hxxp://135[.]181[.]253[.]8[:]8181/

Resubmissions

25-01-2024 15:35

240125-s1c3zahgh5 10

25-01-2024 15:18

240125-sp351shfg9 8

Analysis

max time kernel
121s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://135.181.253.8:8181/

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

revsocks.exe

pid process

2816 revsocks.exe

pid	process
2816	revsocks.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133506695618772733"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1080 notepad.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exepowershell.exe

pid process

3008 chrome.exe
3008 chrome.exe
3008 chrome.exe
1492 powershell.exe
1492 powershell.exe
1492 powershell.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3008 chrome.exe
3008 chrome.exe
3008 chrome.exe
3008 chrome.exe

pid	process
1080	notepad.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe
Token: SeShutdownPrivilege	3008	chrome.exe
Token: SeCreatePagefilePrivilege	3008	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe
3008	chrome.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

OpenWith.exe

pid	process
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe
672	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3008 wrote to memory of 3644	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3644	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 3492	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 4964	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 4964	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe
PID 3008 wrote to memory of 812	3008	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://135.181.253.8:8181/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5aa69758,0x7ffb5aa69768,0x7ffb5aa69778
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:2
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:1
2⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:1
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4936 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4848 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4008 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:1
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5104 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4996 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2456 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:1
2⤵
PID:3956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:4344

C:\Users\Admin\Downloads\revsocks.exe
"C:\Users\Admin\Downloads\revsocks.exe"
2⤵
- Executes dropped EXE
PID:2816

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\shz.ps1"
2⤵
- Opens file in notepad (likely ransom note)
PID:1080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=876 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:8
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5484 --field-trial-handle=1916,i,144447136364228094,875464692249618192,131072 /prefetch:2
2⤵
PID:2596

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Downloads\shz.ps1'"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:672

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\hello
2⤵
PID:5012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3436

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
PID:5016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.0.1811562844\448475689" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {246ea22c-4ef1-4fe6-b1c6-a2a69ba3079f} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 1980 1ad91cd9f58 gpu
3⤵
PID:2384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.1.1093475580\1907486393" -parentBuildID 20221007134813 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f02db09-5167-4afb-aad6-2fc9d9853758} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 2380 1ad91bf3058 socket
3⤵
PID:1616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.2.192387396\1293563481" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2852 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b11fb86-788e-4c98-9c1b-7963ebcb0e8a} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 3316 1ad95df5258 tab
3⤵
PID:2300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.3.962583664\1688844683" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3552 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc375c9b-3d9e-4679-ad09-16e1244568c3} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 3564 1ad96378358 tab
3⤵
PID:4988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.4.324384204\975298163" -childID 3 -isForBrowser -prefsHandle 4192 -prefMapHandle 4188 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1e9bf19-3dc2-4a40-a20c-ffc9dfc13a5c} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 4208 1ad96be6858 tab
3⤵
PID:2432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.7.896531328\324016311" -childID 6 -isForBrowser -prefsHandle 5344 -prefMapHandle 5348 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8956cd82-f2e9-461a-be68-be9cfab1a660} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 5336 1ad9830e558 tab
3⤵
PID:3032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.6.1616192135\876256150" -childID 5 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6444a13b-9c26-48b7-b5cc-878c7465fc4b} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 5148 1ad9830d958 tab
3⤵
PID:4056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5016.5.199137230\1686380185" -childID 4 -isForBrowser -prefsHandle 5004 -prefMapHandle 5000 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e7b6293-5691-4297-adcd-3e5044674220} 5016 "\\.\pipe\gecko-crash-server-pipe.5016" 5008 1ad96cab458 tab
3⤵
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
731B

MD5
5a50855a2063472f22d2cf44f180756a

SHA1
3bc659e5b843685291835e47a94d253a84bae748

SHA256
e226043c4a9b97bf4c128c8ff512dfaba5f1721675f3924c980fde2ac88242f3

SHA512
812f09587aeda4e08e305fc83acf39e347083bff67de116971fd2a94c0a364da93e98036d1069f248b21b1104c0421616936ec6bf5866e8009038be42e68c149

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1a6710609e281d38791050a002885735

SHA1
d9721e2ff5c4d3677064985ab4bc29a90160d47f

SHA256
2c195024768b57ab1a56e5e0710fc136eb91b4323293a547c64b6460caa694ff

SHA512
a97954392a483922fc5940b8a0c96428a593f5b0571b12e9c54166e00e3093818ce73d32044fd3a4cb98e2bd56d91ef905f7e2dee7afa46b191048326e832547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
20340120ac8021edb43ae542eaa448a7

SHA1
520198bdaf4a2e118ee9e75ca6906b389e7c3b83

SHA256
c07794b8ca5d2dac772da03c544d4b8c935355f6e0e05608b7f5afbeb304bb48

SHA512
5acb48e5f047564e86a7e93c21b853d4a936f682994cdc062f293a19d716369f44e0b4a461d25e5aa310f7b8616ad481284603aef5ef632c065c0a227d46320d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
34d7c2cf0d8f8ccb19d38728f6d1342b

SHA1
4f52fbda98cac9594a9af91910f02f03efb74f13

SHA256
ce85dce17cd1c3ff3cf1bff3e99a173dcbadfa22c2a687368e2c075f322d3838

SHA512
17be01d88026824cc1e2fb0671b0140f2810f7bf156b168629ac591133bb178fea8ecc91efcd4fbf03d691ea4d78c98765161cdc6f095811a4554a6a9ad21095

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
636dad563f23bb349312d58fee58f920

SHA1
0aca4514bf3c94cc809e21a562040b29d2588aa7

SHA256
f0d719c53e87687840eb171ea6824e048e8b4b5109ed8d35236b84ceab6eb287

SHA512
8080e64c89df91f78114c0b7c5d0639d83ef49fdf9b4b847fca0420b8228b30c77b9d48507a73ca263b8cb2ab540b3b5b8d2c51670e1c2bd3443f290da21135d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
e7025019ad54b12982d587f15729889a

SHA1
e70d5c4117c0c4ba0e754c812a9b13a765e433d5

SHA256
53f91a3e6fcf1b6bb44e350024795e79102e87902aa1c302702e3dea5510f12b

SHA512
782f6a0fb6914d27e7f35cc5427c2ab4c9a3a16e91a55dddde5ab5fb6f463b67c4e1ad6e4b08e3a65ed55be75e33a656cd3f2543a8f5669597581c17ec8d5056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
dc34508fd5f377f840e9c91c44e7c804

SHA1
4c8060f40eb9110388e024ff45cece7bbc050d02

SHA256
65ca719b3797abeac09d748ac20505fd3c8ea56d6ea4844812dc0646997e1221

SHA512
47d3ffac9cf94d899463f90779d3832bb7532fbb967cdb70e3aa7ec9054f465bcefdd53faa345bff30ff7b60983a9c0875738e055542bf663483a482a5e7cca6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
0b55cf030292f795642231bd79aa6ed0

SHA1
2d7c56d0da6fc4299ef039ba034bb26ca344335a

SHA256
81b42d766a94fa34f2268401114e67e02d045286e4f4feedff8f486d839216d7

SHA512
2fe5a8d067a7e70108e565321e009461da7a6ac974b04fb18bf1aadcce2a18a8f2bf3d2de7dc1716f08bc1ca3345ac8e3de4090ebfdb0f90c161e9580e8c1d33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
115KB

MD5
4c9bb35fd70f8a4973ecdf162de1c812

SHA1
02c3ecaf13f6a43ae3176295c66af70ac737bcd9

SHA256
ac11d86c81a90488467b72272858fa61e065dbc7a1be95b066005c14616d8e97

SHA512
11ce04ff7788a74d8698360fb52d2d70b6e9076cec640eab19b97b8eaa5889ce04dc5b88bec1edcb9271364fe6f649afdaeefdbc0756eaf909fb506d28382cfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
114KB

MD5
8ece792a62042b6e6bbc5a95e244e142

SHA1
7cd30f017b21490f9d7f2b2e892d55f75e0f9ef9

SHA256
6344dc83b1465da05d9dc9e24ed0611d4fd8bd574aa722e3b67660c010084ebc

SHA512
a68368de39070e2cf1b2a6b98f8aab61dde79c993ed5e776ede6b020ab37cf98370df300ebfe53e5038951c38602946d2385997c47fe9a5e879d67f66d0a011b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58872c.TMP
Filesize
101KB

MD5
0d508dac92f33fa50513d25ce7ec5bf1

SHA1
80e5b0bab3d5b95b39b71b158aab10c68da98ecf

SHA256
f286a9189bd2228f5094b599e632eb8042a375bed44cca28d0d226d85ccb57e6

SHA512
316ce2f57dd80a4826d6fcb39e66c9830d45265ed7876b7785275885d6970f51ab38e683cb4a7a5ebc5d7aa1f2c03b81d0573373ef34e2448f055375fb435b16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tkdlsca3.cwe.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
ea91db5094911dfffbdd0162705f2480

SHA1
6a9dc833fd1453a4bc9c013c06c6c13c0bd0e29e

SHA256
034ef9fcf417caf3ad33396fa190245d7b7e1de9741e27f629efcf5b690d976e

SHA512
e206482d584cff1afbe11d5687adff731af4f3071fdd05748d61f9dc3c78510e7bf8094a674eefd98291141f0cf104e017579bf97f61d26908b9e43a759f9223

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\000ed8f5-c5e9-4e6e-9304-8c25dc832878
Filesize
746B

MD5
af55be1d806abda45a4f8b610a5696fe

SHA1
425547dc9655203ecdc84710d982641b717fa0db

SHA256
592e793ae580d37d1c9a51b212bfda47b3092d149e58db492e8e1dcb68b685f7

SHA512
15e9c172246f1b6470db5fb9f9a7193b709590b9cea05b5a2dc0d40ef8ed1ee426681d29e77cac43fcc92bb2ef5a3009dc0d4d78d917d2795fc2b84d073f0220

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\e73c5949-446d-4984-a802-95ee6a3fdba0
Filesize
11KB

MD5
944d395aecdeb599df840e2062bd7ebc

SHA1
f59114bdf8356742eb37c901abffa11fc50cdee5

SHA256
e2e2abcbd25cb8c6a9c81abf0bec09a7b66efc452d5f60eba45a2a834ee6f425

SHA512
52c76ac657825a36c03b055abfed7bdc4935cde4d639e898ba4de94053731a6d441e0b951da5a5a890b690719405c9f4e1905fd8c3a6e2cafbf2470c4d056d39

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 276800.crdownload
Filesize
7.5MB

MD5
36e83d36569372eb937deb92499ed9ee

SHA1
778cccb87a6ae059bd080c53c9f94156888843dc

SHA256
74ac0057cc4b7595eb16f4b37b94706c0789e9a75a7d6d8d5499cd6ec8436591

SHA512
29c152582b6479e02e5310da43e404dcdb322e6d1687ebec98bb70fa7e01a69f46f949f94eb50125e9bce90a784c906e44e076af165bab16b6e399f346a17683

Download Submit
C:\Users\Admin\Downloads\hello
Filesize
6B

MD5
09f7e02f1290be211da707a266f153b3

SHA1
1d229271928d3f9e2bb0375bd6ce5db6c6d348d9

SHA256
66a045b452102c59d840ec097d59d9467e13a3f34f6494e539ffd32c1bb35f18

SHA512
c2bad2223811194582af4d1508ac02cd69eeeeedeeb98d54fcae4dcefb13cc882e7640328206603d3fb9cd5f949a9be0db054dd34fbfa190c498a5fe09750cef

Download Submit
C:\Users\Admin\Downloads\oxilink.crdownload
Filesize
2.8MB

MD5
da499333f9bde4123f2050cc3860d5c6

SHA1
5efc570cd140da97e45e367acce3f7cbc5bb9589

SHA256
0289c62c1828196011977999f11995dc5ba86a58085fa5fb7db14d3ddc44e8aa

SHA512
f108c42d94d895895063aa4c3355828e85feac60da95125007e1d61b69b9772a4a24e144b6ce53875fc06919791651c48a28c59bbaf693a0437f67d73940f18e

Download Submit
C:\Users\Admin\Downloads\revsocks
Filesize
11.3MB

MD5
e6a7f87232daf89cf8d392c728949c9d

SHA1
549684ad6fe57adb6aaa2ce9e99ac02d8940c3f2

SHA256
b6dfe537e3ed973b703ff9b954c428514fe7c6503d181242a80a88dae4ee2b6c

SHA512
85fc919b85bb07a8113d00f7d7ee00d75862bd10b14e21bc4e05350b1977f6031f3bac249a8be6aca481c19fad2f2b3990d2fd6b47a59d91fd6a1a7584b77690

Download Submit
C:\Users\Admin\Downloads\shz.ps1
Filesize
1KB

MD5
4c4fd27b2d2ade7056f48a78a3a5fa77

SHA1
1ca4aeb47bfacd198d15eaffa2ff57556c2bde96

SHA256
cd41ea0bf2014e9041f73cf6437fecaf4f604a75372e6da485fec64724880bb1

SHA512
2c06a90c4a62fd0f697a422cf2535cadd1f9f6482962b58e5fa089f765d23dc127be029c19c4c66518ec541b43ffbe4594182c84f9b1d0c32614a8cbb045d0c3

Download Submit
\??\pipe\crashpad_3008_QQZXQRXWOXLPYXFG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1492-169-0x00007FFB47280000-0x00007FFB47D41000-memory.dmp

Filesize
10.8MB

Download
memory/1492-166-0x000002AECBCD0000-0x000002AECBCE0000-memory.dmp

Filesize
64KB

Download
memory/1492-165-0x000002AECBCD0000-0x000002AECBCE0000-memory.dmp

Filesize
64KB

Download
memory/1492-164-0x000002AECBCD0000-0x000002AECBCE0000-memory.dmp

Filesize
64KB

Download
memory/1492-163-0x00007FFB47280000-0x00007FFB47D41000-memory.dmp

Filesize
10.8MB

Download
memory/1492-162-0x000002AECBCA0000-0x000002AECBCC2000-memory.dmp

Filesize
136KB

Download