Malware Analysis Report

2024-08-06 11:13

Sample ID 240614-h92gtateqq
Target Client-built.exe
SHA256 bba5ce847c62bb82236b5c5e9469f24d7f8f3d605bfaf4b5c5901b4fad1b84ac
Tags
triage quasar spyware trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

bba5ce847c62bb82236b5c5e9469f24d7f8f3d605bfaf4b5c5901b4fad1b84ac

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

triage quasar spyware trojan

Quasar RAT

Quasar payload

Quasar family

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Attribution note: in the behavioral1 detail tables below, the SCSI registry reads, the EnumeratesProcesses, GetForegroundWindowSpam, FindShellTrayWindow and SendNotifyMessage events and the SeSystemProfile/SeCreateGlobal token changes are all performed by taskmgr.exe; the processor and BIOS registry reads and the clipboard format listener by POWERPNT.EXE; the registry class creation by mspaint.exe. None of those three processes appears as a child of the sample anywhere in the recorded process tree (see Suspicious use of WriteProcessMemory and Processes), so they should not be counted as sample behaviour without further correlation. The signatures the report does attribute to the sample or its dropped copy are Quasar payload/family, Unsigned PE, Executes dropped EXE, Drops file in System32 directory, Creates scheduled task(s), Runs ping.exe, Checks computer location settings, the SeDebugPrivilege token changes and the WriteProcessMemory parent/child writes.

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:26

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:26

Reported

2024-06-14 07:30

Platform

win10v2004-20240508-en

Max time kernel

87s

Max time network

86s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\system32\WindowsManager\winrmt.exe N/A (6 identical events)

The Geo\Nation value is what the Windows GetUserGeoID API reads, and .NET and many benign programs call it during locale initialisation, so the query is weak evidence on its own; what matters here is that the reader is winrmt.exe, the relocated copy of the sample.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\WindowsManager C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
File created C:\Windows\system32\WindowsManager\winrmt.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
File opened for modification C:\Windows\system32\WindowsManager\winrmt.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
File opened for modification C:\Windows\system32\WindowsManager C:\Windows\system32\WindowsManager\winrmt.exe N/A (6 events)
File opened for modification C:\Windows\system32\WindowsManager\winrmt.exe C:\Windows\system32\WindowsManager\winrmt.exe N/A (6 events)

The rows above are the sample installing itself: Client-built.exe creates the WindowsManager sub-directory under System32 and writes winrmt.exe into it, and the later winrmt.exe instances re-open the directory and their own image for modification. The hashes in the Files section show winrmt.exe is byte-identical to the submitted sample.

The remaining rows in this table come from the svchost.exe instance hosting the Data Sharing Service (DsSvc, see the Processes list) writing its own ESE database and log files under the SYSTEM profile. This is routine service activity, not sample behaviour:

File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs C:\Windows\System32\svchost.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

All three reads are by taskmgr.exe, which is not a child of the sample, and the Disk&Ven_DADY&Prod_HARDDISK key is the analysis VM's own disk; this is not evidence of a virtual-machine check by the sample.

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\system32\mspaint.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (62 events)
N/A N/A C:\Windows\system32\mspaint.exe N/A (2 events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsManager\winrmt.exe N/A (2 events)
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsManager\winrmt.exe N/A (4 events)

The sample and its dropped copy enable SeDebugPrivilege (six winrmt.exe events in total, matching the six winrmt.exe instances in the Processes list); the three taskmgr.exe privilege changes are normal for Task Manager and are unrelated to the sample.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (64 events)

Suspicious use of WriteProcessMemory

Every row pairs a process with one of its own children as listed under Processes (Target is the child image), and no write into a process outside this tree is recorded, so the table is consistent with process creation (a parent writing into its new child) rather than injection into unrelated processes. Each pair appears twice in the raw report (62 rows) and is listed once here. The sandbox OS reuses PIDs during the run: 1588 is first a winrmt.exe instance and later a cmd.exe, and 1080 is first a schtasks.exe and later a PING.EXE. Paths abbreviated: Client-built.exe = C:\Users\Admin\AppData\Local\Temp\Client-built.exe; winrmt.exe = C:\Windows\system32\WindowsManager\winrmt.exe; schtasks.exe, cmd.exe, chcp.com and PING.EXE are under C:\Windows\system32.

Parent PID Parent process Child PID Child process
4792 Client-built.exe 4160 schtasks.exe
4792 Client-built.exe 1760 winrmt.exe
1760 winrmt.exe 4720 schtasks.exe
1760 winrmt.exe 4980 cmd.exe
4980 cmd.exe 4704 chcp.com
4980 cmd.exe 1292 PING.EXE
4980 cmd.exe 1588 winrmt.exe
1588 winrmt.exe 4112 schtasks.exe
1588 winrmt.exe 3932 cmd.exe
3932 cmd.exe 3340 chcp.com
3932 cmd.exe 2660 PING.EXE
3932 cmd.exe 4240 winrmt.exe
4240 winrmt.exe 1080 schtasks.exe
4240 winrmt.exe 4936 cmd.exe
4936 cmd.exe 4600 chcp.com
4936 cmd.exe 4880 PING.EXE
4936 cmd.exe 4796 winrmt.exe
4796 winrmt.exe 4000 schtasks.exe
4796 winrmt.exe 1792 cmd.exe
1792 cmd.exe 932 chcp.com
1792 cmd.exe 2392 PING.EXE
1792 cmd.exe 3844 winrmt.exe
3844 winrmt.exe 1796 schtasks.exe
3844 winrmt.exe 1588 cmd.exe (PID 1588 reused)
1588 cmd.exe 4508 chcp.com
1588 cmd.exe 2596 PING.EXE
1588 cmd.exe 4800 winrmt.exe
4800 winrmt.exe 3204 schtasks.exe
4800 winrmt.exe 4568 cmd.exe
4568 cmd.exe 4628 chcp.com
4568 cmd.exe 1080 PING.EXE (PID 1080 reused)
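The parent/child pairs above can be turned into a reusable check. The following Python is an added example written for this page, not code from the sandbox or from Quasar: it rebuilds the tree from process-creation events, resolving a reused PID to whichever record owned it at the time (which the second 1588 in the table requires), then flags schtasks persistence with HIGHEST run level and a logon trigger whose target lies outside allow-listed system directories, and the "cmd.exe runs a .bat, pings localhost as a sleep, relaunches its parent's image" restart chain. The event list is constructed from the PIDs and command lines on this page, abridged to the first and fifth cycles; the Proc record, ALLOWED_DIRS and the two rules are this example's own assumptions.

```python
"""Process-tree triage for the parent/child pairs in this report.

Added example, not code from the sandbox or from Quasar. The event list is
constructed from the PIDs and command lines on this page (abridged); the Proc
record, ALLOWED_DIRS and the two rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

T = r"C:\Users\Admin\AppData\Local\Temp"
S32 = r"C:\Windows\system32"
SAMPLE = T + r"\Client-built.exe"
WINRMT = S32 + r"\WindowsManager\winrmt.exe"
SCHTASKS, CMD = S32 + r"\schtasks.exe", S32 + r"\cmd.exe"
CHCP, PING = S32 + r"\chcp.com", S32 + r"\PING.EXE"
TASK_CMD = ('"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON '
            f'/tr "{WINRMT}" /rl HIGHEST /f')
ALLOWED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumption


def bat(name):  # cmd.exe command line exactly as the report shows it
    return f'{S32}\\cmd.exe /c ""{T}\\{name}.bat" "'


# (pid, ppid, image, cmdline) in creation order, constructed from the report.
RAW = [
    (4792, 0, SAMPLE, f'"{SAMPLE}"'),
    (4160, 4792, SCHTASKS, TASK_CMD),
    (1760, 4792, WINRMT, f'"{WINRMT}"'),
    (4720, 1760, SCHTASKS, TASK_CMD),
    (4980, 1760, CMD, bat("7n86LWpSnEB1")),
    (4704, 4980, CHCP, "chcp 65001"),
    (1292, 4980, PING, "ping -n 10 localhost"),
    (1588, 4980, WINRMT, f'"{WINRMT}"'),
    # cycles 2-4 omitted, so the parent of 3844 (cmd.exe 1792) is not in the list
    (3844, 1792, WINRMT, f'"{WINRMT}"'),
    (1796, 3844, SCHTASKS, TASK_CMD),
    (1588, 3844, CMD, bat("69JS2fMiqnvL")),  # PID 1588 reused for a cmd.exe
    (4508, 1588, CHCP, "chcp 65001"),
    (2596, 1588, PING, "ping -n 10 localhost"),
    (4800, 1588, WINRMT, f'"{WINRMT}"'),
]


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent: Optional[int] = None  # index of the parent record, None if unknown


def build_tree(raw):
    """Link each event to whichever record owns its PPID at creation time, so the
    chcp/PING children of the second 1588 (cmd.exe) do not hang off the first
    1588 (winrmt.exe)."""
    procs, owner = [], {}
    for pid, ppid, image, cmdline in raw:
        procs.append(Proc(pid, ppid, image, cmdline, owner.get(ppid)))
        owner[pid] = len(procs) - 1
    return procs


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks(cmdline):
    opts = {k.lower(): v for k, v in re.findall(r'/(tn|tr)\s+"([^"]*)"', cmdline, re.I)}
    opts.update({k.lower(): v.upper() for k, v in re.findall(r"/(sc|rl)\s+(\S+)", cmdline, re.I)})
    return opts


def find_persistence(procs):
    """schtasks /create with /rl HIGHEST, a logon/boot trigger and a target outside
    ALLOWED_DIRS -> (schtasks pid, task name, target)."""
    hits = []
    for p in procs:
        if basename(p.image) != "schtasks.exe" or "/create" not in p.cmdline.lower():
            continue
        o = parse_schtasks(p.cmdline)
        target_dir = o.get("tr", "").lower().rsplit("\\", 1)[0]
        if (o.get("rl") == "HIGHEST" and o.get("sc") in {"ONLOGON", "ONSTART"}
                and target_dir not in ALLOWED_DIRS):
            hits.append((p.pid, o.get("tn", ""), o.get("tr", "")))
    return hits


def ping_delay(cmdline):
    m = re.search(r"-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)", cmdline, re.I)
    return int(m.group(1)) if m else None


def find_restart_chains(procs):
    """cmd.exe running a .bat whose children ping localhost (a sleep) and relaunch
    the image of cmd's own parent -> (launcher pid, cmd pid, delay, new pid)."""
    chains = []
    for i, p in enumerate(procs):
        if basename(p.image) != "cmd.exe" or ".bat" not in p.cmdline.lower() or p.parent is None:
            continue
        launcher = procs[p.parent]
        kids = [k for k in procs if k.parent == i]
        delays = [d for d in map(ping_delay, (k.cmdline for k in kids)) if d is not None]
        relaunch = [k.pid for k in kids if k.image.lower() == launcher.image.lower()]
        if delays and relaunch:
            chains.append((launcher.pid, p.pid, delays[0], relaunch[0]))
    return chains
```

Run `find_persistence(build_tree(RAW))` and `find_restart_chains(build_tree(RAW))` on a full Sysmon or EDR process-creation export in the same (pid, ppid, image, cmdline) shape; the owner map is what keeps a reused PID from corrupting the tree, and a parent that is absent from the export (3844 above) simply gets no link rather than a wrong one.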

Uses Task Scheduler COM API (tag: persistence)

Uses Volume Shadow Copy WMI provider (tag: ransomware)

Uses Volume Shadow Copy service COM API (tag: ransomware)

These three signatures carry no process, indicator or target in this report. The Task Scheduler COM usage is consistent with the schtasks.exe invocations in the Processes list. The two Volume Shadow Copy signatures are generic heuristics: no vssadmin.exe, wmic.exe or shadow-copy deletion appears anywhere in the run, and nothing else in the report supports ransomware behaviour.

Processes

Listed in launch order, image path followed by command line. The sample's own chain is: Client-built.exe registers the "Windows Device Manager" logon task (/sc ONLOGON /rl HIGHEST /f, where /f overwrites an existing task of that name) and starts winrmt.exe; every winrmt.exe instance re-registers the same task, then runs cmd.exe on a random-looking batch file in the user's Temp directory that switches the console to UTF-8 (chcp 65001), waits roughly ten seconds with ping -n 10 localhost and starts a fresh winrmt.exe. Six such batch-file restarts are started within the 87-second run. taskmgr.exe, mspaint.exe, POWERPNT.EXE, OpenWith.exe and the DsSvc svchost.exe instance below have no recorded parent among the sample's processes.

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON /tr "C:\Windows\system32\WindowsManager\winrmt.exe" /rl HIGHEST /f

C:\Windows\system32\WindowsManager\winrmt.exe

"C:\Windows\system32\WindowsManager\winrmt.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON /tr "C:\Windows\system32\WindowsManager\winrmt.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7n86LWpSnEB1.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\WindowsManager\winrmt.exe

"C:\Windows\system32\WindowsManager\winrmt.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON /tr "C:\Windows\system32\WindowsManager\winrmt.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SbvZV1zgGcnU.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\WindowsManager\winrmt.exe

"C:\Windows\system32\WindowsManager\winrmt.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON /tr "C:\Windows\system32\WindowsManager\winrmt.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qj0eQuiuYGaj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ResumeCompare.jpe" /ForceBootstrapPaint3D

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\WindowsManager\winrmt.exe

"C:\Windows\system32\WindowsManager\winrmt.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON /tr "C:\Windows\system32\WindowsManager\winrmt.exe" /rl HIGHEST /f

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\FindDisable.odp" /ou ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qvlbQDA5ATwg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\WindowsManager\winrmt.exe

"C:\Windows\system32\WindowsManager\winrmt.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON /tr "C:\Windows\system32\WindowsManager\winrmt.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\69JS2fMiqnvL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\WindowsManager\winrmt.exe

"C:\Windows\system32\WindowsManager\winrmt.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Device Manager" /sc ONLOGON /tr "C:\Windows\system32\WindowsManager\winrmt.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pxqE9k7mxakY.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost
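The persistence command repeated above can be audited on a live host from the task's exported definition. This Python block is an added example for this page, not a tool from the sandbox or from the Quasar project: it parses the XML that `schtasks /query /tn "\Windows Device Manager" /xml` produces and flags the combination seen here (logon trigger, HighestAvailable run level, binary in a new sub-directory of System32, Windows-sounding name registered outside \Microsoft\). The two sample task definitions and the expected-directory lists are constructed for the example; the element names follow the Task Scheduler XML schema.

```python
"""Audit an exported Task Scheduler definition for the pattern in this report.

Added example, not part of the sandbox report. Input is the XML that
`schtasks /query /tn "<name>" /xml` exports; element names follow the Task
Scheduler XML schema. The two sample tasks and the directory lists below are
constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# An elevated logon/boot task whose binary sits directly in System32/SysWOW64
# or anywhere under Program Files is unremarkable; anything else is flagged.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def _normalise(command):
    """Strip quotes, lower-case, expand %SystemRoot%/%windir% (assumed C:\\Windows)."""
    c = command.strip().strip('"').lower()
    return c.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def audit_task(xml_data):
    """Return the task name, its normalised command, the reasons it looks like
    the persistence seen in this report, and an overall verdict."""
    root = ET.fromstring(xml_data)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    command = _normalise(root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS))
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    triggers = [t.tag.split("}")[-1] for t in root.findall("t:Triggers/*", NS)]
    cmd_dir = command.rsplit("\\", 1)[0]

    at_logon = any(t in ("LogonTrigger", "BootTrigger") for t in triggers)
    elevated = run_level == "HighestAvailable"
    odd_dir = cmd_dir not in SYSTEM_DIRS and not cmd_dir.startswith(PROGRAM_DIRS)
    spoofed = "windows" in name.lower() and not name.lower().startswith("\\microsoft\\")

    reasons = []
    if at_logon:
        reasons.append("starts at logon/boot")
    if elevated:
        reasons.append("requests highest available privileges")
    if odd_dir:
        reasons.append(f"binary outside expected directories: {command}")
    if spoofed:
        reasons.append("Windows-sounding name registered outside \\Microsoft\\ (heuristic)")
    return {"name": name, "command": command, "reasons": reasons,
            "suspicious": odd_dir and (at_logon or elevated)}


# Constructed to match the schtasks command line in this report.
QUASAR_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Windows Device Manager</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Windows\system32\WindowsManager\winrmt.exe</Command></Exec></Actions>
</Task>"""

# Constructed benign task: daily, least privilege, binary under Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Acme\Nightly Backup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-06-01T02:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>S4U</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>"C:\Program Files\Acme Backup\backup.exe"</Command><Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""
```

Real exports are UTF-16 with a byte-order mark; pass the file contents as bytes (`audit_task(open(path, "rb").read())`) and ElementTree honours the declaration. `schtasks /query /xml ONE` wraps every task in one document, so split that output per Task element before calling audit_task. The name heuristic is deliberately loose: built-in Windows tasks live under \Microsoft\Windows\, so a root-level task with "Windows" in its name and a binary in a fresh System32 sub-folder deserves a look even when the other flags are absent.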

Network

Country Destination Domain Proto
US 8.8.8.8:53 daongochuy.ddns.net udp (3 identical queries)

Only DNS is recorded: daongochuy.ddns.net, a dynamic-DNS hostname, was looked up three times through Google's public resolver, and no TCP connection to a resolved address follows. The C2 port and any exchange with the Quasar server were therefore not observed in this detonation; the hostname is the only network indicator this report yields.

Files

Entries are in the order the sandbox recorded them; memory dumps are named memory/<pid>-<n>-<start>-<end>-memory.dmp, and where several dumps cover the same range the indices are listed in braces. PID 4792 is Client-built.exe and 1760 the first winrmt.exe instance (see Suspicious use of WriteProcessMemory). PIDs 4804 and 952 do not appear in the recorded process tree, and 4160 was first used by the schtasks.exe child of 4792 but PIDs are reused during this run, so the later 4160 dumps cannot be attributed from this report alone.

memory/4792-0-0x00007FF9F8C03000-0x00007FF9F8C05000-memory.dmp

memory/4792-1-0x00000000003E0000-0x0000000000704000-memory.dmp

memory/4792-2-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp

C:\Windows\System32\WindowsManager\winrmt.exe

MD5 7f113430d45982dd16a92095a0734593
SHA1 7c054a7e0ded31b23b94f59159b47df5e37135dd
SHA256 bba5ce847c62bb82236b5c5e9469f24d7f8f3d605bfaf4b5c5901b4fad1b84ac
SHA512 c17264d90431123207abd10998c4f8e068a7fcba7ab9763952741c52eccd80791bc48e2a053eec51499d9c2ae8a7f454f9ab74b0970fc219c57dd49a244753a1

This SHA256 is the submitted sample's, so the persistence copy is byte-identical to Client-built.exe; one hash covers both paths when blocking or hunting.

memory/4792-9-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp

memory/1760-10-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp

memory/1760-11-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp

memory/1760-12-0x000000001D620000-0x000000001D670000-memory.dmp

memory/1760-13-0x000000001D730000-0x000000001D7E2000-memory.dmp

memory/1760-18-0x00007FF9F8C00000-0x00007FF9F96C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7n86LWpSnEB1.bat

MD5 29aa7b7db860419334c6f12cbbb90d7b
SHA1 e3c70510f84c122fddd4d1036fdb3bb9b30ac77a
SHA256 6bb636bb9d6d430eba9adc4acd2a6fb04df1dc7840449ab1c5bc86d9e5fa943c
SHA512 9d640fc8d4dccbeb89f4c13e46e442d00cb12cc652e9c87ad2545360ade131d85055b25ed37cae6aff49459738c80a383de4166d049b72681cafe12200616ecb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winrmt.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

The .NET Framework 4 runtime writes a CLR_v4.0\UsageLogs entry for each managed executable it runs under the user's profile, so this file confirms winrmt.exe is a managed assembly, as expected for a Quasar client.

C:\Users\Admin\AppData\Local\Temp\SbvZV1zgGcnU.bat

MD5 d0d0187cc2c038b9bbf0f3ae6d547f50
SHA1 9dba093303faf22e4100b8cbfb8fa14383641e3c
SHA256 a16b1c2d5ca07c779e0351f81e89502efb5d78b47011012117a85c03d55c8750
SHA512 f6cad21ab3096b588856f50850e6a3067fdc07ee20ffe2100cba03ef7cbd7a788ae2775cd32df8e917ec5aaa00e75cad9a5a733adbcd8764218657787d0b8ddc

memory/4804-{26,27,28,32,33,34,35,36,37,38}-0x000001F0985C0000-0x000001F0985C1000-memory.dmp (ten dumps of the same 4 KiB page)

C:\Users\Admin\AppData\Local\Temp\qj0eQuiuYGaj.bat

MD5 9f3a4d7216af5a5a305006f251f7ce7e
SHA1 dbcc6e698ad0939e2775c998e923cff9ab5ee77d
SHA256 27ce02365f70d97037bccda48aba0838107f1d8ef0e0e49f254998d5c5573394
SHA512 a72a917304e0433747983980d34c7b9aee63674ced774894040d530b89dfbfa338fd308c7edd3d3d4dba0023b9faccf79cd51dfa30e98ccdf42362b225b9772e

memory/952-44-0x000001C991150000-0x000001C991160000-memory.dmp

memory/952-48-0x000001C991190000-0x000001C9911A0000-memory.dmp

memory/952-55-0x000001C999DE0000-0x000001C999DE1000-memory.dmp

memory/952-{57,59}-0x000001C999E60000-0x000001C999E61000-memory.dmp

memory/952-{60,61}-0x000001C999EF0000-0x000001C999EF1000-memory.dmp

memory/952-{62,63}-0x000001C999F00000-0x000001C999F01000-memory.dmp

memory/4160-{66,67,68,69,70}-0x00007FF9D6C50000-0x00007FF9D6C60000-memory.dmp

memory/4160-{71,72}-0x00007FF9D4A70000-0x00007FF9D4A80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qvlbQDA5ATwg.bat

MD5 93924f194d9ae38c2523704c0ad74a96
SHA1 ff0ae11d8533e974dd9c0138f3512d8f4372530e
SHA256 2bc7f547f54d7a46372b95481403c09075fa6a44b92a8ecca8078eeb0dc65c54
SHA512 9a6148c64f197c2ccf98accf0a0881c17cc78a145854c8a00a54982b56c0675c5a9875469ad587a0dba5dd18644dc3cc4a8917f784336b5c01c8d443c5a839a2

C:\Users\Admin\AppData\Local\Temp\69JS2fMiqnvL.bat

MD5 ef762f0f4c04130324f8f20740bab2a5
SHA1 57290194400c73b4282d1834d3e74d96caf95223
SHA256 5a3715a18979f0fb2faf5eddc6896b06ef9ea3381639779807f26e306edba2ea
SHA512 4b1e2508e1dcbfc9ae20a0a8d1ee6fefe94db12ca8c58aabf46469514bed616b7e7983cff8503c29edafe516aa110cfed0fa40ac27a87c5beceeca30380d4bfb

C:\Users\Admin\AppData\Local\Temp\pxqE9k7mxakY.bat

MD5 356bd90459a8c9060c938876f25cecf4
SHA1 310118631046c42447324a892b4d8362bebcec4d
SHA256 ba04824f6a184a0af6e2b889393a3d1373d74feda320fa33c1206c77bb9ccf5e
SHA512 922e49d1bffe40450eca59ca97a89e67d144b6f7646faa56a2ca4404da085f5b417fdfe9e2fac0e90a16b1be2c1851e562b8092b9c5c6d7f64b27b28f1a5046f

memory/4160-{98,99,100,101}-0x00007FF9D6C50000-0x00007FF9D6C60000-memory.dmp