cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
Size

667KB
MD5

639507e0f50d6c1f31846c5c555b0277
SHA1

918b797f61120580e8dd0c4344fb680235cc643c
SHA256

cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0
SHA512

858d84e086def9b08b8e4c306bcfb79012693225fe0089c44b2093039372f2b60fe7388b65d18be440761420d0c44b085223e5cf80d6d19e71e6d1aa052746e7
SSDEEP

12288:0EQoSCP4x7Quj4Z3N96eF4MobeHp11g8QZIsdeqTzRRBizCKkpDUnzeN/:0+i7B4D0MNp1OZZIlqT/B+CKcD+z+/

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 17 IoCs

resource	yara_rule
behavioral1/memory/2356-66-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-93-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2600-105-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-106-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-107-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-112-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-115-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-118-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-123-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-126-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-129-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-132-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-135-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-138-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-141-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-144-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2924-147-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 20 IoCs

resource	yara_rule
behavioral1/memory/2924-0-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/files/0x0009000000012349-5.dat	UPX
behavioral1/memory/2356-66-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2600-91-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-93-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2600-105-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-106-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-107-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-112-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-115-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-118-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-123-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-126-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-129-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-132-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-135-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-138-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-141-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-144-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2924-147-0x0000000000400000-0x000000000041E000-memory.dmp	UPX

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2924-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/files/0x0009000000012349-5.dat	upx
behavioral1/memory/2356-66-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2600-91-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-93-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2600-105-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-106-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-107-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-112-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-115-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-118-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-123-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-126-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-129-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-132-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-135-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-138-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-141-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-144-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2924-147-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\B:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\G:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\J:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\Q:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\N:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\A:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\E:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\L:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\M:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\V:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\Z:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\H:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\I:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\S:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\U:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\W:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\X:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\Y:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\K:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\O:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\P:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File opened (read-only)	\??\T:	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\norwegian gang bang fucking catfight sweet .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\SysWOW64\FxsTmp\indian lesbian cumshot [bangbus] (Samantha).mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\SysWOW64\IME\shared\russian horse sleeping hole high heels .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\trambling bukkake sleeping .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\handjob handjob girls (Melissa).avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian xxx full movie feet black hairunshaved .mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\british lesbian girls cock .mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\beast blowjob voyeur glans bedroom .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\german cum trambling full movie (Gina).rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\SysWOW64\IME\shared\kicking voyeur (Ashley,Samantha).mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\french horse beast full movie sm .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\american horse lingerie masturbation upskirt .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\tyrkish porn animal masturbation sweet (Britney,Janette).avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\lesbian porn big girly .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lingerie porn full movie bedroom .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\porn public upskirt .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Google\Update\Download\african trambling sperm [free] titts .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files\DVD Maker\Shared\fetish hot (!) balls .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Google\Temp\black horse kicking voyeur hotel (Tatjana,Sylvia).mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\horse sleeping .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\danish bukkake licking blondie .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files\Windows Journal\Templates\canadian nude big glans hairy .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\hardcore full movie hairy .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\horse several models titts granny .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\french gay bukkake hot (!) (Samantha).rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\italian sperm fucking girls vagina beautyfull (Ashley).zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\italian cumshot hot (!) (Jade).mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\asian cumshot catfight ash lady .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\animal kicking masturbation feet latex .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\asian handjob gang bang [free] latex .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\assembly\tmp\norwegian porn [bangbus] (Sylvia).mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\indian hardcore trambling voyeur .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\fucking gay licking .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\sperm xxx full movie blondie .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\handjob hot (!) black hairunshaved .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\african trambling gay public circumcision .mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\french trambling several models penetration .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\black kicking sleeping .mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\gay sperm girls swallow .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\british lesbian several models traffic .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\InstallTemp\black fucking horse full movie nipples beautyfull .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\british gay gang bang [bangbus] 50+ .mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\lesbian sleeping leather .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\fetish catfight (Christine).mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\indian beastiality trambling several models nipples sweet .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\assembly\temp\asian trambling public young .mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\hardcore several models (Karin,Curtney).avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\indian handjob [free] hole sweet (Jade).avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\sperm lingerie several models fishy .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\lesbian uncut (Curtney,Janette).mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\chinese trambling nude voyeur vagina blondie .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\malaysia action voyeur sm (Sonja,Christine).mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\italian xxx voyeur ash .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\tyrkish blowjob nude masturbation black hairunshaved .mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\black bukkake voyeur (Jade).avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\porn bukkake several models nipples .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\Temp\russian gang bang catfight stockings .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\african horse lesbian ejaculation .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\danish kicking action uncut (Sonja,Samantha).avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\danish lesbian xxx masturbation titts .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\animal [milf] pregnant .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\french lingerie gay several models .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\french hardcore hidden (Anniston,Sarah).mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\italian action girls latex (Janette,Sarah).avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\bukkake full movie bedroom .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\SoftwareDistribution\Download\french action hot (!) sweet .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\japanese porn beastiality full movie bondage .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\spanish action full movie titts girly .mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\danish action girls boots .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\gay beastiality masturbation .mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\horse hidden .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\beastiality full movie hole black hairunshaved (Liz,Sonja).zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\animal hidden ìï .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\canadian horse fetish catfight YEâPSè& .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\sperm public ejaculation (Sarah,Gina).mpeg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\mssrv.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\handjob lesbian masturbation legs balls .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\german horse big glans traffic .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\lingerie catfight .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\italian action several models nipples sweet .avi.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\PLA\Templates\tyrkish blowjob fucking masturbation (Sonja).mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\african cumshot public cock upskirt .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\trambling lesbian bondage .rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\horse catfight upskirt .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\horse gay girls titts blondie .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\gay catfight (Ashley,Sarah).rar.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\japanese animal [milf] cock .mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\black hardcore several models hotel (Ashley,Samantha).mpg.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\cum catfight .zip.exe	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
2600	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2356	2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe	28
PID 2924 wrote to memory of 2356	2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe	28
PID 2924 wrote to memory of 2356	2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe	28
PID 2924 wrote to memory of 2356	2924	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe	28
PID 2356 wrote to memory of 2600	2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe	29
PID 2356 wrote to memory of 2600	2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe	29
PID 2356 wrote to memory of 2600	2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe	29
PID 2356 wrote to memory of 2600	2356	cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe	29

C:\Users\Admin\AppData\Local\Temp\cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
"C:\Users\Admin\AppData\Local\Temp\cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
  "C:\Users\Admin\AppData\Local\Temp\cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Users\Admin\AppData\Local\Temp\cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe
    "C:\Users\Admin\AppData\Local\Temp\cd3938de54805eaa1383185bb68b0b6239f193d309f5c5225c6789130a779dc0.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\lingerie porn full movie bedroom .mpg.exe

Filesize
751KB

MD5
fe415c53c4852796efea6c81d7a1c715

SHA1
8a8520740bfc73001bcb9c5d620571a2d9cdcf5a

SHA256
512e67af999fc620c12a5e5598bc0a5e9f238c7df3bacb73386bf3b28cff55ba

SHA512
1b097453b22992af1db269e2d557cfe80883f1ed07ad02eefc87783a9f4cb7774f895b16292f60da2361dc7015603b8250d3975079991b370a29e4cc03a0ffcf

Download Submit
memory/2356-111-0x00000000047C0000-0x00000000047DE000-memory.dmp

Filesize
120KB

Download
memory/2356-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2356-90-0x00000000047C0000-0x00000000047DE000-memory.dmp

Filesize
120KB

Download
memory/2600-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2600-91-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-112-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-106-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-107-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-109-0x0000000004730000-0x000000000474E000-memory.dmp

Filesize
120KB

Download
memory/2924-65-0x0000000004730000-0x000000000474E000-memory.dmp

Filesize
120KB

Download
memory/2924-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-118-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-93-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-126-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-129-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-144-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2924-147-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download