chaos | f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

Analysis

max time kernel
389s
max time network
379s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14-08-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unconfirmed 307690.exe
Size

550KB
MD5

8b855e56e41a6e10d28522a20c1e0341
SHA1

17ea75272cfe3749c6727388fd444d2c970f9d01
SHA256

f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
SHA512

eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908
SSDEEP

3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Score

10^/10

chaos defense_evasion discovery evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\Documents\read_it.txt

Family

chaos

Ransom Note

----> Chaos is multi language ransomware. Translate your note to any language <---- All of your files have been encrypted Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.What can I do to get my files back?You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.The price for the software is $1,500. Payment can be made in Bitcoin only. How do I pay, where do I get Bitcoin? Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin. Many of our customers have reported these sites to be fast and reliable: Coinmama - hxxps://www.coinmama.com Bitpanda - hxxps://www.bitpanda.com Payment informationAmount: 0.1473766 BTC Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

resource	yara_rule
behavioral1/memory/236-1-0x0000000000450000-0x00000000004DE000-memory.dmp	family_chaos
behavioral1/files/0x000100000002aabb-17.dat	family_chaos
behavioral1/files/0x000100000002aac1-26.dat	family_chaos
behavioral1/memory/5000-27-0x0000000000460000-0x000000000046C000-memory.dmp	family_chaos

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1840	bcdedit.exe
940	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
956	wbadmin.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fnaft.url	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	fnaft.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	fnaft.exe

Executes dropped EXE 2 IoCs

pid	Process
5000	fnaf.exe
2340	fnaft.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-242286936-336880687-2152680090-1000\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	fnaft.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	fnaft.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	fnaft.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2596	vssadmin.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000020000000100000000000000ffffffff	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "6"	Unconfirmed 307690.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Unconfirmed 307690.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Pictures"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\0\NodeSlot = "7"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000200000000000000ffffffff	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Unconfirmed 307690.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	fnaft.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000030000000100000002000000ffffffff	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 02000000000000000300000001000000ffffffff	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 01000000030000000200000000000000ffffffff	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Unconfirmed 307690.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Unconfirmed 307690.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Unconfirmed 307690.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Unconfirmed 307690.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3728	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2340	fnaft.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
5000	fnaf.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe
2340	fnaft.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
236	Unconfirmed 307690.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	236	Unconfirmed 307690.exe
Token: SeDebugPrivilege	5000	fnaf.exe
Token: SeDebugPrivilege	2340	fnaft.exe
Token: SeBackupPrivilege	2512	vssvc.exe
Token: SeRestorePrivilege	2512	vssvc.exe
Token: SeAuditPrivilege	2512	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2452	WMIC.exe
Token: SeSecurityPrivilege	2452	WMIC.exe
Token: SeTakeOwnershipPrivilege	2452	WMIC.exe
Token: SeLoadDriverPrivilege	2452	WMIC.exe
Token: SeSystemProfilePrivilege	2452	WMIC.exe
Token: SeSystemtimePrivilege	2452	WMIC.exe
Token: SeProfSingleProcessPrivilege	2452	WMIC.exe
Token: SeIncBasePriorityPrivilege	2452	WMIC.exe
Token: SeCreatePagefilePrivilege	2452	WMIC.exe
Token: SeBackupPrivilege	2452	WMIC.exe
Token: SeRestorePrivilege	2452	WMIC.exe
Token: SeShutdownPrivilege	2452	WMIC.exe
Token: SeDebugPrivilege	2452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2452	WMIC.exe
Token: SeRemoteShutdownPrivilege	2452	WMIC.exe
Token: SeUndockPrivilege	2452	WMIC.exe
Token: SeManageVolumePrivilege	2452	WMIC.exe
Token: 33	2452	WMIC.exe
Token: 34	2452	WMIC.exe
Token: 35	2452	WMIC.exe
Token: 36	2452	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2452	WMIC.exe
Token: SeSecurityPrivilege	2452	WMIC.exe
Token: SeTakeOwnershipPrivilege	2452	WMIC.exe
Token: SeLoadDriverPrivilege	2452	WMIC.exe
Token: SeSystemProfilePrivilege	2452	WMIC.exe
Token: SeSystemtimePrivilege	2452	WMIC.exe
Token: SeProfSingleProcessPrivilege	2452	WMIC.exe
Token: SeIncBasePriorityPrivilege	2452	WMIC.exe
Token: SeCreatePagefilePrivilege	2452	WMIC.exe
Token: SeBackupPrivilege	2452	WMIC.exe
Token: SeRestorePrivilege	2452	WMIC.exe
Token: SeShutdownPrivilege	2452	WMIC.exe
Token: SeDebugPrivilege	2452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2452	WMIC.exe
Token: SeRemoteShutdownPrivilege	2452	WMIC.exe
Token: SeUndockPrivilege	2452	WMIC.exe
Token: SeManageVolumePrivilege	2452	WMIC.exe
Token: 33	2452	WMIC.exe
Token: 34	2452	WMIC.exe
Token: 35	2452	WMIC.exe
Token: 36	2452	WMIC.exe
Token: SeBackupPrivilege	3908	wbengine.exe
Token: SeRestorePrivilege	3908	wbengine.exe
Token: SeSecurityPrivilege	3908	wbengine.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
236	Unconfirmed 307690.exe
4212	OpenWith.exe
2612	MiniSearchHost.exe
2864	OpenWith.exe
3816	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
1952	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
308	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
2736	OpenWith.exe
1768	OpenWith.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 5088	236	Unconfirmed 307690.exe	86
PID 236 wrote to memory of 5088	236	Unconfirmed 307690.exe	86
PID 5088 wrote to memory of 1952	5088	csc.exe	88
PID 5088 wrote to memory of 1952	5088	csc.exe	88
PID 5000 wrote to memory of 2340	5000	fnaf.exe	94
PID 5000 wrote to memory of 2340	5000	fnaf.exe	94
PID 2340 wrote to memory of 4272	2340	fnaft.exe	96
PID 2340 wrote to memory of 4272	2340	fnaft.exe	96
PID 4272 wrote to memory of 2596	4272	cmd.exe	98
PID 4272 wrote to memory of 2596	4272	cmd.exe	98
PID 4272 wrote to memory of 2452	4272	cmd.exe	101
PID 4272 wrote to memory of 2452	4272	cmd.exe	101
PID 2340 wrote to memory of 1192	2340	fnaft.exe	103
PID 2340 wrote to memory of 1192	2340	fnaft.exe	103
PID 1192 wrote to memory of 1840	1192	cmd.exe	105
PID 1192 wrote to memory of 1840	1192	cmd.exe	105
PID 1192 wrote to memory of 940	1192	cmd.exe	106
PID 1192 wrote to memory of 940	1192	cmd.exe	106
PID 2340 wrote to memory of 628	2340	fnaft.exe	107
PID 2340 wrote to memory of 628	2340	fnaft.exe	107
PID 628 wrote to memory of 956	628	cmd.exe	109
PID 628 wrote to memory of 956	628	cmd.exe	109
PID 2340 wrote to memory of 3728	2340	fnaft.exe	114
PID 2340 wrote to memory of 3728	2340	fnaft.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Unconfirmed 307690.exe
"C:\Users\Admin\AppData\Local\Temp\Unconfirmed 307690.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\olknsqpo\olknsqpo.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54C.tmp" "c:\Users\Admin\Downloads\CSC967F0F9543EB491F9CE0B8656AF1B652.TMP"
    3⤵
    PID:1952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1768

C:\Users\Admin\Downloads\fnaf.exe
"C:\Users\Admin\Downloads\fnaf.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Roaming\fnaft.exe
  "C:\Users\Admin\AppData\Roaming\fnaft.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1840
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:940
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:956
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:3728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3792

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2664

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4420

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\~earchHoverUnifiedTileModelCache.tmp

Filesize
9KB

MD5
af219248c251b1b3f540a7e71126f8b8

SHA1
6fd2f8f514fa8d45894f6d1c1279bb66b1d1e148

SHA256
87cd5afaf4fb8e3077fa29cb759e2dd4d796acba64ac39a817ba088d12d124fa

SHA512
39cc85a688b5478898082f7b0a0f094e77c27dc1d68dcca90dc4a16dafcb5ca53ef5fff72d0ab142208cfafba74f0116500906cab0316b4a50fcc1b5028c0245

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES54C.tmp

Filesize
1KB

MD5
8d0bba194165f96d8393cdde0faed4e3

SHA1
8c2cfd1d6779f1e6f70e8dad70f32a3ed8067144

SHA256
a3cf78a584f71c2c9bcb7c052a6a499ffc38abdf7f22cdb71850b07834b54312

SHA512
a803d9b5ae5ffcd87a6a013522838f152f34a9eaa87a85ab35e7cfd5fcbb276a5253435cdc8662fa5e44ab1a020c9c5714df3b1ef6a6d4db7fb0e01200a740fe

Download Submit
C:\Users\Admin\Documents\read_it.txt

Filesize
964B

MD5
4217b8b83ce3c3f70029a056546f8fd0

SHA1
487cdb5733d073a0427418888e8f7070fe782a03

SHA256
7d767e907be373c680d1f7884d779588eb643bebb3f27bf3b5ed4864aa4d8121

SHA512
2a58c99fa52f99c276e27eb98aef2ce1205f16d1e37b7e87eb69e9ecda22b578195a43f1a7f70fead6ba70421abf2f85c917551c191536eaf1f3011d3d24f740

Download Submit
C:\Users\Admin\Downloads\fnaf.exe

Filesize
23KB

MD5
6c538545dae084cb5e2093e465fecb0c

SHA1
76d260b1f9ff4a536774892871ee36bd5a172425

SHA256
6925fde895fd99f5f0a8d379e12b3a742a93036f7ae8a4a28958ddf130a9c205

SHA512
f63a84dea4d0762a752e9618a7c445bf799ee8464da655acf55d931f63f3605267d9d436468c3b63a8a74322277a253ca38a3da7bb5a576d70345ba95291ff77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\olknsqpo\olknsqpo.0.cs

Filesize
31KB

MD5
7cfc313c4692226f76c3a060dd83fac4

SHA1
d079fa4b78c607af7b25455e7aec81c776a2426d

SHA256
f8ec61a4621debd4acd82ad6ed4762e1934473a82321955b680f52cc95d14c1d

SHA512
d6585b8ec8e5ff8026f1fda8900c974bd311a26deabd4b70dc0c618a5b7a637207701edefbaaa579e22a5e864325de35325f826fadb1e98776657cd05740d597

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\olknsqpo\olknsqpo.cmdline

Filesize
332B

MD5
6c4ec3cff6ddbf78b42f93e4d2c00aee

SHA1
1b5e7aed84087bfec5c252890be799fe6c94ad60

SHA256
879092b567cd80f066de54f0b4fc21073fc3b5c4bbba0e8d3df994117f9cf10c

SHA512
c2031c55fbeb160fbaf6d0a8501eb3424861eaf4a0848d5b4257f3944e13b24705c77d6e8ad07f3e6f34bc42b516c66d6a1e862c9e27878046c364777a83acea

Download Submit
\??\c:\Users\Admin\Downloads\CSC967F0F9543EB491F9CE0B8656AF1B652.TMP

Filesize
1KB

MD5
ff183a6f75cc397f5ee9598b20fb287e

SHA1
3d216f28f6780645ef87c7b3cb509023f71dedf1

SHA256
0b1ec5f7f964b91c481b4bdb588f1e13014b680e7bc3a265ea2479588ef01536

SHA512
292a948d62c543b9577251e898d5d731edd84e913d78cf409ac766bea51ca092dbf4b560d74e28f4af7779369726a1966455402b3d8ae85df2ddde108c175c32

Download Submit
memory/236-4-0x00007FF823AA0000-0x00007FF824562000-memory.dmp

Filesize
10.8MB

Download
memory/236-6-0x00007FF823AA0000-0x00007FF824562000-memory.dmp

Filesize
10.8MB

Download
memory/236-5-0x00007FF823AA3000-0x00007FF823AA5000-memory.dmp

Filesize
8KB

Download
memory/236-0-0x00007FF823AA3000-0x00007FF823AA5000-memory.dmp

Filesize
8KB

Download
memory/236-3-0x00007FF823AA0000-0x00007FF824562000-memory.dmp

Filesize
10.8MB

Download
memory/236-2-0x00007FF823AA0000-0x00007FF824562000-memory.dmp

Filesize
10.8MB

Download
memory/236-499-0x00007FF823AA0000-0x00007FF824562000-memory.dmp

Filesize
10.8MB

Download
memory/236-1-0x0000000000450000-0x00000000004DE000-memory.dmp

Filesize
568KB

Download
memory/5000-27-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download