saintbot | 8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736

Analysis

max time kernel
140s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
Size

670KB
MD5

e57825558128cf42f67346dcf2319e64
SHA1

d3d940ccbdb64aa57261599511a09d507b5dd417
SHA256

8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736
SHA512

e7209f05adde4813627d142808091ecb002ecd581f58d6905e4a4228f48df27ee4f087c8b4ff11d89acf2607a6628519d030a10070d2ea46185170a698dc00a1

Score

10^/10

saintbot discovery dropper persistence

Malware Config

Signatures

SaintBot
Saint Bot is a malware dropper being used to deliver secondary payloads such as information stealers.
dropper saintbot

SaintBot Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4644-149-0x0000000000400000-0x000000000040B000-memory.dmp	family_saintbot
behavioral2/memory/4820-173-0x00000000004A0000-0x00000000004AB000-memory.dmp	family_saintbot

Nirsoft 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 12 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeWrvqtyoyuopenbullet.exeMicrosoft Edge.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeMicrosoft Edge.exeWrvqtyoyuopenbullet.exe

pid	process
3636	AdvancedRun.exe
3724	AdvancedRun.exe
216	AdvancedRun.exe
4324	AdvancedRun.exe
3804	Wrvqtyoyuopenbullet.exe
2724	Microsoft Edge.exe
2112	AdvancedRun.exe
1724	AdvancedRun.exe
8	AdvancedRun.exe
800	AdvancedRun.exe
4224	Microsoft Edge.exe
4496	Wrvqtyoyuopenbullet.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Microsoft Edge.exeWScript.exeAdvancedRun.exeAdvancedRun.exe8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exeAdvancedRun.exeAdvancedRun.exe8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Microsoft Edge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

Processes:

8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe

Loads dropped DLL 2 IoCs

Processes:

Microsoft Edge.exedfrgui.exe

pid process

4224 Microsoft Edge.exe
4820 dfrgui.exe

pid	process
4224	Microsoft Edge.exe
4820	dfrgui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dfrgui.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\zzAdmin\\Admin.vbs"	dfrgui.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Microsoft Edge.exedfrgui.exe8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Microsoft Edge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	dfrgui.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	dfrgui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	Microsoft Edge.exe

Drops file in System32 directory 1 IoCs

Processes:

dfrgui.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\dfrgui.exe dfrgui.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dfrgui.exe	dfrgui.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exeMicrosoft Edge.exe

description	pid	process	target process
PID 5072 set thread context of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 2724 set thread context of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1092 3804 WerFault.exe Wrvqtyoyuopenbullet.exe
3108 4496 WerFault.exe Wrvqtyoyuopenbullet.exe

pid	pid_target	process	target process
1092	3804	WerFault.exe	Wrvqtyoyuopenbullet.exe
3108	4496	WerFault.exe	Wrvqtyoyuopenbullet.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dfrgui.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dfrgui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dfrgui.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

524 schtasks.exe

pid	process
524	schtasks.exe

Modifies registry class 2 IoCs

Processes:

8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exeMicrosoft Edge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\Local Settings	Microsoft Edge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1952 PING.EXE

pid	process
1952	PING.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeMicrosoft Edge.exeMicrosoft Edge.exe

pid	process
3636	AdvancedRun.exe
3636	AdvancedRun.exe
3636	AdvancedRun.exe
3636	AdvancedRun.exe
3724	AdvancedRun.exe
3724	AdvancedRun.exe
3724	AdvancedRun.exe
3724	AdvancedRun.exe
216	AdvancedRun.exe
216	AdvancedRun.exe
216	AdvancedRun.exe
216	AdvancedRun.exe
4324	AdvancedRun.exe
4324	AdvancedRun.exe
4324	AdvancedRun.exe
4324	AdvancedRun.exe
5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
2112	AdvancedRun.exe
2112	AdvancedRun.exe
2112	AdvancedRun.exe
2112	AdvancedRun.exe
1724	AdvancedRun.exe
1724	AdvancedRun.exe
1724	AdvancedRun.exe
1724	AdvancedRun.exe
8	AdvancedRun.exe
8	AdvancedRun.exe
8	AdvancedRun.exe
8	AdvancedRun.exe
800	AdvancedRun.exe
800	AdvancedRun.exe
800	AdvancedRun.exe
800	AdvancedRun.exe
2724	Microsoft Edge.exe
2724	Microsoft Edge.exe
4224	Microsoft Edge.exe
4224	Microsoft Edge.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeMicrosoft Edge.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
Token: SeDebugPrivilege	3636	AdvancedRun.exe
Token: SeImpersonatePrivilege	3636	AdvancedRun.exe
Token: SeDebugPrivilege	3724	AdvancedRun.exe
Token: SeImpersonatePrivilege	3724	AdvancedRun.exe
Token: SeDebugPrivilege	216	AdvancedRun.exe
Token: SeImpersonatePrivilege	216	AdvancedRun.exe
Token: SeDebugPrivilege	4324	AdvancedRun.exe
Token: SeImpersonatePrivilege	4324	AdvancedRun.exe
Token: SeDebugPrivilege	2724	Microsoft Edge.exe
Token: SeDebugPrivilege	2112	AdvancedRun.exe
Token: SeImpersonatePrivilege	2112	AdvancedRun.exe
Token: SeDebugPrivilege	1724	AdvancedRun.exe
Token: SeImpersonatePrivilege	1724	AdvancedRun.exe
Token: SeDebugPrivilege	8	AdvancedRun.exe
Token: SeImpersonatePrivilege	8	AdvancedRun.exe
Token: SeDebugPrivilege	800	AdvancedRun.exe
Token: SeImpersonatePrivilege	800	AdvancedRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exeAdvancedRun.exeAdvancedRun.exeWScript.exe8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.execmd.exeMicrosoft Edge.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 5072 wrote to memory of 3636	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	AdvancedRun.exe
PID 5072 wrote to memory of 3636	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	AdvancedRun.exe
PID 5072 wrote to memory of 3636	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	AdvancedRun.exe
PID 3636 wrote to memory of 3724	3636	AdvancedRun.exe	AdvancedRun.exe
PID 3636 wrote to memory of 3724	3636	AdvancedRun.exe	AdvancedRun.exe
PID 3636 wrote to memory of 3724	3636	AdvancedRun.exe	AdvancedRun.exe
PID 5072 wrote to memory of 216	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	AdvancedRun.exe
PID 5072 wrote to memory of 216	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	AdvancedRun.exe
PID 5072 wrote to memory of 216	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	AdvancedRun.exe
PID 216 wrote to memory of 4324	216	AdvancedRun.exe	AdvancedRun.exe
PID 216 wrote to memory of 4324	216	AdvancedRun.exe	AdvancedRun.exe
PID 216 wrote to memory of 4324	216	AdvancedRun.exe	AdvancedRun.exe
PID 5072 wrote to memory of 1156	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	WScript.exe
PID 5072 wrote to memory of 1156	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	WScript.exe
PID 5072 wrote to memory of 1156	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	WScript.exe
PID 1156 wrote to memory of 3804	1156	WScript.exe	Wrvqtyoyuopenbullet.exe
PID 1156 wrote to memory of 3804	1156	WScript.exe	Wrvqtyoyuopenbullet.exe
PID 1156 wrote to memory of 3804	1156	WScript.exe	Wrvqtyoyuopenbullet.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 5072 wrote to memory of 4644	5072	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
PID 4644 wrote to memory of 2724	4644	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	Microsoft Edge.exe
PID 4644 wrote to memory of 2724	4644	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	Microsoft Edge.exe
PID 4644 wrote to memory of 2724	4644	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	Microsoft Edge.exe
PID 4644 wrote to memory of 4920	4644	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	cmd.exe
PID 4644 wrote to memory of 4920	4644	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	cmd.exe
PID 4644 wrote to memory of 4920	4644	8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe	cmd.exe
PID 4920 wrote to memory of 1952	4920	cmd.exe	PING.EXE
PID 4920 wrote to memory of 1952	4920	cmd.exe	PING.EXE
PID 4920 wrote to memory of 1952	4920	cmd.exe	PING.EXE
PID 4920 wrote to memory of 1804	4920	cmd.exe	cmd.exe
PID 4920 wrote to memory of 1804	4920	cmd.exe	cmd.exe
PID 4920 wrote to memory of 1804	4920	cmd.exe	cmd.exe
PID 2724 wrote to memory of 2112	2724	Microsoft Edge.exe	AdvancedRun.exe
PID 2724 wrote to memory of 2112	2724	Microsoft Edge.exe	AdvancedRun.exe
PID 2724 wrote to memory of 2112	2724	Microsoft Edge.exe	AdvancedRun.exe
PID 2112 wrote to memory of 1724	2112	AdvancedRun.exe	AdvancedRun.exe
PID 2112 wrote to memory of 1724	2112	AdvancedRun.exe	AdvancedRun.exe
PID 2112 wrote to memory of 1724	2112	AdvancedRun.exe	AdvancedRun.exe
PID 2724 wrote to memory of 8	2724	Microsoft Edge.exe	AdvancedRun.exe
PID 2724 wrote to memory of 8	2724	Microsoft Edge.exe	AdvancedRun.exe
PID 2724 wrote to memory of 8	2724	Microsoft Edge.exe	AdvancedRun.exe
PID 8 wrote to memory of 800	8	AdvancedRun.exe	AdvancedRun.exe
PID 8 wrote to memory of 800	8	AdvancedRun.exe	AdvancedRun.exe
PID 8 wrote to memory of 800	8	AdvancedRun.exe	AdvancedRun.exe
PID 2724 wrote to memory of 3988	2724	Microsoft Edge.exe	WScript.exe
PID 2724 wrote to memory of 3988	2724	Microsoft Edge.exe	WScript.exe
PID 2724 wrote to memory of 3988	2724	Microsoft Edge.exe	WScript.exe
PID 2724 wrote to memory of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe
PID 2724 wrote to memory of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe
PID 2724 wrote to memory of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe
PID 2724 wrote to memory of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe
PID 2724 wrote to memory of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe
PID 2724 wrote to memory of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe
PID 2724 wrote to memory of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe
PID 2724 wrote to memory of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe
PID 2724 wrote to memory of 4224	2724	Microsoft Edge.exe	Microsoft Edge.exe

C:\Users\Admin\AppData\Local\Temp\8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
"C:\Users\Admin\AppData\Local\Temp\8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3636
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3724
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 216
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sqsxfhynivxwpl.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe
    "C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe"
    3⤵
    - Executes dropped EXE
    PID:3804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 1052
      4⤵
      Program crash
      PID:1092
- C:\Users\Admin\AppData\Local\Temp\8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
  C:\Users\Admin\AppData\Local\Temp\8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2112
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 8
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Sqsxfhynivxwpl.vbs"
      4⤵
      Checks computer location settings
      PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe"
        5⤵
        Executes dropped EXE
        
        PID:4496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1020
        6⤵
        Program crash
        
        PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      PID:4224
    - - C:\Windows\SysWOW64\dfrgui.exe
        
        "C:\Windows\system32\dfrgui.exe"
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        Maps connected drives based on registry
        Drops file in System32 directory
        Checks processor information in registry
        
        PID:4820
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F
        6⤵
        Creates scheduled task(s)
        
        PID:524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Roaming\del.bat"
      4⤵
      PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3804 -ip 3804
1⤵
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4496 -ip 4496
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe

MD5
e57825558128cf42f67346dcf2319e64

SHA1
d3d940ccbdb64aa57261599511a09d507b5dd417

SHA256
8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736

SHA512
e7209f05adde4813627d142808091ecb002ecd581f58d6905e4a4228f48df27ee4f087c8b4ff11d89acf2607a6628519d030a10070d2ea46185170a698dc00a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe

MD5
e57825558128cf42f67346dcf2319e64

SHA1
d3d940ccbdb64aa57261599511a09d507b5dd417

SHA256
8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736

SHA512
e7209f05adde4813627d142808091ecb002ecd581f58d6905e4a4228f48df27ee4f087c8b4ff11d89acf2607a6628519d030a10070d2ea46185170a698dc00a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sqsxfhynivxwpl.vbs

MD5
98b87193951f0e47403c8ac2100447b8

SHA1
b5850433e60ab2d75ff401818a511f2015d91417

SHA256
b8e829bb8cbd54125b29e6f5bb6cfeb2275585c1812078f80d68fb638f8ac67a

SHA512
42d95c4446a5d49181fdcda38df0ce81f8aabb5ae6a75aa6795bfd85946f6f127d8acd1813ce251065eabc35da0097fabb5b6a6249906520d02ba871de79c7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sqsxfhynivxwpl.vbs

MD5
98b87193951f0e47403c8ac2100447b8

SHA1
b5850433e60ab2d75ff401818a511f2015d91417

SHA256
b8e829bb8cbd54125b29e6f5bb6cfeb2275585c1812078f80d68fb638f8ac67a

SHA512
42d95c4446a5d49181fdcda38df0ce81f8aabb5ae6a75aa6795bfd85946f6f127d8acd1813ce251065eabc35da0097fabb5b6a6249906520d02ba871de79c7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe

MD5
5522e540170ed24b9105c706ea88f81c

SHA1
10797720d3740452777c9e7f33a630e4062eea4c

SHA256
65b5e3618ad273eeda31ef1245d7966174d15d19c916c5e844cd65216370ca31

SHA512
decaf50bbcd67e0b421a2a70bc090d07301cb7e94ac8dd0c4fbacda8ba1e73ba9ae5de13a111ad98e81502f3973538e1ea21b4fcd7bdb4863e7b8aeba2cd1cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe

MD5
5522e540170ed24b9105c706ea88f81c

SHA1
10797720d3740452777c9e7f33a630e4062eea4c

SHA256
65b5e3618ad273eeda31ef1245d7966174d15d19c916c5e844cd65216370ca31

SHA512
decaf50bbcd67e0b421a2a70bc090d07301cb7e94ac8dd0c4fbacda8ba1e73ba9ae5de13a111ad98e81502f3973538e1ea21b4fcd7bdb4863e7b8aeba2cd1cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe

MD5
5522e540170ed24b9105c706ea88f81c

SHA1
10797720d3740452777c9e7f33a630e4062eea4c

SHA256
65b5e3618ad273eeda31ef1245d7966174d15d19c916c5e844cd65216370ca31

SHA512
decaf50bbcd67e0b421a2a70bc090d07301cb7e94ac8dd0c4fbacda8ba1e73ba9ae5de13a111ad98e81502f3973538e1ea21b4fcd7bdb4863e7b8aeba2cd1cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wrvqtyoyuopenbullet.exe

MD5
5522e540170ed24b9105c706ea88f81c

SHA1
10797720d3740452777c9e7f33a630e4062eea4c

SHA256
65b5e3618ad273eeda31ef1245d7966174d15d19c916c5e844cd65216370ca31

SHA512
decaf50bbcd67e0b421a2a70bc090d07301cb7e94ac8dd0c4fbacda8ba1e73ba9ae5de13a111ad98e81502f3973538e1ea21b4fcd7bdb4863e7b8aeba2cd1cb0

Download Submit
C:\Users\Admin\AppData\Local\zzAdmin\slideshow.mp4

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\zzAdmin\slideshow.mp4

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\zzAdmin\slideshow.mp4

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe

MD5
e57825558128cf42f67346dcf2319e64

SHA1
d3d940ccbdb64aa57261599511a09d507b5dd417

SHA256
8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736

SHA512
e7209f05adde4813627d142808091ecb002ecd581f58d6905e4a4228f48df27ee4f087c8b4ff11d89acf2607a6628519d030a10070d2ea46185170a698dc00a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe

MD5
e57825558128cf42f67346dcf2319e64

SHA1
d3d940ccbdb64aa57261599511a09d507b5dd417

SHA256
8f5315482513b1df3511cc3b8dc47cb635ef5d4ad66d4c1b615b928be21b1736

SHA512
e7209f05adde4813627d142808091ecb002ecd581f58d6905e4a4228f48df27ee4f087c8b4ff11d89acf2607a6628519d030a10070d2ea46185170a698dc00a1

Download Submit
C:\Users\Admin\AppData\Roaming\del.bat

MD5
0112c1209ddca8b4760d465d163539aa

SHA1
84cdc70d517eb190374a2e2850a98455fb1b09e3

SHA256
8b5ca5aec836460d9bdb7ba7e532a66acc03eced647e04ea1ba07edafccce60e

SHA512
efcbc4f0818021b7cfe5976133398138ea01fc2e9087e0eb88dbd25afcd1b95bc2bec7dc867fd97d169b6bd7cca658e29e9053be06b342ba00d310bf0aa03269

Download Submit
memory/2724-154-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/2724-153-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/3804-146-0x0000000000510000-0x0000000000638000-memory.dmp

Filesize
1.2MB

Download
memory/3804-155-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/3804-148-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/4224-168-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4496-171-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/4496-170-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/4644-149-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4644-147-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4820-173-0x00000000004A0000-0x00000000004AB000-memory.dmp

Filesize
44KB

Download
memory/5072-136-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/5072-135-0x0000000000670000-0x000000000071C000-memory.dmp

Filesize
688KB

Download
memory/5072-134-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/5072-137-0x00000000059D0000-0x0000000005F74000-memory.dmp

Filesize
5.6MB

Download