ramnit | 3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe
Size

8.0MB
MD5

27038a95bd4709a40755ae920e606b03
SHA1

6c5586ff2404b8ea37e5b3ac8ead7b778a6f2d9a
SHA256

3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34
SHA512

bc108a0f98ab58e77dced11492e880a36ea3578c2c910c759e557a9bae4ff309df2f4b477ce9c8d88d3d3b760ab870a38faf072b61294c79d815fb3e5856fa64
SSDEEP

49152:dc75uCs+mC5d9CjZPl+jD63UxrWvNE+XJmJO5byML3GtHsEO+rTBtAYc1wxWRmri:dc77HBAdZN1fyMWzYZ/XOr

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 4 IoCs

pid	Process
636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
2776	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
2188	DesktopLayer.exe
2908	DesktopLayerSrv.exe

Loads dropped DLL 4 IoCs

pid	Process
108	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe
636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
2188	DesktopLayer.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001227e-1.dat	upx
behavioral1/files/0x0008000000016d0c-9.dat	upx
behavioral1/memory/636-7-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/636-10-0x0000000000230000-0x000000000025E000-memory.dmp	upx
behavioral1/memory/636-19-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/636-18-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/2776-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2776-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2188-30-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2776-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2908-40-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2908-43-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2188-36-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px28F4.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px27DB.tmp	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px27EB.tmp	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayerSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B4D5DC1-D30F-11EF-AF7A-C23FE47451C3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B7CF941-D30F-11EF-AF7A-C23FE47451C3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443086601"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2776	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
2776	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
2776	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
2776	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
2188	DesktopLayer.exe
2188	DesktopLayer.exe
2188	DesktopLayer.exe
2188	DesktopLayer.exe
2908	DesktopLayerSrv.exe
2908	DesktopLayerSrv.exe
2908	DesktopLayerSrv.exe
2908	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2836	iexplore.exe
2840	iexplore.exe
2852	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
108	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe
108	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe
2840	iexplore.exe
2840	iexplore.exe
2836	iexplore.exe
2836	iexplore.exe
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2852	iexplore.exe
2852	iexplore.exe
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 636	108	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe	29
PID 108 wrote to memory of 636	108	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe	29
PID 108 wrote to memory of 636	108	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe	29
PID 108 wrote to memory of 636	108	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe	29
PID 636 wrote to memory of 2776	636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe	30
PID 636 wrote to memory of 2776	636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe	30
PID 636 wrote to memory of 2776	636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe	30
PID 636 wrote to memory of 2776	636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe	30
PID 636 wrote to memory of 2188	636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe	31
PID 636 wrote to memory of 2188	636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe	31
PID 636 wrote to memory of 2188	636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe	31
PID 636 wrote to memory of 2188	636	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe	31
PID 2776 wrote to memory of 2836	2776	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe	32
PID 2776 wrote to memory of 2836	2776	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe	32
PID 2776 wrote to memory of 2836	2776	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe	32
PID 2776 wrote to memory of 2836	2776	3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe	32
PID 2188 wrote to memory of 2908	2188	DesktopLayer.exe	33
PID 2188 wrote to memory of 2908	2188	DesktopLayer.exe	33
PID 2188 wrote to memory of 2908	2188	DesktopLayer.exe	33
PID 2188 wrote to memory of 2908	2188	DesktopLayer.exe	33
PID 2188 wrote to memory of 2840	2188	DesktopLayer.exe	34
PID 2188 wrote to memory of 2840	2188	DesktopLayer.exe	34
PID 2188 wrote to memory of 2840	2188	DesktopLayer.exe	34
PID 2188 wrote to memory of 2840	2188	DesktopLayer.exe	34
PID 2908 wrote to memory of 2852	2908	DesktopLayerSrv.exe	35
PID 2908 wrote to memory of 2852	2908	DesktopLayerSrv.exe	35
PID 2908 wrote to memory of 2852	2908	DesktopLayerSrv.exe	35
PID 2908 wrote to memory of 2852	2908	DesktopLayerSrv.exe	35
PID 2840 wrote to memory of 2700	2840	iexplore.exe	36
PID 2840 wrote to memory of 2700	2840	iexplore.exe	36
PID 2840 wrote to memory of 2700	2840	iexplore.exe	36
PID 2840 wrote to memory of 2700	2840	iexplore.exe	36
PID 2836 wrote to memory of 2752	2836	iexplore.exe	37
PID 2836 wrote to memory of 2752	2836	iexplore.exe	37
PID 2836 wrote to memory of 2752	2836	iexplore.exe	37
PID 2836 wrote to memory of 2752	2836	iexplore.exe	37
PID 2852 wrote to memory of 3008	2852	iexplore.exe	38
PID 2852 wrote to memory of 3008	2852	iexplore.exe	38
PID 2852 wrote to memory of 3008	2852	iexplore.exe	38
PID 2852 wrote to memory of 3008	2852	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe
"C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
  C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
    C:\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2836 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2752
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3008
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2840 CREDAT:472065 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
057e6ef5b4ab28d89bd8312fb667fabb

SHA1
74e0870080491dc23e8dfbfa06460d7cb716518b

SHA256
2f6655a8d3d3146bfe3cebcb754eff05d4dc48b57fc739d8c02faea33d4023fe

SHA512
408300cfb94ef74a8191305fa3b82e116a2d9bac01d94a5efa98c91877f7918a678abd9867016795ba47b0dae0258888becbe48016562c9251fb3f13d904cfea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
322fa8619646c86cfa7420b3bc52897b

SHA1
63356e0f9ae1715931fde7c5ee2113e13ab62213

SHA256
70c046057f6e29e8d24dbe0198539c8ace79d53e65cb0712f2d98cad9cbde0c1

SHA512
527dbe067b3c45425c3f678fd087a115819755e631cc82fbd640bdac2db688ef7e83727c0b4136cd75a8575b82c7750bd2c24d532738191d69c7c4eaa5429e75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d37cd993dbe9115dd00900a3362d60b9

SHA1
fe3a0ff095188807610802733fcde97a96aaae14

SHA256
eba863c9b3f23e17176c1d8fd9c915186150041e10d14fcabe493420a6de8235

SHA512
2af93c52d5d8fd500e311ec077bc3798a909f304cd69dc255c24c75edd1bb83a4a2e062d842e87b949ca2d407edef34265b7820a26f58cc2e7972e2ca3e20c8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efb573a8387c907fa41226b2d2508e0c

SHA1
ffde4848befeeab36a528f70d9334923e36d3b86

SHA256
d32e52762315f40782053cb19d4f2416e62f8cec7c6f8da286e6825cc41544ae

SHA512
f2ea4803dcd4e73a96a3684f119729150d00d26e4c2b4b1f5972c5719f5d33a2aa3fbe3e4f1383ef45184dbdc4f87434e0fecc7760556f7ab6be0f8d91589acd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66cdc559d5fde584df57d2c65a909069

SHA1
28c29973d7b381247168e486818c8e1e523cac65

SHA256
e422af4b02a4c1ae4a623391d0d7f02be2b322ee5028458e8c9e0ed6e5f9fed7

SHA512
9bbde06b055d965a9618e7bf87619d1ecd25451a31691693e1df264c65faed048b637ccc70d2d0ce54c52e7a53b6b5eb3f20e86d350c544c1472ceab27cbb2d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5388f0e904fd04b8471bdbb4e39f5dfc

SHA1
f000224f29fda472918f882e4b0f8a7a6a20da07

SHA256
d1237b692fe20676130764b407764d065a1c54285ba3c49a79710342a62fd31e

SHA512
485e07ca5cfc17ceecdbb900654cb9404149733460014ec22e6eb178decd68cd942c3d7c2ca616cac873fb667a0cccf7ab4f94812883d8ee0453ebec9330a992

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fcf2a1165dadaa774854ff2b35fdd41

SHA1
3c9fdd7a3adedbdfe3bd0652501e596ee56f496a

SHA256
49d2ab09ef3063fc2824b6c5618fade2c6e572c66d87fd52f50fb8529b041a89

SHA512
5ff5562ec7c1c8b35835f260774649ef3b32c791641f05d953d8eea4a60c0088160f5da2d0aacdb8463c5dd56b58017437ba4b72884512492bbf6486ebf80728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c919d01638588c47834be648bd8f4a64

SHA1
d92c39e5efd3698eaf8c38e11dfaa2c3db24b58f

SHA256
0c73063ec92c6c882abb4fec1f05b7bd6180f705abf0e56bc90ebdece9524ba8

SHA512
840fb27ceeb79ed31f9073182cc15447a487477e5bc6d2e357a010e9148952fc4cac7b93dbf5d5724e310b67f5ba0994e39303bb79622b105e709ea810a590d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bf557c04f54fddf5987509f0ffa4560

SHA1
eaf4b5d75f0f7b1d6917a058001f2099e795db03

SHA256
cf6d2002d7932b6619963eabdd0417154f4d6103bae0de0823d2fc0748403ee8

SHA512
ebf8ebd6557a16e4ebc8276dd42085fb5aa0073e67b767c4aeb934bcfc6840825704c1cf0eb3804b078126e797eddecbc0f48f18cf33411eb3818d6b515949cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8176b4f621b3df364009e7406e19b71

SHA1
a545a103d23ba7c358b9591d9b7bb095ec3da885

SHA256
f7596904cd26201baacbb828c3ad00b29c1a1ff0684bc5669c2cad902332df98

SHA512
1b632c59e6283387e4d8425dba86935b127181e6873e6839e6c1226a9d7be6239f0d46bbd46dcb86f03f900c73283eda8c393b5ff82f0ed52108ed38030bbab9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
961a3103303a900e50d7b8dc83e8deba

SHA1
d0ecfd08256233ca17c3bf6f06769b806a816e8a

SHA256
3d1a362f134c4b4a3d152b523b1e9cb671efa532293fafcfdb212687e3be7b5d

SHA512
b75b38cb48b1b0da9e24e0d789fb2770d5666dcf83c92b0da22879bdf4dd1ac2717d0c8ba4c03b45913ca323099fda4bc3c597ddf9aa0ad443ea692bc7ff0b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d1260e3c0d114c8021c0cb8cdcac87e

SHA1
2ad3c8ac7ddf3121a6ff6da34c75662c02362c4c

SHA256
bfa7a31d26bfedc94af786e6d0e6cc26adac268e1dca7f0d064ae31d055ce3fc

SHA512
fb721cabf5a92643ae862de185f34b08c3a9b52c5eb7aca6a9226eae044a162e4191b717d64cbb2231671ccddd031309f39fd7872cbe12f22e8f203c3a18d39b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c17e986a0766ea715dd3f7535b69e66e

SHA1
3df0576fd96d209f37c8967d54d3a99b5a3feb06

SHA256
8c12d181df148f6b544d43679a65b457bd57458bb70d8eab88b1748619ce89c0

SHA512
458aafaa9729e951e0dfc29611a5af2811cf9bfa8915707d7a6cd476e9b882f7176e011ec0097259547d9c54ecf56f6bfaefad7c283078b5059b9ca34b59e281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bad990aab436e07f0965311ad77794a4

SHA1
597d0e445a2186a1562577b0c9f0f08f4c3e59aa

SHA256
9315a3bd4eab46b3e42042973192ad3b91f01b961e334f32f3a45e1a05469682

SHA512
f77497e8b64523729cb87f88537018dbcfbc49590929f62913602ee4ea0dfe553796e2fc6e82161d81c7d225c1c580ad2128ace8a1b8d3a63b047c3d1dbe4287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59e9eb293739fec31634ba136a4bfd9b

SHA1
19bb91df81f2d398c13eba284e2979b3cdcc6261

SHA256
dc617cc8762fcfed2d6c818d2f7061459b16005263bdd65113c96fb1d8ca1454

SHA512
2400aae8346dab1c8d614ecc0ef37d03091cef9278819953ea16fe5af70127dfb959324687b87f49024bb503c6ecd1477b5ae1f163487d150e11eec6c9417357

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
796a3fc65e4f913f3e19665f22b1a7ae

SHA1
923e974f8fdb0dab939208e452391716d21780c4

SHA256
308b47084b6ac246ef9765cdbf2751015613f3e3821ec3cccf38fd305df0f96a

SHA512
c8a60601b4e2153619e0e6166eee8071647ad0d8d700d953446d3bf475c78d9d1301c30a9773be598fc602cd9ea08e5f5219375deb0be7664d09ee8a26029e38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
087d900446b198cb92312a299ebbbf1c

SHA1
a0b28c03a066eb108f1028f4de54da389b81cb3c

SHA256
617905c34b6edb433e8178ac9af436c328e4af0d030fd272e4398dd715565c54

SHA512
d4b4f87b5e351a40773cac182451a6c5a9ea5540b65ca06b4f723869829205b606497815d13be44ebc90dd4ebf58fda6dda7013553b818fa37c4fe62c700269b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77c8c087cdf2249e255c4da482c296ae

SHA1
ae6cc52b589edd0a212bf085da8e0b162ebb7a4b

SHA256
6fa40b0b222984eaaaa8c6eae617e9186210fbba6c660b2b7265e23c71785494

SHA512
bd84f8e5ed1e0f439bdcf4f76549675de6bc2c6567849464fc5b09e4311397aeec5e67c08490e819204274e4f8b49acbfb2556ce69afd16c92fe1049fd2327d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2d81a576741451f7ac2fa900d0a5064

SHA1
a673b1bb765e1d6b72832e7e96833fb323c4fbde

SHA256
33e6f85ba82f3602188864a8fdd25146682fb3962187f7de393e8bfb1660f0f4

SHA512
b0fbf1ee80e41eaf0667db1b09eace7b7bc79c2d52f4160ea7ea5bf7c29aa7a1e331fc9e1f3e22e1bd45f24ba0a1aabd35345a9af50c0653e3b2937ae56cacb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f202e5d2d05fbdfde9103a6839c197e8

SHA1
b4935cf127cbcfda438c3a591c6f1b2b29bd6ab1

SHA256
9b9d3aa715a0701d2a11d0830040caaf0e2bc8bfd737127d0220b77ee431f070

SHA512
2a068aea34e3f69e8592a05142da9323b9eb73cc8a7d5e7054daab72eef503e8e1b507ce4bb0c37dfa64bccb3f17d77469ca28aa9a31442fe3dc6a9ae7a4c923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9287987a27c75d9878009ce93ab9f432

SHA1
7d3b3826e187802372bbeb7bb53d2358188e6811

SHA256
f9cbb4e7eb5fbd7ea11e024a92da075d6f786006ab1d1cc7a9fd368170e35c7c

SHA512
dd66fa9f58a199d443af7280de815bdf2f12aaca8b05e312342adb5782cc928afb867c6e64b5fe89e2f70ca4ada19ddbb44941e0a528d67856c75e0633c28a72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7b36e5a74a71b37cf39698b5e91d5c3

SHA1
2f260a05eb562b5448a13e65ffe634ec44d115d1

SHA256
135beea97f8d980e5c626157df0be14cd95285e34bde964388e8aa143cc2f74b

SHA512
6c95905fb92f312dce8490b6137e630c4af8e650dafc52b7fb01294288fe58321f5a1a3efe9f41ea5efd5fedced189448649a68690e8ea2f5f6aa4e297512e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B4D5DC1-D30F-11EF-AF7A-C23FE47451C3}.dat

Filesize
3KB

MD5
1b3cba05501bb3e112c99a6a6528f91d

SHA1
f0d8fda19e1fe34980aa94ce1f5a2f83dca2aa45

SHA256
8c3d8760ce893930b74c094cd77c39c12edbb6d9fa43d04a7833f932da3bff78

SHA512
7090fdfa1ac16742ff7f57797235c94ba7aea28e5c77b49b4f3450f99f5b0719e8447556f0df208ba22ab71b2d178e96ad87ed5acb8fab64fe50d2ed349f4d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B5944A1-D30F-11EF-AF7A-C23FE47451C3}.dat

Filesize
3KB

MD5
c7cfbf7e196715249070edafb92cb2bf

SHA1
f997cca6921db6a79586355031b5a74a556f709a

SHA256
ffc07eedbf65d3999345aef3f2bb93235a9cde378c91d1280afff531462cff2a

SHA512
b270a304f0a21e4accfb6f2ba0796c1930090ecd46a932998dcc0cbc9a177feb032ad9cac423b03a1b20125e23cc141092fd513bfbb563a1309023aba80d997f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B5944A1-D30F-11EF-AF7A-C23FE47451C3}.dat

Filesize
5KB

MD5
f8885c81f3837a602f4841c035e44bc4

SHA1
dc7ec02f948fa93f1c30919bdfb051af4d5bda49

SHA256
82ec63e72a89d9a95de3a65981c07182d1393981e18ec15417c5e3b4b76ac18b

SHA512
925e974759eca2dcf8967e72146ecaf92e14fd534f4cfe6a292f8601e9e7ae8c6f52bb13d7230702c60e5491317ca3d3592847ed54e6c317e3add05a77a72b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab44A0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar457F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34Srv.exe

Filesize
111KB

MD5
ccc937bcd06f7bfa99abbdf16d4af87b

SHA1
22c08152fa73d1d055919283604fcf4685ba0e9a

SHA256
6841eefc56ca10ac8b40a71b23f471fa4fc36d71f19fb0bbfe548035f9cdab27

SHA512
875e2cdf0d158e00684d6a30b4adebb7f18c6f2918fa2328eddae173193cabe111badb72ce354cec223b409d713356854bf6125103bb06bd0496d9e615095d4b

Download Submit
\Users\Admin\AppData\Local\Temp\3ac11012aae6ee127b637a5cab667fff70d54d7ff31a7beb998e65340e5fba34SrvSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/108-6-0x00000000008C0000-0x00000000010C9000-memory.dmp

Filesize
8.0MB

Download
memory/108-39-0x00000000008C0000-0x00000000010C9000-memory.dmp

Filesize
8.0MB

Download
memory/108-8-0x0000000000140000-0x000000000017D000-memory.dmp

Filesize
244KB

Download
memory/636-18-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/636-7-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/636-10-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/636-19-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2188-30-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2188-35-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2188-36-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2776-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2776-24-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2776-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2908-40-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2908-43-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download