6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70

Resubmissions

27-07-2023 11:12

230727-nbajbsec22 10

27-07-2023 08:08

230727-j1rfxscg7s 10

Analysis

max time kernel
270s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2023 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
Size

1.8MB
MD5

247a8cc39384e93d258360a11381000f
SHA1

23893f035f8564dfea5030b9fdd54120d96072bb
SHA256

6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
SHA512

336eca9569c0072e92ce16743f47ba9d6be06390a196f8e81654d6a42642ff5c99e423bfed00a8396bb0b037d5b54df8c3bde53757646e7e1a204f3be271c998
SSDEEP

24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 28 IoCs

Processes:

Autoit3.execmd.exe

description	pid	process	target process
PID 924 created 3624	924	Autoit3.exe	StartMenuExperienceHost.exe
PID 924 created 3532	924	Autoit3.exe	DllHost.exe
PID 924 created 2352	924	Autoit3.exe	svchost.exe
PID 924 created 2340	924	Autoit3.exe	sihost.exe
PID 924 created 3148	924	Autoit3.exe	backgroundTaskHost.exe
PID 924 created 2452	924	Autoit3.exe	taskhostw.exe
PID 924 created 4344	924	Autoit3.exe	msiexec.exe
PID 924 created 3532	924	Autoit3.exe	DllHost.exe
PID 924 created 2452	924	Autoit3.exe	taskhostw.exe
PID 924 created 2352	924	Autoit3.exe	svchost.exe
PID 924 created 3148	924	Autoit3.exe	backgroundTaskHost.exe
PID 924 created 2340	924	Autoit3.exe	sihost.exe
PID 924 created 3796	924	Autoit3.exe	SearchApp.exe
PID 924 created 2352	924	Autoit3.exe	svchost.exe
PID 924 created 2352	924	Autoit3.exe	svchost.exe
PID 924 created 2452	924	Autoit3.exe	taskhostw.exe
PID 924 created 2452	924	Autoit3.exe	taskhostw.exe
PID 924 created 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 created 3624	924	Autoit3.exe	StartMenuExperienceHost.exe
PID 924 created 3624	924	Autoit3.exe	StartMenuExperienceHost.exe
PID 924 created 3532	924	Autoit3.exe	DllHost.exe
PID 924 created 3796	924	Autoit3.exe	SearchApp.exe
PID 924 created 4812	924	Autoit3.exe	TextInputHost.exe
PID 924 created 4812	924	Autoit3.exe	TextInputHost.exe
PID 924 created 3148	924	Autoit3.exe	backgroundTaskHost.exe
PID 924 created 3532	924	Autoit3.exe	DllHost.exe
PID 924 created 3532	924	Autoit3.exe	DllHost.exe
PID 5444 created 2452	5444	cmd.exe	taskhostw.exe

Blocklisted process makes network request 60 IoCs

Processes:

cmd.exe

flow	pid	process
71	5444	cmd.exe
72	5444	cmd.exe
73	5444	cmd.exe
75	5444	cmd.exe
76	5444	cmd.exe
77	5444	cmd.exe
81	5444	cmd.exe
82	5444	cmd.exe
83	5444	cmd.exe
84	5444	cmd.exe
91	5444	cmd.exe
94	5444	cmd.exe
95	5444	cmd.exe
96	5444	cmd.exe
97	5444	cmd.exe
98	5444	cmd.exe
99	5444	cmd.exe
100	5444	cmd.exe
101	5444	cmd.exe
102	5444	cmd.exe
103	5444	cmd.exe
104	5444	cmd.exe
105	5444	cmd.exe
106	5444	cmd.exe
107	5444	cmd.exe
108	5444	cmd.exe
109	5444	cmd.exe
110	5444	cmd.exe
111	5444	cmd.exe
112	5444	cmd.exe
113	5444	cmd.exe
114	5444	cmd.exe
115	5444	cmd.exe
116	5444	cmd.exe
117	5444	cmd.exe
118	5444	cmd.exe
119	5444	cmd.exe
120	5444	cmd.exe
121	5444	cmd.exe
122	5444	cmd.exe
123	5444	cmd.exe
124	5444	cmd.exe
125	5444	cmd.exe
126	5444	cmd.exe
127	5444	cmd.exe
128	5444	cmd.exe
129	5444	cmd.exe
130	5444	cmd.exe
131	5444	cmd.exe
132	5444	cmd.exe
133	5444	cmd.exe
134	5444	cmd.exe
135	5444	cmd.exe
136	5444	cmd.exe
137	5444	cmd.exe
138	5444	cmd.exe
139	5444	cmd.exe
140	5444	cmd.exe
141	5444	cmd.exe
142	5444	cmd.exe

Drops startup file 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abfgcag.lnk cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Autoit3.exe

pid process

924 Autoit3.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

2636 MsiExec.exe
2636 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

1672 ICACLS.EXE
5556 ICACLS.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abfgcag.lnk	cmd.exe

pid	process
924	Autoit3.exe

pid	process
2636	MsiExec.exe
2636	MsiExec.exe

pid	process
1672	ICACLS.EXE
5556	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2767A0BC-6CA3-4B8D-A6C0-A076D6FB71B9}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Autoit3.exe

description pid process target process

PID 924 set thread context of 5444 924 Autoit3.exe cmd.exe

description	pid	process	target process
PID 924 set thread context of 5444	924	Autoit3.exe	cmd.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI5119.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e584f92.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e584f92.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{229FD164-E132-4ADB-8998-1DB40BF25484}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9537.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9548.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006505a1dc8b744c210000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006505a1dc0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809006505a1dc000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809196505a1dc000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006505a1dc00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exeAutoit3.execmd.exejusched.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jusched.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jusched.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeAutoit3.execmd.exejusched.exe

pid	process
4016	msiexec.exe
4016	msiexec.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
924	Autoit3.exe
5444	cmd.exe
5444	cmd.exe
5444	cmd.exe
5444	cmd.exe
6036	jusched.exe
6036	jusched.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

cmd.exe

pid process

5444 cmd.exe

pid	process
5444	cmd.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	4344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4344	msiexec.exe
Token: SeSecurityPrivilege	4016	msiexec.exe
Token: SeCreateTokenPrivilege	4344	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4344	msiexec.exe
Token: SeLockMemoryPrivilege	4344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4344	msiexec.exe
Token: SeMachineAccountPrivilege	4344	msiexec.exe
Token: SeTcbPrivilege	4344	msiexec.exe
Token: SeSecurityPrivilege	4344	msiexec.exe
Token: SeTakeOwnershipPrivilege	4344	msiexec.exe
Token: SeLoadDriverPrivilege	4344	msiexec.exe
Token: SeSystemProfilePrivilege	4344	msiexec.exe
Token: SeSystemtimePrivilege	4344	msiexec.exe
Token: SeProfSingleProcessPrivilege	4344	msiexec.exe
Token: SeIncBasePriorityPrivilege	4344	msiexec.exe
Token: SeCreatePagefilePrivilege	4344	msiexec.exe
Token: SeCreatePermanentPrivilege	4344	msiexec.exe
Token: SeBackupPrivilege	4344	msiexec.exe
Token: SeRestorePrivilege	4344	msiexec.exe
Token: SeShutdownPrivilege	4344	msiexec.exe
Token: SeDebugPrivilege	4344	msiexec.exe
Token: SeAuditPrivilege	4344	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4344	msiexec.exe
Token: SeChangeNotifyPrivilege	4344	msiexec.exe
Token: SeRemoteShutdownPrivilege	4344	msiexec.exe
Token: SeUndockPrivilege	4344	msiexec.exe
Token: SeSyncAgentPrivilege	4344	msiexec.exe
Token: SeEnableDelegationPrivilege	4344	msiexec.exe
Token: SeManageVolumePrivilege	4344	msiexec.exe
Token: SeImpersonatePrivilege	4344	msiexec.exe
Token: SeCreateGlobalPrivilege	4344	msiexec.exe
Token: SeBackupPrivilege	3744	vssvc.exe
Token: SeRestorePrivilege	3744	vssvc.exe
Token: SeAuditPrivilege	3744	vssvc.exe
Token: SeBackupPrivilege	4016	msiexec.exe
Token: SeRestorePrivilege	4016	msiexec.exe
Token: SeRestorePrivilege	4016	msiexec.exe
Token: SeTakeOwnershipPrivilege	4016	msiexec.exe
Token: SeRestorePrivilege	4016	msiexec.exe
Token: SeTakeOwnershipPrivilege	4016	msiexec.exe
Token: SeBackupPrivilege	3636	srtasks.exe
Token: SeRestorePrivilege	3636	srtasks.exe
Token: SeSecurityPrivilege	3636	srtasks.exe
Token: SeTakeOwnershipPrivilege	3636	srtasks.exe
Token: SeBackupPrivilege	3636	srtasks.exe
Token: SeRestorePrivilege	3636	srtasks.exe
Token: SeSecurityPrivilege	3636	srtasks.exe
Token: SeTakeOwnershipPrivilege	3636	srtasks.exe
Token: SeRestorePrivilege	4016	msiexec.exe
Token: SeTakeOwnershipPrivilege	4016	msiexec.exe
Token: SeRestorePrivilege	4016	msiexec.exe
Token: SeTakeOwnershipPrivilege	4016	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4344 msiexec.exe
4344 msiexec.exe

pid	process
4344	msiexec.exe
4344	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exeAutoit3.exe

description	pid	process	target process
PID 4016 wrote to memory of 3636	4016	msiexec.exe	srtasks.exe
PID 4016 wrote to memory of 3636	4016	msiexec.exe	srtasks.exe
PID 4016 wrote to memory of 2636	4016	msiexec.exe	MsiExec.exe
PID 4016 wrote to memory of 2636	4016	msiexec.exe	MsiExec.exe
PID 4016 wrote to memory of 2636	4016	msiexec.exe	MsiExec.exe
PID 2636 wrote to memory of 1672	2636	MsiExec.exe	ICACLS.EXE
PID 2636 wrote to memory of 1672	2636	MsiExec.exe	ICACLS.EXE
PID 2636 wrote to memory of 1672	2636	MsiExec.exe	ICACLS.EXE
PID 2636 wrote to memory of 4772	2636	MsiExec.exe	EXPAND.EXE
PID 2636 wrote to memory of 4772	2636	MsiExec.exe	EXPAND.EXE
PID 2636 wrote to memory of 4772	2636	MsiExec.exe	EXPAND.EXE
PID 2636 wrote to memory of 924	2636	MsiExec.exe	Autoit3.exe
PID 2636 wrote to memory of 924	2636	MsiExec.exe	Autoit3.exe
PID 2636 wrote to memory of 924	2636	MsiExec.exe	Autoit3.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe
PID 924 wrote to memory of 5112	924	Autoit3.exe	AdobeARMHelper.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3148

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3796

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3532

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe"
2⤵
PID:5268

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4344

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2452

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2352

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe"
2⤵
PID:5112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:880

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 443D58EB5E2F80A8CFD85CE5189D3037
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:1672

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:4772

C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\files\Autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\files\Autoit3.exe" UGtZgHHT.au3
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\cmd.exe
cmd.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Drops startup file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:5444

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:5556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hhdeedf\Autoit3.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\hhdeedf\cdcadkh.au3
Filesize
767KB

MD5
20724597349b38e43d788c6c7ceb9b8d

SHA1
b186c3a0dc1d6bd2f201c1bbafccc6fd3894ab14

SHA256
400597daee58abe8873362707b892b92eb9828cad699e8c64ea035443ff4e4b4

SHA512
803ddea88b01c91d29a831851e0abcd082193749906c642f6e4c4541dc50dcdae36f57aadbadfd7ca8e1376c554e6cc82f0b8cf7ca47ca76ead5a4d5fa6768af

Download Submit
C:\ProgramData\hhdeedf\cdcadkh.au3
Filesize
767KB

MD5
20724597349b38e43d788c6c7ceb9b8d

SHA1
b186c3a0dc1d6bd2f201c1bbafccc6fd3894ab14

SHA256
400597daee58abe8873362707b892b92eb9828cad699e8c64ea035443ff4e4b4

SHA512
803ddea88b01c91d29a831851e0abcd082193749906c642f6e4c4541dc50dcdae36f57aadbadfd7ca8e1376c554e6cc82f0b8cf7ca47ca76ead5a4d5fa6768af

Download Submit
C:\ProgramData\hhdeedf\dacbhkb\ggdddaf
Filesize
129B

MD5
4e339e31c0d5d946ade04d7b695cfc55

SHA1
922327160f5a9b1a3fbd0fff416d76706989e5f1

SHA256
d2cbdf079c5eb1ca47bf2e0c00570f2ab89a61be5d93e40b30f9bd15eb32dc3a

SHA512
6b46589fcee1dae9843c565586f39f786003f3a158cc508c42ee07d01edd16ed29d2579c09050a298306877fd9494c5b0a06d0db3b99ee00747ee58e711937c7

Download Submit
C:\ProgramData\hhdeedf\dacbhkb\ggdddaf
Filesize
129B

MD5
4e339e31c0d5d946ade04d7b695cfc55

SHA1
922327160f5a9b1a3fbd0fff416d76706989e5f1

SHA256
d2cbdf079c5eb1ca47bf2e0c00570f2ab89a61be5d93e40b30f9bd15eb32dc3a

SHA512
6b46589fcee1dae9843c565586f39f786003f3a158cc508c42ee07d01edd16ed29d2579c09050a298306877fd9494c5b0a06d0db3b99ee00747ee58e711937c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\files.cab
Filesize
1.6MB

MD5
e7c3b16ed93b760546ae6756b12644da

SHA1
99b3b1af70b45b4b815a814f61f9b6e509cd3bb6

SHA256
659733a584c52078ac6b568dfb34a089bef2b3835a5ea737d32c1623a468b743

SHA512
b6eeaaeeb1f7c8335076075bc8033d5d4744544f3937eeaddcbef5f7ba257a64c20a47f8388c1e8f10c5821da8abe0683be8fd60c3e1a9aea25e4a705e2f8b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\files\Autoit3.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\files\Autoit3.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\files\UGtZgHHT.au3
Filesize
757KB

MD5
1b524d03b27b94906c1a87b207e08179

SHA1
8fbad6275708a69b764992b05126e053134fb9e9

SHA256
1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622

SHA512
1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\msiwrapper.ini
Filesize
1KB

MD5
5a032120fccc722f3b0ea768b1998247

SHA1
d329c084644ea53a319ba4ed6ae0fde3bc724e72

SHA256
0a7e4933db5dca303ffff7fc263cacfbd2ff030a2749c49a3c0fdc98b47eae65

SHA512
02dd7d88a61d38e026cef7ded0eb4bfbce987ff7d4c0d3ac256d5a6c7be316958211a56be101951552ec1d6efb79bf0060a470c5d0d7be41d46d642a4b441f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\msiwrapper.ini
Filesize
1KB

MD5
73696c70340bdae1bb4d327701c83ebe

SHA1
f3dd1957bcef809960fa1855ee328532adca28c3

SHA256
e5ef261d3a483304c14c325ba9c54106d5faf1dcdf7537ad60a13f0f097d9b49

SHA512
37f729a5fa66fcd4e59efe7e288fbb478ae2655fd907786fd22f57908483b420b110b1d6a3d7e9bb53e1a4715aa2bbd976185b92699c47562b1f0ad347abc15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\msiwrapper.ini
Filesize
1KB

MD5
73696c70340bdae1bb4d327701c83ebe

SHA1
f3dd1957bcef809960fa1855ee328532adca28c3

SHA256
e5ef261d3a483304c14c325ba9c54106d5faf1dcdf7537ad60a13f0f097d9b49

SHA512
37f729a5fa66fcd4e59efe7e288fbb478ae2655fd907786fd22f57908483b420b110b1d6a3d7e9bb53e1a4715aa2bbd976185b92699c47562b1f0ad347abc15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7a05a9e5-8d53-42e6-98e3-66988a8dd654\msiwrapper.ini
Filesize
1KB

MD5
0492d717c1e6058c489fc673dff2dc5c

SHA1
e21b0ab3008589604440473b12517928b058ae15

SHA256
f6b0f86405070c0f97b2cae63beaf2e4fa3d7e8f359c747e73473fccd2493200

SHA512
4708cb60f4183d6506c706d1cbe310b65455de5e79a4aa709633200be4af1f4ec425069ac936da5ff2064ad78cc43809870cc97f97f344e6464670ac85976a40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abfgcag.lnk
Filesize
647B

MD5
3c3b4f6d4e961fb4bb41ec1a9b58a217

SHA1
535aad5670b1dc48dd295af572b8c5d4162ac742

SHA256
eca2cd2e4c55e0e6402851f115f38ffbfac3e1223dd952daf63954a4a0cf4cdb

SHA512
19084ee7ec664732c21cc0d1274a7a3381c5290eff1a7d6ab6afadc98a1e3dfe7758c0a3619d661ff5cda67804b6936ce219d3ec908d93e81f722825e570010d

Download Submit
C:\Windows\Installer\MSI5119.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI5119.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI9548.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI9548.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
19b8e6bd53112bcdf38aedc970c971b6

SHA1
9466e5170d1ffda2afa36ce5122cf7c6687e0db0

SHA256
ba682a7e77e8684c8e9fd10a677db55b4f11fde6679ca9f3399648669e9281cb

SHA512
b65a23e3d843f1de8e80156f55b27525e3c6d04ec1a57462c5875e2457d59bc8be285cdde83ae0823360eaf47ecd51ab2e88c1fc522756ce2e1b4d3eb27ac110

Download Submit
\??\Volume{dca10565-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fad56296-44dc-4b00-ae14-fa0d06b9b1d2}_OnDiskSnapshotProp
Filesize
5KB

MD5
4d397364d467c32254ac73c23eb24272

SHA1
cfa52377518d98fdb5ad7da2671406d69b969278

SHA256
83a487a2431f58ee70d2f32bc2a69a0e2f190ffdedc77cf3376dfd653c3e084f

SHA512
6474cb81698f1ba72a75beb560ec3012a790198c9549c8a8891e07782e8bacb3fefc60806910a4b020ab00a4fdba41b775d5f6ea5de6b089053401450c26d3d1

Download Submit
\??\c:\temp\cdcadkh.au3
Filesize
757KB

MD5
1b524d03b27b94906c1a87b207e08179

SHA1
8fbad6275708a69b764992b05126e053134fb9e9

SHA256
1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622

SHA512
1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e

Download Submit
memory/924-213-0x0000000001230000-0x0000000001630000-memory.dmp

Filesize
4.0MB

Download
memory/924-219-0x0000000004700000-0x00000000048D9000-memory.dmp

Filesize
1.8MB

Download
memory/924-775-0x0000000004700000-0x00000000048D9000-memory.dmp

Filesize
1.8MB

Download
memory/924-233-0x0000000004700000-0x00000000048D9000-memory.dmp

Filesize
1.8MB

Download
memory/924-230-0x0000000001230000-0x0000000001630000-memory.dmp

Filesize
4.0MB

Download
memory/924-214-0x0000000003ED0000-0x0000000003FC5000-memory.dmp

Filesize
980KB

Download
memory/924-215-0x0000000004700000-0x00000000048D9000-memory.dmp

Filesize
1.8MB

Download
memory/5112-221-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/5112-222-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/5444-935-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5444-777-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/6036-811-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/6036-1408-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/6036-810-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/6036-1433-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download