Analysis

Max time kernel: 183s
Max time network: 183s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-11-2022 19:13

Static task: static1

Behavioral task: behavioral1
Sample: f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
Resource: win10v2004-20220812-en
General

Target: f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
Size: 66KB
MD5: 582b1b120cb451dd3473116f6f7fc5b0
SHA1: f46b118610d6f0aa91f06512e117048032bb94ca
SHA256: f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38
SHA512: 4003dae9a7c30c2044fce07d0b5607b396b4a6a21c184fb2a1a8697886fbc988dc0aa79f3cd2939e7855ad32e36ec4fb314c641729b0226b4c5d153472482151
SSDEEP: 1536:sr+Fum5LMI+WTJjcXnXMcpm/zOxJXKJwa:sr+Fu2II+HXXMcI/AKJd
Malware Config
Signatures
Drops file in Drivers directory (6 IoCs)
Processes: winlogon.exe, winlogon.exe, winlogon.exe, f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
Description | IoC | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
File opened for modification | C:\Windows\SysWOW64\drivers\winlogon.exe | winlogon.exe
File created | C:\Windows\SysWOW64\drivers\Msvbvm60.dll | winlogon.exe
Executes dropped EXE (4 IoCs)
Processes: winlogon.exe, AE 0124 BE.exe, winlogon.exe, winlogon.exe
PID | Process
560 | winlogon.exe
4288 | AE 0124 BE.exe
4364 | winlogon.exe
236 | winlogon.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: AE 0124 BE.exe, f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe, winlogon.exe
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | AE 0124 BE.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | winlogon.exe
Loads dropped DLL (3 IoCs)
Processes: AE 0124 BE.exe, winlogon.exe, winlogon.exe
PID | Process
4288 | AE 0124 BE.exe
4364 | winlogon.exe
236 | winlogon.exe
Drops desktop.ini file(s) (24 IoCs)
Processes: AE 0124 BE.exe
Drops autorun.inf file (1 TTP, 25 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: winlogon.exe, AE 0124 BE.exe
Drops file in System32 directory (1 IoC)
Processes: AE 0124 BE.exe
Description | IoC | Process
File opened for modification | C:\Windows\SysWOW64\regedit.exe | AE 0124 BE.exe
Drops file in Windows directory (64 IoCs)
Processes: AE 0124 BE.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
Modifies registry class (4 IoCs)
Processes: winlogon.exe, AE 0124 BE.exe, f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
Description | IoC | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | AE 0124 BE.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
PID | Process
5060 | iexplore.exe
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe, iexplore.exe, winlogon.exe, IEXPLORE.EXE, AE 0124 BE.exe, winlogon.exe, winlogon.exe
PID | Process
4412 | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
5060 | iexplore.exe
5060 | iexplore.exe
560 | winlogon.exe
4928 | IEXPLORE.EXE
4928 | IEXPLORE.EXE
4288 | AE 0124 BE.exe
4364 | winlogon.exe
236 | winlogon.exe
4928 | IEXPLORE.EXE
4928 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe, iexplore.exe, winlogon.exe, AE 0124 BE.exe
Description | PID | Process | Target process
PID 4412 wrote to memory of 5060 | 4412 | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe | iexplore.exe
PID 4412 wrote to memory of 5060 | 4412 | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe | iexplore.exe
PID 5060 wrote to memory of 4928 | 5060 | iexplore.exe | IEXPLORE.EXE
PID 5060 wrote to memory of 4928 | 5060 | iexplore.exe | IEXPLORE.EXE
PID 5060 wrote to memory of 4928 | 5060 | iexplore.exe | IEXPLORE.EXE
PID 4412 wrote to memory of 560 | 4412 | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe | winlogon.exe
PID 4412 wrote to memory of 560 | 4412 | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe | winlogon.exe
PID 4412 wrote to memory of 560 | 4412 | f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe | winlogon.exe
PID 560 wrote to memory of 4288 | 560 | winlogon.exe | AE 0124 BE.exe
PID 560 wrote to memory of 4288 | 560 | winlogon.exe | AE 0124 BE.exe
PID 560 wrote to memory of 4288 | 560 | winlogon.exe | AE 0124 BE.exe
PID 560 wrote to memory of 4364 | 560 | winlogon.exe | winlogon.exe
PID 560 wrote to memory of 4364 | 560 | winlogon.exe | winlogon.exe
PID 560 wrote to memory of 4364 | 560 | winlogon.exe | winlogon.exe
PID 4288 wrote to memory of 236 | 4288 | AE 0124 BE.exe | winlogon.exe
PID 4288 wrote to memory of 236 | 4288 | AE 0124 BE.exe | winlogon.exe
PID 4288 wrote to memory of 236 | 4288 | AE 0124 BE.exe | winlogon.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f07321d518899920642ef12d783f600093e461afcc11c37413d3046cb53f1e38.exe"
- Drops file in Drivers directory
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4412

  [depth 2] C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 5060

    [depth 3] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5060 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 4928

  [depth 2] C:\Windows\SysWOW64\drivers\winlogon.exe
  Command line: "C:\Windows\System32\drivers\winlogon.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks computer location settings
  - Drops autorun.inf file
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 560

    [depth 3] C:\Windows\AE 0124 BE.exe
    Command line: "C:\Windows\AE 0124 BE.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4288

      [depth 4] C:\Windows\SysWOW64\drivers\winlogon.exe
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      PID: 236

    [depth 3] C:\Windows\SysWOW64\drivers\winlogon.exe
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID: 4364
Network
MITRE ATT&CK Enterprise v6
Downloads