cb6a28f6848acc465fb118c2379cccf86f4605eb8d51f418d2c9e691a2679bd2

Analysis

max time kernel
52s
max time network
56s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
02/01/2023, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_wipe.exe
Size

6.3MB
MD5

6ecbef662a58fa79898c64dfe4aec8b0
SHA1

27f6facacf26773974f8a6a2c4fb929439d68c63
SHA256

cb6a28f6848acc465fb118c2379cccf86f4605eb8d51f418d2c9e691a2679bd2
SHA512

47e367ead641ef6c1f0ec28c715d70e257f3183e12a4d96f3cac61a0bcfa0e1de52c737d4c432f0c3ec993604ef5fdba9d186b3e52da29b8ce95210cc3e43a59
SSDEEP

98304:dktDam/Y6kgSRo5e6n0rCq7oF7ftzTACeDC+X0aj008fmMMN3S1cn/b73:u8AI9Rw02+oF7lzMCeDCTvYN7P3

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1792	setup_wipe.tmp
988	Wipe.exe
1196	Process not Found
644	Wipe.exe

Loads dropped DLL 9 IoCs

pid	Process
860	setup_wipe.exe
1792	setup_wipe.tmp
1196	Process not Found
988	Wipe.exe
988	Wipe.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wipe Updates = "\"C:\\Program Files (x86)\\Wipe\\Wipe.exe\" uf_sub_winStartup"	Wipe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Wipe\Framework\Interface\is-EF00K.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-7HRC8.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-JNJRJ.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-EICKQ.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-178FV.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-E271A.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-LS9Q8.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-BOSLQ.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-FADD5.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-IVKKQ.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-PF06P.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\Languages\is-8HO1N.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-RU6RK.tmp	setup_wipe.tmp
File opened for modification	C:\Program Files (x86)\Wipe\unins000.dat	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\FunStarts\is-SP51G.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-412TE.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-8G2NB.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-ID3JL.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\UForms\is-CGJCV.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-SM7F1.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-C7GAQ.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-1BOTH.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\FunProMessages\is-BMMH9.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\Interface\is-BVERO.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-22MR0.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-65IT7.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-JT65Q.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-24OBH.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-TTPHO.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-0TUQ5.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-22OQP.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-PCP2I.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-QEM6O.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-2067M.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-2GJ3T.tmp	setup_wipe.tmp
File opened for modification	C:\Program Files (x86)\Wipe\version-information.ini	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-460K3.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-4ACAV.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-7H2CU.tmp	setup_wipe.tmp
File opened for modification	C:\Program Files (x86)\Wipe\System.Data.SQLite.Linq.dll	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-FRM1L.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-ORPOD.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-K4EV7.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-MOIPP.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\Languages\is-9KL58.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-4OBNV.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-02A77.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\Languages\is-SRO17.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\FunProMessages\is-PF9J9.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\Languages-flags\is-2KMPP.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-VG1B5.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-P1JN8.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-RDMLI.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-H6N5L.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-ROCLF.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\Languages-flags\is-FJJ1U.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Languages\is-E843T.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-IOFI1.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-8QFO6.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-RBVV2.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\UForms\is-F6JP1.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\is-M58FA.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Framework\Languages-flags\is-QSBG2.tmp	setup_wipe.tmp
File created	C:\Program Files (x86)\Wipe\Application\Plugins\is-8ITGO.tmp	setup_wipe.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 27 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C9F5031-8AF9-11ED-9AF1-EE38AA991E65} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1C9F5033-8AF9-11ED-9AF1-EE38AA991E65}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Wipe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Wipe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Wipe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Wipe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Wipe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Wipe.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1792	setup_wipe.tmp
1792	setup_wipe.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	988	Wipe.exe
Token: SeDebugPrivilege	644	Wipe.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1792	setup_wipe.tmp
1876	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1876	iexplore.exe
1876	iexplore.exe
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1792	860	setup_wipe.exe	28
PID 860 wrote to memory of 1792	860	setup_wipe.exe	28
PID 860 wrote to memory of 1792	860	setup_wipe.exe	28
PID 860 wrote to memory of 1792	860	setup_wipe.exe	28
PID 860 wrote to memory of 1792	860	setup_wipe.exe	28
PID 860 wrote to memory of 1792	860	setup_wipe.exe	28
PID 860 wrote to memory of 1792	860	setup_wipe.exe	28
PID 1792 wrote to memory of 988	1792	setup_wipe.tmp	29
PID 1792 wrote to memory of 988	1792	setup_wipe.tmp	29
PID 1792 wrote to memory of 988	1792	setup_wipe.tmp	29
PID 1792 wrote to memory of 988	1792	setup_wipe.tmp	29
PID 988 wrote to memory of 1876	988	Wipe.exe	31
PID 988 wrote to memory of 1876	988	Wipe.exe	31
PID 988 wrote to memory of 1876	988	Wipe.exe	31
PID 1876 wrote to memory of 1652	1876	iexplore.exe	33
PID 1876 wrote to memory of 1652	1876	iexplore.exe	33
PID 1876 wrote to memory of 1652	1876	iexplore.exe	33
PID 1876 wrote to memory of 1652	1876	iexplore.exe	33
PID 988 wrote to memory of 644	988	Wipe.exe	35
PID 988 wrote to memory of 644	988	Wipe.exe	35
PID 988 wrote to memory of 644	988	Wipe.exe	35

C:\Users\Admin\AppData\Local\Temp\setup_wipe.exe
"C:\Users\Admin\AppData\Local\Temp\setup_wipe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\is-36CP4.tmp\setup_wipe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-36CP4.tmp\setup_wipe.tmp" /SL5="$C0158,6101741,185344,C:\Users\Admin\AppData\Local\Temp\setup_wipe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Program Files (x86)\Wipe\Wipe.exe
    "C:\Program Files (x86)\Wipe\Wipe.exe" uf_sub_runonsetup
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:988
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://privacyroot.com/apps/scripts/uframework-web.pl?scn=wipe&version=2227.00&fipr=2e02d98af13221cc24925629d2c35577&pcid=b83890ca22f1ab2ecaba8f123869647b&location=appInstalled&iso2=es&iso2ui=es&lang_wipe=es
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1652
  - - C:\Program Files (x86)\Wipe\Wipe.exe
      "C:\Program Files (x86)\Wipe\Wipe.exe" uf_sub_downloadSetup
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wipe\Framework\Interface\colors.ini

Filesize
605B

MD5
7083a2accda7fe7348e732bd46ecb25b

SHA1
727af15ff453cb6e164f94326baa9640e6f50150

SHA256
25e63e1d0be2bfaec6966c0df046a2c3f0c1ba69702745e3a7ffdf3507dc3661

SHA512
4e0a366b712405756cde465c5f48e0501549586fda73e2e30c252a50663a2f80de06d9ff3df43a45f52cfad6af8356e39bda0deb937c8c6c85fbefe770cf4e1a

Download Submit
C:\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
C:\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
C:\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
C:\Program Files (x86)\Wipe\Wipe.exe.config

Filesize
1KB

MD5
93fd560b744390a798012730cf2b1648

SHA1
8a83bcfdf630bd1ceda69daf3d5af421cea95af3

SHA256
368f802cc75af22a2928278367450d712db9807c4ef41c37707ba52d72354841

SHA512
09f699d80001a68f9f63c316c765cd9a40c6bd516830ae511ced17ee6e2c4d6e25a2447427e888577495e0960d27cf4b40ff95db84ed96fcf367c19541e8fa69

Download Submit
C:\ProgramData\WindowsHardwareTelemetry.ini

Filesize
1KB

MD5
6c7bd6b53ffac70368c362ad993f1d9c

SHA1
d1af82d26b66b60a302085580e49e0278d7af8cc

SHA256
aefc37b9169800e8345c54fa46ad193f44ffd06a4900ed2a9fa4f05326f4c844

SHA512
4c1dea91a9e84e54c5664f16e01a7d9503ef350119e3dbacb31b77e74abc66e7a70bb7f34cf03f3ed233adf7cc9087c36a85af85657d7bd42a70b77de30bd86e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2fb4c2da29b2fb508abbe5d4309ececb

SHA1
cdc88d3532c0e114280b71e9bffd558544db0685

SHA256
002276016aa4a88c629e81b767596153eacf7befc528e8f122a8aa62fb6152d7

SHA512
cf6fb97a093e8c053bc7402d77b2620143184095e843d4172b7e0a97ece69010b373b91335254f8c7949665c1f28e82ac781100a13f43b0d922300b6121cac8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-36CP4.tmp\setup_wipe.tmp

Filesize
1.2MB

MD5
ff41bdabba2dc4bab5bde486732632ed

SHA1
fae533b1f212eeec14fa0a27f3ab3d48ab5188f1

SHA256
d0f36ddae627a2b437586c9b81d4a1821e5721c2a1aeb1eadc5bafc6ad238fa1

SHA512
312f02c2faca4c8a771513fdd1804fd38da44b021aaa0e09d6d33bddd0120e77a4af9b525d331748788592d10d6187f0e453e9dedc2a23bbd40c05200035d45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-36CP4.tmp\setup_wipe.tmp

Filesize
1.2MB

MD5
ff41bdabba2dc4bab5bde486732632ed

SHA1
fae533b1f212eeec14fa0a27f3ab3d48ab5188f1

SHA256
d0f36ddae627a2b437586c9b81d4a1821e5721c2a1aeb1eadc5bafc6ad238fa1

SHA512
312f02c2faca4c8a771513fdd1804fd38da44b021aaa0e09d6d33bddd0120e77a4af9b525d331748788592d10d6187f0e453e9dedc2a23bbd40c05200035d45f

Download Submit
C:\Users\Admin\AppData\Roaming\wipe2021\Settings\ServerResponse.ini

Filesize
214B

MD5
78f6ffbfcf8ba6f0bd8687d97bc1889d

SHA1
162697a1fe587372caac1fe61bb7ef3f0d6d8e4a

SHA256
58975a26a61df18a0516688760bff496901426e96a07148fa947f82ccaee7738

SHA512
02457c44f66a994929e46a90f81e0a40d7b42c0a25e0df26eeaa6987b101725fa74d41c6b65342e6cddd5d56c29d194b06598848dd65bcd6b68e4e3e30001302

Download Submit
C:\Users\Admin\AppData\Roaming\wipe2021\Settings\UF.ini

Filesize
84B

MD5
fd7fb0c0a4f69eef062486596cb8ffc2

SHA1
b5cda03aecbd15d25aac52e5ea09a54987c6a115

SHA256
06dfc7a241543e9f84867e947678d8f6b79dc5e00cfa8fff25ea85fdb2352e43

SHA512
b79796f81593730688b0b1bd2563cc1fbe92aeb16f6f1e1efaf0a4038f44a97eb00d20f893a0ae1cee8fafbabdcba8edc8ea286dcf497be7b57e6eb45217c1f9

Download Submit
C:\Users\Admin\AppData\Roaming\wipe2021\Settings\UsageV4.ini

Filesize
85B

MD5
e6051ac8f153c42e786f4c2a9ca08947

SHA1
359f8867e0459f4576ca3db96534630f76aaa94d

SHA256
8afbe31ed2e543ec5b274820ced89ddb44f81978d17b37845419aa011e061def

SHA512
9a5a31e399899e305153f7b2de5c3123f0925fb2e8581a5ab373983bf01cbf56d3c8ddd2c61431810d30ad7726d4b55b70727e44e09229cf58f7588ae37c1466

Download Submit
\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
\Program Files (x86)\Wipe\Wipe.exe

Filesize
527KB

MD5
2d13fbc9e0a20399cdc992ecb622d0d0

SHA1
1e2cf017df1a2a68de5c89f4178c09f39bc434f6

SHA256
72222e082056c5347be18d714fd9afd6ff70dc4f412743e8355734fddf1ac485

SHA512
922487f6bd1fb7399239abdd3039b1e7aff99793f14beb1def716a0e5e0a0856d933cdf63cfb20d4660aa482ae1270c5b57d54e27a113c094a3149da86fe00ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-36CP4.tmp\setup_wipe.tmp

Filesize
1.2MB

MD5
ff41bdabba2dc4bab5bde486732632ed

SHA1
fae533b1f212eeec14fa0a27f3ab3d48ab5188f1

SHA256
d0f36ddae627a2b437586c9b81d4a1821e5721c2a1aeb1eadc5bafc6ad238fa1

SHA512
312f02c2faca4c8a771513fdd1804fd38da44b021aaa0e09d6d33bddd0120e77a4af9b525d331748788592d10d6187f0e453e9dedc2a23bbd40c05200035d45f

Download Submit
memory/644-83-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/644-92-0x000000001BFE6000-0x000000001C005000-memory.dmp

Filesize
124KB

Download
memory/644-89-0x000000001BFE6000-0x000000001C005000-memory.dmp

Filesize
124KB

Download
memory/860-61-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/860-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/860-54-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/860-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/988-71-0x000000001C076000-0x000000001C095000-memory.dmp

Filesize
124KB

Download
memory/988-82-0x000000001C076000-0x000000001C095000-memory.dmp

Filesize
124KB

Download
memory/988-69-0x00000000009A0000-0x0000000000A24000-memory.dmp

Filesize
528KB

Download
memory/1792-62-0x0000000074071000-0x0000000074073000-memory.dmp

Filesize
8KB

Download