e566ee2189f830504af1cb787279111b7b2f3817a61a85bad8d9810701dd4877

Analysis

max time kernel
1561s
max time network
1562s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Size

153KB
MD5

35560fff8fc990948a9252bf20cfc8f5
SHA1

66163cb283c8792ac32c0e2361adc7143d8d319d
SHA256

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1
SHA512

9bf7b5aeec71b74012fa36d2af4dc4704e859a564cfbf3b35e44b1af8195a9885292c22a9297b691903c3245a6fae85746590988706e6a4d5dab29937ac13d77
SSDEEP

3072:j6glyuxE4GsUPnliByocWepvdHFdjFpZ/fgyVF0djk:j6gDBGpvEByocWetdHZ/fgKF0

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\cHpfiXA9s.README.txt

Ransom Note

~~~ XeqtR Ransomeware The world's fastest ransomware ~~~ >>>> Your data is now stolen and encrypted, pleaes read the following carefully, as it is in your best interest. We are sorry to inform you that a Ransomware Virus has taken control of your computer. ALL of your important files and folders on your computer have been encrypted with a military grade encryption algorithm. Your documents, videos, images and every other forms of data are now inaccessible and completely locked, and cannot be unlocked without the sole decryption key, in which we are the ONLY ones in possession of this key. This key is currently being stored on a remote server. To acquire this key and have all files restored, transfer the amount of 500 USD in the cryptocurrency BITCOIN to the below specified bitcoin wallet address before the time runs out. Once you have read this you now have 36 hours until your files are lost forever. If you fail to take action within this time window, the decryption key will be destroyed and access to your files will be permanently lost. If you are not familiar with cryptocurrency and bitcoin, just do a google search, visit bitcoin.org, go on your mobile to Cash App, or pretty much just ask someone and most likely they can explain it. Once again, 500 USD in the form of Bitcoin to this wallet address bc1q8wqyacjzzvrn57d2g7aj35lnr5r8fqv0dn0394 The second you have sent the bitcoin and the transaction verifies another text file will appear on your desktop with the website to get your key, and the simple instructions on how to use it to get your files back. 36 hours starts now, we suggest you do not waste time. For any reason you should need customer service, email [email protected]

Emails

[email protected]

Signatures

Renames multiple (9361) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

316C.tmp

pid process

2428 316C.tmp
Executes dropped EXE 1 IoCs

Processes:

316C.tmp

pid process

2428 316C.tmp
Loads dropped DLL 1 IoCs

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

pid process

2064 3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 3 IoCs

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\cHpfiXA9s.bmp"	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\cHpfiXA9s.bmp"	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe316C.tmp

pid	process
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2428	316C.tmp

Drops file in Program Files directory 64 IoCs

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\common.luac	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\cHpfiXA9s.README.txt	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.LEX	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_pt-BR.dll	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\cHpfiXA9s.README.txt	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Vladivostok	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_COL.HXC	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00394_.WMF	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02094_.WMF.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Mawson.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanReport.Dotx.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00141_.WMF	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\cHpfiXA9s.README.txt	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.POC	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2A.BDR.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\msolui100.rll	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Client.dll	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprsr.dll	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18224_.WMF	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\cHpfiXA9s.README.txt	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CSS7DATA000A.DLL.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21337_.GIF	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21306_.GIF	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14529_.GIF	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\cHpfiXA9s.README.txt	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME10.CSS	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\cHpfiXA9s.README.txt	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00184_.WMF	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FLAP.WMF.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309920.WMF.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\cHpfiXA9s.README.txt	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\SpiderSolitaire.exe.mui	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Trek.eftx	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\AMERITECH.NET.XML.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\rings-dock.png	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallpaperStyle = "10"	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

Modifies registry class 5 IoCs

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cHpfiXA9s\DefaultIcon\ = "C:\\ProgramData\\cHpfiXA9s.ico"	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cHpfiXA9s\ = "cHpfiXA9s"	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

pid	process
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

316C.tmp

pid	process
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp
2428	316C.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeDebugPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: 36	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeImpersonatePrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeIncBasePriorityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeIncreaseQuotaPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: 33	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeManageVolumePrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeProfSingleProcessPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeRestorePrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSystemProfilePrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeTakeOwnershipPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeShutdownPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeDebugPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeBackupPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
Token: SeSecurityPrivilege	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe316C.tmp

description	pid	process	target process
PID 2064 wrote to memory of 2428	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe	316C.tmp
PID 2064 wrote to memory of 2428	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe	316C.tmp
PID 2064 wrote to memory of 2428	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe	316C.tmp
PID 2064 wrote to memory of 2428	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe	316C.tmp
PID 2064 wrote to memory of 2428	2064	3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe	316C.tmp
PID 2428 wrote to memory of 2252	2428	316C.tmp	cmd.exe
PID 2428 wrote to memory of 2252	2428	316C.tmp	cmd.exe
PID 2428 wrote to memory of 2252	2428	316C.tmp	cmd.exe
PID 2428 wrote to memory of 2252	2428	316C.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe
"C:\Users\Admin\AppData\Local\Temp\3e04fe9f427717ca17142603b46c5264fb42621048719721ffa4926c8e9bb6f1.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\ProgramData\316C.tmp
  "C:\ProgramData\316C.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\316C.tmp >> NUL
    3⤵
    PID:2252

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2660163958-4080398480-1122754539-1000\AAAAAAAAAAA

Filesize
129B

MD5
e9d8659f707609498c5326b8960e9ef8

SHA1
b4003b8d1d24a72c718cef2a1839bfec9433ccf4

SHA256
4f09658e6ff6e7135309c78ce8a7c1c0a11d06011db3bd856772703eb9dffb12

SHA512
2d8bd7fa78bb1241f23ce04c5e32e4f052f598b6c21368d1b34c22e377ad43c0145aaee8b010c76d1fb02497e6c6b5c00ec8a0ec5635869fe15af10b9b61cf14

Download Submit
C:\ProgramData\cHpfiXA9s.ico

Filesize
14KB

MD5
24a9eb90f460225a017475bfda1b7a91

SHA1
a1e8d479d7d286d8b1137290afa53f61941ca365

SHA256
8ff8322ec21c6f1fbf72277ecf16390b125074e4ec9c35140399517582d3400f

SHA512
994ee866112c930d128e8860d537508c63365cbd8f0d254671bd60fd532b1ae697e79d01f6371c711cd208e1451ba7e3e67705de8082d946b54727bbe83a42a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
153KB

MD5
06824e076455367f2925bf11385410e1

SHA1
8f6f0566eed13413963fa5a6eee49835632c1219

SHA256
295632ec496541e31c66277d8e969378f8bcec7578c5ae1e0dab2b31a9f31fa2

SHA512
ff972043860892cd2a9a735bc120f9f5e0ca961bcbc9999c54f31c318e87a718b45216bd3e50c1bd7364a8ba866b110ac29ea9c181a4c920a1757cf2834a4c19

Download Submit
C:\cHpfiXA9s.README.txt

Filesize
1KB

MD5
3605fdc69caa6b331eaf96ea07e4157d

SHA1
fc6bce8fc36aa774fb5e02cc1b25df8b59c6fa44

SHA256
0ec8c3830d53015c531dd0d8c540bc961f67888bb44731f87af6ba8be1268df3

SHA512
8b3eddd76b231bf1cca7e26d83756d418fab432afb6c7fc46e3e1356c8a580b78e09f29ef3adbadf72a8258c29d4855dac9b4b5c4519535b93a982469519c226

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2660163958-4080398480-1122754539-1000\KKKKKKKKKKK

Filesize
129B

MD5
42d9a8802a3ed460717702a1076b88dc

SHA1
ebe7482323fb007a1d12590bd9081609f5fa8b3c

SHA256
cc57911c31023c42bfdf8eefe63a2ec208fc7c09016d514fa026416f4b88411f

SHA512
38673ed088550c3cda26b2972504bcc5188c7122af04a6682eb5c8a51d10c1e87277df3b12dbe01eea631428435aa040a655db8c7f0818092cfddded6a1ac8c4

Download Submit
\ProgramData\316C.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2064-0-0x0000000002130000-0x0000000002170000-memory.dmp

Filesize
256KB

Download
memory/2428-13741-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/2428-13745-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/2428-13744-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/2428-13743-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/2428-13742-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/2428-13774-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2428-13775-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download