quasar | hxxp://94[.]156[.]66[.]151/

Resubmissions

18-03-2024 18:43

240318-xddhfafd78 10

18-03-2024 18:31

240318-w6jz9afh4s 10

18-03-2024 18:08

240318-wqytgaeg87 10

Analysis

max time kernel
231s
max time network
237s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://94.156.66.151/

Score

10^/10

quasar rhadamanthys xmrig zgrat office04 miner rat spyware stealer trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

gjhfhgdg.insane.wang:3634

Mutex

5943d26f-e34d-4af2-bb6f-9aa3b1840ec8

Attributes

encryption_key
997411AC284CD97048B61F90B41B906864F1171B
install_name
dfsdff.exe
log_directory
Logs
reconnect_delay
3000
startup_key
windows defender process
subdirectory
fsfsf

Signatures

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5632-112-0x000001BC7AEE0000-0x000001BC7AFE2000-memory.dmp	family_zgrat_v1

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ijvcoeh.exe	family_quasar
behavioral1/memory/5556-206-0x0000000000470000-0x0000000000794000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\fsfsf\dfsdff.exe	family_quasar

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

hghghjhfhleviticus.exe

description pid process target process

PID 5904 created 2416 5904 hghghjhfhleviticus.exe sihost.exe
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 5904 created 2416	5904	hghghjhfhleviticus.exe	sihost.exe

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/5448-253-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5448-254-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5448-258-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5448-260-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5448-261-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5448-262-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5448-263-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

gfgghdhwhatsup.exefgfdgd.exefgfdgd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	gfgghdhwhatsup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fgfdgd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fgfdgd.exe

Executes dropped EXE 14 IoCs

Processes:

ghfhhminfudk.exehghghjhfhleviticus.exegfgghdhwhatsup.exeghghghg.exeijvcoeh.exedfsdff.exefgfdgd.exefgfdgd.exeghghghg.exefgfdgd.exeghghghg.exedfsdff.exefgfdgd.exefgfdgd.exe

pid	process
5560	ghfhhminfudk.exe
5904	hghghjhfhleviticus.exe
5448	gfgghdhwhatsup.exe
3480	ghghghg.exe
5556	ijvcoeh.exe
4700	dfsdff.exe
5128	fgfdgd.exe
1352	fgfdgd.exe
3712	ghghghg.exe
4116	fgfdgd.exe
3320	ghghghg.exe
1184	dfsdff.exe
3904	fgfdgd.exe
4856	fgfdgd.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5448-245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-250-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-249-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-251-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-253-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-258-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-260-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-261-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-262-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5448-263-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\taskschd.msc mmc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ghfhhminfudk.exeghghghg.exe

description	pid	process	target process
PID 5560 set thread context of 5632	5560	ghfhhminfudk.exe	vbc.exe
PID 3480 set thread context of 5448	3480	ghghghg.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5096 schtasks.exe
5724 schtasks.exe
6068 schtasks.exe
1184 schtasks.exe
5560 schtasks.exe
2308 schtasks.exe
3660 schtasks.exe

pid	process
5096	schtasks.exe
5724	schtasks.exe
6068	schtasks.exe
1184	schtasks.exe
5560	schtasks.exe
2308	schtasks.exe
3660	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133552590170870469"	chrome.exe

Modifies registry class 6 IoCs

Processes:

taskmgr.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5464 NOTEPAD.EXE

pid	process
5464	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exehghghjhfhleviticus.exedialer.exevbc.exetaskmgr.exeghghghg.exeexplorer.exe

pid	process
4000	chrome.exe
4000	chrome.exe
5904	hghghjhfhleviticus.exe
5904	hghghjhfhleviticus.exe
3880	dialer.exe
3880	dialer.exe
5632	vbc.exe
5632	vbc.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
3480	ghghghg.exe
3480	ghghghg.exe
3480	ghghghg.exe
3480	ghghghg.exe
3480	ghghghg.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5448	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exeOpenWith.exemmc.exe

pid process

5444 taskmgr.exe
2056 OpenWith.exe
6024 mmc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

4000 chrome.exe
4000 chrome.exe
4000 chrome.exe
4000 chrome.exe
4000 chrome.exe

pid	process
5444	taskmgr.exe
2056	OpenWith.exe
6024	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe
Token: SeShutdownPrivilege	4000	chrome.exe
Token: SeCreatePagefilePrivilege	4000	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exeexplorer.exe

pid	process
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
4000	chrome.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5444	taskmgr.exe
5448	explorer.exe
5444	taskmgr.exe
5448	explorer.exe
5448	explorer.exe
5444	taskmgr.exe
5444	taskmgr.exe
5448	explorer.exe
5444	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

mmc.exeOpenWith.exe

pid	process
6024	mmc.exe
6024	mmc.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4000 wrote to memory of 3984	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 3984	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 2804	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 4952	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 4952	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe
PID 4000 wrote to memory of 1332	4000	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2416

C:\Windows\system32\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://94.156.66.151/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97bd99758,0x7ff97bd99768,0x7ff97bd99778
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:2
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:1
2⤵
PID:3628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:1
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:3668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4352 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:1
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4940 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4972 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4968 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:1
2⤵
PID:5200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5316 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:1
2⤵
PID:5280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5288 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4988 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4932 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4704 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3036 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5324 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3364 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5684 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5752 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5940

C:\Users\Admin\Downloads\ghfhhminfudk.exe
"C:\Users\Admin\Downloads\ghfhhminfudk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5560

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5632

C:\Users\Admin\AppData\Local\Temp\ijvcoeh.exe
"C:\Users\Admin\AppData\Local\Temp\ijvcoeh.exe"
4⤵
- Executes dropped EXE
PID:5556

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows defender process" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\fsfsf\dfsdff.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1184

C:\Users\Admin\AppData\Roaming\fsfsf\dfsdff.exe
"C:\Users\Admin\AppData\Roaming\fsfsf\dfsdff.exe"
5⤵
- Executes dropped EXE
PID:4700

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "windows defender process" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\fsfsf\dfsdff.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:5560

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\hgjfhdgh"
3⤵
PID:1220

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hgjfhdgh\hgjfhdgh.exe'" /f
3⤵
PID:3480

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\hgjfhdgh\hgjfhdgh.exe'" /f
4⤵
- Creates scheduled task(s)
PID:5724

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\ghfhhminfudk.exe" "C:\Users\Admin\AppData\Roaming\hgjfhdgh\hgjfhdgh.exe"
3⤵
PID:1612

C:\Users\Admin\Downloads\hghghjhfhleviticus.exe
"C:\Users\Admin\Downloads\hghghjhfhleviticus.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5632 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5036 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:8
2⤵
PID:5144

C:\Users\Admin\Downloads\gfgghdhwhatsup.exe
"C:\Users\Admin\Downloads\gfgghdhwhatsup.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
PID:5448

C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
"C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:6128

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:6124

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:5896

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:6040

C:\Windows\explorer.exe
explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5448

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
3⤵
PID:1196

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
3⤵
PID:5936

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
4⤵
- Creates scheduled task(s)
PID:6068

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c copy "C:\Users\Admin\Downloads\gfgghdhwhatsup.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
3⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2556 --field-trial-handle=1904,i,123868974064576822,2310964821097692026,131072 /prefetch:2
2⤵
PID:5960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:5176

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:5444

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Executes dropped EXE
PID:5128

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6024

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1352

C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
"C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
2⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:3404

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:1104

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:2596

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:5388

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
2⤵
PID:4528

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
2⤵
PID:2464

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
2⤵
PID:1904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe.config
2⤵
- Opens file in notepad (likely ransom note)
PID:5464

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4116

C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
"C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
2⤵
- Executes dropped EXE
PID:3320

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:5380

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:1176

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:4452

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:2252

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
2⤵
PID:5388

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
2⤵
PID:6028

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
2⤵
PID:5304

C:\Users\Admin\AppData\Roaming\fsfsf\dfsdff.exe
C:\Users\Admin\AppData\Roaming\fsfsf\dfsdff.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Executes dropped EXE
PID:3904

C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
1⤵
- Executes dropped EXE
PID:4856

C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
"C:\Users\Admin\AppData\Local\Temp\ghghghg.exe"
2⤵
PID:5836

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfdgd"
2⤵
PID:428

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
2⤵
PID:5376

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe'" /f
3⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe" "C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe"
2⤵
PID:5676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
e36ddd87b634eedc4ee7f7a93261e66f

SHA1
1ffbcd4cddaddf9e83f348c7e412a0184f68fc6b

SHA256
61569df3e80de10c9c9453c43e6fc446fbfed4a89eac1d17c9fa4de24d4a5570

SHA512
0fd97aafa8341826bc501a962d251c1e3b9a8dfd111f9cda176661070ea6087020df7f3fb80e1f870963bee095dacf7e3f93117997ece8f060f96fd84855dd7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4229de70f29d932598d8f70376e51da6

SHA1
5ccb975812b4750bfd6f26f3e0f37d4158218210

SHA256
0afc8cd45cd20ce2b4f2fc183c0e618a7bee6fa8ef70d6a35a66884a3d87ef74

SHA512
9d58777af9c14ba2de2d98802455b5f2ea7474cb071184f24f330cfb8b6e4b4bd4bc983fe7ea079002688d0557113f48357ceacf573bc9d52b5ddb5a21837ed5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
e5c4bc21e263f0bfd951d72b748fac09

SHA1
11e34e78c9b8c931ef71f30a19974a91fbbf7ec7

SHA256
64c3d30b3c53725562b1e44be14716c0e0e24d3a104f924449d0e2a04daffcf7

SHA512
22482521470c18a47a5cef29d4f4712053df9d3735fc2cb4a6b4a836221b73b6d8934fcd776310fc0449b820a53a81835668e201eff411b31b0114978d05588d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
df1b6c862d39694729c8c72aa6a79186

SHA1
ef7c26892ff167762e4a30991c7752601b95dcbc

SHA256
5c63419afb6bc039f78da051d1d9cfa4d62fb2d5a45daecdd4fc5bd1149fc814

SHA512
ed44c1f4812bb3b9e12fd086a3e1ab22c2ab6d9dd68b57a84deda8ed25b2945520ba692ec0a54795668d83e8304c065ec5a47c2d04e974f55813fd5adb79e234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
d9f3a5e1880d50c3d42881c3dc18c192

SHA1
d7221e7a33327f0d7c03bce59db4bf697a06b888

SHA256
8f3ae140d71fa7a8a44661c93ba0cc15a6afb83fee1c95395a36c736e7c3bdc7

SHA512
63bc534fe827cbd28322e112ca9b88f289a4d524ec6539de2ece370b0556ced44268e87050f303beed0d1ede8f14bea5976cd590618b738e36f3a5298e549cc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
ade9b0fa50693d26aab87ef6081eccac

SHA1
9fe2eea98b7e6c7058c77e3c944576e45c2b3d21

SHA256
7327d69e81e52a2272e2fc80fab03b5e25192ec8d3d7881a37a26d69e66e9c3d

SHA512
3b23b7eedf5ce2d0c578e2ca87d0605d2488c60032740b5df6a3fcabcd8f6f61b1a1be21dd56bd224d90eb7f45f999f85a792e890364481a72ae6276ccef2751

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
65fa9d8ee0b6fc764738ac38e3fa84fd

SHA1
63c1047c85e353c329f5e43b2c99dfbcae315502

SHA256
8bcdfd2718ba4144628ccb816403e874f81935a1c71171662b4bfacab4908442

SHA512
4f3052806af71a2d9e9babdeb6c32ffa5e0a491c5ca90ac0ff9e46037bbd61449b1274b98cac81d8fb45e886a5cc18de8639d1fd0a668114426bf7afb7857c31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fgfdgd.exe.log
Filesize
660B

MD5
1c5e1d0ff3381486370760b0f2eb656b

SHA1
f9df6be8804ef611063f1ff277e323b1215372de

SHA256
f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

SHA512
78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
956KB

MD5
851d7111baf2cf3c1432150ee0141ed5

SHA1
c6c04ce0003e13d30671224589c61581f7268aa8

SHA256
997603a6b613ee7934c2081dfaf157d17cdb7025cdd8be8a19c008ac4f7c1865

SHA512
6347aeeb2f40b2975dc03a8051af4e1acac555b1ca7dbcaf101d3782d01969b7f656853827f8db830ffbab28c33d769d6009c1abbf033b79161b4e093b4916d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
1.1MB

MD5
7a9e6b2718ff49f6c940561e567f616a

SHA1
0e369aafe24b3a6c5e4efd6f18d255f31b96eb5b

SHA256
c598a5bfbc1266467ec37f4c357b5b982d6108cb06c1ed2f1a522c037ccacafd

SHA512
483d13b60c50a33e4e4aa73e6e8dc4c51d4c293f896de537d86f6f43573b5767bd7974ccc0c58aa1c1852ac277d2f25563beaa24d9e4ff2b1a731ba8f6a80c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
691KB

MD5
9fe56cfb6f76946aff6aa16d69043413

SHA1
98eda9a407f0d47e0766842bc8a39c38b553ff28

SHA256
e76f60efb8ac29263aacbc68335fc281df9b80a8c50de345f37e676278ab3498

SHA512
4e385e81c601b0163576ed71da1ea240399e06426ab4125f90379911496230581b020c63bf7f7ffa698259e214950941b02af1d4462b90cf4d377f18641a213c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
4.3MB

MD5
e9cf1d1fe0ab3547577c1218fb5772ae

SHA1
4801617024649a1e977fe563a01311cea045ff64

SHA256
cdf1a1a4d4e6db52b0db64419f58932964a5a12af242640d98a03dc860459f2a

SHA512
e62515cb27ee9c51e4df2dcb854fd832e8aafe862ad16e90edb482159fd2c4e5578c0b85d480db76652ea25dad58cea760bcc394da42f10c4c88e052bd84678f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
5.0MB

MD5
d3cd8232d7097dc4953b61b86afd7fd2

SHA1
e1733674bc7c3c7aa5b156b66049dbfd3191bd11

SHA256
6fd8206d1f38ac41c23a6c9dead21eb3ff7421200f6185edf63c70da8fbb398c

SHA512
2404a989b0d400d621056e7326d465c6a5646cac175920d0cb9bc2e7c0aa6d5b08996c42db963c2b5e5c7d14814616986d985a15f3ea1d84f4ca23720ff1e95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghghghg.exe
Filesize
4.2MB

MD5
f9f8328a5008eab5d6cca1244603fc9b

SHA1
f35440475f087019e0ef91bc738800104b63f3bd

SHA256
465132f2b190269629ac02f26379f563427825c4e1126b46b7ea224f22ff20e2

SHA512
52eb477223c99ea997399210d8b37279e5c6babfba6b462fedad627a376f4b95154f82e3c31e2850e0f42dbd622a83302262628544ff204cfd666262687da2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\haaczrnyavrj.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijvcoeh.exe
Filesize
3.1MB

MD5
f0e2c9077145df06fc292d0d7583c5e5

SHA1
7c6182b7d61fe8a12670021f8499326b83e1e3f4

SHA256
a841a1fe8b81516cb7d07d1bf57d663a26ce360e61f2f90c9dc046e9280bd318

SHA512
a5a64a73d8d310974849998d7288d763b63397c67d7c4a1cf4102d7bf588b3891af8e7ed6d1322e6e3c35ca258bd06a8d7aa23bda551372ead819fa90126f701

Download Submit
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
Filesize
4.7MB

MD5
d2c9bec170d6293657f7f01bd742c9e9

SHA1
700621894d25482de2edd7b044d2d911c131c6c6

SHA256
11625fb140066e8c0e2c691d42fb1dfce25c4d1394c9074d8728b578d63a2e05

SHA512
a9365daabc3f49b41b41ed3ccd69921b0fb850ece20a1518efebdbd39741ac4b0b7a366e486fcaad6dccc5beca75878aeb687b932b76b93d91c574ca90a9e95e

Download Submit
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
Filesize
4.3MB

MD5
26b13279deee482cc9393df19d59c3e3

SHA1
0c5ebd4cedb765f6fa9b1fc4e6c59fb6f50ec314

SHA256
2eeb79b53d325b05a96d6b047eda11dbb13170d92ff95af2d9d7a282f9e47729

SHA512
ff213f3201c842af005457ed6be3e4b1ce3e5b2d368e940a7ca02045f79b2b677d52a39bfe3af8c41e8a6b0943e01581789a1150c5761f7f7f8da74e31bf5871

Download Submit
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
Filesize
342KB

MD5
fdf6ce3dbea3c61ae2320d84aa0c0685

SHA1
cd1c2a8ce22b74a302f80c31989ce463b14f8677

SHA256
c2a56dd818ab3125e22d57c1cc2bd3f3d98bd90951affa02c80449b67bdb0ef8

SHA512
35320b858ac19a0f504766f961b6ccd7c8132936bee5c195b71cc60c61d4f0abde9cdf2c405dcfd3de884db38a8c35d8616b7eccbdfeedfe3c09ec5d8e4c9a7e

Download Submit
C:\Users\Admin\AppData\Roaming\fgfdgd\fgfdgd.exe
Filesize
960KB

MD5
bccace07ee68a2e3be492e98daa3b63a

SHA1
2e66116394d27717d85e415468138e0bbf226c14

SHA256
dba8bab46ea7ee8cd9351fca81ec387953071b3812f55c42007fc96bac2c2d04

SHA512
35ae288889d2bd3b3d11009b847f9209611d5cea56d59f05812eb6bb87b1b59c6cc25918a9ecafddad332ac41224ea6f2cc5bc158d15d471196f5be43abe777d

Download Submit
C:\Users\Admin\AppData\Roaming\fsfsf\dfsdff.exe
Filesize
2.0MB

MD5
a20fe13c93b4312570d0a4e7673f7244

SHA1
105c17ff02fab02964eb2e551efda41b48eb352a

SHA256
dda88326f9c5f6b9a353cc4de8d01cd63906f00564a3ea87529dd6f44132ee4f

SHA512
b8541e29de4fecba714b059e6b4d154fff954d68fe1a79c25f22d885d999afca659d232b894a500259ee4614d86862c6f5de92b43ecba1961cc80b6dae8fbac2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 339238.crdownload
Filesize
539KB

MD5
585cc99fbf9df24009231d70d007c236

SHA1
cd0e58b6a885580d048b4041bad3b92059bad5b9

SHA256
39ccc224c2c6d89d0bce3d9e2c677465cbc7524f2d2aa903f79ad26b340dec3d

SHA512
0cbf32cfcb2c76e175a479a0e35fe9aea4ce9f7a4eb57f09ec5ec099a6b968d6e5cd97617f07bf60798c76f36d7d6bd1aeb8313ab0f72fa75c660a525c252609

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 653412.crdownload
Filesize
640KB

MD5
39a992b9199b7b4dab2aa0d1c1d4a675

SHA1
1def43230c2aedfcc443236abc521b30533c5dc3

SHA256
b24a0a35c0a19d86df772ee13ecae2719dc7fb4d4f947588e2e4c0cc26dbe0ec

SHA512
0ff3052405963392311e0dda42d4ad94d16525ddee8c43bb57230807b5a7c3846d8929fadfe967ade1d8099cbf6118ea0bd7516cb71a049a3f71b2fa4b30c72c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 900198.crdownload
Filesize
5.0MB

MD5
b03c2d7df7eabc44f36397cb66ac3e77

SHA1
486f521d16d96878a74ff9212cf2da5b184e0430

SHA256
4489ff33e7a91c7485a1c1dd8a6102868e385f74fd8b5dbdbf4b505bbe9193b3

SHA512
5cffc7a0ba01e5db793a62a3fc1dc2454cbd5b768f66959adac11e1523958bc48ef4c1dd5ff074988c04b6269853671ab480074a117d30184631d9936c154051

Download Submit
C:\Users\Admin\Downloads\gfgghdhwhatsup.exe
Filesize
4.1MB

MD5
0318f3e883bcd6492670f1eed8e43cee

SHA1
091bc77189edc1ebbcd38a8a82a0197a34f8053c

SHA256
fe3d854a05a2a6830247691fbcf991885884bc8fbc0cbb0c4c72983d82d8c4c7

SHA512
eeb433cda25a378ce823784e891896b382d87194f1f41714f66e53c8bbda0a7629312dc5097623740890f2e242b719dd29e0150649909d061189630c65111f18

Download Submit
C:\Users\Admin\Downloads\gfgghdhwhatsup.exe
Filesize
3.5MB

MD5
8073df07110ef9e56f95b2a0a5664529

SHA1
95e1da65063c0e907697d341923328a5c87d52c3

SHA256
d172d6b13ae78324371650a652f3c15983b27d066569386afc897d6197ca4b38

SHA512
c2438c0c04bb228644ae7c6d68a6715e8570eb94ee24c159c6c8cd656ec28b069430e7f19cd75244a528844a00723c31c96524e081f7db5ab45fa23a06ba7b33

Download Submit
C:\Users\Admin\Downloads\ghfhhminfudk.exe
Filesize
665KB

MD5
06366656ad8ddb302958398f10d38e7b

SHA1
47d24c5030044907eae07d6d17be4d34dc333cc1

SHA256
06dbcee1c5c8b50c3a3c47660d0bdbb52181861bbc9edede1d8b1674e82d074e

SHA512
6970ba9b1cff501e27bb10602f858031d5acb6abc01311542d42c84eadcaf96e4407b859c7b3e590528c92ed2ec847b4550a1bcc2bac9110034ae32a900cd356

Download Submit
\??\pipe\crashpad_4000_CDQXOIDDJWCARZRK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1184-326-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1184-327-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/1184-329-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1352-291-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1352-292-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/1352-301-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3880-152-0x000001B06E050000-0x000001B06E450000-memory.dmp

Filesize
4.0MB

Download
memory/3880-158-0x00007FF998390000-0x00007FF998659000-memory.dmp

Filesize
2.8MB

Download
memory/3880-163-0x000001B06E050000-0x000001B06E450000-memory.dmp

Filesize
4.0MB

Download
memory/3880-155-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp

Filesize
2.0MB

Download
memory/3880-153-0x000001B06E050000-0x000001B06E450000-memory.dmp

Filesize
4.0MB

Download
memory/3880-149-0x000001B06C440000-0x000001B06C449000-memory.dmp

Filesize
36KB

Download
memory/3880-156-0x00007FF999B20000-0x00007FF999BDE000-memory.dmp

Filesize
760KB

Download
memory/3880-157-0x000001B06E050000-0x000001B06E450000-memory.dmp

Filesize
4.0MB

Download
memory/3904-333-0x0000000001CA0000-0x0000000001CB0000-memory.dmp

Filesize
64KB

Download
memory/3904-332-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4116-314-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4116-324-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4116-315-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/4700-274-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4700-242-0x000000001C300000-0x000000001C350000-memory.dmp

Filesize
320KB

Download
memory/4700-243-0x000000001C410000-0x000000001C4C2000-memory.dmp

Filesize
712KB

Download
memory/4700-257-0x000000001C380000-0x000000001C392000-memory.dmp

Filesize
72KB

Download
memory/4700-259-0x000000001CF10000-0x000000001CF4C000-memory.dmp

Filesize
240KB

Download
memory/4700-227-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5128-252-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5128-232-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5444-219-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5444-208-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5444-215-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5444-216-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5444-218-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5444-217-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5444-209-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5444-220-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5444-214-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5444-210-0x0000022F430B0000-0x0000022F430B1000-memory.dmp

Filesize
4KB

Download
memory/5448-245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-250-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-263-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-260-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-176-0x0000000000180000-0x0000000000680000-memory.dmp

Filesize
5.0MB

Download
memory/5448-198-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5448-258-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-262-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-261-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-249-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-251-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-178-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5448-253-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5448-255-0x0000000000B20000-0x0000000000B40000-memory.dmp

Filesize
128KB

Download
memory/5556-228-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5556-207-0x000000001B460000-0x000000001B470000-memory.dmp

Filesize
64KB

Download
memory/5556-206-0x0000000000470000-0x0000000000794000-memory.dmp

Filesize
3.1MB

Download
memory/5556-205-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5560-105-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5560-106-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/5560-104-0x0000000000210000-0x00000000002BA000-memory.dmp

Filesize
680KB

Download
memory/5560-111-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5632-154-0x000001BC7AED0000-0x000001BC7AEE0000-memory.dmp

Filesize
64KB

Download
memory/5632-164-0x000001BC7AED0000-0x000001BC7AEE0000-memory.dmp

Filesize
64KB

Download
memory/5632-231-0x000001BC7AED0000-0x000001BC7AEE0000-memory.dmp

Filesize
64KB

Download
memory/5632-179-0x000001BC7AED0000-0x000001BC7AEE0000-memory.dmp

Filesize
64KB

Download
memory/5632-177-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5632-107-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/5632-109-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/5632-264-0x000001BC7AED0000-0x000001BC7AEE0000-memory.dmp

Filesize
64KB

Download
memory/5632-110-0x000001BC7AED0000-0x000001BC7AEE0000-memory.dmp

Filesize
64KB

Download
memory/5632-112-0x000001BC7AEE0000-0x000001BC7AFE2000-memory.dmp

Filesize
1.0MB

Download
memory/5632-115-0x000001BC7AFE0000-0x000001BC7B036000-memory.dmp

Filesize
344KB

Download
memory/5632-116-0x000001BC7B040000-0x000001BC7B08C000-memory.dmp

Filesize
304KB

Download
memory/5904-146-0x0000000003180000-0x0000000003580000-memory.dmp

Filesize
4.0MB

Download
memory/5904-144-0x0000000003180000-0x0000000003580000-memory.dmp

Filesize
4.0MB

Download
memory/5904-148-0x00007FF998390000-0x00007FF998659000-memory.dmp

Filesize
2.8MB

Download
memory/5904-128-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5904-142-0x0000000003180000-0x0000000003580000-memory.dmp

Filesize
4.0MB

Download
memory/5904-150-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5904-147-0x00007FF999B20000-0x00007FF999BDE000-memory.dmp

Filesize
760KB

Download
memory/5904-143-0x0000000003180000-0x0000000003580000-memory.dmp

Filesize
4.0MB

Download
memory/5904-145-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp

Filesize
2.0MB

Download
memory/6024-285-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-283-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-304-0x000000001E500000-0x000000001E600000-memory.dmp

Filesize
1024KB

Download
memory/6024-287-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-290-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-289-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-284-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-303-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-282-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download
memory/6024-281-0x000000001E500000-0x000000001E600000-memory.dmp

Filesize
1024KB

Download
memory/6024-280-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-279-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-278-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-277-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-276-0x00000000046D0000-0x00000000046E0000-memory.dmp

Filesize
64KB

Download
memory/6024-275-0x00007FF977220000-0x00007FF977CE1000-memory.dmp

Filesize
10.8MB

Download