asyncrat | hxxps://81[.]214[.]76[.]68/

Resubmissions

02/01/2025, 16:51

250102-vc2grs1phj 4

02/01/2025, 16:42

250102-t7t6haylas 10

Analysis

max time kernel
238s
max time network
239s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02/01/2025, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://81.214.76.68/

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

A 12

Botnet

Default

81.214.76.68:5500

Mutex

AsyncMutex_6SI8

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkey.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkey.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkey.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkey.bat	cmd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3156 set thread context of 2564	3156	AutoHotkey.exe	125
PID 4108 set thread context of 1080	4108	AutoHotkey.exe	139

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133803097511647193"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000df7dd222dd4bdb016b5b9b6fe64bdb017f9c605c355ddb0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e8005398e082303024b98265d99428e115f0000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3196	NOTEPAD.EXE
2652	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
412	taskmgr.exe
412	taskmgr.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe
2564	AppLaunch.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe
Token: SeShutdownPrivilege	2172	chrome.exe
Token: SeCreatePagefilePrivilege	2172	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2844	7zG.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
2172	chrome.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe
412	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2104	chrome.exe
2876	chrome.exe
2564	AppLaunch.exe
2680	mmc.exe
2680	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3876	2172	chrome.exe	81
PID 2172 wrote to memory of 3876	2172	chrome.exe	81
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 2636	2172	chrome.exe	82
PID 2172 wrote to memory of 3620	2172	chrome.exe	83
PID 2172 wrote to memory of 3620	2172	chrome.exe	83
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84
PID 2172 wrote to memory of 5116	2172	chrome.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://81.214.76.68/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff937e9cc40,0x7ff937e9cc4c,0x7ff937e9cc58
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1828,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2348,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4444,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4680,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4720 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3368,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3228,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5256,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5416,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5460,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5136,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5772,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4528,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3220,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5884,i,11617839503079153410,6080945524994760351,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4040

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2384

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Public\" -spe -an -ai#7zMap9826:74:7zEvent4323
1⤵
- Suspicious use of FindShellTrayWindow
PID:2844

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Public\AutoHotkey.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3196

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Public\str.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Public\AutoHotkey.bat" "
1⤵
- Drops startup file
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Public\AutoHotkey.bat" "
1⤵
- Drops startup file
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\AutoHotkey.bat" "
1⤵
- Drops startup file
PID:2628
- C:\Users\Public\AutoHotkey.exe
  "C:\Users\Public\AutoHotkey.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:3156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2564

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:412

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkey.bat" "
1⤵
PID:3708
- C:\Users\Public\AutoHotkey.exe
  "C:\Users\Public\AutoHotkey.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:4108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkey.bat
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
73c78516b591e83132b3212badb1dad0

SHA1
d3658ec2d5282f496b494ec68525e128bd4f6dbc

SHA256
842a262558c0cabe5278909c585d64bae44b5599f2334f01dd543b5e2ca2a001

SHA512
db29a499e3a96c84a1d9501d7ca639f2ddde86cec7ee830021f7d6920433bc00e24838fd475675988b096b8af67261f2ec5d9b39bab3388d8bc713730a2dbc1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fe6b572ebfe95c9ebae4bcab8ce7d5a2

SHA1
a5d3f3e4595a7b23255b26a49811f6618634a18f

SHA256
29c0171e5eb60580cf9540ef7fa53f97dce52061df7d3ed195fc15f6f2e7aec2

SHA512
912a6b5cce1bffbce490b3e15416354846fa70c287fe698cf97da330ab1dad33b014dbdd3468798a99ebd1e957bb082909476cb2a14d27bf0bb86e83b048ab57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
9e44192912f2d9672999a9e71b7ae269

SHA1
c15604a11f1e5b13df89816ebc8889c5c5c63147

SHA256
0f3cc01c736da10072c2421d1f3a463fc35e526a35e970526877766141ed66d3

SHA512
dfaeabae4a17685682bf2db18a9555b6943cb74fc20ce103429b79d1a8bc709688ae731cd65ba49ad90a5639e3f52bc8f51e4a4c6dcb7e6ce22d224e3294936d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
d1be1e0ae6b2bc7de193a2d8832bc177

SHA1
9d3ec565e14a2da0048c7298275f34dd0d34e4f0

SHA256
92b5a0ad6c4ea4e391ec6776faaa0f9ed6b8c08871420e462f13c6a2f869fdfe

SHA512
644983773e058f87bc4cfa17f3acd50606fdde1d4ded9de932a74684ed376177afb8cc350b1768556c4396dc8165f7509e018c996f38adf19e2eee5d27a55d25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
5ff2eb2fc9cfeedd6047b7387482793c

SHA1
b3b25f6ba3847d0f483fb963ad4516941f88c15a

SHA256
586e04465942b6a2c7514a96cb2e31a2f6753ecfbb019190d3b6db94d332c08d

SHA512
67dce77a13df1738628e5495962a19b735309979895762a9bfd94a4905cc214528eb6e6b31b74e38e440d2afdc6d4901a2400ff8363e588475238174d8efacb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c8b5086c311881c7bd023afe85c27cf5

SHA1
445967a5db201b7fbcf72ce8707a96ed028db2c0

SHA256
1ddae46bc7daeacec91021ba4ce64a8544508f713d25661435019db717cf77e5

SHA512
70215d5cc91cadf92ec370df058d9f066f28bcddf94debbd404bce1be0a66befdb401eccc56f2cd39b7370293fc5f199fa9e23a1becae49499fb5bacce1e33ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7aba7ec359ce469f85f731c01f9a0b1a

SHA1
695a1ee968e66b45e607b46b8530213ba0c76c3a

SHA256
18bf4b0f651565255cf677a5706ba72b8ad5845203a16379eb36e11875ff14d6

SHA512
f8119bbaac3c4428fca7fa3d00aacceb5e88f1139bc3972896ae4f02bcb6c7b161e16aec36f5961b15730858894048dce7deb4eeb96b23fb7894634e2c45684c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
09325e78c11cbfba5f75839ad267e167

SHA1
3b7c4063417a96dd70847cf30573cf7848a13351

SHA256
12dee8a57b9b74f60f44848facb54f35996f20c8b1baeda73554a38a533d125a

SHA512
83d53b2b4be20bd3389d2d5adc57c9d20afc9bbcf80b50e2b7c4bdb63649e3c2bca7fe15bb9cf0d15e1b2c4ed327386433cc9aa94464c335a5febf619b611f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3b40718605141310accfea619a2e8e87

SHA1
1f0ba16b5b76cd16f8993ca892c6dcc9653b2004

SHA256
f890567e14dc2ce1acfa86c36cc097ccef0a5842cd4030a07223d7707e0d1000

SHA512
4da7c8301bf244f95941f6d589dad97f36fdab20150ddb0af1886bf907207593de3fb0b686c94da5d005ceddfb92ec89d2cc8fdc5dff132a5ed81bd6d0b99e81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
317be9445c52a664e94fd06e9bfc7ad6

SHA1
5acb8c31af1d145147e68766e8fc35e4a8f74497

SHA256
c6239ebe448977256232515733f385da4e780dbb5782784fdab8de7cb4b9bb97

SHA512
e162814f8e3383bb09ed667ccae9c9eb3ded9893aa898c587e3c5e5b3fba5e5261b4d12fc8715a525b01ba7b77932e15734671cb01a3faa640bfb6dbd1f1e5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc70ef275e41c55a10e356841cf23301

SHA1
dd10a7850e794031ff44c4a72157da52b5f76c97

SHA256
c3f2759d055354039d57a64123026a6c94e2f4db3394506bfee3f1f16f58c60d

SHA512
646c213dc902c7f84e6e49a63bd081af5bd90f7306bd2cd35b8a6ae675a075503551cf38cdf34282521d01e7b437afbd99fd634e7dfe8a1ab332ef6bae5331ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bb6d109d9747b74872bf9a846dfe02aa

SHA1
cf8e478c5ee715a7d92d064ace8cc66ee267e1e3

SHA256
ce638af7f570fd4d79d400bfaadc0ba5c8b60000f8bd8583cdc741df38d20875

SHA512
f8145f30316f10dde48b44a9566bbfc46d0e5ec8b53e587829d87f2527e590bc21e6ab83df0014dffb86a962fecfd04c8f001567a1886f5932ed2a881a0996e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab5d7df72faed6238ae15d34ac8c97c4

SHA1
4170f071861bd149a78cfa05358b972c6fa8a66f

SHA256
ddc26bf9ca55ef65891ca39f5265590166c3f18de00ee7b060fe4fe4be83f624

SHA512
2e07ebcf5d5d941df9350090c1754c82b8367ad394e748bc5964712570261154fb505fbaf8093715af404826ba28363dc1e3a895f2e4f41c479796b9683e73e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5b332015f26d49ad0ed598f04a183956

SHA1
8bfef8c189b48c35c8d3398d91457099594e7dc4

SHA256
5ee27732d053f4a817a08e83736a25c0a8866a5445ea32b27d9ebad64d5e9abb

SHA512
2c63314ec5bbdc6ceef7bd98aaa5473f40c443ff18a4112548e51a5269ab3071b682a258e93ceac20c3c6b5f69c2168f3a395554318797c48913250262df3578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4eaacf2bc8a93b5b22c23af58ec90b35

SHA1
c4a2e35d9dd39a293627d009bfdb31bd074e5167

SHA256
fbe1057c880f5d180ee2e5090e32c67de50b8cfaca36d21806d40e4a94d81e7b

SHA512
49aea28169d7477b818014ddc5c6f7c5cb1e2540c59975fb3d8cf970ab8d05a424ecd9b3e86dbca0946d5720f09e5c4c8585f24fea737f31529fe1f9bd7c17f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17e9205ba6d3240df8a7ae3dbf1a37c8

SHA1
ee751e22cf23bb4ea290e0779f2b58f1289b08a6

SHA256
ad201c774342e7273c7ffc20ad2419a2f6111fb73f0f4c89d1edc320b5ce4ae2

SHA512
44e9e76b63964efeddf08fdd9d4b2ceb8eb30aca93e75c0a3a34e0257a512518ee434f93e9270e8c19d8b08b12b3a288bf759cf69faeb038cb5d10a844ef2705

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
55c6eae637409b9bbd130c7da4b742e0

SHA1
9bcf11b5fe0d4aa7c043720a0363a4847e943354

SHA256
01cee9a4ee386f103d6c88bb289f310dfd26c777f3d9c99b4c6dd427e8e54c79

SHA512
6b25b17cbedc128939bf65b1089e5edeaacb500fb27328f63f7c623a68752bf738adf08989ddec12606f364b762d277c09c5a365a1f6f5c4f7b551bd8722ee71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
baed5cfb627ec593bd0a5ccd068e80f7

SHA1
276e3117b09759dab06a55fb901b175bcf4aea38

SHA256
5632faaaf52fe805b0d5f2bc43f31c4b9ee2bcb31a08853530554c63ff0fb76f

SHA512
02ce465855f79f3d93f4440e7fdb0d851d83c69375b40b1614bca0d92041b7bc70873a30f2d55b0d06ce957c70c1c5309895f46d6e54952a81a28a07fa7c469a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
86fbe6421c4224c435b12c3f92fd49b1

SHA1
514d18c72cf6b1434f966d089827891c81a08377

SHA256
5386f9b02abe9fa619ac52550f88d90571b4b32ade2495be1bdf7b0ac292a2f2

SHA512
cc97a16ef1514c36343720a37123a378ecf39c4f35b61cdbbf8a5df88a8d1b382cd458ea1e36abc0fa49f2dd0914a385f50bca1a37cf375e81a2809c523a09a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
91ca9e0226f7b074fc3828880b6c4686

SHA1
0bb3a8e0c179896cfcbd8cef19c8c84ad2c8540e

SHA256
97fbb5784d4074a267a729b9ba96c3d9dfba7328c7eebb9ab8507957d857bda1

SHA512
e470304c08dc874d233abe5ff25aced92aa1d8e387b0078c54d0400389908c86477429fd755c5d3e8b352ba8e6880e5443b3a8e51cefd7a57e9f3258c36ec6b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eef434d89c8683aa01eaa2671bb15f4a

SHA1
125eb6653f7fe6ef127c6e1a1eee3af7ad2eda03

SHA256
62a0a8d78f6cf811d4371968758a74509b6ff4a60550bec3898649dcf4d74590

SHA512
1ef669c97545c9494598fef60564c434cc868cd508c411ff59a4a8742141b5b7073db7f0394498fe1a685099d5fc5ee87020ad42003c6d92c79457722359fd5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
43a076371a7ebe7645441023bd14ef07

SHA1
91c065d5c80acf5c5e740c6934e9af8a360e2126

SHA256
0a68df8796124ef04a2d8f753677665802fd4b4950358565075dce38052af7ae

SHA512
56a7d13433df241e9d837bf0def76374e6a88becb7504a2cc0be418dd60ec6879eb96414f5b914962fa19ca85e80bbb47256037b4d7f09c3acbdad4534450ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
3714914e1b1051bd0c48ba42e2122020

SHA1
db0098168f4d3f5be065b1e1124de77b404c4bd3

SHA256
30673cf4008b4f91b413580e9368265816df39c72d7c05d4e1ad8d00d0792aa5

SHA512
77cbf08b9c6c7efae14438a7c1a2ee40965218f5de7ad1a98c635862ea7f97bbdda4837521599cfae769105e5b750d22a54fce421f655d05d32f797703f45a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
8923c7163c9f5abaad38daf04a847f81

SHA1
4b43af91f6d1c68b41d485470a9729edecbf79b3

SHA256
284fb512e3ee7a02e601408fb6a64a59a43c2c947e4bdf4d17c6fd733e6953f2

SHA512
1687f86d2aa88756a6117429f89a93cdc74fd5e61917be644963598f9a00b1b7f0e94baf10ba6b3280eba00292af64906020b87943e9d55ed284bd48e75d5a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
b61011bddbdf6cd0b4cb575a69c402ef

SHA1
bae955610ceae7667717f93bcbda9f00bb7082b5

SHA256
9ca24304a50a4ee812396397c1b7a37487c22d11189a3702c4481a8121b93b71

SHA512
c5a867fcd8cf072ed5d1b9a4711678ec4d61b5658236eb0385cbd25ad3b1ecaeb9ff210d5d3a139117030c762d93b512ce9787cbb6d69fccd3ea6d886a94778d

Download Submit
C:\Users\Admin\Downloads\Public.zip

Filesize
665KB

MD5
5303ba99ceb9c93ca03cab491a2d4ccf

SHA1
4c064d0ded7595f043b82bde2e09d27eed3997b7

SHA256
aed54881caa4b95e7cc52f4c90a467a2220cad0b61e6b83c6a72aa49986a34a6

SHA512
83ac240513dfec18433235d9408602d6f09c2413bda72330fce0e991cf9ed1fac7041be683abba55427fb1ac8ca5d763c08548c590cae67efaa25a481a83c1f3

Download Submit
C:\Users\Admin\Downloads\Public\AutoHotkey.bat

Filesize
240B

MD5
596edfdc3b2dca9c6e44b4941bb046b3

SHA1
fd754611881004d805d09191d4720176383ef2aa

SHA256
72758c69bef6ffcccd8d27590489725ca79ee9f11f0948d3080b30be1200a69e

SHA512
badbb683f4d4d61f3edd310743ca007ae9b3ef021076568a29604e0021956131d8f8a80e7169b57f9afa0e4edf2d72172c6d98ac07069130d95155a909df37f0

Download Submit
C:\Users\Admin\Downloads\Public\str.txt

Filesize
273KB

MD5
34a8bffb62ce24ba001ad481d6a1132f

SHA1
e9358556737882184b9d83e0aa8ab2c519555040

SHA256
48ca477fc07aa7d6c1944ad8178289c3d3dceec373144eff55437533f10fb487

SHA512
cd18d728e6fa802a935b2bf3744d0d564361fa9f98d50216e2d7144ee39228d5144188e83f9114dec0fd75802886acb568eb0466d540a2a8a5bc8a4ea06f2eae

Download Submit
memory/412-361-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/412-360-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/412-365-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/412-364-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/412-363-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/412-362-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/412-355-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/412-353-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/412-359-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/412-354-0x0000022E67A40000-0x0000022E67A41000-memory.dmp

Filesize
4KB

Download
memory/2564-375-0x00000000068C0000-0x000000000695C000-memory.dmp

Filesize
624KB

Download
memory/2564-376-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/2564-340-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2564-350-0x00000000057D0000-0x0000000005D76000-memory.dmp

Filesize
5.6MB

Download
memory/2564-352-0x00000000053B0000-0x00000000053BA000-memory.dmp

Filesize
40KB

Download
memory/2564-351-0x00000000053C0000-0x0000000005452000-memory.dmp

Filesize
584KB

Download