ramnit | 559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Size

1.2MB
MD5

0b0abebcf52608a0a662c17f3bd316d0
SHA1

107c457ae440d137e5735244871f8e8f3998e6e1
SHA256

559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059
SHA512

0f96fbbf4b502f7e5dfb187091a070d0acca5c182ef741210eaf3dbd9e24388fbeb0f9be0e80270eb8fdb71f48d23137771b6ef95d1f3ebf20d640f5ec13b7db
SSDEEP

24576:EdsuNOCN8loXWfgLYeuQaTjCdsyYPDsseHtHwKlK7MMMMMMRxAyTSiU:nuY28SUgLYosT1MMMMMMhTSd

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
4100	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
3684	WaterMark.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4100-137-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4100-138-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/4100-141-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/3684-150-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3684-151-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3684-152-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3684-153-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3684-156-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3684-157-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3684-158-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3684-159-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF784.tmp	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
364	3656	WerFault.exe	84

Modifies Internet Explorer settings 1 TTPs 49 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "71458803"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "62082781"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "62240171"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "62082781"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993175"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373758652"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "62240171"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2F2864D9-570A-11ED-A0EE-5286B00C3051} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993175"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993175"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993175"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2F2F8B13-570A-11ED-A0EE-5286B00C3051} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993175"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993175"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "71458803"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR32	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,1"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe
3684	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
216	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	WaterMark.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
216	iexplore.exe
3708	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
216	iexplore.exe
216	iexplore.exe
3708	iexplore.exe
3708	iexplore.exe
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
1940	IEXPLORE.EXE
1940	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4100	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
3684	WaterMark.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4100	4896	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe	82
PID 4896 wrote to memory of 4100	4896	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe	82
PID 4896 wrote to memory of 4100	4896	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe	82
PID 4100 wrote to memory of 3684	4100	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe	83
PID 4100 wrote to memory of 3684	4100	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe	83
PID 4100 wrote to memory of 3684	4100	559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe	83
PID 3684 wrote to memory of 3656	3684	WaterMark.exe	84
PID 3684 wrote to memory of 3656	3684	WaterMark.exe	84
PID 3684 wrote to memory of 3656	3684	WaterMark.exe	84
PID 3684 wrote to memory of 3656	3684	WaterMark.exe	84
PID 3684 wrote to memory of 3656	3684	WaterMark.exe	84
PID 3684 wrote to memory of 3656	3684	WaterMark.exe	84
PID 3684 wrote to memory of 3656	3684	WaterMark.exe	84
PID 3684 wrote to memory of 3656	3684	WaterMark.exe	84
PID 3684 wrote to memory of 3656	3684	WaterMark.exe	84
PID 3684 wrote to memory of 216	3684	WaterMark.exe	89
PID 3684 wrote to memory of 216	3684	WaterMark.exe	89
PID 3684 wrote to memory of 3708	3684	WaterMark.exe	90
PID 3684 wrote to memory of 3708	3684	WaterMark.exe	90
PID 3708 wrote to memory of 2988	3708	iexplore.exe	91
PID 3708 wrote to memory of 2988	3708	iexplore.exe	91
PID 3708 wrote to memory of 2988	3708	iexplore.exe	91
PID 216 wrote to memory of 1940	216	iexplore.exe	92
PID 216 wrote to memory of 1940	216	iexplore.exe	92
PID 216 wrote to memory of 1940	216	iexplore.exe	92

C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe
"C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
  C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 204
        5⤵
        Program crash
        
        PID:364
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:216 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1940
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3708 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3656 -ip 3656
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
4f630c01f9bf4c57d049a46ea616203c

SHA1
a2d06f097a95d9096f7e381d39e982c0c29aac25

SHA256
217bc1b6fd8b9b5987d428f164bde885ce60d24db297abd86c177e8595c30793

SHA512
1ae68ac255fe9b2c517425e8642fb630c178ea261e6e844fc27d7a9f8d3e6c92da594549284622aee09b96540e9fc6086fa32ba7f66c794c1c983ed7c526af45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
4f630c01f9bf4c57d049a46ea616203c

SHA1
a2d06f097a95d9096f7e381d39e982c0c29aac25

SHA256
217bc1b6fd8b9b5987d428f164bde885ce60d24db297abd86c177e8595c30793

SHA512
1ae68ac255fe9b2c517425e8642fb630c178ea261e6e844fc27d7a9f8d3e6c92da594549284622aee09b96540e9fc6086fa32ba7f66c794c1c983ed7c526af45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
3987d2f40eb458c4f62dd34ff560b023

SHA1
1866e5fcaec531bec79814f6ba18f837b8ec9835

SHA256
1ff0c01f880f292889c6b61835dc657e1ceeef4c698bd21bd48bd9faf796d630

SHA512
60fae8e37454ad85138b737ae1564b6bd8b1d1fd50760df5f25c625ee439a429adfd57e12214ab91199e2101167e42d199180801cf6cc845720e2312fd29ddf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
aa2d2bfb65cf32e9278ba20cd414f62b

SHA1
b99132f2d23daca647409f478f67fbf67ab31e2d

SHA256
6f17c313372263e480d1bfa109db0fefaf773c1388aea9b4edb4c8a4d739eb82

SHA512
7f2b5e97727d70f6a3d93ba4a4a1ab8b24411afd8b04098980d3d56d400668872d7220beb9b22a3e777c6f338e15bec163763a55713247f5076f3f7b08e4ff81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2F2864D9-570A-11ED-A0EE-5286B00C3051}.dat

Filesize
4KB

MD5
baa474d6d19232b7c42665e2a78e0eaf

SHA1
de5e158ff54a912a8435fadd40c2f668f5c157f9

SHA256
ed40736141339eedb0c0558dd1936ddc3b4b4d81cdbef1376db18d6145626ced

SHA512
3b40dffa3f1a36cd4cae518529828abdb3d9338937ce82e0bf4bdb72c1a463bd08012afa0a805c362e1d4faa71f448b836034341117649e948a523c279db7610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2F2F8B13-570A-11ED-A0EE-5286B00C3051}.dat

Filesize
5KB

MD5
e4e306682103e7d1560053cd91e7b918

SHA1
5cd0909c0370923fb0afb44c84160ecd90760d03

SHA256
a409a594b3415f1f67135e7f4c77d366b740d58b0012efcd9ad7e51837b59818

SHA512
7421fa7f858499ed291d7445861e930ead703c584f3a7800383397042941209d4805ffc13499ca8d793a4d1aa0f00aae7f94770057a2bd00cd6f1956e464c58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\559a0c77c733d6206a2f3b3f4748a10182634b207f5ad1b30fa66bdb3d025059mgr.exe

Filesize
112KB

MD5
b5d2cd911f8159258420e865fbcfb130

SHA1
e2a1ddc84e7a66259ab0d7b2bebb8b7091b55766

SHA256
ce9192cb9d26236169b2a0379d1bbf82e8ad21a0e0cc3ada5b17858aec6ebbb0

SHA512
812e026ddafa4e519e9ee6e11301004065038b74717bc6a90683669393b6cbf7845d1bafde80929645c0184062583df7f52ac782537ed0d5d7b970eb2581fd48

Download Submit
memory/3684-157-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3684-152-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3684-153-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3684-150-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3684-151-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3684-156-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3684-159-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3684-158-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4100-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4100-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4100-137-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4896-149-0x0000000000F00000-0x000000000107C000-memory.dmp

Filesize
1.5MB

Download
memory/4896-164-0x0000000000F00000-0x000000000107C000-memory.dmp

Filesize
1.5MB

Download