ramnit | fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e

Analysis

max time kernel
134s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e.exe
Size

1.3MB
MD5

919cea3bb73b4ffc28644333df5b6e1d
SHA1

25c19e619448ddfb21280cabaf3357107fb287fa
SHA256

fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e
SHA512

73c1846044bed90d75466029745cc3988fa26403483d0acc741633441ee77ab751bfd678843f73c85f45c38a60a6ad2cdff861bc760e02d61cc87cf02437a43d
SSDEEP

24576:AAOjb9AEhTev+swfVbbUC9ZVl3u9RJ1tv+K38n2dPMm:AdP9AEhTA+swfVbbUCtWLJdPMm

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

pid	Process
460	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe
1748	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe
1152	WaterMark.exe
1580	WaterMark.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1748-145-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1748-144-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1748-147-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1748-148-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/460-151-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/460-153-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/1748-150-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1748-164-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/460-156-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/460-159-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral2/memory/1152-160-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1152-165-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1580-167-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1580-170-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1152-179-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1580-178-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1580-180-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1152-177-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1152-185-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1152-186-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1580-188-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1580-187-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1152-189-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1580-190-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/1152-191-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxACB0.tmp	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\WaterMark.exe	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxACDF.tmp	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe
File created	C:\Program Files (x86)\Microsoft\WaterMark.exe	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3060	4556	WerFault.exe	83
1000	3488	WerFault.exe	82

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374004974"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2316540949"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993748"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993748"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993748"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B2C95B7A-5947-11ED-B696-DEF0885D2AEB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993748"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B2CBBD5B-5947-11ED-B696-DEF0885D2AEB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B2C6F794-5947-11ED-B696-DEF0885D2AEB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2321385142"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993748"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2316540949"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2316385905"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2316540949"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2316385905"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30993748"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2321229178"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2321229178"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993748"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30993748"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2321229178"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1152	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1152	WaterMark.exe
1580	WaterMark.exe
1152	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe
1580	WaterMark.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4832	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e.exe
2440	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	WaterMark.exe
Token: SeDebugPrivilege	1580	WaterMark.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2316	iexplore.exe
1336	iexplore.exe
2440	iexplore.exe
4348	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4832	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e.exe
2440	iexplore.exe
2440	iexplore.exe
2316	iexplore.exe
2316	iexplore.exe
1336	iexplore.exe
1336	iexplore.exe
4348	iexplore.exe
4348	iexplore.exe
8	IEXPLORE.EXE
8	IEXPLORE.EXE
3376	IEXPLORE.EXE
3376	IEXPLORE.EXE
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
3264	IEXPLORE.EXE
3264	IEXPLORE.EXE
3376	IEXPLORE.EXE
3376	IEXPLORE.EXE

Suspicious use of UnmapMainImage 4 IoCs

pid	Process
1748	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe
460	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe
1152	WaterMark.exe
1580	WaterMark.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 460	4832	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e.exe	78
PID 4832 wrote to memory of 460	4832	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e.exe	78
PID 4832 wrote to memory of 460	4832	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e.exe	78
PID 460 wrote to memory of 1748	460	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe	79
PID 460 wrote to memory of 1748	460	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe	79
PID 460 wrote to memory of 1748	460	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe	79
PID 460 wrote to memory of 1152	460	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe	80
PID 460 wrote to memory of 1152	460	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe	80
PID 460 wrote to memory of 1152	460	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe	80
PID 1748 wrote to memory of 1580	1748	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe	81
PID 1748 wrote to memory of 1580	1748	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe	81
PID 1748 wrote to memory of 1580	1748	fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe	81
PID 1152 wrote to memory of 3488	1152	WaterMark.exe	82
PID 1152 wrote to memory of 3488	1152	WaterMark.exe	82
PID 1152 wrote to memory of 3488	1152	WaterMark.exe	82
PID 1152 wrote to memory of 3488	1152	WaterMark.exe	82
PID 1152 wrote to memory of 3488	1152	WaterMark.exe	82
PID 1152 wrote to memory of 3488	1152	WaterMark.exe	82
PID 1152 wrote to memory of 3488	1152	WaterMark.exe	82
PID 1152 wrote to memory of 3488	1152	WaterMark.exe	82
PID 1152 wrote to memory of 3488	1152	WaterMark.exe	82
PID 1580 wrote to memory of 4556	1580	WaterMark.exe	83
PID 1580 wrote to memory of 4556	1580	WaterMark.exe	83
PID 1580 wrote to memory of 4556	1580	WaterMark.exe	83
PID 1580 wrote to memory of 4556	1580	WaterMark.exe	83
PID 1580 wrote to memory of 4556	1580	WaterMark.exe	83
PID 1580 wrote to memory of 4556	1580	WaterMark.exe	83
PID 1580 wrote to memory of 4556	1580	WaterMark.exe	83
PID 1580 wrote to memory of 4556	1580	WaterMark.exe	83
PID 1580 wrote to memory of 4556	1580	WaterMark.exe	83
PID 1152 wrote to memory of 4348	1152	WaterMark.exe	91
PID 1152 wrote to memory of 4348	1152	WaterMark.exe	91
PID 1152 wrote to memory of 1336	1152	WaterMark.exe	93
PID 1152 wrote to memory of 1336	1152	WaterMark.exe	93
PID 1580 wrote to memory of 2316	1580	WaterMark.exe	92
PID 1580 wrote to memory of 2316	1580	WaterMark.exe	92
PID 1580 wrote to memory of 2440	1580	WaterMark.exe	94
PID 1580 wrote to memory of 2440	1580	WaterMark.exe	94
PID 2440 wrote to memory of 3376	2440	iexplore.exe	95
PID 2440 wrote to memory of 3376	2440	iexplore.exe	95
PID 2440 wrote to memory of 3376	2440	iexplore.exe	95
PID 2316 wrote to memory of 8	2316	iexplore.exe	97
PID 2316 wrote to memory of 8	2316	iexplore.exe	97
PID 2316 wrote to memory of 8	2316	iexplore.exe	97
PID 1336 wrote to memory of 1880	1336	iexplore.exe	96
PID 1336 wrote to memory of 1880	1336	iexplore.exe	96
PID 1336 wrote to memory of 1880	1336	iexplore.exe	96
PID 4348 wrote to memory of 3264	4348	iexplore.exe	98
PID 4348 wrote to memory of 3264	4348	iexplore.exe	98
PID 4348 wrote to memory of 3264	4348	iexplore.exe	98

C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e.exe
"C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541e.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe
  C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe
    C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of UnmapMainImage
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:4556
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 204
        6⤵
        Program crash
        
        PID:3060
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:8
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:17410 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3376
- - C:\Program Files (x86)\Microsoft\WaterMark.exe
    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:3488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 204
        5⤵
        Program crash
        
        PID:1000
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4348 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3264
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1336 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4556 -ip 4556
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3488 -ip 3488
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
122KB

MD5
0972a845726ea839fd2e63c57335ec70

SHA1
baa2daaef7859009a09c24d8d92ea4573ebc5e23

SHA256
4030d96c4a63e3e8a2f10a9822d5769338b7f048acb40b2c15f218106e98a358

SHA512
1f9518fe04cd512dfa2fb1f82a1a50c48506aff6e51d17c54d33cc353c1dd21d981f546a980abac01e04319cfd14fbee2e8d07e59f6db2ac259e284bb47944f2

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
122KB

MD5
0972a845726ea839fd2e63c57335ec70

SHA1
baa2daaef7859009a09c24d8d92ea4573ebc5e23

SHA256
4030d96c4a63e3e8a2f10a9822d5769338b7f048acb40b2c15f218106e98a358

SHA512
1f9518fe04cd512dfa2fb1f82a1a50c48506aff6e51d17c54d33cc353c1dd21d981f546a980abac01e04319cfd14fbee2e8d07e59f6db2ac259e284bb47944f2

Download Submit
C:\Program Files (x86)\Microsoft\WaterMark.exe

Filesize
122KB

MD5
0972a845726ea839fd2e63c57335ec70

SHA1
baa2daaef7859009a09c24d8d92ea4573ebc5e23

SHA256
4030d96c4a63e3e8a2f10a9822d5769338b7f048acb40b2c15f218106e98a358

SHA512
1f9518fe04cd512dfa2fb1f82a1a50c48506aff6e51d17c54d33cc353c1dd21d981f546a980abac01e04319cfd14fbee2e8d07e59f6db2ac259e284bb47944f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
deabbdcb221537d48aed54816739f367

SHA1
9ce0f0d21d9bd08823732047e19edbbd909396bc

SHA256
494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf

SHA512
95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
deabbdcb221537d48aed54816739f367

SHA1
9ce0f0d21d9bd08823732047e19edbbd909396bc

SHA256
494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf

SHA512
95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
deabbdcb221537d48aed54816739f367

SHA1
9ce0f0d21d9bd08823732047e19edbbd909396bc

SHA256
494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf

SHA512
95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
deabbdcb221537d48aed54816739f367

SHA1
9ce0f0d21d9bd08823732047e19edbbd909396bc

SHA256
494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf

SHA512
95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
72b92129d0a7f6bf51905dbc8ae171b6

SHA1
bb82f1d7ad9d3c04e68e871d82789c299f88b6f5

SHA256
6d9f78dc40a19dd642ed52290b88b01f74b65d943eebe99d67c7ea6224855f51

SHA512
44675483f7ea3f7b2db54b11f82e8a0d6a52dfd09bab3b873592b6a6dfc85c8c7997bfd9520e26132927b2971282bf443156e2d930801da5442eec275ce4df54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
72b92129d0a7f6bf51905dbc8ae171b6

SHA1
bb82f1d7ad9d3c04e68e871d82789c299f88b6f5

SHA256
6d9f78dc40a19dd642ed52290b88b01f74b65d943eebe99d67c7ea6224855f51

SHA512
44675483f7ea3f7b2db54b11f82e8a0d6a52dfd09bab3b873592b6a6dfc85c8c7997bfd9520e26132927b2971282bf443156e2d930801da5442eec275ce4df54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
72b92129d0a7f6bf51905dbc8ae171b6

SHA1
bb82f1d7ad9d3c04e68e871d82789c299f88b6f5

SHA256
6d9f78dc40a19dd642ed52290b88b01f74b65d943eebe99d67c7ea6224855f51

SHA512
44675483f7ea3f7b2db54b11f82e8a0d6a52dfd09bab3b873592b6a6dfc85c8c7997bfd9520e26132927b2971282bf443156e2d930801da5442eec275ce4df54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
72b92129d0a7f6bf51905dbc8ae171b6

SHA1
bb82f1d7ad9d3c04e68e871d82789c299f88b6f5

SHA256
6d9f78dc40a19dd642ed52290b88b01f74b65d943eebe99d67c7ea6224855f51

SHA512
44675483f7ea3f7b2db54b11f82e8a0d6a52dfd09bab3b873592b6a6dfc85c8c7997bfd9520e26132927b2971282bf443156e2d930801da5442eec275ce4df54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
72b92129d0a7f6bf51905dbc8ae171b6

SHA1
bb82f1d7ad9d3c04e68e871d82789c299f88b6f5

SHA256
6d9f78dc40a19dd642ed52290b88b01f74b65d943eebe99d67c7ea6224855f51

SHA512
44675483f7ea3f7b2db54b11f82e8a0d6a52dfd09bab3b873592b6a6dfc85c8c7997bfd9520e26132927b2971282bf443156e2d930801da5442eec275ce4df54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B2BFD13E-5947-11ED-B696-DEF0885D2AEB}.dat

Filesize
5KB

MD5
8c770b14e5884907c471210594ad5572

SHA1
c3f671aa37141dfb9e31663731fdf5ff9cee90bd

SHA256
a6f89f2df3612d1f683f4797edcda3ee37b23e4d08f5cb5f965f2c3c8dc88f7f

SHA512
9cefe11c3f55a334e45fd5ab9dd7844b44d8d03925a94a4ac94ce31efe93be98c6422803a857e3d19f4ac8cf49cc0e940d856ff865861024167724673b9bbebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B2C6F794-5947-11ED-B696-DEF0885D2AEB}.dat

Filesize
4KB

MD5
c2557e5597f9a4ac3888eb00f1e4fe59

SHA1
767e4722add32b64853349a9e6db90d043d3c9c1

SHA256
5a81d0d5bda02d01b0d0ed96a7d155656615ac1df90f814b9b9ccaa7be2a84bc

SHA512
fa1311a70086f8319e714b59f51697ac0e0bb15710c6b4f73ca9817d1688daae15bed97b95cb0ed1e842cc0909e7a17debc02a5510f3dfd0078e172574216302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B2C6F794-5947-11ED-B696-DEF0885D2AEB}.dat

Filesize
5KB

MD5
caf47d1bc38711f2589aea2d013446d8

SHA1
9997ca536fdf1066d49e11789bae2f81212cebb0

SHA256
d88c18fc5d8100a39c866cc4b527b3451f604548621a2ccead77d334e361d7a9

SHA512
fdbeabd551331a896ada6d31c11dd48a70c690129a6fc3a014af252794ad59f83dcc5778c4c6dd9dbfc5bab67cfe0d2aaad5c8de41e98addc52857d64ae24340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B2C95B7A-5947-11ED-B696-DEF0885D2AEB}.dat

Filesize
5KB

MD5
87ec9f5a7c8ebb51f5dbe593b10ba8da

SHA1
702348be24ef4e3aebe12a6106cb5598cd92af90

SHA256
caeefc972716fdf4591b77eaf57ac78e0f57cbc2746857d8063af86e65cdc343

SHA512
aed153c8093f5ee0789dd950a49be3187615624dec5227652e943ddadf93bf39ebf87446077759d1e91002fa4a349a117dbcdf3bd99e32e86931e1b049ce0715

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe

Filesize
247KB

MD5
41d178a72b7affe6d0a7957fbc8a24c8

SHA1
b3a3d13c9b0e5ae19adae909652cc7753f1c2c9a

SHA256
cb37f19d693eba249127ccdef524b7d22a710344f2da6af8d8e003451660907b

SHA512
48475361f45f02b385996a1664994a01290a6cf8c11ff859802c1982123fff4aaf281c13a96ade2b6047c13fb97b25b66fe3538ea62b5652ab5e98f7479bf8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgr.exe

Filesize
247KB

MD5
41d178a72b7affe6d0a7957fbc8a24c8

SHA1
b3a3d13c9b0e5ae19adae909652cc7753f1c2c9a

SHA256
cb37f19d693eba249127ccdef524b7d22a710344f2da6af8d8e003451660907b

SHA512
48475361f45f02b385996a1664994a01290a6cf8c11ff859802c1982123fff4aaf281c13a96ade2b6047c13fb97b25b66fe3538ea62b5652ab5e98f7479bf8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe

Filesize
122KB

MD5
0972a845726ea839fd2e63c57335ec70

SHA1
baa2daaef7859009a09c24d8d92ea4573ebc5e23

SHA256
4030d96c4a63e3e8a2f10a9822d5769338b7f048acb40b2c15f218106e98a358

SHA512
1f9518fe04cd512dfa2fb1f82a1a50c48506aff6e51d17c54d33cc353c1dd21d981f546a980abac01e04319cfd14fbee2e8d07e59f6db2ac259e284bb47944f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa6add4d1293e3d8b7dad73d044de203e1291ec956f91066d5d8694cb00b541emgrmgr.exe

Filesize
122KB

MD5
0972a845726ea839fd2e63c57335ec70

SHA1
baa2daaef7859009a09c24d8d92ea4573ebc5e23

SHA256
4030d96c4a63e3e8a2f10a9822d5769338b7f048acb40b2c15f218106e98a358

SHA512
1f9518fe04cd512dfa2fb1f82a1a50c48506aff6e51d17c54d33cc353c1dd21d981f546a980abac01e04319cfd14fbee2e8d07e59f6db2ac259e284bb47944f2

Download Submit
memory/460-151-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/460-159-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/460-156-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/460-153-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/460-136-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1152-191-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1152-179-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1152-165-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1152-160-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1152-177-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1152-189-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1152-186-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1152-185-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1580-190-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1580-178-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1580-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1580-188-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1580-187-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1580-170-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1580-167-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1748-148-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1748-164-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1748-150-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1748-147-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1748-144-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1748-145-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4832-132-0x0000000000400000-0x0000000000672000-memory.dmp

Filesize
2.4MB

Download
memory/4832-201-0x0000000000400000-0x0000000000672000-memory.dmp

Filesize
2.4MB

Download