b08a5ca4233fd7e6c72891e3491c0d864d4467c9a58ea151abd501b5119eec8e

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4c8cb015a10690a18c428f298a6fb3f.exe
Size

324KB
MD5

b4c8cb015a10690a18c428f298a6fb3f
SHA1

7c5a4fc55c708d20b03fb307a291a0cf6c454e91
SHA256

b08a5ca4233fd7e6c72891e3491c0d864d4467c9a58ea151abd501b5119eec8e
SHA512

91766cdaf252a427b42b8ccd57d78436b476ba89ab92ab040e5ebe59c209b7ad2488a0860f036c06e48e09153561b29fbc34fb23a7b292e9f3f982680aaaef92
SSDEEP

6144:9dYq0a08wh8sRdNXvR2SQkY+m5MnZahlom3LKmKyQYFin8zhsRd:7ZsRvXvISMSCdKMI8za

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1180	rwia.exe
1032	rwia.exe
4792	rwia.exe
1044	rwia.exe
2192	rwia.exe
1268	rwia.exe
1076	rwia.exe
4908	rwia.exe
3376	rwia.exe
856	rwia.exe
4380	rwia.exe
2448	rwia.exe
5004	rwia.exe
2396	rwia.exe
1544	rwia.exe
1080	rwia.exe
4368	rwia.exe
2104	rwia.exe
2248	rwia.exe
2816	rwia.exe
1892	rwia.exe
404	rwia.exe
4116	rwia.exe
2888	rwia.exe
1476	rwia.exe
3064	rwia.exe
1916	rwia.exe
4400	rwia.exe
2156	rwia.exe
1556	rwia.exe
3948	rwia.exe
1472	rwia.exe
1116	rwia.exe
2448	rwia.exe
3028	rwia.exe
3888	rwia.exe
1532	rwia.exe
632	rwia.exe
1544	rwia.exe
1384	rwia.exe
4484	rwia.exe
1524	rwia.exe
1420	rwia.exe
2032	rwia.exe
536	rwia.exe
2308	rwia.exe
404	rwia.exe
4492	rwia.exe
1816	rwia.exe
4436	rwia.exe
3452	rwia.exe
1520	rwia.exe
3092	rwia.exe
4032	rwia.exe
4976	rwia.exe
692	rwia.exe
1268	rwia.exe
4828	rwia.exe
2060	rwia.exe
1116	rwia.exe
656	rwia.exe
4472	rwia.exe
4896	rwia.exe
1920	rwia.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	b4c8cb015a10690a18c428f298a6fb3f.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe
File created	C:\Windows\SysWOW64\rwia.exe	rwia.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3348	b4c8cb015a10690a18c428f298a6fb3f.exe
3348	b4c8cb015a10690a18c428f298a6fb3f.exe
3348	b4c8cb015a10690a18c428f298a6fb3f.exe
3348	b4c8cb015a10690a18c428f298a6fb3f.exe
1180	rwia.exe
1180	rwia.exe
1180	rwia.exe
1180	rwia.exe
1032	rwia.exe
1032	rwia.exe
1032	rwia.exe
1032	rwia.exe
4792	rwia.exe
4792	rwia.exe
4792	rwia.exe
4792	rwia.exe
1044	rwia.exe
1044	rwia.exe
1044	rwia.exe
1044	rwia.exe
2192	rwia.exe
2192	rwia.exe
2192	rwia.exe
2192	rwia.exe
1268	rwia.exe
1268	rwia.exe
1268	rwia.exe
1268	rwia.exe
1076	rwia.exe
1076	rwia.exe
1076	rwia.exe
1076	rwia.exe
4908	rwia.exe
4908	rwia.exe
4908	rwia.exe
4908	rwia.exe
3376	rwia.exe
3376	rwia.exe
3376	rwia.exe
3376	rwia.exe
856	rwia.exe
856	rwia.exe
856	rwia.exe
856	rwia.exe
4380	rwia.exe
4380	rwia.exe
4380	rwia.exe
4380	rwia.exe
2448	rwia.exe
2448	rwia.exe
2448	rwia.exe
2448	rwia.exe
5004	rwia.exe
5004	rwia.exe
5004	rwia.exe
5004	rwia.exe
2396	rwia.exe
2396	rwia.exe
2396	rwia.exe
2396	rwia.exe
1544	rwia.exe
1544	rwia.exe
1544	rwia.exe
1544	rwia.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	b4c8cb015a10690a18c428f298a6fb3f.exe
Token: SeDebugPrivilege	1180	rwia.exe
Token: SeDebugPrivilege	1032	rwia.exe
Token: SeDebugPrivilege	4792	rwia.exe
Token: SeDebugPrivilege	1044	rwia.exe
Token: SeDebugPrivilege	2192	rwia.exe
Token: SeDebugPrivilege	1268	rwia.exe
Token: SeDebugPrivilege	1076	rwia.exe
Token: SeDebugPrivilege	4908	rwia.exe
Token: SeDebugPrivilege	3376	rwia.exe
Token: SeDebugPrivilege	856	rwia.exe
Token: SeDebugPrivilege	4380	rwia.exe
Token: SeDebugPrivilege	2448	rwia.exe
Token: SeDebugPrivilege	5004	rwia.exe
Token: SeDebugPrivilege	2396	rwia.exe
Token: SeDebugPrivilege	1544	rwia.exe
Token: SeDebugPrivilege	1080	rwia.exe
Token: SeDebugPrivilege	4368	rwia.exe
Token: SeDebugPrivilege	2104	rwia.exe
Token: SeDebugPrivilege	2248	rwia.exe
Token: SeDebugPrivilege	2816	rwia.exe
Token: SeDebugPrivilege	1892	rwia.exe
Token: SeDebugPrivilege	404	rwia.exe
Token: SeDebugPrivilege	4116	rwia.exe
Token: SeDebugPrivilege	2888	rwia.exe
Token: SeDebugPrivilege	1476	rwia.exe
Token: SeDebugPrivilege	3064	rwia.exe
Token: SeDebugPrivilege	1916	rwia.exe
Token: SeDebugPrivilege	4400	rwia.exe
Token: SeDebugPrivilege	2156	rwia.exe
Token: SeDebugPrivilege	1556	rwia.exe
Token: SeDebugPrivilege	3948	rwia.exe
Token: SeDebugPrivilege	1472	rwia.exe
Token: SeDebugPrivilege	1116	rwia.exe
Token: SeDebugPrivilege	2448	rwia.exe
Token: SeDebugPrivilege	3028	rwia.exe
Token: SeDebugPrivilege	3888	rwia.exe
Token: SeDebugPrivilege	1532	rwia.exe
Token: SeDebugPrivilege	632	rwia.exe
Token: SeDebugPrivilege	1544	rwia.exe
Token: SeDebugPrivilege	1384	rwia.exe
Token: SeDebugPrivilege	4484	rwia.exe
Token: SeDebugPrivilege	1524	rwia.exe
Token: SeDebugPrivilege	1420	rwia.exe
Token: SeDebugPrivilege	2032	rwia.exe
Token: SeDebugPrivilege	536	rwia.exe
Token: SeDebugPrivilege	2308	rwia.exe
Token: SeDebugPrivilege	404	rwia.exe
Token: SeDebugPrivilege	4492	rwia.exe
Token: SeDebugPrivilege	1816	rwia.exe
Token: SeDebugPrivilege	4436	rwia.exe
Token: SeDebugPrivilege	3452	rwia.exe
Token: SeDebugPrivilege	1520	rwia.exe
Token: SeDebugPrivilege	3092	rwia.exe
Token: SeDebugPrivilege	4032	rwia.exe
Token: SeDebugPrivilege	4976	rwia.exe
Token: SeDebugPrivilege	692	rwia.exe
Token: SeDebugPrivilege	1268	rwia.exe
Token: SeDebugPrivilege	4828	rwia.exe
Token: SeDebugPrivilege	2060	rwia.exe
Token: SeDebugPrivilege	1116	rwia.exe
Token: SeDebugPrivilege	656	rwia.exe
Token: SeDebugPrivilege	4472	rwia.exe
Token: SeDebugPrivilege	4896	rwia.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 1180	3348	b4c8cb015a10690a18c428f298a6fb3f.exe	91
PID 3348 wrote to memory of 1180	3348	b4c8cb015a10690a18c428f298a6fb3f.exe	91
PID 3348 wrote to memory of 1180	3348	b4c8cb015a10690a18c428f298a6fb3f.exe	91
PID 1180 wrote to memory of 1032	1180	rwia.exe	92
PID 1180 wrote to memory of 1032	1180	rwia.exe	92
PID 1180 wrote to memory of 1032	1180	rwia.exe	92
PID 1032 wrote to memory of 4792	1032	rwia.exe	93
PID 1032 wrote to memory of 4792	1032	rwia.exe	93
PID 1032 wrote to memory of 4792	1032	rwia.exe	93
PID 4792 wrote to memory of 1044	4792	rwia.exe	95
PID 4792 wrote to memory of 1044	4792	rwia.exe	95
PID 4792 wrote to memory of 1044	4792	rwia.exe	95
PID 1044 wrote to memory of 2192	1044	rwia.exe	97
PID 1044 wrote to memory of 2192	1044	rwia.exe	97
PID 1044 wrote to memory of 2192	1044	rwia.exe	97
PID 2192 wrote to memory of 1268	2192	rwia.exe	100
PID 2192 wrote to memory of 1268	2192	rwia.exe	100
PID 2192 wrote to memory of 1268	2192	rwia.exe	100
PID 1268 wrote to memory of 1076	1268	rwia.exe	103
PID 1268 wrote to memory of 1076	1268	rwia.exe	103
PID 1268 wrote to memory of 1076	1268	rwia.exe	103
PID 1076 wrote to memory of 4908	1076	rwia.exe	104
PID 1076 wrote to memory of 4908	1076	rwia.exe	104
PID 1076 wrote to memory of 4908	1076	rwia.exe	104
PID 4908 wrote to memory of 3376	4908	rwia.exe	105
PID 4908 wrote to memory of 3376	4908	rwia.exe	105
PID 4908 wrote to memory of 3376	4908	rwia.exe	105
PID 3376 wrote to memory of 856	3376	rwia.exe	107
PID 3376 wrote to memory of 856	3376	rwia.exe	107
PID 3376 wrote to memory of 856	3376	rwia.exe	107
PID 856 wrote to memory of 4380	856	rwia.exe	108
PID 856 wrote to memory of 4380	856	rwia.exe	108
PID 856 wrote to memory of 4380	856	rwia.exe	108
PID 4380 wrote to memory of 2448	4380	rwia.exe	110
PID 4380 wrote to memory of 2448	4380	rwia.exe	110
PID 4380 wrote to memory of 2448	4380	rwia.exe	110
PID 2448 wrote to memory of 5004	2448	rwia.exe	111
PID 2448 wrote to memory of 5004	2448	rwia.exe	111
PID 2448 wrote to memory of 5004	2448	rwia.exe	111
PID 5004 wrote to memory of 2396	5004	rwia.exe	112
PID 5004 wrote to memory of 2396	5004	rwia.exe	112
PID 5004 wrote to memory of 2396	5004	rwia.exe	112
PID 2396 wrote to memory of 1544	2396	rwia.exe	114
PID 2396 wrote to memory of 1544	2396	rwia.exe	114
PID 2396 wrote to memory of 1544	2396	rwia.exe	114
PID 1544 wrote to memory of 1080	1544	rwia.exe	115
PID 1544 wrote to memory of 1080	1544	rwia.exe	115
PID 1544 wrote to memory of 1080	1544	rwia.exe	115
PID 1080 wrote to memory of 4368	1080	rwia.exe	116
PID 1080 wrote to memory of 4368	1080	rwia.exe	116
PID 1080 wrote to memory of 4368	1080	rwia.exe	116
PID 4368 wrote to memory of 2104	4368	rwia.exe	117
PID 4368 wrote to memory of 2104	4368	rwia.exe	117
PID 4368 wrote to memory of 2104	4368	rwia.exe	117
PID 2104 wrote to memory of 2248	2104	rwia.exe	118
PID 2104 wrote to memory of 2248	2104	rwia.exe	118
PID 2104 wrote to memory of 2248	2104	rwia.exe	118
PID 2248 wrote to memory of 2816	2248	rwia.exe	119
PID 2248 wrote to memory of 2816	2248	rwia.exe	119
PID 2248 wrote to memory of 2816	2248	rwia.exe	119
PID 2816 wrote to memory of 1892	2816	rwia.exe	120
PID 2816 wrote to memory of 1892	2816	rwia.exe	120
PID 2816 wrote to memory of 1892	2816	rwia.exe	120
PID 1892 wrote to memory of 404	1892	rwia.exe	121

C:\Users\Admin\AppData\Local\Temp\b4c8cb015a10690a18c428f298a6fb3f.exe
"C:\Users\Admin\AppData\Local\Temp\b4c8cb015a10690a18c428f298a6fb3f.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\SysWOW64\rwia.exe
  C:\Windows\system32\rwia.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\SysWOW64\rwia.exe
    C:\Windows\system32\rwia.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\rwia.exe
      C:\Windows\system32\rwia.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
      - C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        35⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        37⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        38⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        40⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        41⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        44⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        51⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        52⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3452
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        53⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        55⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4032
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        61⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        64⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        65⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        66⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        67⤵
        Drops file in System32 directory
        
        PID:4108
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        68⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        69⤵
        Drops file in System32 directory
        
        PID:4344
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        70⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        71⤵
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        72⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        73⤵
        
        PID:60
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        74⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        75⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        76⤵
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        77⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        78⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        79⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        80⤵
        Drops file in System32 directory
        
        PID:368
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        81⤵
        
        PID:764
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        82⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        83⤵
        Drops file in System32 directory
        
        PID:2468
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        84⤵
        
        PID:552
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        85⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        86⤵
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        87⤵
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        88⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        89⤵
        Drops file in System32 directory
        
        PID:1040
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        90⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        91⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        92⤵
        
        PID:656
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        93⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        94⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        95⤵
        Drops file in System32 directory
        
        PID:4100
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        96⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        97⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        98⤵
        Drops file in System32 directory
        
        PID:632
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        99⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        100⤵
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        101⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        102⤵
        Drops file in System32 directory
        
        PID:4384
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        103⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        104⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        105⤵
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        106⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        107⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        108⤵
        
        PID:536
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        109⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        110⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        111⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        112⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        113⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        114⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        115⤵
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        116⤵
        Drops file in System32 directory
        
        PID:4768
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        117⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        118⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        119⤵
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        120⤵
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        121⤵
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        122⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        123⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        124⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        125⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        126⤵
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        127⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        128⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        129⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        130⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        131⤵
        Drops file in System32 directory
        
        PID:4236
        
        C:\Windows\SysWOW64\rwia.exe
        
        C:\Windows\system32\rwia.exe
        132⤵
        
        PID:4796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rwia.exe

Filesize
324KB

MD5
6521f6cffa3006f3074447bd45f81e95

SHA1
aa08f0c3b264231653b69b433b1769895a9c732b

SHA256
3ed0c070159cb1ba91cab3d08177b34507412a313e8383caea6c2bf268a2239f

SHA512
23dc28285ea36d98edb66617361a6a96598ac490ee2a798d62f89e71f4d2206faa5ba8de7a5df5323a3cf883d138bc0ad6e02ec74163a6476240490075a0e25d

Download Submit
memory/404-59-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/536-111-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/632-96-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/856-31-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1032-9-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1032-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1044-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1076-23-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1080-47-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1116-85-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1180-8-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1180-4-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1268-21-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1268-19-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1384-101-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1384-99-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1420-107-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1472-83-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1476-66-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1524-105-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1532-94-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1532-92-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1544-45-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1544-43-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1544-98-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1556-79-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1556-77-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1892-57-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1916-69-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1916-72-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2032-109-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2104-51-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-76-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2192-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2248-53-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2308-113-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2396-42-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2448-36-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2448-35-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2448-87-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2816-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2888-64-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2888-62-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3028-89-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3064-68-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3348-5-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3348-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3376-27-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3376-28-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3888-91-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3948-81-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4116-61-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4368-49-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4380-34-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4380-32-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4400-74-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4400-71-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4484-103-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4792-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4792-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4908-26-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/4908-24-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5004-38-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5004-40-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download