b7147a76c6695b750a84de55d4569f71f694b33aeefeef5daa09318ebabd9a24

Resubmissions

20-03-2024 09:55

240320-lxzn8sdh94 10

20-03-2024 09:53

240320-lwzb3sef3x 10

18-03-2024 09:01

240318-ky38dadf6s 10

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-03-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Size

147KB
MD5

75256873a03f4a4bc073185f48c1097c
SHA1

e9023061def67ba21c09826fadc1607fd7f71d88
SHA256

068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd
SHA512

4b718093ad42d7b7b72498dfcbcfd1b39c980ef44e999b7035e6bfe6b782aad6b7553832f1efee45003d9b0c56bf2e408ca55082c550ac4faa19f199f366dede
SSDEEP

3072:s6glyuxE4GsUPnliByocWepvdHFdjFpZ/fgyVF0dj:s6gDBGpvEByocWetdHZ/fgKF0

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\cHpfiXA9s.README.txt

Ransom Note

~~~ XeqtR Ransomeware The world's fastest ransomware ~~~ >>>> Your data is now stolen and encrypted, pleaes read the following carefully, as it is in your best interest. We are sorry to inform you that a Ransomware Virus has taken control of your computer. ALL of your important files and folders on your computer have been encrypted with a military grade encryption algorithm. Your documents, videos, images and every other forms of data are now inaccessible and completely locked, and cannot be unlocked without the sole decryption key, in which we are the ONLY ones in possession of this key. This key is currently being stored on a remote server. To acquire this key and have all files restored, transfer the amount of 500 USD in the cryptocurrency BITCOIN to the below specified bitcoin wallet address before the time runs out. Once you have read this you now have 36 hours until your files are lost forever. If you fail to take action within this time window, the decryption key will be destroyed and access to your files will be permanently lost. If you are not familiar with cryptocurrency and bitcoin, just do a google search, visit bitcoin.org, go on your mobile to Cash App, or pretty much just ask someone and most likely they can explain it. Once again, 500 USD in the form of Bitcoin to this wallet address bc1q8wqyacjzzvrn57d2g7aj35lnr5r8fqv0dn0394 The second you have sent the bitcoin and the transaction verifies another text file will appear on your desktop with the website to get your key, and the simple instructions on how to use it to get your files back. 36 hours starts now, we suggest you do not waste time. For any reason you should need customer service, email [email protected]

Emails

[email protected]

Signatures

Renames multiple (9399) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1572	97EC.tmp

Executes dropped EXE 1 IoCs

pid	Process
1572	97EC.tmp

Loads dropped DLL 1 IoCs

pid	Process
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\cHpfiXA9s.bmp"	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\cHpfiXA9s.bmp"	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
1572	97EC.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS10TARG.POC	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\meta-index.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\icon.png	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7es.dll	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18210_.WMF	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00442_.WMF.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151061.WMF	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\cHpfiXA9s.README.txt	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Issue Tracking.gta	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01242_.WMF.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ACE.dll.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_MCELogo_mouseover.png	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\cacerts.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\cHpfiXA9s.README.txt	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\cHpfiXA9s.README.txt	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.Services.Design.resources.dll	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIP.DPV.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Elemental.eftx	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239997.WMF	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_settings.png	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_gather_plugin.dll.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7en.kic.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00247_.WMF.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105638.WMF.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_pl.dll	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\PREVIEW.GIF	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Internet Explorer\jsprofilerui.dll	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\cHpfiXA9s.README.txt	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTINTL.DLL.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304875.WMF	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MUSIC_01.MID.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.dll	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\mpvis.dll.mui	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VVIEWER.DLL.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTITS.ICO.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QRYINT32.DLL	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Origin.thmx.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\cHpfiXA9s.README.txt	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\Revert.wmz	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.sig.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\THMBNAIL.PNG	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\SettingsInternal.zip.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\NVBELL.NET.XML	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\Desktop\WallpaperStyle = "10"	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s\ = "cHpfiXA9s"	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon\ = "C:\\ProgramData\\cHpfiXA9s.ico"	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp
1572	97EC.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeDebugPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: 36	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeImpersonatePrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeIncBasePriorityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeIncreaseQuotaPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: 33	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeManageVolumePrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeProfSingleProcessPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeRestorePrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSystemProfilePrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeTakeOwnershipPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeShutdownPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeDebugPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeBackupPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
Token: SeSecurityPrivilege	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1572	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe	30
PID 2408 wrote to memory of 1572	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe	30
PID 2408 wrote to memory of 1572	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe	30
PID 2408 wrote to memory of 1572	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe	30
PID 2408 wrote to memory of 1572	2408	068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe	30
PID 1572 wrote to memory of 2976	1572	97EC.tmp	31
PID 1572 wrote to memory of 2976	1572	97EC.tmp	31
PID 1572 wrote to memory of 2976	1572	97EC.tmp	31
PID 1572 wrote to memory of 2976	1572	97EC.tmp	31

C:\Users\Admin\AppData\Local\Temp\068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe
"C:\Users\Admin\AppData\Local\Temp\068ca3e92c65eb907b5a34be16580e267efbbde6f9129ca30ad80c948a1d3ffd.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\ProgramData\97EC.tmp
  "C:\ProgramData\97EC.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\97EC.tmp >> NUL
    3⤵
    PID:2976

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\BBBBBBBBBBB

Filesize
129B

MD5
2657a0e864c9edd2ac4512b622bc502b

SHA1
1b4d1cf16d991bcb714fae039ea28271750becc3

SHA256
d6793498e4a53dbdc73f18aa2561a1a5da3cc47abf55035aa87ce5ad35f8b6fb

SHA512
0fbd59fdcaa6c95e76637659e5826c39abc2f3900c70bc614738e34e156dcb87df9766ea570d238f6b84503b4998b07ddaae3d70bc2040d18dab9b3ab8bc4416

Download Submit
C:\ProgramData\cHpfiXA9s.ico

Filesize
14KB

MD5
88d9337c4c9cfe2d9aff8a2c718ec76b

SHA1
ce9f87183a1148816a1f777ba60a08ef5ca0d203

SHA256
95e059ef72686460884b9aea5c292c22917f75d56fe737d43be440f82034f438

SHA512
abafea8ca4e85f47befb5aa3efee9eee699ea87786faff39ee712ae498438d19a06bb31289643b620cb8203555ea4e2b546ef2f10d3f0087733bc0ceaccbeafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
147KB

MD5
c76cb382b5078d0ff97f5c0955833cec

SHA1
0a4f596e3325d9267048465ad325ebcafecb77ad

SHA256
49910923f8c6624c6bde580e7c3bab33f419854d89c74fdbf5a850c5bdb55a05

SHA512
77280ae9ecbd4d4e86906a50eaea5f4e9b0f55412a66f5fbdbf7aa734982567d603c75f25549d475cea0d6e9186e9a2406f25f0802c4107a5f90c19080224b29

Download Submit
C:\cHpfiXA9s.README.txt

Filesize
1KB

MD5
3605fdc69caa6b331eaf96ea07e4157d

SHA1
fc6bce8fc36aa774fb5e02cc1b25df8b59c6fa44

SHA256
0ec8c3830d53015c531dd0d8c540bc961f67888bb44731f87af6ba8be1268df3

SHA512
8b3eddd76b231bf1cca7e26d83756d418fab432afb6c7fc46e3e1356c8a580b78e09f29ef3adbadf72a8258c29d4855dac9b4b5c4519535b93a982469519c226

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\DDDDDDDDDDD

Filesize
129B

MD5
879afa37331cf3bbcbca5078e88c4794

SHA1
68c9ef96386ae06272cc0514d4893b32bf8bb540

SHA256
2b923950e683d3c8623264f1ee9d06602f90920e04a5d7d0f52ec67d20f68f40

SHA512
6044b84c30b8d6ef313bcbb0f094942f1999c255bd97c3adca66deeee1d7be5102e807a280ca0edc4f1d8d1c067c6ee507858e2d14d096b58dcef7212cc40d08

Download Submit
\ProgramData\97EC.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1572-13730-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1572-13731-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/1572-13734-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/1572-13737-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1572-13739-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1572-13763-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1572-13764-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/2408-0-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download