ramnit | c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58

Analysis

max time kernel
136s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
Size

317KB
MD5

43005d910989d6d164915a1137baf860
SHA1

6b1f3c4a8b95c632cb00c56845ec69cf0aa00b7c
SHA256

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58
SHA512

08e1d54d9a5b719145bcd07db52691f0fd2316d88f123c1539aa699ea127a517805f278d43e9efd1ead3b9e6e2d692edccf792ff71223c0588ff82a15659499a
SSDEEP

6144:rP80iFlOwIjKou2QpK44i8eE68Z2cXvp/IHeiorgVZ:rktQwIuouDK4llE6lcXhA+i3

Score

10^/10

ramnit banker persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe

pid process

1208 c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	upx
\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	upx
behavioral1/memory/1208-60-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral1/memory/1208-90-0x0000000000400000-0x0000000000467000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	upx

Loads dropped DLL 2 IoCs

Processes:

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe

pid	process
1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exemspaint.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Screen Saver Pro 3.1 = "C:\\Users\\Admin\\AppData\\Roaming\\ScreenSaverPro.scr"	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tklwlp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Tklwlp.exe"	mspaint.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exemspaint.exe

description	ioc	process
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\D:	mspaint.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exec8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe

description	pid	process	target process
PID 1752 set thread context of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 set thread context of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376007065"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B477221-6B7D-11ED-B68C-6A6CB2F85B9F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B479931-6B7D-11ED-B68C-6A6CB2F85B9F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exec8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe

pid	process
1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
2028	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
2028	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe

pid process

1096 c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe

pid	process
1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exec8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exeIEXPLORE.EXEIEXPLORE.EXEsvchost.exemspaint.exeIEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
Token: SeDebugPrivilege	2028	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
Token: SeDebugPrivilege	1040	IEXPLORE.EXE
Token: SeDebugPrivilege	1280	IEXPLORE.EXE
Token: SeDebugPrivilege	2028	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
Token: SeDebugPrivilege	1672	svchost.exe
Token: SeDebugPrivilege	868	mspaint.exe
Token: SeDebugPrivilege	1372	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

520 iexplore.exe
1788 iexplore.exe
520 iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEmspaint.exeIEXPLORE.EXE

pid	process
520	iexplore.exe
520	iexplore.exe
1788	iexplore.exe
1788	iexplore.exe
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
1280	IEXPLORE.EXE
1280	IEXPLORE.EXE
868	mspaint.exe
868	mspaint.exe
868	mspaint.exe
868	mspaint.exe
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
520	iexplore.exe
520	iexplore.exe
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE
1372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exec8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exeiexplore.exeiexplore.exec8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exesvchost.exec8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exeiexplore.exe

description	pid	process	target process
PID 1752 wrote to memory of 1208	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
PID 1752 wrote to memory of 1208	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
PID 1752 wrote to memory of 1208	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
PID 1752 wrote to memory of 1208	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
PID 1208 wrote to memory of 1788	1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	iexplore.exe
PID 1208 wrote to memory of 1788	1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	iexplore.exe
PID 1208 wrote to memory of 1788	1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	iexplore.exe
PID 1208 wrote to memory of 1788	1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	iexplore.exe
PID 1208 wrote to memory of 520	1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	iexplore.exe
PID 1208 wrote to memory of 520	1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	iexplore.exe
PID 1208 wrote to memory of 520	1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	iexplore.exe
PID 1208 wrote to memory of 520	1208	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe	iexplore.exe
PID 520 wrote to memory of 1040	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1040	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1040	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1040	520	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1280	1788	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1280	1788	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1280	1788	iexplore.exe	IEXPLORE.EXE
PID 1788 wrote to memory of 1280	1788	iexplore.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1752 wrote to memory of 1096	1752	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 1672	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	svchost.exe
PID 1096 wrote to memory of 1672	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	svchost.exe
PID 1096 wrote to memory of 1672	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	svchost.exe
PID 1096 wrote to memory of 1672	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	svchost.exe
PID 1096 wrote to memory of 1672	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	svchost.exe
PID 1096 wrote to memory of 1672	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	svchost.exe
PID 1096 wrote to memory of 1672	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	svchost.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1096 wrote to memory of 2028	1096	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
PID 1672 wrote to memory of 868	1672	svchost.exe	mspaint.exe
PID 1672 wrote to memory of 868	1672	svchost.exe	mspaint.exe
PID 1672 wrote to memory of 868	1672	svchost.exe	mspaint.exe
PID 1672 wrote to memory of 868	1672	svchost.exe	mspaint.exe
PID 2028 wrote to memory of 1984	2028	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	iexplore.exe
PID 2028 wrote to memory of 1984	2028	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	iexplore.exe
PID 2028 wrote to memory of 1984	2028	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	iexplore.exe
PID 2028 wrote to memory of 1984	2028	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	iexplore.exe
PID 1984 wrote to memory of 872	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 872	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 872	1984	iexplore.exe	IEXPLORE.EXE
PID 1984 wrote to memory of 872	1984	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1372	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1372	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1372	520	iexplore.exe	IEXPLORE.EXE
PID 520 wrote to memory of 1372	520	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1040	2028	c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
"C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:209934 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
"C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\mspaint.exe
"C:\Windows\system32\mspaint.exe"
4⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:868

C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe
"C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
5⤵
PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2B477221-6B7D-11ED-B68C-6A6CB2F85B9F}.dat

Filesize
3KB

MD5
2dc721b64498c4f4370b6f0c90315120

SHA1
9988ce1b43568f16d9bd0e9fe27a4adaa1d5c86c

SHA256
78d9082547fe0fbb734dd68a48579c93f2812d48a3ba40a0be7600df9e1a0267

SHA512
593792fc259e7667c3ff128d5b8c188f0ff838158827bab78e66fc19629c3db83ff6615fe2acaf7cc6ca7f6b783b5ddb5dd409e47c2f3d436743e6354b7ec928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2B479931-6B7D-11ED-B68C-6A6CB2F85B9F}.dat

Filesize
5KB

MD5
a03bd0acfcfe8edefa0d6e6fd3e0073c

SHA1
911e386d2854adc1fe5a852a40aa1eb9f790ec53

SHA256
fa66eccd8590649e4363498362ba984dcf4f615ff6eb2e1f18d86327f40a78b1

SHA512
909ba95b28f567c69723ef0613b12ad6b64b1a1bc82bb2b65ebf43b5b644c3b045154b57303a2c4c0b72a823f2f045be53d7184a8997451269ab0e3456b0c857

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe

Filesize
143KB

MD5
926a51a69d4cd3b64dc0b6769dc2687c

SHA1
ecd8ee4160d0b78303900a31f8f365b216ac9867

SHA256
9361755715f0c99961824bc1201071e9a3386b27b2ed6094db911b3c48351423

SHA512
5bf67c92c2e5b379961b8ccde6503fc603632db34e2762d09a5997539a99d16499b6a6a9f806f9dc1d613374c1089df957b5599c442740bc32c745a7a76426e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe

Filesize
143KB

MD5
926a51a69d4cd3b64dc0b6769dc2687c

SHA1
ecd8ee4160d0b78303900a31f8f365b216ac9867

SHA256
9361755715f0c99961824bc1201071e9a3386b27b2ed6094db911b3c48351423

SHA512
5bf67c92c2e5b379961b8ccde6503fc603632db34e2762d09a5997539a99d16499b6a6a9f806f9dc1d613374c1089df957b5599c442740bc32c745a7a76426e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8NS9NB23.txt

Filesize
603B

MD5
9af59da869a82944cd1e5156c6f82ae2

SHA1
e294b1b69c5c4725804e3f4e96025d4f3ba27caa

SHA256
f8278512fad58873666ffa638898dffe306c4308c6c24fa59046136fdb861944

SHA512
29fba9050880c1ea17be85517f6967f2da543e4eda3be020f9fa41f828e9b6cd30a7fa99452b526c484fd6cf19339bbd125c31a706bda777cf68a66a463477f4

Download Submit
\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe

Filesize
143KB

MD5
926a51a69d4cd3b64dc0b6769dc2687c

SHA1
ecd8ee4160d0b78303900a31f8f365b216ac9867

SHA256
9361755715f0c99961824bc1201071e9a3386b27b2ed6094db911b3c48351423

SHA512
5bf67c92c2e5b379961b8ccde6503fc603632db34e2762d09a5997539a99d16499b6a6a9f806f9dc1d613374c1089df957b5599c442740bc32c745a7a76426e1

Download Submit
\Users\Admin\AppData\Local\Temp\c8e89bc12e639b4d2fa69591b60224515bcff7996cb758f6025a6f8f03902c58mgr.exe

Filesize
143KB

MD5
926a51a69d4cd3b64dc0b6769dc2687c

SHA1
ecd8ee4160d0b78303900a31f8f365b216ac9867

SHA256
9361755715f0c99961824bc1201071e9a3386b27b2ed6094db911b3c48351423

SHA512
5bf67c92c2e5b379961b8ccde6503fc603632db34e2762d09a5997539a99d16499b6a6a9f806f9dc1d613374c1089df957b5599c442740bc32c745a7a76426e1

Download Submit
memory/868-324-0x00000000042B8000-0x00000000042BA000-memory.dmp

Filesize
8KB

Download
memory/868-313-0x00000000042B8000-0x00000000042BA000-memory.dmp

Filesize
8KB

Download
memory/868-140-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/868-131-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/868-125-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/868-119-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/868-114-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/868-98-0x0000000000791000-0x0000000000793000-memory.dmp

Filesize
8KB

Download
memory/868-323-0x0000000004280000-0x00000000042CE000-memory.dmp

Filesize
312KB

Download
memory/868-96-0x0000000000000000-mapping.dmp

Download
memory/1096-71-0x0000000000402940-mapping.dmp

Download
memory/1096-70-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1096-66-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1096-69-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1096-75-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1096-67-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1096-63-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1096-64-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1096-100-0x0000000002420000-0x0000000002476000-memory.dmp

Filesize
344KB

Download
memory/1096-99-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1208-56-0x0000000000000000-mapping.dmp

Download
memory/1208-60-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1208-90-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1672-109-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1672-132-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1672-139-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1672-102-0x0000000000080000-0x00000000000A1000-memory.dmp

Filesize
132KB

Download
memory/1672-322-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1672-113-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1672-120-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1672-126-0x0000000000230000-0x000000000027E000-memory.dmp

Filesize
312KB

Download
memory/1672-78-0x0000000000000000-mapping.dmp

Download
memory/1752-72-0x0000000000320000-0x0000000000376000-memory.dmp

Filesize
344KB

Download
memory/1752-73-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1752-59-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/1752-58-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2028-115-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2028-121-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2028-127-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2028-108-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2028-101-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2028-133-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2028-95-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2028-136-0x0000000000320000-0x00000000003E4000-memory.dmp

Filesize
784KB

Download
memory/2028-141-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2028-91-0x0000000000410910-mapping.dmp

Download
memory/2028-89-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2028-291-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2028-294-0x0000000000320000-0x000000000036E000-memory.dmp

Filesize
312KB

Download
memory/2028-87-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2028-85-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2028-83-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2028-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2028-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download