ramnit | 0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34

Analysis

max time kernel
140s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/11/2024, 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Size

974KB
MD5

6a385771977bab2c8914089e6c65bf91
SHA1

6ec4bd68e06b13d7065e83b4b1adbc32ec5db0bb
SHA256

0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34
SHA512

63c2e1fb1e95d5ac9262b7ac8339b54bae372c1d2138b0f5fa9bbb5e1603d83377c70f959f65dc6855d0615c3095b9be423dab71683a8082ae043b356046ea16
SSDEEP

24576:mNoYMx2ZB8Xk61KmjBpVGE7EjwSM8AXjYRyfhfel3gQO:K1MKB8UyjsE7DlNMRywmv

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
1952	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
2320	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2356	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
1952	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120ff-6.dat	upx
behavioral1/memory/1952-11-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2320-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2320-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2356-893-0x0000000003600000-0x00000000038A2000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxC4B6.tmp	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C7A83151-A59A-11EF-9EA5-F2BBDB1F0DCB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438088834"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE /dde"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\1	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ = "PDF Document"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultExtension	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ProgID	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\0	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Insertable\	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\2	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\ = "PDF Document"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\Insertable\	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus\ = "32"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE,1"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Printable\	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Printable	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ProgID\ = "FoxitReader.Document"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE,1"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\0\ = "&Edit,0,2"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3\ = "Foxit Reader"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32\ = "ole32.dll"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\Insertable	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE /dde"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE\" \"%1\""	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\CLSID\ = "{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb\0\ = "&Edit"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Insertable	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE /dde"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\1\ = "&Open,0,2"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec\ = "[open(\"%1\")]"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec\ = "[print(\"%1\")]"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DocObject	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject\ = "0"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2320	DesktopLayer.exe
2320	DesktopLayer.exe
2320	DesktopLayer.exe
2320	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3012	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2356	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
2356	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
3012	iexplore.exe
3012	iexplore.exe
1656	IEXPLORE.EXE
1656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1952	2356	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe	30
PID 2356 wrote to memory of 1952	2356	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe	30
PID 2356 wrote to memory of 1952	2356	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe	30
PID 2356 wrote to memory of 1952	2356	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe	30
PID 1952 wrote to memory of 2320	1952	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe	31
PID 1952 wrote to memory of 2320	1952	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe	31
PID 1952 wrote to memory of 2320	1952	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe	31
PID 1952 wrote to memory of 2320	1952	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe	31
PID 2320 wrote to memory of 3012	2320	DesktopLayer.exe	32
PID 2320 wrote to memory of 3012	2320	DesktopLayer.exe	32
PID 2320 wrote to memory of 3012	2320	DesktopLayer.exe	32
PID 2320 wrote to memory of 3012	2320	DesktopLayer.exe	32
PID 3012 wrote to memory of 1656	3012	iexplore.exe	33
PID 3012 wrote to memory of 1656	3012	iexplore.exe	33
PID 3012 wrote to memory of 1656	3012	iexplore.exe	33
PID 3012 wrote to memory of 1656	3012	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
"C:\Users\Admin\AppData\Local\Temp\0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
  C:\Users\Admin\AppData\Local\Temp\0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1de28708e4ea69eec95cd296b07a4b59

SHA1
5764756f2262b36f5e9b519ee0ad01a586d6747f

SHA256
c67e7aec23b8a00ac92c56e452e104f949b7570d928b2e90aad03f43bd66d131

SHA512
7d076031ead07fa7accd8a5ba522e897ada0795080fcedd03326d6930411e5010485bf9d8f545a59e33eb8e36985dcc4e07704891c75c2edb08eec3e3b5edec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f987ccf25de583f0b0f8c4573d627bf6

SHA1
dd00b58749f8f96bdc17dc577d2e08b0ae92c641

SHA256
6c6ef50a243569253398e85d51243a3eaf16656b4f02a39e084288a14132905a

SHA512
928a959cce6ffd75d383b32d3894efc67ef25e89b0a73c8c2a8e35da192b625da3e653ba60d2add7df9092d706348b6a03efac4cb69d13ef19b3b5bdeebed0f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
831063a887cd3b66132325881dc9e9e8

SHA1
53e1a81e9d181f6f511e1d0c1273dfb55f66e216

SHA256
279bc0b6ae284c8277c82c6088cc8516b710e299f4299658a1fd82afef191d67

SHA512
5fe420ffba0f77ce86c95442c233b6739bfea6da76f1dbf134325e7fcf50c78da84b1b8cf5f63b6c6e78da5da0ff932a0dee3c4df4de2585450278b9d018ce0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fe12f8d6739206ae3dae0a640eb6c66

SHA1
d51101d4d80be8f4a7728bb7832f37849f0b5853

SHA256
aaeeeb1210509336c92579ee52bb321a6b85bb4ac1d51451a3e37dd73e2b9a10

SHA512
199237cf2e52dd2ffa6d5568998391cf55db74cab41341d6e916ba34e0286a117070dc3598570e8ddba672fa2a81c6c3e25b0d19fcf455a78919859cfc33815e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dfcfa5422782350078daccc2ce955db

SHA1
551dcd3c3cf8c2a39bb9f904463cab6d98e534e0

SHA256
0ccd9c8f6676396a1b7872f44c912dc2f3cf8769b7e883d382ec1fcf485ad0c3

SHA512
2be490fcb7773a0c6fd2afbf87f91a3b7f999255601fc5e392a8da2b28ed477a6a2133dc84e70a75fb3293ec880e512a9985927b60ad4a6bf67de74929dd148d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd4573253fb23a2859744340eb39a733

SHA1
bc72f64b18cab89cd59c39a0f841ee4c90f89806

SHA256
8c352159209bb41c48f9ff77e3071b5247721c05066988de7cc9323b2a863da9

SHA512
b9f7823c3e8755a4d067eeacf2e2f269ed29783738c9528105383672849afb44556286736f6c6df50d6eb32a504dd9fa3739ae2cf027743fd975fb14280dbd5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a29f09e8752a05bd53bea43d31d59c5

SHA1
7e133655e6fe38e5f0959616a96f4925114effe4

SHA256
d22af50f51f1e4544c91ff08cbc1f3126176069f2abf999aa4d3988f72e8810e

SHA512
f4896485d461c744350443a933803b2f536873717932b13abc479808c7ce01b8b83c002d15b0de2bf7798ed209d9191d0a989dbcc146279bc3e089f2749e0cca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b8521a99e4fea840dd212c90e6db133

SHA1
7d87c08ebb30420379828c07fb9725e132adf0a5

SHA256
b5ae5550e758100210786c1bd6add41eff158d09878a2f2fb75101bb72dc4a33

SHA512
f411707fbc904c23bf1aa0a51366979e4888b597910488a3dd95a8ebc6553f95de5264aa225c91456ccb64e5de477d2527bc83ff4ae2789b90574b6205c6b09d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
923fed44a9176672a35311319316ab6b

SHA1
8ed353ef54901693e7d8832a1da15ceafbc0cccb

SHA256
cd7df36befecf453ea147ed3f8dd944adfc474888f785c7f5a6ab61cc8f3fcd8

SHA512
6b602639fca6e92efcfe6fab3beb8e3b5c2f95d0f8981c427ecc7b50b062c70ab68fa892a6a2d4ef66e579b7921b810879ddb0bd5f03fcf70d8a2d5c6e199267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf55258dc1965a7d349fb3354af98188

SHA1
009cda24cbfb41a7d93534433a86dfd45fe53f6c

SHA256
838bd547e8223f0cdc42860c8d88365faa4701b422dbbead0b6faa267d5bd81f

SHA512
3f924261a0e831960e00ba4c17fe8517d82f408608307f94d8b825880c3b3a340a03bfcc1186a4b2a7956d394ae7d6bf83c8962bf811ee40b3163ce6ff722bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d49631bbdb9726e17ff14c90e14cf81

SHA1
54ecaff56bd0c624c3a6de321b618de671d315cd

SHA256
d50901a6eec2e7464ab1cb4e1894ea9cabd17c4c61efafa08f06178c5ceb8d8a

SHA512
e81201e4d3442a7a408b07f3f1ca3483ef20c633f0ce50ee9790baba97f2cf793c3aa07a1f2225073bd10c0d1e7593cda5736e7df43540b9c050f371d27b3c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f48535866a38640398117619bee3e7f1

SHA1
454bc69726859e62e45a8c92ec77f6eac5a48d2b

SHA256
75b7731b62b68f106cc3f1fe9c6dc7b7f9a558bca82edc93f407fb9421976917

SHA512
824ca650ebf574e2017db4f099bd40c1ed6a957fc9b5700e093a618ac4ee574998118a13d8613f5878773ef93dcff629a06d1fdc1c9f249530e59edc95ce4583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cdcef10d996f03704f7856e683af7b8

SHA1
d10cfd6ed25a2166bd187b88ea7dc546c17b722a

SHA256
f7ae42695f817e5629efbe6651d222e5107cefe7b9e51337af8e144724ce1ea3

SHA512
69e33b01c0c906b7a3793aa4fe09ae69aa4814db2ab31828ba7003959a8fb58852a83fc2350e31323a67e50f69f4c521b92e858cf7044f4cf5e621034e840120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff5ed8f08d6c7b5677b24926e2ba66b4

SHA1
a27c1b5e5eaa01fdd854105c0c21230305fd147a

SHA256
a3563cc8eb4bc19bf348b3f05be4b076e55c077cc37546069630737f14debfe7

SHA512
6770999c01f7f3a4a37fd450596cf701e2f141d602d087defb7bbc7b3ec2c3722cdf0b9d86af6b2f49167cd54d9aa828181b3cb67e15d310ed61faa03da2d071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32c1009499195a7ed201946b0f8802fb

SHA1
c7326fd4637ca0a0e8aa6dad4822c3fd958731d3

SHA256
3e2ad7605d74bbee60e0abc010f8e9d22ac70b1df1e99fbd92ab67cb3095f0af

SHA512
3691ed3fef65f353478bb7b39bd97a3900086b14e557d054d2a41f42e69c9929c23026024eba3fab8cfe45ee374b50d855e330ce7c4e0b3b605d9fb8d890c51d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b9298e4f176e6de5f5e69f6906d4827

SHA1
575ae857de11560c396d095525e6e73d1af6ca85

SHA256
74a8738f89d49cf8ac3fb2f24e9203ecdb963a75b26e98b38215293bbb385f2e

SHA512
66ef6a0f631bd4d53988b9fc153001ad3c2627a28ea3187b6ab8693a1e922b4a4ed5189f98a48b742636b75c3c85a1545b5e0e50bb994c3d01d5ffeecc77c58c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
609f963b6bc0bd2cc056084d5bc68790

SHA1
6eceeeb38365c0d997ea0368f6b6630c5126d844

SHA256
6f9df131238b5527975edf785bfadca0558a9400d9e85d7769b72fd886384f18

SHA512
2343acdb6a7a22bf55ff0ad6996f3294c2db2cd49c761fc02c48d12b8b54d18edd40b9b43a5a17bf7267bc9c57c61c8106a833f09c4d8c32b4eb8cbc648bb2fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efe1281712b16da55aedb373c9bdcf2b

SHA1
79a69e768101c67d6a2df5fd5f38d898eca7bda8

SHA256
7bb414227f79721b9691fdf6562378a0901df63bfa07c0b5cf5dd6fe104a0944

SHA512
3482d5cc3f199092b646d4103696ab5e83807a198896b99c3b9976c3547383f66645b67fc10f9becdb4ccc578dba362633da4a70adefb8bf9dcff51a5cddcf74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02c4cd9dee4217d5592a4e95bbc2dd2c

SHA1
3f90c426ccd07719440f1b20e2ea20a74a057820

SHA256
ddbf0f02adce07e12391024cdde5fb6cdecfd297989c37892edd4a5897fe2697

SHA512
24f57d327df22ef69a29274252cf1bac363f1340a4bf4613633475b4b65ad6a0fe455b2a0f3badc8ffbe50e151a3488347b8502d6b02d06cc1986bad458e0f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE67B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE759.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1952-10-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/1952-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1952-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2320-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2320-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2320-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2356-455-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2356-9-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2356-22-0x0000000003600000-0x00000000038A2000-memory.dmp

Filesize
2.6MB

Download
memory/2356-2-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2356-5-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2356-454-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2356-24-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download
memory/2356-23-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download
memory/2356-893-0x0000000003600000-0x00000000038A2000-memory.dmp

Filesize
2.6MB

Download