37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33

Analysis

max time kernel
1800s
max time network
1799s
platform
windows7_x64
resource
win7-20220414-en
submitted
05-07-2022 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe
Size

1.3MB
MD5

03f39d4df6508064da95ed5a273a6979
SHA1

60cb1fa320b0d8ac4082f8af7bf59e54de6b9ccb
SHA256

37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33
SHA512

89212c00bfdc1addfa063d1786c96c3f69d932cdd678f9be3be58dfb89ed571417105ad8034b7ad88d4801f35755a847961f8ff6f1e91c26bf372d8be4da485c

Score

10^/10

adware persistence suricata upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe"	svchost.exe

suricata: ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain
suricata: ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain
suricata
suricata: ET MALWARE Win32/Ramnit Checkin
suricata: ET MALWARE Win32/Ramnit Checkin
suricata

Allows Chrome notifications for new domains 1 TTPs 4 IoCs

adware

Modify Registry

T1112

Processes:

37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls\1 = "https://[*.]durington.info"	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls\2 = "https://[*.]stimafigu.info"	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls\3 = "https://[*.]qareaste.info"	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe

Executes dropped EXE 2 IoCs

Processes:

37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exeWaterMark.exe

pid process

900 37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
1488 WaterMark.exe

pid	process
900	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
1488	WaterMark.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/900-61-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/900-62-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/900-67-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1488-86-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe

pid	process
1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe
1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe
900	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
900	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe
File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\dmlconf.dat	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_elf.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaremr.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado15.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcfr.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\mojo_core.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\npdeployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll	svchost.exe
File opened for modification	C:\Program Files\DVD Maker\Pipeline.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2native.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadrh15.dll	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\eventlog_provider.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\fontmanager.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	svchost.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsTap.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	svchost.exe
File opened for modification	C:\Program Files\Internet Explorer\msdbg2.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\JdbcOdbc.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadco.dll	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec000000000020000000000106600000001000020000000537b52886792301abb22b8b70da9fa5e91e2568cf34cd455e273ca43bf4beb6d000000000e80000000020000200000006c8f0b5965030f8b24d46c5b6cfe5192e1b0ae284756819ed849142d515e51d220000000805ded2a5b5a005cc6f22874d803522a1eec3d6359381e5d0e1d014f58a132d840000000c429b322ac96ef643c292d2dc8cce95f0d415157600587374c5658a7f61a7e0b9a8c04cbb27389abe73830b3ab92de9106c5ab177d59c11675789a7a034bb8fe	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec000000000020000000000106600000001000020000000b555f14a4dd7902f90496171264760fe75f8d715d94c9c3e705c85f05e971bb1000000000e800000000200002000000083c7f411084187af0deaee5f7f235bafecd31c0fb14fc095d5b944b95d7248479000000004ef20c2e622efb8557451d9e673402cebdd4d0279db8b3362965b40db0cb99918cbd96cd1332e2ff7129e9908fb3f4e57330f4792c15ed7edcd5384a6bc7a8ff33b5515faf96a679d3de8e860f44a8861c06b81694c1b59e9fb0e43a0853faec74d3b63cf407a858c417cc828cf3768803f2c2a9092d469245cd5639381fb6b6752525229b13f749bf70286b6b4cc3440000000afd7c351d859745eeb75c544dac915d15549f76274621dcc69ce12313ad5b2e853402016a21022d2cf01ec527b7ca712f132243cead234b47243de4f127a4166	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363824011"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 606e2427bc90d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{49CE3D61-FCAF-11EC-9367-7EDEB47CBF10} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WaterMark.exesvchost.exe37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe

pid	process
1488	WaterMark.exe
1488	WaterMark.exe
1488	WaterMark.exe
1488	WaterMark.exe
1488	WaterMark.exe
1488	WaterMark.exe
1488	WaterMark.exe
1488	WaterMark.exe
1624	svchost.exe
1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe
1624	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

916 iexplore.exe

pid	process
916	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WaterMark.exesvchost.exeIEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1488	WaterMark.exe
Token: SeDebugPrivilege	1624	svchost.exe
Token: SeDebugPrivilege	1488	WaterMark.exe
Token: SeDebugPrivilege	1744	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

916 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

916 iexplore.exe
916 iexplore.exe
1744 IEXPLORE.EXE
1744 IEXPLORE.EXE
1744 IEXPLORE.EXE
1744 IEXPLORE.EXE
Suspicious use of UnmapMainImage 2 IoCs

Processes:

37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exeWaterMark.exe

pid process

900 37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
1488 WaterMark.exe

pid	process
916	iexplore.exe

pid	process
916	iexplore.exe
916	iexplore.exe
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE
1744	IEXPLORE.EXE

pid	process
900	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
1488	WaterMark.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exeWaterMark.exesvchost.exe

description	pid	process	target process
PID 1888 wrote to memory of 900	1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
PID 1888 wrote to memory of 900	1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
PID 1888 wrote to memory of 900	1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
PID 1888 wrote to memory of 900	1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
PID 900 wrote to memory of 1488	900	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe	WaterMark.exe
PID 900 wrote to memory of 1488	900	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe	WaterMark.exe
PID 900 wrote to memory of 1488	900	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe	WaterMark.exe
PID 900 wrote to memory of 1488	900	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe	WaterMark.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1320	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1488 wrote to memory of 1624	1488	WaterMark.exe	svchost.exe
PID 1624 wrote to memory of 260	1624	svchost.exe	smss.exe
PID 1624 wrote to memory of 260	1624	svchost.exe	smss.exe
PID 1624 wrote to memory of 260	1624	svchost.exe	smss.exe
PID 1624 wrote to memory of 260	1624	svchost.exe	smss.exe
PID 1624 wrote to memory of 260	1624	svchost.exe	smss.exe
PID 1624 wrote to memory of 336	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 336	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 336	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 336	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 336	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 372	1624	svchost.exe	wininit.exe
PID 1624 wrote to memory of 372	1624	svchost.exe	wininit.exe
PID 1624 wrote to memory of 372	1624	svchost.exe	wininit.exe
PID 1624 wrote to memory of 372	1624	svchost.exe	wininit.exe
PID 1624 wrote to memory of 372	1624	svchost.exe	wininit.exe
PID 1888 wrote to memory of 916	1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe	iexplore.exe
PID 1888 wrote to memory of 916	1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe	iexplore.exe
PID 1888 wrote to memory of 916	1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe	iexplore.exe
PID 1888 wrote to memory of 916	1888	37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe	iexplore.exe
PID 1624 wrote to memory of 384	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 384	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 384	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 384	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 384	1624	svchost.exe	csrss.exe
PID 1624 wrote to memory of 420	1624	svchost.exe	winlogon.exe
PID 1624 wrote to memory of 420	1624	svchost.exe	winlogon.exe
PID 1624 wrote to memory of 420	1624	svchost.exe	winlogon.exe
PID 1624 wrote to memory of 420	1624	svchost.exe	winlogon.exe
PID 1624 wrote to memory of 420	1624	svchost.exe	winlogon.exe
PID 1624 wrote to memory of 464	1624	svchost.exe	services.exe
PID 1624 wrote to memory of 464	1624	svchost.exe	services.exe
PID 1624 wrote to memory of 464	1624	svchost.exe	services.exe
PID 1624 wrote to memory of 464	1624	svchost.exe	services.exe
PID 1624 wrote to memory of 464	1624	svchost.exe	services.exe
PID 1624 wrote to memory of 480	1624	svchost.exe	lsass.exe
PID 1624 wrote to memory of 480	1624	svchost.exe	lsass.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:464

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:1668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:1844

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1060

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1160

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
4⤵
PID:1756

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:480

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:336

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:260

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:832

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe
"C:\Users\Admin\AppData\Local\Temp\37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33.exe"
2⤵
- Allows Chrome notifications for new domains
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
C:\Users\Admin\AppData\Local\Temp\37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:900

C:\Program Files (x86)\Microsoft\WaterMark.exe
"C:\Program Files (x86)\Microsoft\WaterMark.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://durington.info/?tag_id=715349&sub_id1=59&sub_id2=F3150013-721C-489E-9524-6640CC123A9F&cookie_id=4cab856c-2ae4-4cbd-8a04-329969ee64da&lp=blank&tb=redirect&allb=redirect&ob=redirect&href=https://stimafigu.info/?tag_id=715349%26sub_id1=59%26sub_id2=F3150013-721C-489E-9524-6640CC123A9F%26cookie_id=4cab856c-2ae4-4cbd-8a04-329969ee64da%26lp=blank%26tb=redirect%26allb=redirect%26ob=redirect%26href=https://qareaste.info/?tag_id=715349%2526sub_id1=59%2526sub_id2=F3150013-721C-489E-9524-6640CC123A9F%2526cookie_id=4cab856c-2ae4-4cbd-8a04-329969ee64da%2526lp=blank%2526tb=redirect%2526allb=redirect%2526ob=redirect
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:916

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:916 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
c8a06514b4f1bff09de4f7911e5cd75f

SHA1
bcc94970f2834f4a7d515e47092a95002efa9cc0

SHA256
1c5f12c831177a89895dabeca5de8556ca60e1a56b2048576c938958e1447c9b

SHA512
77f6cf6d8816dc85dcbdf8bf8f0a574a358a2f58d9a6b6cecc274b3bc9c1bb9f1ce088c0a1d5e7dd3ffe040a87f409a49cfe782ab29fb9a3b1e439ec47469723

Download Submit
C:\Users\Admin\AppData\Local\Temp\37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JPP4WH04.txt
Filesize
595B

MD5
de32a5084000f66fb89f73f4641cb228

SHA1
613660d03bfb3cd8e6e8fd2bb26c0b9ab47b033e

SHA256
560138b14537404506af865d6218c8c5337dda86d164a140883b8f61591fb82f

SHA512
4f94b3387024f7cd02de97e6f5e724e252b35b2b99dd7fd45a35f1812bc30a5ab156eeda9d186c40f4c1a19f6a1700f9814bdd7fe90d675666bb16a9188517e5

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
\Program Files (x86)\Microsoft\WaterMark.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
\Users\Admin\AppData\Local\Temp\37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
\Users\Admin\AppData\Local\Temp\37312334158e98e5a3e536b38660de4c83d3a0628115ef7fbc09a15b5f9ccf33mgr.exe
Filesize
184KB

MD5
d059e448bae51f521010cbce8f23643a

SHA1
74925d1dc5b0da8ffa87c694a1fef4e8a9697ec0

SHA256
c3dc9ae1a07d82a0f41a54d54eea09dfd4a0e12baeaedb278ce207c59ae05655

SHA512
7e8fa21ec13d787b1655a1ef794dd812f2f607508af6ba006344a450dc4515d70bd4a338619bc49861583acfbf693c456cc23179950aac02dd41aaf1eeb7b64e

Download Submit
memory/900-57-0x0000000000000000-mapping.dmp

Download
memory/900-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/900-62-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/900-61-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1320-75-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1320-77-0x0000000000000000-mapping.dmp

Download
memory/1320-79-0x0000000020010000-0x0000000020022000-memory.dmp

Filesize
72KB

Download
memory/1488-66-0x0000000000000000-mapping.dmp

Download
memory/1488-86-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1624-128-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1624-125-0x0000000000000000-mapping.dmp

Download
memory/1624-121-0x0000000020010000-0x000000002001B000-memory.dmp

Filesize
44KB

Download
memory/1888-108-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-88-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-91-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-92-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-93-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-94-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-95-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-96-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-97-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-98-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-99-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-100-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-101-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-102-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-103-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-104-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-105-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-106-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-107-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-89-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-109-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-110-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-111-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-112-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-113-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-114-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-115-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-116-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-117-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-118-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-120-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-90-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-122-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-124-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-87-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-126-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-127-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-85-0x00000000002E0000-0x0000000000318000-memory.dmp

Filesize
224KB

Download
memory/1888-129-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-131-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-133-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-135-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-136-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-137-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-138-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-140-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-141-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-142-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-143-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-145-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-146-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-147-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-149-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-150-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-151-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-153-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-154-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-155-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-156-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-163-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-84-0x00000000002E0000-0x0000000000318000-memory.dmp

Filesize
224KB

Download
memory/1888-83-0x000000000FD30000-0x000000000FE7E000-memory.dmp

Filesize
1.3MB

Download
memory/1888-54-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download