2d512e79aae013b0e1049126b226d63ef56661e0684e4470603716fdf1cbcc21

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Size

336KB
MD5

7083c81f93b04d278f4cd16a4bc65c30
SHA1

cbbdceef0726cfb3cb2a747f2c0679cd3d9843d2
SHA256

2d512e79aae013b0e1049126b226d63ef56661e0684e4470603716fdf1cbcc21
SHA512

884bd459a5daedc487eccae9c258b7bf04d9222a33c4aeefe2a40f3f63f88b054ef2b60b4f674c43cc14e21da8499d60a1e8cc8afe592c9625e486bb2fe66c45
SSDEEP

6144:2hF4cO+wWJH7igNgjdFKsloS6RARoYlld9n2Qpmx:2MVzX5oSRoYXC

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
2292	xk.exe
2088	IExplorer.exe
1744	WINLOGON.EXE
228	CSRSS.EXE
3400	SERVICES.EXE
3196	LSASS.EXE
232	SMSS.EXE
1176	xk.exe
3784	IExplorer.exe
4988	WINLOGON.EXE
3992	CSRSS.EXE
2864	SERVICES.EXE
3696	LSASS.EXE
4168	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1316-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1316-3-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0009000000023068-8.dat	upx
behavioral2/files/0x0008000000023063-48.dat	upx
behavioral2/memory/2292-49-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0008000000023063-50.dat	upx
behavioral2/files/0x0009000000023068-54.dat	upx
behavioral2/files/0x0009000000023068-56.dat	upx
behavioral2/memory/2088-55-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2292-57-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2088-60-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306a-62.dat	upx
behavioral2/files/0x000600000002306a-64.dat	upx
behavioral2/memory/1744-63-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1744-67-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306b-69.dat	upx
behavioral2/memory/228-70-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306b-71.dat	upx
behavioral2/files/0x000600000002306c-76.dat	upx
behavioral2/memory/228-75-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3400-77-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306c-78.dat	upx
behavioral2/memory/3400-81-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306d-83.dat	upx
behavioral2/memory/3196-85-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306d-84.dat	upx
behavioral2/memory/3196-88-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306e-90.dat	upx
behavioral2/memory/232-91-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306e-92.dat	upx
behavioral2/memory/232-95-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0008000000023063-227.dat	upx
behavioral2/memory/1176-228-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0009000000023068-232.dat	upx
behavioral2/memory/1176-234-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3784-233-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306a-238.dat	upx
behavioral2/memory/4988-240-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3784-239-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4988-243-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306b-273.dat	upx
behavioral2/memory/3992-274-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306c-278.dat	upx
behavioral2/memory/2864-280-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3992-281-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2864-283-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3696-286-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000600000002306d-285.dat	upx
behavioral2/files/0x000600000002306e-290.dat	upx
behavioral2/memory/4168-291-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3696-292-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/4168-305-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1316-324-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\desktop.ini	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened for modification	F:\desktop.ini	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File created	F:\desktop.ini	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened for modification	C:\desktop.ini	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\W:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\Y:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\B:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\L:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\N:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\P:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\Q:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\Z:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\V:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\X:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\I:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\J:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\K:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\R:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\T:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\G:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\H:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\E:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\M:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\O:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened (read-only)	\??\U:	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
File created	C:\Windows\xk.exe	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\Desktop\	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
2292	xk.exe
2088	IExplorer.exe
1744	WINLOGON.EXE
228	CSRSS.EXE
3400	SERVICES.EXE
3196	LSASS.EXE
232	SMSS.EXE
1176	xk.exe
3784	IExplorer.exe
4988	WINLOGON.EXE
3992	CSRSS.EXE
2864	SERVICES.EXE
3696	LSASS.EXE
4168	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2292	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	88
PID 1316 wrote to memory of 2292	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	88
PID 1316 wrote to memory of 2292	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	88
PID 1316 wrote to memory of 2088	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	89
PID 1316 wrote to memory of 2088	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	89
PID 1316 wrote to memory of 2088	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	89
PID 1316 wrote to memory of 1744	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	90
PID 1316 wrote to memory of 1744	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	90
PID 1316 wrote to memory of 1744	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	90
PID 1316 wrote to memory of 228	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	91
PID 1316 wrote to memory of 228	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	91
PID 1316 wrote to memory of 228	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	91
PID 1316 wrote to memory of 3400	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	92
PID 1316 wrote to memory of 3400	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	92
PID 1316 wrote to memory of 3400	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	92
PID 1316 wrote to memory of 3196	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	93
PID 1316 wrote to memory of 3196	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	93
PID 1316 wrote to memory of 3196	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	93
PID 1316 wrote to memory of 232	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	94
PID 1316 wrote to memory of 232	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	94
PID 1316 wrote to memory of 232	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	94
PID 1316 wrote to memory of 1176	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	100
PID 1316 wrote to memory of 1176	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	100
PID 1316 wrote to memory of 1176	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	100
PID 1316 wrote to memory of 3784	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	102
PID 1316 wrote to memory of 3784	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	102
PID 1316 wrote to memory of 3784	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	102
PID 1316 wrote to memory of 4988	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	103
PID 1316 wrote to memory of 4988	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	103
PID 1316 wrote to memory of 4988	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	103
PID 1316 wrote to memory of 3992	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	106
PID 1316 wrote to memory of 3992	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	106
PID 1316 wrote to memory of 3992	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	106
PID 1316 wrote to memory of 2864	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	107
PID 1316 wrote to memory of 2864	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	107
PID 1316 wrote to memory of 2864	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	107
PID 1316 wrote to memory of 3696	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	108
PID 1316 wrote to memory of 3696	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	108
PID 1316 wrote to memory of 3696	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	108
PID 1316 wrote to memory of 4168	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	109
PID 1316 wrote to memory of 4168	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	109
PID 1316 wrote to memory of 4168	1316	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe	109

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7083c81f93b04d278f4cd16a4bc65c30.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1316
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2292
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2088
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:228
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3400
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3196
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:232
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1176
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3784
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4988
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3992
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2864
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3696
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
336KB

MD5
9d0e4ac59e14e81a8332bd6cb10f28a4

SHA1
c010bccef6245f1037ace7bae39e3676d1f8a758

SHA256
acacab7568e4f5edd949d1839d3c18976b3b73dc706dee18db1c822d65d51084

SHA512
710467edaffc4c5908e9b57af28a9cefafe08599b9f8562faf803f11c0e52d085d270e1ba2553a87a3d3453e51bdf921dc3d7d2045a0c8a3b6ae048fb74c168a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
336KB

MD5
fadc436e9ae8b9acd1e062a956df6f44

SHA1
718607e9c9f7b0f0f4733764dc851cace52ff944

SHA256
0e6ea26833d828cc1b6b99765f774f076029deffaa4f11276a2617218a0ee3df

SHA512
1f9f1995fa751a8566a95ba047114e2bb8603b3bce83300f3b6b1d45716bd911983bc628109a4f4b4081acbf6cb15ba3c18d02acd4823af66d0507f0a2525f61

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
336KB

MD5
7002816f9b239667998778445052a0ac

SHA1
46683c3ea5f83bfc0b93e83ca4461f6554c2c1b1

SHA256
54f0c72450add1481de44a79d0deb0347d35a2f040471f5f68e4d2802691a9d8

SHA512
e1556745dc349c88ca17e72c8a9fbcc27d72d491388a8d4edbbb4a90fd4a4ab7248efc7bda6f09be7d8f1005aa901a2aa0eccc753796986406664af27b6b15dd

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
336KB

MD5
9701f34d51c3d6777895aecaf70f7df2

SHA1
ed1d9604a259e244a3b7df802729f3edb22d497e

SHA256
1731afa3d10c28570f6cddd6a89d8462ff053c765ec1be13a9a0fee0351f0d74

SHA512
59d0dae23293c8e3ef512195be7b9161cdd5daa9c5440b6e3c013c97d779edf842c65532541cedc859914f6b470627d0f8b4609581500369f00ed98c4e714c64

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
336KB

MD5
2a2c3c8d581fd010b4ceb6c471d916b5

SHA1
41f820e383eaa70e5f454aec8289f602572d516a

SHA256
ca6e0c7c839de3da413a4839eb26d3794b4da65dc3b6dc9e30a1643756f69321

SHA512
286739c019f19f8412b20d3b76bdb0fdab5e6c5e50a0ee1ed7fa87d3f8cb74cce2d2efd56566981f920b11690047ca7735404fa868c2c1b46c487abef89ad725

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
336KB

MD5
024dd8a3ae7f2acac37dc2036da0eff9

SHA1
f1bc3917e5bb666be4aeb73ea9a615299c968f64

SHA256
356024cfbb7e605bb17634fe4243b4eabbfd854f3601b16db5052791fc501ecc

SHA512
bf7c5544013e7177293cd77d4c3868c0aaff1736fbc0352cbdb968a13ae89343f047456f6ca432912a5a693f21bc6adf3d77714c8dae6f3ec388e60bbcdbe635

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
336KB

MD5
3549a68146aeb7826a26ecfcdb3b4f82

SHA1
971030f45a8605064434a6047bc2869429635891

SHA256
80671d92e2628d56aec0d90a22c8dec6f63a1003197429aca1b5ea6ae1fcb973

SHA512
5db33bb42fa9300d7cd3e11a9da269cd88c19a0f080f5aa3454019aa2d14ddde85698836d236c49a89861a0b999afeb1976d1ba974e24ce2d0b71f1bf35c8bbc

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
336KB

MD5
2daf7de46830b69ef930354062aff59e

SHA1
7fb370b3b536e8bb44b2314b5138f083aa3f5070

SHA256
5e011be627540e48ee24de172c1f8c86de346d2bb41ecfe5840f961714e74c30

SHA512
f268d0611d16e559c42659f5fa7e54621cab28c2829c03421240b8eb89aca8853435ff61f185fd65c7da01b87a13074f3a909bd5e9195d22255739a210da6747

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
336KB

MD5
22c3b432cc1114fd2ceea380ec9b5049

SHA1
4c04770a7fdb9245ce75874266dcac4faa525fa9

SHA256
240e7e1774ad21dda979fc50bf80c27c1f177773839199e08a29396b695a75f3

SHA512
fd349ff22a04402dfa76371efb2c1e98136b17a20ea2c3ea341d38cf9b7f2197c06060b54dbbb0579923c30d39b8c14b80033f9bdaf53a3e1b15fb5c0ec9c6a9

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
336KB

MD5
4f3be313aae41a17c71bfc235e73b64f

SHA1
1b38befdd438d761e790e7303a7c37b037b5f486

SHA256
832c2aec9b49ad5100773ea1ccef666cc3bc2ea9f62a847f6101afd8f321f2bf

SHA512
4e3a1e03f51426205e18545c6f11bf877b659b66f1bfb438b989fc952436f618f50bf10251011e7b78dd99f65051fc25c486817ef5ca802e812e36934f4b4fe5

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
336KB

MD5
fadc436e9ae8b9acd1e062a956df6f44

SHA1
718607e9c9f7b0f0f4733764dc851cace52ff944

SHA256
0e6ea26833d828cc1b6b99765f774f076029deffaa4f11276a2617218a0ee3df

SHA512
1f9f1995fa751a8566a95ba047114e2bb8603b3bce83300f3b6b1d45716bd911983bc628109a4f4b4081acbf6cb15ba3c18d02acd4823af66d0507f0a2525f61

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
336KB

MD5
9701f34d51c3d6777895aecaf70f7df2

SHA1
ed1d9604a259e244a3b7df802729f3edb22d497e

SHA256
1731afa3d10c28570f6cddd6a89d8462ff053c765ec1be13a9a0fee0351f0d74

SHA512
59d0dae23293c8e3ef512195be7b9161cdd5daa9c5440b6e3c013c97d779edf842c65532541cedc859914f6b470627d0f8b4609581500369f00ed98c4e714c64

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
336KB

MD5
024dd8a3ae7f2acac37dc2036da0eff9

SHA1
f1bc3917e5bb666be4aeb73ea9a615299c968f64

SHA256
356024cfbb7e605bb17634fe4243b4eabbfd854f3601b16db5052791fc501ecc

SHA512
bf7c5544013e7177293cd77d4c3868c0aaff1736fbc0352cbdb968a13ae89343f047456f6ca432912a5a693f21bc6adf3d77714c8dae6f3ec388e60bbcdbe635

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
336KB

MD5
2daf7de46830b69ef930354062aff59e

SHA1
7fb370b3b536e8bb44b2314b5138f083aa3f5070

SHA256
5e011be627540e48ee24de172c1f8c86de346d2bb41ecfe5840f961714e74c30

SHA512
f268d0611d16e559c42659f5fa7e54621cab28c2829c03421240b8eb89aca8853435ff61f185fd65c7da01b87a13074f3a909bd5e9195d22255739a210da6747

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
336KB

MD5
4f3be313aae41a17c71bfc235e73b64f

SHA1
1b38befdd438d761e790e7303a7c37b037b5f486

SHA256
832c2aec9b49ad5100773ea1ccef666cc3bc2ea9f62a847f6101afd8f321f2bf

SHA512
4e3a1e03f51426205e18545c6f11bf877b659b66f1bfb438b989fc952436f618f50bf10251011e7b78dd99f65051fc25c486817ef5ca802e812e36934f4b4fe5

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
336KB

MD5
6ae5271903e29af6c366d9ce72aa8301

SHA1
87d6b4174daeee884158b3feef512284af3f0881

SHA256
1741a4704ee71154f28a72627feb4ccf340add4669e975886e14e58ed7655b4d

SHA512
2b17f41c73d604d710452c3036805b7595727b9e052d4ae9013c647eff06d5d6872b57c037a648fac629462b9090f0b57ee4e0c8a024b0687d43221e5caf3d9f

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
336KB

MD5
a9103fc433293acfe11609d2ed3e7d6a

SHA1
25a4d7195bc22f113544c95ece144278e0585feb

SHA256
94550e2d2de46777b116ff8be436224074cb62e849e81a19c57b95dc46bd7a6f

SHA512
360c35947705829218f86311e1d3797ef7950d5006f64dfa80aa5416776b60839ce2cffab5cade1e0ea6de20e35a6a2d2fe60ac53e3f8f456e2fa4e6d7592f67

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
336KB

MD5
a9103fc433293acfe11609d2ed3e7d6a

SHA1
25a4d7195bc22f113544c95ece144278e0585feb

SHA256
94550e2d2de46777b116ff8be436224074cb62e849e81a19c57b95dc46bd7a6f

SHA512
360c35947705829218f86311e1d3797ef7950d5006f64dfa80aa5416776b60839ce2cffab5cade1e0ea6de20e35a6a2d2fe60ac53e3f8f456e2fa4e6d7592f67

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
336KB

MD5
7083c81f93b04d278f4cd16a4bc65c30

SHA1
cbbdceef0726cfb3cb2a747f2c0679cd3d9843d2

SHA256
2d512e79aae013b0e1049126b226d63ef56661e0684e4470603716fdf1cbcc21

SHA512
884bd459a5daedc487eccae9c258b7bf04d9222a33c4aeefe2a40f3f63f88b054ef2b60b4f674c43cc14e21da8499d60a1e8cc8afe592c9625e486bb2fe66c45

Download Submit
C:\Windows\xk.exe

Filesize
336KB

MD5
8afc8713dc83aec6b8ce7749266c0bef

SHA1
1563f6b32f1897edb792aa192a0cbe3c570feb56

SHA256
5a05374832e5b255db6462a0e8b12024730d208e37b737c57e239ca76988eb32

SHA512
e905c4a69ad0a828db6e187192e47073bb84c002d8aae0c68b9e5d949e3d9570811a079789e6bc5142eaed7587fb230f334a75a287e096b9d92ae101370fc050

Download Submit
C:\Windows\xk.exe

Filesize
336KB

MD5
e2d20e37d747a29158e22c2a2eed35b8

SHA1
0596bd8290485ef2a8a78ffeffc8f7e06ca3886b

SHA256
945aab49b7e7d20930840bdaf1a983d25c7a67526ae1fbff9a92971c74492659

SHA512
31fccde73f3cce7ae144f47b4dd1c962bd1ed0f87a17bcd30ce461505008fbc6493a9f5c600b3faaceb707f95f46d8f36d32c854e162e0de1ab7ed92cbf05601

Download Submit
C:\Windows\xk.exe

Filesize
336KB

MD5
e2d20e37d747a29158e22c2a2eed35b8

SHA1
0596bd8290485ef2a8a78ffeffc8f7e06ca3886b

SHA256
945aab49b7e7d20930840bdaf1a983d25c7a67526ae1fbff9a92971c74492659

SHA512
31fccde73f3cce7ae144f47b4dd1c962bd1ed0f87a17bcd30ce461505008fbc6493a9f5c600b3faaceb707f95f46d8f36d32c854e162e0de1ab7ed92cbf05601

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/228-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/228-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/232-95-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/232-91-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1176-234-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1176-228-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-324-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1316-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1744-63-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1744-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2088-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2088-60-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2292-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2292-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2864-280-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2864-283-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3196-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3196-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3400-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3400-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3696-292-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3696-286-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3784-233-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3784-239-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3992-281-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3992-274-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4168-291-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4168-305-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4988-240-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4988-243-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download