead63b97ceac7c74dd02f5bca3eb2b9b2f5b8d66e7d35b

SHA512
066f144b6cfee833495f84d2c369b0f3073d22245fbf8196578104aa52e02474ac9ec95223e50798800bb08a73a16e433f77256adaf0b262a1c59bec9d24514e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
89ce38a1c90d9cee9d2418ecd9f50b29

SHA1
dfd73b02781ad0134ac6dc5c0b286c0c958e8a51

SHA256
0952f8ac033da68d35027d023a7ddbc862ba43cd2212eed0e13cb904cb232eab

SHA512
de9e1de35b8038c258db87e375ac250fe1dd22bcff179a988a9a426420643ae2faa2f2859bd2d88d5b8f97e523467aeae4d415ee889581eb81e8d1eb1ec8c598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
db2b9bf5c9c8e8143f82084d01b04349

SHA1
7662673d7816512548c83210a2943ddc026d9dd1

SHA256
3c56c3cb1d9c21f39bd81e2e0b6481db56c275e72efeaa79444b6415c1a9d266

SHA512
c196779d57c75a9244cf83cadebf7872358a8cf1ef09a0467726915a033d9057ac5390fc30f1c55458f194ab89a491df5d36c054b533aa1b53af864e7fefeedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BUILD45_PROTECTED.EXE.log

Filesize
1KB

MD5
209be68810b961fd9592a820991df838

SHA1
4f9c9e290cc05a040faf33dba60fdbfc49b337c9

SHA256
68ee34fdd6d8fbd347165a9ae9f6806d80be06390550bd6901a91fcc16022713

SHA512
dca8e8cb612ff163779a9e65a7eb1cbdc4933560c34f83bd5e1924c7ffbdd69f0ba7c7ff30ab9d22d8c91cb528013eb2472c2432226f27fe3665a08f76a20b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
165d4f43209bffcd62e60929ee8b194f

SHA1
e4786f8ed1ccefe22b07ed081aa0af44bfd59c90

SHA256
efabbdc19ad90ca4968d5b8a5ca8685ba3d2d8f3630df7201d1b5490eab4381b

SHA512
d7c5e32c58e808ebe767b3a718e1af54413d94a235c15f374746dde59a6858e4c36b114d7b32c4fd82037130e204e7fbbd6d4adbd6ba373940cef04c4e17a2ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
25b5dfa92f950c6902e0ba4ba1d1dff0

SHA1
0e8fa7c0e233d35f911ca60881b1a53281bfc502

SHA256
e1e37eac0cf58bade05503cd9ec2e44def48c4588679598e81c705e3dc37beca

SHA512
131a7fdb1f485331256e20fe930d2e13315ebd54a19823192b766b8f74e82eeda8427e72d0a8df9c4ca9ee3017d5e0bd8887aac81a6a0f4f50dbbf7f4bc6e30e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6344564097353c8e7e68991fffa80d88

SHA1
2ac4d108a30ec3fbd2938b0563eb912415ea7c62

SHA256
d0af6d69f8bc0c98e9fb61dead6327bbc8b4f5292529313515382d8f883de0da

SHA512
e2b37a9001a91cb05483d72f88bd70a61ca5655939c2290fd1580710eec9d8d26a5fedbcb5223f5413b5dcc46f1d8b6b408e57be0e4ad4b37b55cbce9023a303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80707036df540b6657f9d443b449e3c3

SHA1
b3e7d5d97274942164bf93c8c4b8a9b68713f46f

SHA256
6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0

SHA512
65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4914eb0b2ff51bfa48484b5cc8454218

SHA1
6a7c3e36ce53b42497884d4c4a3bda438dd4374b

SHA256
7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

SHA512
83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c0fe86517be16d2b0a671148c0274d2

SHA1
bd7a487a037395e9ede9e76b4a455fdf386ba8db

SHA256
5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302

SHA512
642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\34993fdc-d5c1-4029-8357-ec2e83b54ee5.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1e7dd00b69af4d51fb747a9f42c6cffa

SHA1
496cdb3187d75b73c0cd72c69cd8d42d3b97bca2

SHA256
bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771

SHA512
d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b5ec1c651d538125bbad8ae7b5878883

SHA1
fc51a9862cd962c1dcf92da77deca73aa79f0c04

SHA256
7e4836c483ec272727cb1e69f6d1769be0f8ea3783dab5fc6846bea18f8c5114

SHA512
ce915256b7339ce5ae8c12864b66f8c83c4ef31185e46d5877776a4fb21ae18a58c742af77312d54ca77f42d33c63e9b6ff868c078d11d423dac4b72cb599f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9536.tmp\9537.tmp\9538.bat

Filesize
1KB

MD5
38aa62eab695ee35b45640b38d81c6fb

SHA1
dad805dd77f333f65f7b27164be6d84ae7f0f2a6

SHA256
a099bad93b0e8c3e2686c8877a12b14cec058144332a92562fb1f514afc2c588

SHA512
628a74cd801a13a851dfef0866a604c1c57d764a12f852557efbb15f2d23de762b3cea9e8e0ff2c03bceda2aafc9a87c1f2f416ff286b49adb0f2493f5248ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\BUILD45_PROTECTED.EXE

Filesize
1.7MB

MD5
fa60d5addf070e384e17e8947b93736f

SHA1
47231f098d39f0aa6af3d00367db661936a905a9

SHA256
867ff47b1dfb1aceddc866b285de98b9b6174e22c83d772dd48502ad333fc4e6

SHA512
88ba67b3d70f061b0fe14c89a6c8562450d3265a54981057c61bd325cd8aef595a66a2949f67a1f46d3f94a6a065eaaf81d3f4f0d543e5f871e96c7941f6166d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAVER.EXE

Filesize
87KB

MD5
47a0e0b1f184a09c20aabdb3b7fd7d41

SHA1
cdf678618d5f6c3b24a994083280cbd7b9719d53

SHA256
25ae495666d098744d9c5e0a0713358d9c4016052954679379f070aa253338ea

SHA512
405f43a56043f4301bbd9a196df9176008ac0ff84407401f5f7638542d90ad74d4be8ad6910333e79d47c6c9dd325ed1bf87c5c4dbd51ef33604539fc8ec1a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnvu1rca.wqi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\Downloads\1.exe.crdownload

Filesize
1.8MB

MD5
6bd9fa3ef192a80e0fec426bedc752ec

SHA1
4decaa11b295b19927dec63f04102fca745e33f5

SHA256
814336ac249fe8bd2b5700b3603c4f4ec095433d92e96ccf1d4ecd6968ad31f7

SHA512
da1bf9028fe8d369b0909e1395c62664cc4680e442e44cc739db0f8559b4ae3dc205fb5e948ecc3b6c10efd5c8fa57eefa648ec67ad131a6a486f4c9acf35937

Download Submit
C:\Users\Admin\Downloads\1.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SysWOW64\Microsoft\lib_ec0265501148482a90b3681c1b46d412\SharpDX.dll

Filesize
247KB

MD5
ffb4b61cc11bec6d48226027c2c26704

SHA1
fa8b9e344accbdc4dffa9b5d821d23f0716da29e

SHA256
061542ff3fb36039b7bbffdf3e07b66176b264c1dfd834a14b09c08620717303

SHA512
48aa6130bf1f5bd6de19256bbdf754c0158b43dd122cec47bb801a7a7b56f2da268bfdec24d135621764a23278ead3dcc35911a057e2dfa55a348bae8ef7b8a9

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
memory/8-175-0x000001F3BDB90000-0x000001F3BDBB2000-memory.dmp

Filesize
136KB

Download
memory/440-395-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/812-339-0x0000000000F20000-0x0000000001374000-memory.dmp

Filesize
4.3MB

Download
memory/812-344-0x0000000000F20000-0x0000000001374000-memory.dmp

Filesize
4.3MB

Download
memory/812-609-0x0000000007970000-0x0000000007996000-memory.dmp

Filesize
152KB

Download
memory/812-599-0x0000000008370000-0x00000000083BA000-memory.dmp

Filesize
296KB

Download
memory/812-594-0x00000000082D0000-0x0000000008314000-memory.dmp

Filesize
272KB

Download
memory/812-653-0x00000000660C0000-0x000000006614F000-memory.dmp

Filesize
572KB

Download
memory/812-381-0x0000000007400000-0x000000000740A000-memory.dmp

Filesize
40KB

Download
memory/812-638-0x0000000009670000-0x00000000097C4000-memory.dmp

Filesize
1.3MB

Download
memory/812-399-0x0000000008B50000-0x0000000009168000-memory.dmp

Filesize
6.1MB

Download
memory/812-400-0x0000000008560000-0x0000000008572000-memory.dmp

Filesize
72KB

Download
memory/812-552-0x0000000009400000-0x0000000009450000-memory.dmp

Filesize
320KB

Download
memory/812-412-0x0000000000F20000-0x0000000001374000-memory.dmp

Filesize
4.3MB

Download
memory/812-343-0x0000000000F20000-0x0000000001374000-memory.dmp

Filesize
4.3MB

Download
memory/812-604-0x00000000094B0000-0x000000000950A000-memory.dmp

Filesize
360KB

Download
memory/812-345-0x0000000006850000-0x000000000689E000-memory.dmp

Filesize
312KB

Download
memory/812-346-0x0000000006E90000-0x0000000006EA8000-memory.dmp

Filesize
96KB

Download
memory/812-347-0x0000000007070000-0x0000000007088000-memory.dmp

Filesize
96KB

Download
memory/812-408-0x0000000008790000-0x000000000889A000-memory.dmp

Filesize
1.0MB

Download
memory/812-349-0x0000000007420000-0x00000000075E2000-memory.dmp

Filesize
1.8MB

Download
memory/812-351-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/812-407-0x0000000008600000-0x000000000864C000-memory.dmp

Filesize
304KB

Download
memory/812-401-0x00000000085C0000-0x00000000085FC000-memory.dmp

Filesize
240KB

Download
memory/844-436-0x0000000000F10000-0x0000000001364000-memory.dmp

Filesize
4.3MB

Download
memory/844-524-0x0000000000F10000-0x0000000001364000-memory.dmp

Filesize
4.3MB

Download
memory/844-439-0x0000000000F10000-0x0000000001364000-memory.dmp

Filesize
4.3MB

Download
memory/844-440-0x0000000000F10000-0x0000000001364000-memory.dmp

Filesize
4.3MB

Download
memory/848-316-0x0000000007B40000-0x0000000007B5A000-memory.dmp

Filesize
104KB

Download
memory/848-244-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/848-237-0x0000000005010000-0x0000000005046000-memory.dmp

Filesize
216KB

Download
memory/848-242-0x0000000005700000-0x0000000005D2A000-memory.dmp

Filesize
6.2MB

Download
memory/848-245-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/848-243-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/848-254-0x0000000005F90000-0x00000000062E7000-memory.dmp

Filesize
3.3MB

Download
memory/848-256-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/848-257-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/848-287-0x0000000006AA0000-0x0000000006AD4000-memory.dmp

Filesize
208KB

Download
memory/848-288-0x000000006FFE0000-0x000000007002C000-memory.dmp

Filesize
304KB

Download
memory/848-298-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

Filesize
120KB

Download
memory/848-299-0x00000000076E0000-0x0000000007784000-memory.dmp

Filesize
656KB

Download
memory/848-300-0x0000000007E40000-0x00000000084BA000-memory.dmp

Filesize
6.5MB

Download
memory/848-301-0x00000000077F0000-0x000000000780A000-memory.dmp

Filesize
104KB

Download
memory/848-302-0x0000000007870000-0x000000000787A000-memory.dmp

Filesize
40KB

Download
memory/848-303-0x0000000007A80000-0x0000000007B16000-memory.dmp

Filesize
600KB

Download
memory/848-317-0x0000000007B30000-0x0000000007B38000-memory.dmp

Filesize
32KB

Download
memory/848-304-0x0000000007A00000-0x0000000007A11000-memory.dmp

Filesize
68KB

Download
memory/848-315-0x0000000007A40000-0x0000000007A55000-memory.dmp

Filesize
84KB

Download
memory/848-305-0x0000000007A30000-0x0000000007A3E000-memory.dmp

Filesize
56KB

Download
memory/1264-353-0x0000000000F20000-0x0000000001374000-memory.dmp

Filesize
4.3MB

Download
memory/1264-350-0x0000000000F20000-0x0000000001374000-memory.dmp

Filesize
4.3MB

Download
memory/1264-354-0x0000000000F20000-0x0000000001374000-memory.dmp

Filesize
4.3MB

Download
memory/1264-411-0x0000000000F20000-0x0000000001374000-memory.dmp

Filesize
4.3MB

Download
memory/1416-227-0x000000001A4B0000-0x000000001A5BA000-memory.dmp

Filesize
1.0MB

Download
memory/1452-210-0x00000000016D0000-0x00000000016E2000-memory.dmp

Filesize
72KB

Download
memory/1452-211-0x000000001BB20000-0x000000001BB5C000-memory.dmp

Filesize
240KB

Download
memory/1452-201-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/1712-379-0x0000000007080000-0x0000000007095000-memory.dmp

Filesize
84KB

Download
memory/1712-368-0x0000000070860000-0x00000000708AC000-memory.dmp

Filesize
304KB

Download
memory/1712-377-0x0000000006DF0000-0x0000000006E94000-memory.dmp

Filesize
656KB

Download
memory/1712-378-0x0000000007040000-0x0000000007051000-memory.dmp

Filesize
68KB

Download
memory/1712-365-0x0000000006030000-0x000000000607C000-memory.dmp

Filesize
304KB

Download
memory/1712-363-0x00000000055D0000-0x0000000005927000-memory.dmp

Filesize
3.3MB

Download
memory/3492-622-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/3492-633-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/3492-634-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/3492-629-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/3492-630-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/3492-628-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/3492-623-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/3492-632-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/3492-624-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/3492-631-0x00000200726E0000-0x00000200726E1000-memory.dmp

Filesize
4KB

Download
memory/4112-167-0x0000000000850000-0x0000000000CA4000-memory.dmp

Filesize
4.3MB

Download
memory/4112-182-0x00000000060F0000-0x00000000060F8000-memory.dmp

Filesize
32KB

Download
memory/4112-180-0x0000000005CF0000-0x0000000005D82000-memory.dmp

Filesize
584KB

Download
memory/4112-183-0x0000000006100000-0x000000000610A000-memory.dmp

Filesize
40KB

Download
memory/4112-165-0x0000000000850000-0x0000000000CA4000-memory.dmp

Filesize
4.3MB

Download
memory/4112-169-0x0000000005BA0000-0x0000000005BFC000-memory.dmp

Filesize
368KB

Download
memory/4112-168-0x0000000005B40000-0x0000000005B4E000-memory.dmp

Filesize
56KB

Download
memory/4112-341-0x0000000000850000-0x0000000000CA4000-memory.dmp

Filesize
4.3MB

Download
memory/4112-179-0x00000000061B0000-0x0000000006756000-memory.dmp

Filesize
5.6MB

Download
memory/4112-184-0x0000000006150000-0x0000000006172000-memory.dmp

Filesize
136KB

Download
memory/4112-181-0x00000000060E0000-0x00000000060F2000-memory.dmp

Filesize
72KB

Download