9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
Size

3.3MB
MD5

4e59d1b8f652ec6c7afd9a5c18b961f9
SHA1

a67401cc14bc603f38f4974e463982cb804026ae
SHA256

9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824
SHA512

2ad111c0184eb6424ac02d844883b862c277b836e224977d7821707be030d7d9d0e561215c096435edddd98271fe39fd44c4aefd0153afdc8811b51af3514600
SSDEEP

49152:cwVJ/qUQ5F5EexZD63Wb5wSSnebipRCoBRI17fMt6v77/lClNiuHL1jGgJ6OL:3/257I6GnaipRT/md77AlDL1XsOL

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2040	wmpscfgs.exe
2820	wmpscfgs.exe
1868	wmpscfgs.exe
1708	wmpscfgs.exe

Loads dropped DLL 10 IoCs

pid	Process
2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
2636	WerFault.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
2040	wmpscfgs.exe
2820	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
1868	wmpscfgs.exe
1708	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
File created	C:\Program Files (x86)\259568144.dat	wmpscfgs.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2636	2820	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage\flowerdicks.com\Total = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000776a5c1c00f1de93d22fc5abdbc94327f0a362b852229bffb3c26d0aec54557e000000000e8000000002000020000000ba441ed810f34fee6f37626f77bec2744bf805931089813bd4b672bbd428ed2190000000ac0156c8ef132fbfd713f77fee6b59e0e84f0b1ff46b83dc3650d581623b26836f89cc203a4aac6128c61290f5eae06a22a4e707d32995451c9b7b0d27678e3187f0848b62082cd25b669e6a3aedb5af8cf36c6f9c019af1fbf62f34ff74892635eca3e7e9e1f4a484f71611d09585eb78a9d6a56362550ad0d8898cb48c668342aa7dd26d779dbae0c8e8687623050140000000462d221b258f8a315253161f511a6a06b1f39cf0dd36b399e791a13983d99b1e72f2136fedd884a437782a6c66d1b5ef68493116b3a7e0f2251115e0a3f5d59d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1099ad82c4dfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage\flowerdicks.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BAD31221-4BB7-11EF-BB68-FA57F1690589} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000006e66517ee164958e617bdb9bd186f65ce948de488fad43d32a5cc6897d009fe8000000000e8000000002000020000000e1ae7688c3a1626898d3127b4ab80d4816570d1ad8bf47029a169b2ceb0c707f200000008e1afac0077df5f36ecedd36c37a3dbaf0c8ecc656eb0657c822081267ff5c754000000067ffa7606de5f538d521fa51928877e2c998eaf936c35031eb60e408faa8c2a0dd98ba50131499172102522f3aef2f588cf42f5a084a618cd3a6e35df7ffc402	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428205665"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage\flowerdicks.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DOMStorage\flowerdicks.com\ = "29"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
2040	wmpscfgs.exe
2040	wmpscfgs.exe
1708	wmpscfgs.exe
1868	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
Token: SeDebugPrivilege	2040	wmpscfgs.exe
Token: SeDebugPrivilege	1708	wmpscfgs.exe
Token: SeDebugPrivilege	1868	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2336	iexplore.exe
2336	iexplore.exe
2336	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
2040	wmpscfgs.exe
2820	wmpscfgs.exe
1868	wmpscfgs.exe
1708	wmpscfgs.exe
2336	iexplore.exe
2336	iexplore.exe
588	IEXPLORE.EXE
588	IEXPLORE.EXE
2336	iexplore.exe
2336	iexplore.exe
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2336	iexplore.exe
2336	iexplore.exe
588	IEXPLORE.EXE
588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2040	2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe	29
PID 2552 wrote to memory of 2040	2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe	29
PID 2552 wrote to memory of 2040	2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe	29
PID 2552 wrote to memory of 2040	2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe	29
PID 2552 wrote to memory of 2820	2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe	30
PID 2552 wrote to memory of 2820	2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe	30
PID 2552 wrote to memory of 2820	2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe	30
PID 2552 wrote to memory of 2820	2552	9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe	30
PID 2820 wrote to memory of 2636	2820	wmpscfgs.exe	31
PID 2820 wrote to memory of 2636	2820	wmpscfgs.exe	31
PID 2820 wrote to memory of 2636	2820	wmpscfgs.exe	31
PID 2820 wrote to memory of 2636	2820	wmpscfgs.exe	31
PID 2040 wrote to memory of 1868	2040	wmpscfgs.exe	32
PID 2040 wrote to memory of 1868	2040	wmpscfgs.exe	32
PID 2040 wrote to memory of 1868	2040	wmpscfgs.exe	32
PID 2040 wrote to memory of 1868	2040	wmpscfgs.exe	32
PID 2040 wrote to memory of 1708	2040	wmpscfgs.exe	33
PID 2040 wrote to memory of 1708	2040	wmpscfgs.exe	33
PID 2040 wrote to memory of 1708	2040	wmpscfgs.exe	33
PID 2040 wrote to memory of 1708	2040	wmpscfgs.exe	33
PID 2336 wrote to memory of 588	2336	iexplore.exe	35
PID 2336 wrote to memory of 588	2336	iexplore.exe	35
PID 2336 wrote to memory of 588	2336	iexplore.exe	35
PID 2336 wrote to memory of 588	2336	iexplore.exe	35
PID 2336 wrote to memory of 2436	2336	iexplore.exe	37
PID 2336 wrote to memory of 2436	2336	iexplore.exe	37
PID 2336 wrote to memory of 2436	2336	iexplore.exe	37
PID 2336 wrote to memory of 2436	2336	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe
"C:\Users\Admin\AppData\Local\Temp\9e7c38db3d5a8b3fdfc017f2066aee577491a3e7ef53f3a539a5d44ae8b59824.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2040
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1868
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1708
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 168
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:588
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2336 CREDAT:275481 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5efabda86a4324e2c1cb6c2ed50b0a98

SHA1
03ebe3fd8542f74ad6fa068e0817ef8f572eb9bb

SHA256
60dbc65e0e12902fdd767a56ed4b3036e745effa3263d55e54d42450e73e0960

SHA512
00a17c617822e8707b5bbb89eab13c713dd6937d76b3b0581818536190f42a57dfb798bbfe6f845861a71e985ec59c57cbef14521e810910fb4d8773b1408909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e55651886c2bc2045be101f86629b3e7

SHA1
52b06932907693511e65fbfb10d4b8e9ea145082

SHA256
c4d9d5a25840dc4ebb1dbd6ce76f3549ac66fd284e16d4f3d2f02f86e47e6ba5

SHA512
f319679a88d1a0906d14eb4c43491f823c250eafe43c6f6ab40b636372c64904d8a8b70087e015b8b87eefc103567cf8272539bb64e7da74c895d952cb82d3fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2024c8585760dc779a01d79cef08060e

SHA1
75b8007f2dec3d011fb20996439c3848bef6f920

SHA256
ae815b58bb2f410094622ffeecece8c49e78abf0c497621369fb06dd94baf463

SHA512
3238ecae66f0d89c7fb88b59841c1f853c65d4601616a01b4805a513caaf8f86eb8b183961609f083b9bd5a0399833e3b90265bd27008fe984d9d0f6b2c8dffa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e28d56c0540024876f3350489eb17c8e

SHA1
0c944f94e4b4c0a87abb2f6956a9c571c2b1effb

SHA256
4d35d881d2f9a2974bfb16c092d0aaa3b0f917578cc13b8a7f5682d39ab83c65

SHA512
9cad334c106b91a9540dbab794cc4d04eee8f3f758431fe22ef2b1f3abcd8de199bddd1424fe5b34ecaf303100a1b8d31cdb9463a00ea0d3527b14c50c07a62a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43e4567ca3a7760ac9578cf4539bf516

SHA1
42795dc527f84b314f5c404cf0d0e5b8c55be018

SHA256
06c8e63c0ee2e576de347356c48b1beb64d885cee899f83fafe45991579072c8

SHA512
18fd9a248231ed35fa5a51fcd8e5ec4c5e25386222d76b10614a41fb1fec34c2c05d88d690de02e54186cc818dafcb961c4f416e4204e7100a56124a20fb32ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b0b4aeb1046a2a8e2f5295f9e607635

SHA1
03c6a9f77b36ee0a3a4fe93962e5023a1edc7ace

SHA256
67439c8d478ffb7550b1673ce3a068580e6b08797f5ce0a0534134c67e52286c

SHA512
f1022da15db0cd223805d2912cd2ece70ad2bf0b65327d99d9edbaac985acaf1cf50512c131844e1aeac81c9a0bc110e398d192cb88b81b682ef10b8766ddf90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fac24b720d155a0b050eac70680e4bd

SHA1
f5c4c954a43262da9c2177f5c9627b34a6f75ec5

SHA256
8b0d61124ec9c05d7e09c78af5dbd7939d250ae53776cc4fde6b94482262b933

SHA512
d52f071a989af41f530efdd6a42015bd47786e4e3e36ecb8f95b121b3b9e7de97300b226ebda10ed01977308e858f4b19580c17358b7d308a116add012de9dd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4c793669ea0f6e4682b8b2b2ef9aa6e

SHA1
cbc50fc6a4783f94218a57c710d00241b38e0e91

SHA256
48f0cf9b02ddf1ebebd39d71641ce09711696d5c603633c6286ee420446ba2af

SHA512
5f399e2efac0016eeea5866ef85c0f93cc37b6fd6126af4b0f257961e714666636c552ad376108b065521294e96dd3baa741f7c287ddee5838b49997b0039068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
388ccb009afbf86a4912e90b75f19671

SHA1
da4eda28d3edc937fd6354e5de6ff6c8ad604a47

SHA256
8773b2fa183b6974eeae8ae66402e9632aca9a72533ff4da790c3f961f0402a3

SHA512
78e49b1b057cf66f67d6333f565afea916fc3023d68ab9ed353d4120303711cd044743d3b0bac07092ff43301312724cc5b1e2cfd3bfb96a862b61b6f3ed0bf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f213e21f6fe846e5560ef0d343f951c

SHA1
dc24417c70f50f3b4fdf01218ad26f2f63995f8f

SHA256
21cc2045c62b16f8670d5aa67598fdad93bc227be7a0e284a3129a06312ffaa3

SHA512
5f9c126bc77238e7b897361ad592623909f1d6d1f818e7910aaad3cd5d78784451f7cc6bab15ba815d954226aa809b993d42e708bf6e3760b07b5d554d4c0e74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff622ce97eabc5d8c7214ff4e987a55e

SHA1
d683b381a623aa158dcf26ec94861db106f980bd

SHA256
e7a20805030895619b3707919173dc881ffd27158f98f0377aa62059eabf6049

SHA512
1950916c246a2acf9f9218f18ca000f229352dfa54d6b25dcc530451f9bb4329f84a6cedc6242662d4b2b81b2f9452d54b76abe2ec5fc2099751b6230301cc7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbb0a7aee902c76b5d1aa1a0b2333eec

SHA1
5749645d1d3544b2c1d8e809b2af76e77dbd3c25

SHA256
24479ee2258704a9a0d658c95a270fcb0969782ebea9dba6c32fe3380f6bf010

SHA512
2f102f0f0343c79a2b198b269ed60fa2308a042d3c01f836a5eaa758930b57e45c38782c6956c488ec62d5ac82bbce1a9ac52bbcb98a2cd9e760f0edf7af43f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
274ae3da4e748d57d80599c24aa0ebfa

SHA1
b8ce5a2454c6e4c7d5e177a6a4e20e051f295372

SHA256
c323ae3a8df827af3b0bdd8fe50d6f13c177a51016c86145a69b04b7466aeb60

SHA512
b40c3b38c2123fc7f7bb3f886307bebd613ca8632788cc92a883da39f55e28045b71f914b40dbe45476cfcc5196e185e2a67c6edf7d73604bab30ee753155ea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
313e3ea63adc9663a1fd96393741254e

SHA1
f43150e61cc294d91d7b25fa3186143ea64614c8

SHA256
688b71b530a5ce6691c1fbdeee879d1f35de9a403a2af6c666ed255074dd6597

SHA512
fedd2f557d4a7d3425cc567bd380a6852d705ae25ad4edc097085627848742636a2344745d8dd6cd47b2aa3ed9f3fc3bad09b20529c4011e7ac43419cd275422

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4d690dece52781df5c432b1e03db563

SHA1
859842bac33c78907ad0532fa9757b029a753d8b

SHA256
cde945db5f209883f6804ca241d09f82f81f82c022ba38c8d1d2ed7cb1356683

SHA512
9853c082e1cd60cf5eada4b2cb0e94711dbfcd71411bffb003a145b8a3ab9e9ac5f8a324175daf30fcb00407d4ea1141c595a7aee12609ada95e1b4310cac8ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d23bf165460891f16c66f0fdb7d7bd66

SHA1
76107b6913dd919c115b7aad97f6bc98d35bc17b

SHA256
177f3c1e1cc80800970b938ab2891ead82d413c7205abe4bc4bfca3837b1eb0f

SHA512
c6390c81f2e6864b400773f55bbe8680d6152016cc0c132a3f3a46de4e702d4d97a3071408a7fc8a2f9e93ae41ec99874fe7cf31f22b3e071d68371c79810cd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c86e76f50df35196f75297cdcb02e618

SHA1
457c1c915f52583227974fa3a53ce783312bd6bf

SHA256
b9d1dd1fcff0a2dbd2f2823929bd48282712a360b14b2f4508bd622be7738c74

SHA512
76ab499ad7c6c9c80f165fa82a26c50518cd9329a7abcc9750c7ea93886af8e3a3e2b740cd916d86a2383e29b854b7d955d208c197b091dcd16cce118f44a449

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
982df1b9ba6c467dcb6cadc9b008df9c

SHA1
92ed94f7f6ab1eb98eb0d673d8a7a2799eaa5bb2

SHA256
f04e395709a469ce82493fbddfbc0e8a7f422a63a3b224b11f4c7cd65821e79b

SHA512
6c8e346927cca09667c956eb83d96560b603e41b9b62b19941d9958ec23a158183c958edb6968a59e4d7f11deda8254228b8f48c83a6e64579ffad7308898b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9bf9cd5e7e23cb55d4149e06455fd94

SHA1
bf8353c9740cae75189e24afff5baebadd4a7007

SHA256
51e9edc892faa29c9e0468d0fa49b148b8c25e88981a001e3dbe3a62cac8db58

SHA512
70a71ae52967f6d44f47aec6a0af966ff98c1e68b8cb93ac281a6e34dd4a8a20c319bf8d2f0018d057a473d76cc08c763c0fe1928c7c1575c904cf3610b06c6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7c8e1a197531f15f39bf1f54baf0e53

SHA1
77429dff799672de11b1452f5bc0e607ea214c50

SHA256
dbe01fddbdc059ac798aa9e8d4f026523589539620de3d896628ddb73f6b107e

SHA512
d0f11f72e2a32cc6375824ac0b54611a1fc23982acdae9ed567e84516814403e255a5eee6c3dfb18a426458c04d37c5cf9ee37c512ba3e810acbd6afe1124b04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57ce7b37581d2dd0c032d2a931eb0ad1

SHA1
26fd4701dfb2c7ae12f2fbfa2f298abae20b815e

SHA256
7ad3af1c09369c70cec7dfc23cf8d056009d05db12672a44d6dd2e77f85791fa

SHA512
4fd7d6753f313410f2c6e267d90109389f396db34df30e533794bec3d88ad96568ad1e640ff0c3ba7f56f9a0acdc2ba3b8bc8099320b2781ce93f13893b4340f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a40f812002d1efcaf67d89569c93305

SHA1
1ea2b099d2a3f20f1fa2c224d168a44b11697549

SHA256
8a0cc5471b7e74324f13c6d019977a26cdec9ebe9f8e05e51331f691084e1f25

SHA512
aababb4ecda64db1b1b9ac29ef23e3cf9d9db015d9c2d01d5e34d7f583a782a31557dd29a1503b008f0dada8c849a832686b3ab92f01d6551d7c9a4a0df97aea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5757b7c83101de7c90bbd53357b8d94

SHA1
bad3fbb8bfad525c107c03e5f6fad10fbc24eeae

SHA256
1cde65faa263948f10ffd1d25d95049720a1784338534b13fb1dda5b29b6dbf2

SHA512
b89f4484ffdf0cefa87a66e4bc32fe1b46c55057a1db9d6329b68923e2e775a666992eb58c1eb714116bbb4048f29841991511bd9f181b5cc0e06681cafde8cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d72d8d94e5b1feba89e24adbe3462dca

SHA1
35a91bbb697d592134feadd6b5f7b4ea0cb02773

SHA256
4ad5cfad5135fd19a076b16e27acba2c49c315214b24fd91289248554140e7fc

SHA512
6594533d2ed8d4f8f9a1149b087e70abf7b2ae1ca22b1aa198f1b1610c5f38c5eea89b6c374dc318a25d22f19f7aea530e3fc819ad5c030e31681e6204ce30c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
228deb359fa7b6faebe885cd63083877

SHA1
28f0b8781cec9e1c33fd1b91dac627dec66f4267

SHA256
5523ab562cc74fd2f6b6f955a64f3d434ddc38eae6727eb91dc84c6271702111

SHA512
40bf97263313364f269b7dad19f27c289a457c6eee418c9f47a8fb43b9d8eec6911e9343bfdbaa75b67a6198dcee68479906755026f6a796ab42ed1fbb5e9f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
944f5ccaff017369bb79f088b1499f45

SHA1
b21de310eac3339b9b5b1508ee84fd15c8d629e5

SHA256
c534f21b97a80f0fa156953fb21330bf00ec3cf9b6c803fe35dfde4dcec09815

SHA512
7d795939af1502894a93d7aeb637d24d57f1ddcf1c3cad181f417e35030af9712b21ddbad29e76f99104d82ac77d4115934d243420b048bb56006295cf49d582

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE0DF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE19D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
3.3MB

MD5
f9e9436129683a22eae7a3901082eda7

SHA1
df20882e7850e0e69920a6ebef83589a34d3d770

SHA256
0b00daceadb69c92ec68d9358005d0e6f04f72844c751e99877d938cfd115470

SHA512
1afd38214451f016e423f25328a8dcae30bf996cccb9ad0bf8f5acc979d3882eb13b5c118f395466ef2c97fe7b9a0400968fcd6cc98aaf485d588cf74675e13c

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
3.3MB

MD5
c0a84d16331778b4f44c7d60890596db

SHA1
c849ee5135c090b78778965791d7985e610e60e8

SHA256
737f9973875d5f2f6cd4a36983f9d039be7f7df86afddfa791cec933c3de6c03

SHA512
caf65e6d3398dbaafac73f10697b56b76d65f0410bac7f77daabade34330a595dd7e413044a7567c07f897d5d9fb5dba87583749aadf81b3a12650c1daee111f

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
3.3MB

MD5
166bdbb587122684cf547fd98bcba037

SHA1
f17066e45a3bdfb00ca1e126d97d8f69c2223ae4

SHA256
fc98a1b78430e3c8abc38fbe5711fedc0a636b63fa7eeb423830ce42b5e33938

SHA512
1dc01f6833f1ff149f16c9d954d44cd9518323824d3fab0132a9da5ea6fab2d8b35e33162020758c5fd33f301869d93cbbb0b4a28d345ea258fd8933ab8c5350

Download Submit
memory/1708-67-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/1868-71-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-776-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-29-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2040-1382-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-32-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-666-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-668-0x0000000004730000-0x0000000005103000-memory.dmp

Filesize
9.8MB

Download
memory/2040-671-0x0000000004730000-0x0000000005103000-memory.dmp

Filesize
9.8MB

Download
memory/2040-672-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-674-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-677-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-679-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-63-0x00000000003E0000-0x00000000003E2000-memory.dmp

Filesize
8KB

Download
memory/2040-1380-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-1375-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-51-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-33-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2040-60-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-207-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-61-0x0000000004730000-0x0000000005103000-memory.dmp

Filesize
9.8MB

Download
memory/2040-62-0x0000000004730000-0x0000000005103000-memory.dmp

Filesize
9.8MB

Download
memory/2040-40-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-1122-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2040-1373-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2552-53-0x0000000004E00000-0x00000000057D3000-memory.dmp

Filesize
9.8MB

Download
memory/2552-26-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2552-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2552-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2552-27-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2552-0-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2552-28-0x0000000004E00000-0x00000000057D3000-memory.dmp

Filesize
9.8MB

Download
memory/2820-41-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download
memory/2820-30-0x0000000000400000-0x0000000000DD3000-memory.dmp

Filesize
9.8MB

Download