agenda | efb2e91cc711557415c3c4650a314c01e46d0ddc62808032edc9fe4961ad06fa

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2023 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
Size

1.7MB
MD5

a72345f5a627a2c8222f71347a44b013
SHA1

595bf5761ec6eee55fb291cb465736bbbb4bfcf8
SHA256

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800
SHA512

5081c69929c6bd43277f416e942c7d8bb57a45c26089ade5a985ed9ae6a376128ed7dc9cba2618cf918941f7b919db73f1f48cf0c6d30b707927c4a77fbb3482
SSDEEP

24576:SV2LT3INDJRQDj4uFgjR9XKaNIAOgoXeQ7vIKiKyn9cr2Uy9TnFXlDi9uIIg:fLT4NDG4uGlF6AubJyKr2UBuIIg

Score

10^/10

agenda ransomware spyware stealer

Malware Config

Extracted

Family

agenda

Attributes

company_id
feGDg5BHWw
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: feGDg5BHWw Domain: e3v6tjarcltwc4hdkn6fxnpkzq42ul7swf5cfqw6jzvic4577vxsxhid.onion login: _RgxgvCfv_3rQI5oinfr9gj5JS6_AGP7 password:

rsa_privkey.plain

Signatures

Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
ransomware agenda

Drops file in Drivers directory 21 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops startup file 1 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Loads dropped DLL 11 IoCs

Processes:

OfficeClickToRun.exe

pid	process
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe
1204	OfficeClickToRun.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Users\Public\Music\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1420546310-613437930-2990200354-1000\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description ioc process

File opened (read-only) \??\F: 9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened (read-only)	\??\F:	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops file in System32 directory 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\Dism\es-ES\ProvProvider.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-Common-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VMMS-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\downlevel\api-ms-win-core-wow64-l1-1-0.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\mswstr10.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-Package-ua~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnis5t.inf_amd64_c6e181de81a59b54\mdmnis5t.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\th-TH\quickassist.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-WOW64-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnmngr.vbs	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\samcli.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\AboveLockAppHost.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_096c9e42fe4749d2\WSDScan.sys	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\wvmic_ext.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\Windows.UI.Xaml.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\powershell.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\netsh.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsCore-Full-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\ws3cap.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\b57nd60a.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\keyiso.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\perfmon.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VmBus-VirtualDevice-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\c_avc.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzyxlg.inf_amd64_c5ee07feb8dae038\mdmzyxlg.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\wcncsvc.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\Microsoft.Uev.Office2013CustomActions.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\mstscax.mfl	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\adp80xx.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\netrndis.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\comctl32.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\imapi.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.formats.ps1xml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\aclui.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecConfig-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\ntdll.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ks.inf_amd64_9fac168e1cbea90c\ks.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\wstorvsc.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\isoburn.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\slmgr\0409\slmgr.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VMMS-merged-Package~31bf3856ad364e35~amd64~fr-FR~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib120.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Multimedia-RestrictedCodecs-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ServicingStack-Base-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WMIC.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SmbDirect-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\megasas.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ialpss2i_gpio2_glk.inf_amd64_dad1e0a2b185e32b\iaLPSS2i_GPIO2_GLK.sys	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\fixmapi.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\wlansvc.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\GamePanel.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\msdt.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\MSOpusDecoder.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetNat\MSFT_NetNatExternalAddress.cdxml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\agentactivationruntimewindows.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-UX-UI-62-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1288.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Portable-Devices-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\eapphost.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops file in Program Files directory 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-black.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-300.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\ui-strings.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerLargeTile.contrast-white_scale-125.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp5.scale-125.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-40_altform-unplated.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-125.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTile.xml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\ui-strings.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msoshext.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-256_altform-unplated.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\dd_arrow_small.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoBeta.png.DATA	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\LICENSE	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EntityPickerIntl.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\FaceReco_Illustration_Cancel_SM.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailLargeTile.scale-100.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteReplayCrossHairIcon-1.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailBadge.scale-150.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ru-ru\ui-strings.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.json	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-48.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WideTile.scale-100_contrast-white.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square44x44Logo.scale-100.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_ja.jar	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.DataSetExtensions.Resources.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalSplashScreen.scale-200.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-48.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-36_contrast-black.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\ui-strings.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\ui-strings.js	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-80.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_export_18.svg	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-64_altform-unplated.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptySearch.scale-150.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.schema.mfl	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\local_policy.jar	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextService.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-40.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\PackageLogo.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\LargeTile.scale-200.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Mozilla Firefox\d3dcompiler_47.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-150_contrast-black.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\remixCTA_welcome.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main.css	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul.xrm-ms	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48_altform-unplated_devicefamily-colorfulunplated.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-96_contrast-black.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-24_altform-unplated_contrast-white.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNotebookLargeTile.scale-150.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Drops file in Windows directory 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\legacy.web_mediumtrust.config	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..terysaver.resources_31bf3856ad364e35_10.0.19041.1_it-it_df90f2c87d37de19\SettingsHandlers_OneCore_BatterySaver.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\PolicyDefinitions\Securitycenter.admx	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.19041.610_en-us_01143680c911ce1e\Handwriting.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appmanagement-uevpsmof_31bf3856ad364e35_10.0.19041.1288_none_206549b517cacd0b\f\Microsoft.Uev.AgentWmi.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-rdbss.resources_31bf3856ad364e35_10.0.19041.1_de-de_31f7421117e87f45\rdbss.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_10.0.19041.1_it-it_fad1958cfeca4ad7\cscompui.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-predictionunit_31bf3856ad364e35_10.0.19041.264_none_114b639870183cb1\Windows.Internal.PredictionUnit.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1031\CvtResUI.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-b..ment-bootsectortool_31bf3856ad364e35_10.0.19041.1_none_c27f721834e813f5\bootsect.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\INF\iaLPSS2i_GPIO2_CNL.PNF	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_acpi.inf.resources_31bf3856ad364e35_10.0.19041.1_it-it_f64eb577326d78ce\acpi.sys.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_c_image.inf_31bf3856ad364e35_10.0.19041.1_none_544b1663c032846e\c_image.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Cursors\aero_pin_l.cur	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\INF\ESENT\0000\esentprf.ini	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..troller-grouppolicy_31bf3856ad364e35_10.0.19041.1_none_56282c92fafa4fef\ServiceControlManager.admx	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.1288.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-RemoteFX-Graphics-Virtualization-Host-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..managerui.resources_31bf3856ad364e35_10.0.19041.1_en-us_fa586cc4b483c5ac\azroleui.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ipxlatcfg.resources_31bf3856ad364e35_10.0.19041.1_es-es_7c9047c62f13c21b\ipxlatcfg.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-printing-powershell_31bf3856ad364e35_10.0.19041.1_none_023f1303126663c4\MSFT_TcpIpPrinterPort_v1.0.cdxml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\PolicyDefinitions\en-US\tcpip.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-OneCore-Multimedia-MFPMP-WOW64-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-setupapi_31bf3856ad364e35_10.0.19041.1237_none_a9b815907b71fe1a\f\wowreg32.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..codepage-additional_31bf3856ad364e35_10.0.19041.1_none_0b4e711bdf4c1580\C_1146.NLS	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\r\MicrosoftAccount.UserOperations.winmd	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-com-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6cadce5e5ce9544c\COM.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Vpci-VirtualDevice-Gpup-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\main.html	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.BlockedShutdown\pris\Windows.UI.BlockedShutdown.de-DE.pri	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..rding-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_b0f557adb1c2506c\EventForwarding.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fax-common_31bf3856ad364e35_10.0.19041.1_none_c1f5bc6ceffe0e16\FXSCOM.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..uestmonitorbinaries_31bf3856ad364e35_10.0.19041.1_none_ee5c478604dd705b\iisreqs.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.1_none_75cd350cc8b5dbcf\intellisenseListBox.css	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..rationmanagement-ui_31bf3856ad364e35_10.0.19041.746_none_4001164d258177dd\r\wsecedit.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Routing.resources\v4.0_4.0.0.0_ja_31bf3856ad364e35\System.ServiceModel.Routing.resources.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\HyperV-Compute-Host-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd3\ramparser.sys	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\f\Family.Cache.winmd	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.746_none_2b9acc2d69574796\RequestedDownloadsLargeCloudIcon.contrast-black_scale-100.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-EditionSpecific-Professional-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Lxss-Optional-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\headerminimize.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-onecore-c..shandlers.resources_31bf3856ad364e35_10.0.19041.1_en-us_6da3db0fcf018dfb\SettingsHandlers_CapabilityAccess.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-bcp47languages_31bf3856ad364e35_10.0.19041.1266_none_0f3021468c05099e\BCP47mrm.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-stobject.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_7a0def3fa73e2194\stobject.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..andinkinputservices_31bf3856ad364e35_10.0.19041.1_none_d29e3857b870499d\tiptsf.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\ICM.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Presentation-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..oning-wmi.resources_31bf3856ad364e35_10.0.19041.1_en-us_bb9ea2ce6322db8f\mspsprov.mfl	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..u-education-license_31bf3856ad364e35_10.0.19041.1266_none_698b5e99f49a9026\Education-ppdlic.xrm-ms	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-search_31bf3856ad364e35_10.0.19041.746_none_d30a83ff81d13ba6\r\Windows.UI.Search.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-PeerDist-Client-Group-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.mum	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_c_fsundelete.inf.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_dc9b1f48f9d8f27b\c_fsundelete.inf_loc	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-appidcore_31bf3856ad364e35_10.0.19041.1202_none_a391067a6b9b433c\r\AppLockerCSP.dll	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_ko-kr_f780a3426d25fec1\r\msimsg.dll.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_11.0.19041.264_none_34dcc771aa7f6b3b\edgehtml.dll.mun	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.1_none_4a388618f6365227\NarratorUWPSquare44x44Logo.targetsize-40_altform-unplated.png	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-r..ienttools.resources_31bf3856ad364e35_10.0.19041.1_es-es_b78e1c81619701e3\rasphone.exe.mui	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\INF\mdmarn.inf	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\appv.adml	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-chrome-contentview-template.html	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 22 IoCs

Processes:

OfficeClickToRun.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t\|1688653267"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

pid	process
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
1996	9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OfficeClickToRun.exe

pid process

1204 OfficeClickToRun.exe

C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe
"C:\Users\Admin\AppData\Local\Temp\9c9a264f5f1a78753f7f80ee6143d6c8967fa1375821bc09187767756d366800.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1996

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll

Filesize
230KB

MD5
2fc4d42f568c9fee6e069f7ea46d5cc0

SHA1
318429f05909b5d4097c2840d64029bc76d08d0f

SHA256
f0d4d5993e3e236c288ab8534583da7a624b340c0f6160f61ff4e2df4a82d390

SHA512
8e419505b40f55486aaa25ddca9e19c575986ffcd606168dca0ffda25e3affc5e5104185647f5cc277c5f647a6358f0fd35f53ca20bcc208728659eaf43daee9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll

Filesize
672KB

MD5
f5d4c22ced66b4f563c6640068aec6b4

SHA1
33ce26f849b4f981448567c379e6c88031c919e4

SHA256
df7abcdf3da7c974c481c90535cb143d5ba005c2972639c1b0613634dc6f055f

SHA512
97ed0d91c18a4a056f7914dd7899710c9447adde3bbbcc395197dfa297b265e835687ef9d030e850b2b031759448cf9369642bdc67f08c306c0c4aa1d7d9682f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll

Filesize
304KB

MD5
d89cb906c358b2649e15b444a5e0411a

SHA1
93869f7039ae43e04344516234ab9e6a7811307b

SHA256
3ce0887e31ede3772dd5ff44a11fd8bf1611442e88b28605ffe881affc533aa0

SHA512
e4bcbd596b8ae810af9bddfb4b2128af2718e12e886ef9218a6c81638e60dcd69f162997c9771f830fe5248ade961d50a2abbfa2633bd28d90310d30710e23f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll

Filesize
2.2MB

MD5
64fa89fe1bdc88ef8db4cc8c7c8319ec

SHA1
e1aff65c5b65a6a06303d5fe3bb9b8b6cdf5921b

SHA256
863b48351587489dc53337324d2d0602f6df57cc51b39d5713cf4bbec9046621

SHA512
11af835730f761ba86f518bd8d18425287fbb25f49faaa2d82defc84f7794d5684327e84f36b91ef57262828b0989d4a126e75fce30911eecc552c266223658c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll

Filesize
486KB

MD5
c9dab12378f3f914ed34c23494ce74c0

SHA1
69c14443b2ebb2f1e726243288aab1d12b97db37

SHA256
18c514f88f60310f3cf25cda77924a01e0a36d14a0e9762756648c2c648ce705

SHA512
150fc79994d2af3fa38d61d875220c1baa3c24364423ee670718bd149be1129c52b30296bba44394eac8cbc587c065f04aa527522ef5c605f7221439fb7c7ca9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll

Filesize
210KB

MD5
761277d21e3a31948012fef82b42f022

SHA1
08f7b27e33dd2d3cdfd54c283cdd22994a53402b

SHA256
6e1fec70fc0013137957242159edf04eafdb3c14d8a6f1ee2204d451114a19be

SHA512
0401fa3425ac8b472f9f42166e70906cc531c94782f2b0338281f983a5ad6f6fd6817b26fe59e841be25aacbfca0df88f672db5a4e17fa9e99d281d912db2d8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll

Filesize
1.5MB

MD5
cd68777721d728fe1f0417afd2a7b8fa

SHA1
2b245556966182e297eca0a53e1af9f732182272

SHA256
62023fd2449f16654306b645c1617aeb84c913778ce128fa1c90840dd230361e

SHA512
93a500ee36496211d108d950d5b2877010d1544528fac16abc64a5798f535093a7a78f209b848527e6f559a6b4bd29317a4aa4afbac0be609afb946789a35e66

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll

Filesize
600KB

MD5
ccc94602a6a71b59771ef2c321fe7bcd

SHA1
72fa3ce5942e46a3ddff792a6a9c95bcd9575646

SHA256
ef9d1539107155cf0fabe420790cb58d36fe562a5e2255ce472266669fc4bf98

SHA512
a731734703e12260a6fa37b4c0ec37d8afd0d97538c3383b59a9c15b6e44e6876babc3dba34e2bfc691b7f349632b6daeaaa97f388af7d5e57aa1fe17b781e31

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll

Filesize
1.2MB

MD5
c7f5af65598cf219f1f7544f895edd4c

SHA1
82f2decf1eb8a3c3dd015194f02e07abe651959f

SHA256
d872c5c1b312f4b257cad8c1f77c7e3b1ed090611e7186438f0b0ca6db6638d0

SHA512
8fb9378b798ec099079a23ccb7c2ec29ca0d87e6864ecf020fa5e300bc0bd9425f13a466c677818ee38fe560ceb493aff33fa831c6af03fac1566deb07535829

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll

Filesize
952KB

MD5
25297efc3bf8d2cb34972e49f033fa0a

SHA1
291881891e917c780fc00b22021e5c391b060dfe

SHA256
1ed32eb18896bd5fb1f6281eb875ce21dfa9ea20ffaa7e6c3b94eeb23f13aedd

SHA512
2ebb012a8973913c4b849988884372550bc1e7c5dd3af01ac01feab49dca40227e653876fce6b13a2c364c04931d5c6bfe88ef23e7065d22279779605954d2dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll

Filesize
1.2MB

MD5
77055f17bb0ddb795ef3a63ca0039bac

SHA1
433d647221c9bb54c3c76be44eed0c6a67b0a0de

SHA256
20f7fa3c8ab200d87ffa9f58c2700ab393893291338090ec900b6111ca561040

SHA512
5aab26f303672c3d745c303ea54ed5891529a0cc5860a4fb8fbb33abc2559ac064c44ea1a943301bd399f2616dd1e15d358474b1089d1cb11eb046d88d9d8d04

Download Submit
memory/1996-145-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download
memory/1996-144-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download
memory/1996-147-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download
memory/1996-148-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download
memory/1996-149-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download
memory/1996-150-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download
memory/1996-151-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download
memory/1996-152-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download
memory/1996-153-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download
memory/1996-154-0x0000000000050000-0x000000000020E000-memory.dmp

Filesize
1.7MB

Download