agenda | 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2023 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01764099.exe
Size

1.7MB
MD5

a72345f5a627a2c8222f71347a44b013
SHA1

595bf5761ec6eee55fb291cb465736bbbb4bfcf8
SHA256

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800
SHA512

5081c69929c6bd43277f416e942c7d8bb57a45c26089ade5a985ed9ae6a376128ed7dc9cba2618cf918941f7b919db73f1f48cf0c6d30b707927c4a77fbb3482
SSDEEP

24576:SV2LT3INDJRQDj4uFgjR9XKaNIAOgoXeQ7vIKiKyn9cr2Uy9TnFXlDi9uIIg:fLT4NDG4uGlF6AubJyKr2UBuIIg

Score

10^/10

agenda ransomware spyware stealer

Malware Config

Extracted

Family

agenda

Attributes

company_id
feGDg5BHWw
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: feGDg5BHWw Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 password:

rsa_privkey.plain

Signatures

Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
ransomware agenda

Drops file in Drivers directory 21 IoCs

Processes:

01764099.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	01764099.exe

Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

01764099.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\GrantOptimize.tiff 01764099.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\GrantOptimize.tiff	01764099.exe

Drops startup file 1 IoCs

Processes:

01764099.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	01764099.exe

Loads dropped DLL 12 IoCs

Processes:

OfficeClickToRun.exeOfficeClickToRun.exe

pid	process
3152	OfficeClickToRun.exe
3152	OfficeClickToRun.exe
3152	OfficeClickToRun.exe
3152	OfficeClickToRun.exe
3152	OfficeClickToRun.exe
3152	OfficeClickToRun.exe
3152	OfficeClickToRun.exe
220	OfficeClickToRun.exe
220	OfficeClickToRun.exe
220	OfficeClickToRun.exe
220	OfficeClickToRun.exe
220	OfficeClickToRun.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

01764099.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	01764099.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	01764099.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	01764099.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	01764099.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	01764099.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	01764099.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	01764099.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	01764099.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	01764099.exe
File opened for modification	C:\Windows\Media\Desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	01764099.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	01764099.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	01764099.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	01764099.exe
File opened for modification	C:\Program Files\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	01764099.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	01764099.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	01764099.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	01764099.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	01764099.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	01764099.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	01764099.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	01764099.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	01764099.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	01764099.exe
File opened for modification	C:\Users\Public\desktop.ini	01764099.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	01764099.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	01764099.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	01764099.exe

Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

01764099.exe

description ioc process

File opened for modification C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf 01764099.exe

description	ioc	process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	01764099.exe

Drops file in System32 directory 64 IoCs

Processes:

01764099.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wtsapi32.dll	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-IsolatedVm-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Streaming-WOW64-merged-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netmscli.inf_loc	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_399f04975a0af112\breecemc.sys	01764099.exe
File opened for modification	C:\Windows\SysWOW64\useractivitybroker.dll	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netl160a.inf_loc	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\netvwwanmp.inf_loc	01764099.exe
File opened for modification	C:\Windows\SysWOW64\ETWCoreUIComponentsResources.dll	01764099.exe
File opened for modification	C:\Windows\SysWOW64\imageres.dll	01764099.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\GamePanel.exe.mui	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PAW-Feature-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\net8192se64.inf_loc	01764099.exe
File opened for modification	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-DynamicMemory-VirtualDevice-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\SysWOW64\en-US\regedit.exe.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Media.dll	01764099.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\sendmail.dll.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\UserDeviceRegistration.Ngc.dll.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\fontext.dll.mui	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmChipset-Package~31bf3856ad364e35~amd64~~10.0.19041.153.cat	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\SysWOW64\CoreShellAPI.dll	01764099.exe
File opened for modification	C:\Windows\SysWOW64\fontext.dll	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Opt-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\SysWOW64\downlevel\api-ms-win-service-core-l1-1-1.dll	01764099.exe
File opened for modification	C:\Windows\SysWOW64\ru-RU\quickassist.exe.mui	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingTransmitter-Media-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectoryServices-ADAM-Tools-Opt-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Host-Guardian-Deployment-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\SysWOW64\sechost.dll	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\iaLPSS2i_I2C_BXT_P.inf_loc	01764099.exe
File opened for modification	C:\Windows\SysWOW64\en-US\winver.exe.mui	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Package-ua~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SearchEngine-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\SysWOW64\uReFSv1.dll	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\EhStorPwdDrv.inf_loc	01764099.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\sysdm.cpl.mui	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-ApplicationGuard-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.867.cat	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1151.cat	01764099.exe
File opened for modification	C:\Windows\SysWOW64\Dism\fr-FR\ProvProvider.dll.mui	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_media.inf_amd64_2dec3adbda5f7bb6\c_media.inf	01764099.exe
File opened for modification	C:\Windows\SysWOW64\wmidcom.dll	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\SysWOW64\WABSyncProvider.dll	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DirectPlay-OC-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\msmouse.inf_loc	01764099.exe
File opened for modification	C:\Windows\SysWOW64\ExplorerFrame.dll	01764099.exe
File opened for modification	C:\Windows\SysWOW64\msdtcuiu.dll	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\wvmgid.inf_loc	01764099.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\WLanConn.dll.mui	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\c_fsundelete.inf_loc	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\c_volume.inf_loc	01764099.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\storagewmi_passthru.mfl	01764099.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\WmiApRpl.dll.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\en-US\mmcshext.dll.mui	01764099.exe
File opened for modification	C:\Windows\SysWOW64\locale.nls	01764099.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetworkTransition\MSFT_NetDnsTransitionMonitoring.format.ps1xml	01764099.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package01~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_fscfsmetadataserver.inf_loc	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cht4sx64.inf_amd64_3a69b9b79f49eb50\cht4sx64.inf	01764099.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_86cdf3e1f512cca1\usbprint.sys	01764099.exe

Drops file in Program Files directory 64 IoCs

Processes:

01764099.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\EXPSRV.DLL	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Undo.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxManifest.xml	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-100.png	01764099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\ui-strings.js	01764099.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_ja_4.4.0.v20140623020002.jar	01764099.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.XLA	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-multibyte-l1-1-0.dll	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\LargeTile.scale-125.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionSmallTile.scale-125.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-300.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\Images\DefaultProfileImage.png	01764099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\example_icons2x.png	01764099.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll	01764099.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-black.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40.png	01764099.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ppd.xrm-ms	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.scale-100_contrast-white.png	01764099.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\MSFT_PackageManagement.psm1	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\InsiderHubAppList.scale-100.png	01764099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYML.TTF	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageSmallTile.scale-200.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\AppIcon.targetsize-16_altform-unplated_contrast-black.png	01764099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\circle_2x.png	01764099.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	01764099.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSmallTile.scale-100.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookLargeTile.scale-125.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-32_contrast-white.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_altform-unplated.png	01764099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\download-btn.png	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXEV.DLL	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailBadge.scale-400.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\thumb_stats_render_smallest.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\ScreenSketchAppService.dll	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated.png	01764099.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui	01764099.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	01764099.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfxwebkit.dll	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\skype-to-phones-small.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated_contrast-white.png	01764099.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\main.css	01764099.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	01764099.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-125.png	01764099.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png	01764099.exe

Drops file in Windows directory 64 IoCs

Processes:

01764099.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\amd64_c_smrvolume.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_87094f2dfd01489b\c_smrvolume.inf_loc	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..ngshellapp.appxmain_31bf3856ad364e35_10.0.19041.746_none_0b4ed891dd9ccbc8\Splashscreen.scale-200_contrast-white.png	01764099.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\SqlPersistenceProviderLogic.sql	01764099.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\Speech.adml	01764099.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\VolumeEncryption.adml	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..usmanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_b876154f2b470a32\DeviceDisplayStatusManager.dll.mui	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Vpci-VirtualDevice-DDA-Package~31bf3856ad364e35~amd64~~10.0.19041.1110.cat	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\Multimedia-RestrictedCodecsCore-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.mum	01764099.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\MediumTile.scale-200.png	01764099.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Data.Entity.Build.Tasks.resources\v4.0_4.0.0.0_fr_b03f5f7f11d50a3a\Microsoft.Data.Entity.Build.Tasks.resources.dll	01764099.exe
File opened for modification	C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorUWPSquare44x44Logo.targetsize-80_altform-unplated_contrast-black.png	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobekeyboard-main.html	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..henabledapplication_31bf3856ad364e35_10.0.19041.746_none_47ba8771f946a14e\Windows.Networking.Sockets.PushEnabledApplication.dll	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..esslockapp.appxmain_31bf3856ad364e35_10.0.19041.844_none_15e5bfcd83a1911a\r\AssignedAccessLockApp.winmd	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-directshow-other_31bf3856ad364e35_10.0.19041.746_none_eb4ad2c63f89d4d8\mciqtz32.dll	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mfplay_31bf3856ad364e35_10.0.19041.746_none_d4a37191b245160c\r\MFPlay.dll	01764099.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml	01764099.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\cortana.js	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_rhproxy.inf_31bf3856ad364e35_10.0.19041.1_none_bf23bc1290f4573d\rhproxy.sys	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dhcpcmonitor.resources_31bf3856ad364e35_10.0.19041.1_en-us_53fd1d316bd1264a\dhcpcmonitor.dll.mui	01764099.exe
File opened for modification	C:\Windows\Speech\Engines\SR\en-US\tn1033.bin	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..erecovery.resources_31bf3856ad364e35_10.0.19041.1_en-us_800b95e199a379c1\cofire.exe.mui	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ll-broker.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_7ffad8eca631cd75\windows.internal.shell.broker.dll.mui	01764099.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Drawing.Resources.dll	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-c..orization.resources_31bf3856ad364e35_10.0.19041.1_it-it_c9efb6a822d6d50f\capauthz.dll.mui	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-vmbusvdev_31bf3856ad364e35_10.0.19041.928_none_ac1cf51d1258824d\vmbusvdev.dll	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..riverclassextension_31bf3856ad364e35_10.0.19041.746_none_f08256e7fcc2cff6\r\SensorsClassExtension.dll	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	01764099.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.Shell\Images\LocationIcon.contrast-white_scale-150.png	01764099.exe
File opened for modification	C:\Windows\servicing\InboxFodMetadataCache\metadata\Windows.Client.ShellComponents~~1.0.mum	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PhotoBasic-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	01764099.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\PhishSiteStyles.css	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_miradisp.inf_31bf3856ad364e35_10.0.19041.1_none_9855bc0311d2883a\MiraDisp.dll	01764099.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config.comments	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_mdmatm2k.inf_31bf3856ad364e35_10.0.19041.1_none_80f709aaa78352fa\mdmatm2k.inf	01764099.exe
File opened for modification	C:\Windows\SoftwareDistribution\EventCache.v2\{9C5A8E49-A660-4854-8479-9440F18C6097}.bin	01764099.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\pris\resources.he-IL.pri	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..e-apphelp.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6adf8922ee7e82c2\Apphlpdm.dll.mui	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Vpci-VirtualDevice-FlexIo-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.928.mum	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-VirtualizationBasedSecurity-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1288.mum	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.mum	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-f..tory-core.resources_31bf3856ad364e35_10.0.19041.1_es-es_ae8e628c60021eb5\fhcleanup.dll.mui	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dlna-dmrserver_31bf3856ad364e35_10.0.19041.1266_none_4ba603e64f357841\r\DMRServer.dll	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..iewer-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_8bd28239fd50110c\EventViewer.adml	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..riseclientsync-host_31bf3856ad364e35_10.0.19041.1202_none_42d3a7d52bcb0f8d\r\WorkFolders.exe	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_bth.inf.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e7cbf1419145fa8\bthenum.sys.mui	01764099.exe
File opened for modification	C:\Windows\rescache\_merged\1973483750\709512593.pri	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-tetheringservice_31bf3856ad364e35_10.0.19041.1_none_43a1294286598aee\tetheringclient.dll	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..gement-winproviders_31bf3856ad364e35_10.0.19041.153_none_9539283603c64592\r\ProvProvider.dll	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..cyscripts.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_70a156949cc5903e\iisext.ini	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.1_none_d0af17ec366548f3\TileSmall.contrast-black_scale-100.png	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dafupnp_31bf3856ad364e35_10.0.19041.746_none_9ff4160625a200df\f\dafupnp.dll	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Enterprise-Desktop-Shared-WOW64-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-WordPad-FoD-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_acpipmi.inf_31bf3856ad364e35_10.0.19041.1_none_f459aca972a706de\acpipmi.inf	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-cdosys.resources_31bf3856ad364e35_10.0.19041.1_hu-hu_002f2b9a38a666a2\cdosys.dll.mui	01764099.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\fr\SqlPersistenceProviderSchema.sql	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..olsclient.appxsetup_31bf3856ad364e35_10.0.19041.1023_none_fe9996dc5d311970\AppxBlockMap.xml	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appsdiagnostic_31bf3856ad364e35_10.0.19041.1_none_909aa2855af297d4\RS_WSReset.ps1	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..osoftedge.resources_31bf3856ad364e35_10.0.19041.1_de-de_fa3317ce4cfa58b0\needhvsi.html	01764099.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..daptercim.resources_31bf3856ad364e35_10.0.19041.1_it-it_42a17673f6635e4e\NetAdapterCim.dll.mui	01764099.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll	01764099.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 52 IoCs

Processes:

OfficeClickToRun.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,41484365,39965824,7153487,17110988,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

01764099.exe

pid	process
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe
1312	01764099.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OfficeClickToRun.exeOfficeClickToRun.exe

pid process

3152 OfficeClickToRun.exe
220 OfficeClickToRun.exe

C:\Users\Admin\AppData\Local\Temp\01764099.exe
"C:\Users\Admin\AppData\Local\Temp\01764099.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll
Filesize
230KB

MD5
2fc4d42f568c9fee6e069f7ea46d5cc0

SHA1
318429f05909b5d4097c2840d64029bc76d08d0f

SHA256
f0d4d5993e3e236c288ab8534583da7a624b340c0f6160f61ff4e2df4a82d390

SHA512
8e419505b40f55486aaa25ddca9e19c575986ffcd606168dca0ffda25e3affc5e5104185647f5cc277c5f647a6358f0fd35f53ca20bcc208728659eaf43daee9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll
Filesize
230KB

MD5
2fc4d42f568c9fee6e069f7ea46d5cc0

SHA1
318429f05909b5d4097c2840d64029bc76d08d0f

SHA256
f0d4d5993e3e236c288ab8534583da7a624b340c0f6160f61ff4e2df4a82d390

SHA512
8e419505b40f55486aaa25ddca9e19c575986ffcd606168dca0ffda25e3affc5e5104185647f5cc277c5f647a6358f0fd35f53ca20bcc208728659eaf43daee9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll
Filesize
672KB

MD5
f5d4c22ced66b4f563c6640068aec6b4

SHA1
33ce26f849b4f981448567c379e6c88031c919e4

SHA256
df7abcdf3da7c974c481c90535cb143d5ba005c2972639c1b0613634dc6f055f

SHA512
97ed0d91c18a4a056f7914dd7899710c9447adde3bbbcc395197dfa297b265e835687ef9d030e850b2b031759448cf9369642bdc67f08c306c0c4aa1d7d9682f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll
Filesize
304KB

MD5
d89cb906c358b2649e15b444a5e0411a

SHA1
93869f7039ae43e04344516234ab9e6a7811307b

SHA256
3ce0887e31ede3772dd5ff44a11fd8bf1611442e88b28605ffe881affc533aa0

SHA512
e4bcbd596b8ae810af9bddfb4b2128af2718e12e886ef9218a6c81638e60dcd69f162997c9771f830fe5248ade961d50a2abbfa2633bd28d90310d30710e23f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll
Filesize
2.2MB

MD5
64fa89fe1bdc88ef8db4cc8c7c8319ec

SHA1
e1aff65c5b65a6a06303d5fe3bb9b8b6cdf5921b

SHA256
863b48351587489dc53337324d2d0602f6df57cc51b39d5713cf4bbec9046621

SHA512
11af835730f761ba86f518bd8d18425287fbb25f49faaa2d82defc84f7794d5684327e84f36b91ef57262828b0989d4a126e75fce30911eecc552c266223658c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll
Filesize
486KB

MD5
c9dab12378f3f914ed34c23494ce74c0

SHA1
69c14443b2ebb2f1e726243288aab1d12b97db37

SHA256
18c514f88f60310f3cf25cda77924a01e0a36d14a0e9762756648c2c648ce705

SHA512
150fc79994d2af3fa38d61d875220c1baa3c24364423ee670718bd149be1129c52b30296bba44394eac8cbc587c065f04aa527522ef5c605f7221439fb7c7ca9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll
Filesize
486KB

MD5
c9dab12378f3f914ed34c23494ce74c0

SHA1
69c14443b2ebb2f1e726243288aab1d12b97db37

SHA256
18c514f88f60310f3cf25cda77924a01e0a36d14a0e9762756648c2c648ce705

SHA512
150fc79994d2af3fa38d61d875220c1baa3c24364423ee670718bd149be1129c52b30296bba44394eac8cbc587c065f04aa527522ef5c605f7221439fb7c7ca9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll
Filesize
210KB

MD5
761277d21e3a31948012fef82b42f022

SHA1
08f7b27e33dd2d3cdfd54c283cdd22994a53402b

SHA256
6e1fec70fc0013137957242159edf04eafdb3c14d8a6f1ee2204d451114a19be

SHA512
0401fa3425ac8b472f9f42166e70906cc531c94782f2b0338281f983a5ad6f6fd6817b26fe59e841be25aacbfca0df88f672db5a4e17fa9e99d281d912db2d8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll
Filesize
1.5MB

MD5
cd68777721d728fe1f0417afd2a7b8fa

SHA1
2b245556966182e297eca0a53e1af9f732182272

SHA256
62023fd2449f16654306b645c1617aeb84c913778ce128fa1c90840dd230361e

SHA512
93a500ee36496211d108d950d5b2877010d1544528fac16abc64a5798f535093a7a78f209b848527e6f559a6b4bd29317a4aa4afbac0be609afb946789a35e66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll
Filesize
1.2MB

MD5
77055f17bb0ddb795ef3a63ca0039bac

SHA1
433d647221c9bb54c3c76be44eed0c6a67b0a0de

SHA256
20f7fa3c8ab200d87ffa9f58c2700ab393893291338090ec900b6111ca561040

SHA512
5aab26f303672c3d745c303ea54ed5891529a0cc5860a4fb8fbb33abc2559ac064c44ea1a943301bd399f2616dd1e15d358474b1089d1cb11eb046d88d9d8d04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll
Filesize
1.7MB

MD5
696a91a6131e4b65613447be1819f060

SHA1
abc6ba263dfdddbbf145eccd81cf532fa62aebcb

SHA256
fa0178a7e38881f44890bee67da131f6aadd4361e7610ea66d27fb79bc90783b

SHA512
52622297054224cb9a882db26b06056d29fd6af0652e1fa2626313085562c19b456f4d392181e2fdb9638add3d00a1c77a86b8c46033d819a1b13b6a84c8f558

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll
Filesize
644KB

MD5
8c8d1140787da60a343dd11c1cdf4992

SHA1
a05114d3f8ff9d4b286668b31d47d85bf0fac434

SHA256
6aa1ece9dd340d05aec43248592a78b70d21959de8727f506d21a3a962348583

SHA512
79eeb1c69687cda2b92d9f57c6cd65dd959e6ace7f21d5783b8957c07f023d8250a249018a2d158b20654fcfd40cbe73a8aa1304d9310d0cb65d45d721fc08ba

Download Submit
memory/1312-145-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-146-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-147-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-148-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-149-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-150-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-151-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-152-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-153-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-154-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-155-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-156-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-157-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-158-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download
memory/1312-159-0x0000000000570000-0x000000000072E000-memory.dmp

Filesize
1.7MB

Download