0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
Size

3.0MB
MD5

09626291258bc4cb0b6d753e0dd49cd8
SHA1

810c8626a2dc55dfcf288139234651a917823a0e
SHA256

0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2
SHA512

8ef894481431a19a556393b7f5fdbc999eaa5e9bb9007369cda63e5656227bcb534701b2eae63fe59fc5e6bc77f49e6dff7dc2c7627d1b749f991e225a7081ec
SSDEEP

49152:E7LwANQ2ZNy5GBHW8PpSvItiqpMir3y3zmwTzBo2T4wEQ431dAw+Bsq3d7dbn:6LJuMWWlt3Mijy3zJTzJID1dAws739p

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1972	acrotray.exe
2676	acrotray.exe
2732	acrotray .exe
2124	acrotray .exe

Loads dropped DLL 4 IoCs

pid	Process
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1972	acrotray.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
2676	acrotray.exe
2732	acrotray .exe
2124	acrotray .exe
1972	acrotray.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
2732	acrotray .exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
2732	acrotray .exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
2732	acrotray .exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
2732	acrotray .exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
2732	acrotray .exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
2732	acrotray .exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
2732	acrotray .exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
2732	acrotray .exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
2732	acrotray .exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
File created	C:\Program Files (x86)\Adobe\acrotray .exe	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acrotray.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000002522d67f8adbdcaa92e2470e6c18bc60f14a7189c445c04c760da5c12d801aa9000000000e8000000002000020000000dace82a6bfb15180925e44c2c80321020d8128bc677db71572d6369ed82b0a5e20000000b7c6fe298bd1cd3225f15e5f9b39e81cea3ed9a7e63410fc3e4d3b9f56e2fb5e40000000d283da5767ef31a754b3778c6ba818d3f6343d4032254066ba231015805faf9da0704dcfcd07e037e67fe75900f2b105f3997e8e403c48951bb3202a23201d16	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429823278"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{08698C21-5A6E-11EF-AE10-CEBD2182E735} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008a23df7aeeda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000006e80fa68ac0e7c66f810e6e409d0123105a1c8f0c0af64db03e87580722933b3000000000e8000000002000020000000b91937281f3febd46421475c09e4be727b4b11d7009c0e26fd4bca961efb5d899000000094ce07434d1f88845b27e01ce7776ccbb18dc061e77eb2c86727114051bcd637abf5c0500e79a49c040b3f749a217720141b5a598cf3f4c78b4ae0b5cbfb2f0754e5504ca378cb1e8b6dd29990240902811fc08d6f6d93cf8691deb571fd3a4a8329a3cd245dce1b073eea526b67146ecbf70603c49c79751d0997752af332572044148c22cf56f30a1c6e4cb3c3ca5340000000cce9662ff6edfe3b808f0f70a0109180feb4df3fe566755cd1ea6b7a1bdcb9787e2472870d0968da2adbcde89699741d6a3fda1f1dae4a7b388e0ab08c915ad6	iexplore.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
1972	acrotray.exe
1972	acrotray.exe
2676	acrotray.exe
2676	acrotray.exe
2732	acrotray .exe
2732	acrotray .exe
2732	acrotray .exe
2124	acrotray .exe
2124	acrotray .exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
2676	acrotray.exe
2124	acrotray .exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
Token: SeDebugPrivilege	1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
Token: SeDebugPrivilege	1972	acrotray.exe
Token: SeDebugPrivilege	2676	acrotray.exe
Token: SeDebugPrivilege	2732	acrotray .exe
Token: SeDebugPrivilege	2124	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2672	iexplore.exe
2672	iexplore.exe
2672	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1940	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
1972	acrotray.exe
2672	iexplore.exe
2672	iexplore.exe
2676	acrotray.exe
2732	acrotray .exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2124	acrotray .exe
2672	iexplore.exe
2672	iexplore.exe
864	IEXPLORE.EXE
864	IEXPLORE.EXE
2672	iexplore.exe
2672	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1940	2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe	28
PID 2224 wrote to memory of 1940	2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe	28
PID 2224 wrote to memory of 1940	2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe	28
PID 2224 wrote to memory of 1940	2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe	28
PID 2224 wrote to memory of 1972	2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe	31
PID 2224 wrote to memory of 1972	2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe	31
PID 2224 wrote to memory of 1972	2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe	31
PID 2224 wrote to memory of 1972	2224	0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe	31
PID 2672 wrote to memory of 2764	2672	iexplore.exe	33
PID 2672 wrote to memory of 2764	2672	iexplore.exe	33
PID 2672 wrote to memory of 2764	2672	iexplore.exe	33
PID 2672 wrote to memory of 2764	2672	iexplore.exe	33
PID 1972 wrote to memory of 2676	1972	acrotray.exe	34
PID 1972 wrote to memory of 2676	1972	acrotray.exe	34
PID 1972 wrote to memory of 2676	1972	acrotray.exe	34
PID 1972 wrote to memory of 2676	1972	acrotray.exe	34
PID 1972 wrote to memory of 2732	1972	acrotray.exe	35
PID 1972 wrote to memory of 2732	1972	acrotray.exe	35
PID 1972 wrote to memory of 2732	1972	acrotray.exe	35
PID 1972 wrote to memory of 2732	1972	acrotray.exe	35
PID 2732 wrote to memory of 2124	2732	acrotray .exe	36
PID 2732 wrote to memory of 2124	2732	acrotray .exe	36
PID 2732 wrote to memory of 2124	2732	acrotray .exe	36
PID 2732 wrote to memory of 2124	2732	acrotray .exe	36
PID 2672 wrote to memory of 864	2672	iexplore.exe	38
PID 2672 wrote to memory of 864	2672	iexplore.exe	38
PID 2672 wrote to memory of 864	2672	iexplore.exe	38
PID 2672 wrote to memory of 864	2672	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
"C:\Users\Admin\AppData\Local\Temp\0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe
  "C:\Users\Admin\AppData\Local\Temp\0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe" C:\Users\Admin\AppData\Local\Temp\0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1940
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\0eb0169f4962d2fcf2866ec64d4ff15f6b20149d59203b82470fd918136515f2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:472072 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\acrotray .exe

Filesize
3.0MB

MD5
684e028274eb3a209a6ac984793e5535

SHA1
7213fbda71467ea82320f851a301c58455dc2751

SHA256
49a3e506c9781555990f233a79902263086872e0547c817c96c09248de8dc747

SHA512
ce59900063c6414fdacaacdb196a101d6a439567c21b344fe380ae298a75cd5b8927101a9633253e95bca851ce8401ade87edf42e365a0132e147887e9e4f243

Download Submit
C:\Program Files (x86)\Adobe\acrotray.exe

Filesize
3.1MB

MD5
84384793db7813ae49298b77c1e5de0c

SHA1
517ced2a1dbbdecfb0fb4e665592cf845031b6cc

SHA256
c4673b6cc3235d3a1309def8736baf721159e601b928ed35e04bb44f090ca846

SHA512
75f694ce8aa24893284b7b348e34a11c87f5459623e611c323b434e98da85c1d5fa33939d38a44921f193d927deffdd1d4c1ac82441154bcdd191e8ae4bccc93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10b55439b5dcc1371ef2a3186b734686

SHA1
c0370d87fa4e3a3e1cad9177d05b89f11208959c

SHA256
34ceb7fa373bc495e4dc2fb7258f0635ba6e0dfd5e952a467d69543cde68b030

SHA512
d7feb08dae963c6bc746716b305fb9c18ca34f40f5a64b1fa51bdb2598b9acb0ff8622affaacf0d14ea96e196a98921356a3d106733712ce01ada18e9cfc113d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e8c61bfe237536153c163bb95a3eb83

SHA1
8bb25bc730c3a51fd5d92155e7435c34ce161bda

SHA256
ab7788f6da9823a632b23705b304d4335c5c13b6de5ae1a6e17aba53531570b2

SHA512
54a90ae9ec076981802e9d69767458be52c1b25a42f4648aea34c6ec271f1b63b59787870975fe2da7ff8dc61b1e2597817a03dd5fe503172045cb150909def0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d5fb70db9f214e322c05be2f6725ea3

SHA1
6e94774e9c7ed547440681bf8a8b61c27f875e88

SHA256
9ca0a850c13fab2b72051d4b56c4c5f5934e20fcc5c3325add9ddcc3174ead66

SHA512
00b2f49cdd246baac8bd9058992667b9ccf6be4f22e7ecddd9b8ecebb5b6b5cb9805696c8a6f80b8c21a3ce962619bf72ccf97c664ae5fc72ea664c335472108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dba6cf050d52897a659b89ce7c604cd5

SHA1
8c0d6b3349c4571c8fe00d171eb05c5641e0a725

SHA256
1702fc05dfecc41531d7f7808229454ed1539f3b19a12cd18e97938a747120ef

SHA512
fdd6c00736c4ba22a690f9586a4f073323d906be7ff31441a38a5f9d5150b3e5cb22926109100fe96661992f8b05b9fb2681b07a8a426c4b77f8361c1b92c051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8f97e6d03c2b035634977fd707fa03c

SHA1
861e4d99b487ae037e5ac5cab6db297a9ed9bd4f

SHA256
8ca703ff1305c9e0c667d96b258489f4b312fc555aca914a4e1e99f5a0d4ace8

SHA512
36c7168964d9439389f71afdf0a25f09e07a916b8733b6a2b36c74be7a734d5cc45fa770f9121b6963899baf7acbebeb04f5cb5d57826a35c4ff82d6f7e2f310

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d9161286344599aaa19940d4afc4b21

SHA1
196f9527d0e88a5a2d258baf1daaadd540ae33f1

SHA256
904fa58660002132918caba74f58b4925cbb785900f4d3b27a5da821eff63980

SHA512
8d68542e2f4ddedacee5b0650f28efc2806504e1aed36dd42483854a88941c5924d96a3182675fcfd973fc708273a7121e30383dc63dba34e3e76b04af9d695f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e049fbc0144c5527e81577c94f3e041

SHA1
1b581c669c3574382cd12f41b92918d733c635bf

SHA256
14b55f9c893e24807eef7f55c4ec75b2284b8b72ad20e874c413efefb99b11ca

SHA512
de4d39230d2e62fa0095a980b869bffcfa7fff780277abfb3221d5a5fa38082138963e0028273a68887c4bc0f5e0066cbbd1043ccdab10e061745473dacf1026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85a9eda12e3bb80807eb3438002d6a7f

SHA1
f44dc58f00cf260a3da4028bc92aa3fc8be5cb44

SHA256
7fe2c3381838ca8f0555273113ada50164726bdc6d8913f9fc77ecc21b40e603

SHA512
e5b9f5f765cf03503195c8fcdb0863531c55f0f7664a51353202b98a9ab8405942f260284e4daa476904f15b4ce9fbfb47fc4f54e668e31feb69bf791ee7a4d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47a6c8b83cff0261637907bc0d5550f1

SHA1
cb6c08b1ea587cf39659acff552a5e29d52f28c3

SHA256
c913a3907ec55b71a210443d40ac18e206d1e99404732b8d33d203a6837a2596

SHA512
7d6f5d01e6abc490a4ec369ddadbfdb76157b67bd089a555e1f9a8143a56396d55a839711e32a082d7445cec0dcee196a4d9f2e166f3346692961eae63f08791

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db1b55e086bb9143eb7be408914b2397

SHA1
5558a278aa820ad724569e13a7b9e6a09f455830

SHA256
f24128d8484de44dc62b016801369d4baf5598f9ace2fef2ea224ed383b1274b

SHA512
3fb390f0947fb9ab14fbdb82052f819fd4869a8ac6b1ff688e0c96e3adb1b82354b2d5b399210b74587225e53a75eeb00e5c59d36b49be0d81af3f0f29d333c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29860e6c528f36293100562975bbb2ba

SHA1
95ff2871b267fe8984c15a9f6164b1d2c44960da

SHA256
b8ad432b2654cc294efcf3819c6b0184a50c219d768c047989af697f15a961af

SHA512
ac50a4041a9eb4a342423de5126b9bde5ccf50af2454aa7602a637ea14f310ecad129131af02a1b5d8f810ddc51d2abfbbd4eb064e134b7959186a17c0fb433b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d71ee2e75527c50dd14d2d4d85e6c849

SHA1
1a2150a76f0d5d16f986fcd70c6baa17154a9687

SHA256
04472c2929705f68e914fd205947c9f5a7947fdcbf4e87e6761fcd15ed87d6dd

SHA512
b584ccfc54fdb8f6e5d89231acdd6145fd8171413e7be5dfa095808e2bf1a0823c96e9b33604d77dc1a05335e97300f7a7fbd59f6894264d0d1a4a8f9d1eeb86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2c43bf7d64b321b13c3ccf78f213569

SHA1
21e65ec7f89b9963700fef035329fe47c432ca33

SHA256
d1c3ed008b3f6f30939b613b124831880785146c189ff0c1a129dd94d3a0b976

SHA512
8bd4c4805f2abaa9e3138957a7e85740d9c768f7e477174f7bc23689107bf523ed64f934a8a6898e501cc2c126ed1b124f92fef0b1e7390d69312d6a2fa2a034

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43b262628eb0e742d6c8e13411737412

SHA1
4f3b6b995159c39779a17f4336d398c91f59287f

SHA256
adb1c8ca6a4a8159ea1e8e85a86478aedf12d3ee0869dfbae75d0744b05e6f05

SHA512
43c114732c0e28d4c1c7c965b95cdfdd60a6727fee7a2c82dd96657f5449699d848f07d13b502b16508062bd301eb91764f8b6c72b7f551757bd9aabf2fd1322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3eb1ec8b62c2830b4883a7aa2b060ceb

SHA1
87448911b8da84f8023e2d3cbaa76b5e5fc6feb7

SHA256
dd59bd694a77ff0ca4c8eddcf1daf026d8300ff3683ac90e8cf7bb4ecee1322d

SHA512
f4468ed82c3d5c9f96febf9d9bcff54057109572c5bfa257a34a62d3948fd452f28bb35bf65745d22540d61b26eab0eee67b1cc8bcc7e20094d454f2b170e6ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2756fd1a21742b2ee6aa37887013746c

SHA1
cd5e5c70390a8ddfba277bba79a191fefd776f51

SHA256
0264aab39fdf85aae78cf7b29493092d5a7e834338f49b364d08f41be5537e72

SHA512
6fb075f8ce8686328fa4d1c3922b8ff5509c941c673d22def7c04527f0714bd2c84ba694de0c7f1f6f24228881c90d8bfc1b809a7035c7d930e79da3564c5ca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c8b23eb25fbc4c877eda31262d2b75d

SHA1
ca29d749ea988e329a77624256c46268b6da40f0

SHA256
e04e042d7c1b87a50bc712474074e70ab02448b473345364b35a03dd4e5bd7a8

SHA512
143e1e2313cda1e1b1712efe50a852961ccdfa1b47a1140967740473fe3b00f55490429d0604653aec98353f0a78c50d91a89ac10c5b8624618d9997ebb2b161

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ad5e6734c006546be01141968ebcf83

SHA1
9c3db2b717440a46b796b91671c972459297adc7

SHA256
bf3f4b4c503e90c0400a7a345425836d18c186ce089140c463ea5d19d80d9880

SHA512
0f8b7ffff7297bf374df5ddf061137322ebb36006f9053eeb7f239497157770f34c83a7ac7d81e271d7b1ca6105f7d5a28441deba16ab82b73213d99aaa00462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5992480ae2fce9e17a7459c9d3f15927

SHA1
ba9ac41f0383bf86435abefe64a649f90bf7e5b0

SHA256
d4f141f266af42f269c9b3f2b1d747e4c7d290b89b3e735a980636642ed1ad08

SHA512
ed96091aaaa2f29c110e02588700ef96c82800f1fdf2b9ca0ab3c7d1eb083d61c7fd1fdef9647e516040491b2dd7cda20ab517b9806650e26153d555a8fec8cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2D59.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DDA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1940-523-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-58-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-56-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-529-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-517-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-12-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-504-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-7-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-6-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-510-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-41-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1940-493-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-969-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-518-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-511-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-524-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-488-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-505-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-495-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-46-0x00000000044F0000-0x0000000004EB5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-29-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-45-0x00000000044F0000-0x0000000004EB5000-memory.dmp

Filesize
9.8MB

Download
memory/1972-496-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2124-527-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2124-521-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2124-499-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2124-972-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2124-514-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2124-508-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2124-491-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-522-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-35-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-973-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-1-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2224-5-0x0000000004670000-0x0000000005035000-memory.dmp

Filesize
9.8MB

Download
memory/2224-516-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-503-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-11-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-13-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-28-0x00000000051A0000-0x0000000005B65000-memory.dmp

Filesize
9.8MB

Download
memory/2224-509-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-0-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-36-0x0000000004670000-0x0000000005035000-memory.dmp

Filesize
9.8MB

Download
memory/2224-47-0x0000000004340000-0x0000000004342000-memory.dmp

Filesize
8KB

Download
memory/2224-55-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-494-0x00000000051A0000-0x0000000005B65000-memory.dmp

Filesize
9.8MB

Download
memory/2224-492-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2224-528-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2676-519-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2676-489-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2676-506-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2676-525-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2676-37-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2676-497-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2676-500-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2676-970-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2676-512-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2732-520-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2732-507-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2732-490-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2732-971-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2732-498-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2732-513-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download
memory/2732-526-0x0000000000400000-0x0000000000DC5000-memory.dmp

Filesize
9.8MB

Download