632afae0364939a18b6d18c91f9233f1db69524917d7ea3f763cd8e8dbea486d

Analysis

max time kernel
166s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2023 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Size

91KB
MD5

d706c2e356a3bebe0475aafc6a63dade
SHA1

ca5c68350f9243d604a12559db2e44db8144bdb3
SHA256

632afae0364939a18b6d18c91f9233f1db69524917d7ea3f763cd8e8dbea486d
SHA512

69f105dcc29e13ae47265631bcc76851ccc03c639ae05f125a094512d0789c327a996525c4c851e517a0d2fc769fbe7f519fd987b4fac4e41a3c9dad15c86c25
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuKyp3gRYjXbUeHORIC7:uT3OA3+KQsxfS4jynT3OA3+KQsxfS4q

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
2932	xk.exe
960	IExplorer.exe
5016	WINLOGON.EXE
1668	CSRSS.EXE
1340	SERVICES.EXE
1216	LSASS.EXE
4916	SMSS.EXE
3760	xk.exe
520	IExplorer.exe
2932	WINLOGON.EXE
3996	CSRSS.EXE
1340	SERVICES.EXE
2560	LSASS.EXE
2468	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened for modification	F:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	F:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\I:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\K:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\L:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\Q:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\S:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\V:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\E:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\J:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\M:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\U:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\W:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\B:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\O:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\T:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\X:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\Y:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\H:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\N:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\P:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\R:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\Z:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\xk.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2932	xk.exe
960	IExplorer.exe
5016	WINLOGON.EXE
1668	CSRSS.EXE
1340	SERVICES.EXE
1216	LSASS.EXE
4916	SMSS.EXE
3760	xk.exe
520	IExplorer.exe
2932	WINLOGON.EXE
3996	CSRSS.EXE
1340	SERVICES.EXE
2560	LSASS.EXE
2468	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	86
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	86
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	86
PID 2008 wrote to memory of 960	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	87
PID 2008 wrote to memory of 960	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	87
PID 2008 wrote to memory of 960	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	87
PID 2008 wrote to memory of 5016	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	88
PID 2008 wrote to memory of 5016	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	88
PID 2008 wrote to memory of 5016	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	88
PID 2008 wrote to memory of 1668	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	90
PID 2008 wrote to memory of 1668	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	90
PID 2008 wrote to memory of 1668	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	90
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	91
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	91
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	91
PID 2008 wrote to memory of 1216	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	92
PID 2008 wrote to memory of 1216	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	92
PID 2008 wrote to memory of 1216	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	92
PID 2008 wrote to memory of 4916	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	93
PID 2008 wrote to memory of 4916	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	93
PID 2008 wrote to memory of 4916	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	93
PID 2008 wrote to memory of 3760	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	100
PID 2008 wrote to memory of 3760	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	100
PID 2008 wrote to memory of 3760	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	100
PID 2008 wrote to memory of 520	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	101
PID 2008 wrote to memory of 520	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	101
PID 2008 wrote to memory of 520	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	101
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	103
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	103
PID 2008 wrote to memory of 2932	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	103
PID 2008 wrote to memory of 3996	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	104
PID 2008 wrote to memory of 3996	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	104
PID 2008 wrote to memory of 3996	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	104
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	105
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	105
PID 2008 wrote to memory of 1340	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	105
PID 2008 wrote to memory of 2560	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	106
PID 2008 wrote to memory of 2560	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	106
PID 2008 wrote to memory of 2560	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	106
PID 2008 wrote to memory of 2468	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	107
PID 2008 wrote to memory of 2468	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	107
PID 2008 wrote to memory of 2468	2008	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	107

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2008
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2932
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:960
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5016
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1668
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1340
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1216
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4916
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3760
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:520
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2932
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3996
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1340
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2560
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
f40196ff220ef2a1a940277b836cb437

SHA1
36d569e31ab7a2d5576d90c18dad724cd32a1707

SHA256
e13437555c69768692ad97d87d20a8f247f711e80827457f858e596192829d70

SHA512
06339d23ec7082e28dd78ad591f2bc43e9aed4380bf53602e351fa34cc529a55155a7c773ef240208f7bb30f646667773d833c1135a919a7b7f423ae5331895d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
c01d2aa650a9be297927af6bca63e2d0

SHA1
4e7b18b9ccc2f7673908a4112928588cf2bf3dad

SHA256
5f702fc4d827bc92e8f557bdf919ad171cc9218ed0b533d6bed853d1099c57dc

SHA512
5fec9cb9a4e264bf2fd31068de96b6e55aeb9a7611e78a58df007b7af3ca6663421a296298fdb51ea97eabeb1aff33b763f88e6d133c36dabb24c4c0c06b8fbe

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
30a821e1dde1eae794353198bc42eca2

SHA1
477f60377de53d97b2c825ea2ac8ae510fbcf2b1

SHA256
7b4f055e45adbb6dbaf8f1196e5ebdfc1ed36108b5dd1a978c0ac351647b139a

SHA512
67232f8fa565b587185d9b7d4ab884c31df4d45f6a666c42058d4361b1cac57b56c5fb698cea12068de201609cd4da9a97704400fb52b15904558ada50fdcb35

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
32622d9f67202fbc8fea0a7d9f0a6216

SHA1
0a81bdca45cb447d4491023c0847184ce081356e

SHA256
451223a784959e85589baa1fd5cfad1f45e1c3fb9051c90c50e77d751efd1bd5

SHA512
5087da0490f5144dcb56ef8cd43e8c0231e6b380d44630500d0cb1f730ea766b8e5bb4fda88f80f602f36e51dc87ffa27080a9c32a2474b76ad8da528761d502

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
50e790fe6f4e7e2c79d4010cb0efddb3

SHA1
bb027284b0c0e3286e9566fa6179e96db73b53f2

SHA256
dfad9f288adcfa7e0580bcae9c992e8f1fe6641b4cfdd79fa7873ec03044a655

SHA512
92f12e38904078151674d3be0df03232bcb2af2fe0072fc8e9ea8c389e761a9b1fc28f4bece6c64db388fffa3e46bc9da6c1c2e85548ffc0cccc452d4129f9b4

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
b749a523382b62f605025afb3ba29ae1

SHA1
f52a5af67e4c9f91c962cba83935366d2ce47b23

SHA256
f9192b94bec7bd7052758f5efc96b2b34613fc7ae1697dc22cdaf08e42638e08

SHA512
43632874b70cf7c38ee0df06bd51edc56d9d1509e4725b61ab63855b9304b77e72aac75be6217d79aff8577ae3b0efc0768ded04fdee140343d29c4f5ccdb1a7

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
8984a8ffe965412d180f214add82e86c

SHA1
5e9ba7ae50cb82357713a6f708245d60e9d67b0f

SHA256
e710f8ec2205d6a71607c388c8011120fb473c89bbd9c2b6caa73c9ba3e558bf

SHA512
cea9eea880c85968e2b4d8c8b8c6e7c952accbde89d946e11aa733e219ac6911bd3921a3d7658595bf524511e1abe5e5555feacd9a6c08af5ad5df324df2ad0b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
dba3f48faf3820b090f7571c4b62853d

SHA1
e06f9f30920b005c3dd43c4e13f1785c49a8945f

SHA256
efd5e5e792012258d4b1e1a0232a8a6fdd7ff465bb025d13042374e5490a216a

SHA512
ffc9116502ec0bade9b1741ba7cde89addb12faade92ff06247cacb9b5759077de8f2e476528a4eadc99aa9100408ff0c819d3260b669cda3ba953c6a2acb31d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
cd1018df037ad9c36ce7cf9440161d3d

SHA1
a6183b99f55ea42ae51f8fb415f508c67d68d22a

SHA256
af912bf1a82882a54a67749d5e3f6264109fb7d37e5e214a6b66bb70c743fe6e

SHA512
7908a08fdbae5012aaf23f60613c8d19eb4b84f8e168fb5cc829fba0bb8777e9912975c04b8a6b8007d6d2048ca46f2803a3287b389290c0975d2f5d709e7e6e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
68ee88cb56d6f92758d2e4b75cbd4d52

SHA1
bce6f69b8d033bee6246f2e2c4e29a0be447ccb4

SHA256
0773a80b7f38446ab77705a048901cadd329c52956f54208829ef2eb529126e3

SHA512
316a8d832be5f683003607b0c1f5cd25277253891f363a558c3fa318dbaadd7ba2031254bb6e7b171b7b5ba763f16c8f1fe61bc103a7fb28261a76031227e16a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
c01d2aa650a9be297927af6bca63e2d0

SHA1
4e7b18b9ccc2f7673908a4112928588cf2bf3dad

SHA256
5f702fc4d827bc92e8f557bdf919ad171cc9218ed0b533d6bed853d1099c57dc

SHA512
5fec9cb9a4e264bf2fd31068de96b6e55aeb9a7611e78a58df007b7af3ca6663421a296298fdb51ea97eabeb1aff33b763f88e6d133c36dabb24c4c0c06b8fbe

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
30a821e1dde1eae794353198bc42eca2

SHA1
477f60377de53d97b2c825ea2ac8ae510fbcf2b1

SHA256
7b4f055e45adbb6dbaf8f1196e5ebdfc1ed36108b5dd1a978c0ac351647b139a

SHA512
67232f8fa565b587185d9b7d4ab884c31df4d45f6a666c42058d4361b1cac57b56c5fb698cea12068de201609cd4da9a97704400fb52b15904558ada50fdcb35

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
b749a523382b62f605025afb3ba29ae1

SHA1
f52a5af67e4c9f91c962cba83935366d2ce47b23

SHA256
f9192b94bec7bd7052758f5efc96b2b34613fc7ae1697dc22cdaf08e42638e08

SHA512
43632874b70cf7c38ee0df06bd51edc56d9d1509e4725b61ab63855b9304b77e72aac75be6217d79aff8577ae3b0efc0768ded04fdee140343d29c4f5ccdb1a7

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
8984a8ffe965412d180f214add82e86c

SHA1
5e9ba7ae50cb82357713a6f708245d60e9d67b0f

SHA256
e710f8ec2205d6a71607c388c8011120fb473c89bbd9c2b6caa73c9ba3e558bf

SHA512
cea9eea880c85968e2b4d8c8b8c6e7c952accbde89d946e11aa733e219ac6911bd3921a3d7658595bf524511e1abe5e5555feacd9a6c08af5ad5df324df2ad0b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
68ee88cb56d6f92758d2e4b75cbd4d52

SHA1
bce6f69b8d033bee6246f2e2c4e29a0be447ccb4

SHA256
0773a80b7f38446ab77705a048901cadd329c52956f54208829ef2eb529126e3

SHA512
316a8d832be5f683003607b0c1f5cd25277253891f363a558c3fa318dbaadd7ba2031254bb6e7b171b7b5ba763f16c8f1fe61bc103a7fb28261a76031227e16a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
d706c2e356a3bebe0475aafc6a63dade

SHA1
ca5c68350f9243d604a12559db2e44db8144bdb3

SHA256
632afae0364939a18b6d18c91f9233f1db69524917d7ea3f763cd8e8dbea486d

SHA512
69f105dcc29e13ae47265631bcc76851ccc03c639ae05f125a094512d0789c327a996525c4c851e517a0d2fc769fbe7f519fd987b4fac4e41a3c9dad15c86c25

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
06299fd6684cb939625010032e296460

SHA1
d01e80a2ec2d00c1ea6726253ca9a102237bd656

SHA256
6b455814d567b1778fe9ccc0e536d19c502888924bc31ae828aa40350e325c4d

SHA512
0719fbc4cf17f9f5a9a294577b45a173ad3c3e89da6d90da2e56d87361e3eb77294391b76f243f313f8d34a62d0133a6e52f582cdfc7c38d373de8887f56e43c

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
c6c40f40d4a88c34095a3fbecdc3df5b

SHA1
fef734970daf8d519167a10cf4c04ae6c676e9f5

SHA256
92db8595ec4d07cbea96c186836f260ebe7a571d40b589d372209a55a33512b3

SHA512
5b2778fc3c1584aec1bd9dbc1e1518add0b95ca9ff4c08114e854a2aca947e3575c0849510d2a540ecd63f1322a4e4fa79dfed61e3c94eaddef261785006bd79

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
c6c40f40d4a88c34095a3fbecdc3df5b

SHA1
fef734970daf8d519167a10cf4c04ae6c676e9f5

SHA256
92db8595ec4d07cbea96c186836f260ebe7a571d40b589d372209a55a33512b3

SHA512
5b2778fc3c1584aec1bd9dbc1e1518add0b95ca9ff4c08114e854a2aca947e3575c0849510d2a540ecd63f1322a4e4fa79dfed61e3c94eaddef261785006bd79

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
097b56f98b9f14e8686fc856ee46a6e8

SHA1
a4f94c7a324f50399721c73df31bf1336d8cb34a

SHA256
98886995dbb07ad15660385c2a15dbf4c1d546cabd42dd114644121a893bb9fb

SHA512
fc80c1bfba887da75a14425a9ad9e00a937ba0d67216d4bac745c218a2534cfcba62ba49cba477aa09547ea2ed77f84d876b1417bcb77398c390dae632d64f9b

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
56a5a33b0018d95cefa6153533652682

SHA1
bcc6237a40c5f28a63d5f692a5aeec70c9bc8b8b

SHA256
70a7469d9ed71674c81dcdd390149fa2af74a542a22e5c76c8ea25d366648cfb

SHA512
3f747fc156b6ab272a12c1ff71d74cd09545c1d5d244314fd7e0fbc5aec1f87438f4f98c7da7fa04dbc389b66df8d30a9b62ed98a55867008acbcc52bff7273f

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
56a5a33b0018d95cefa6153533652682

SHA1
bcc6237a40c5f28a63d5f692a5aeec70c9bc8b8b

SHA256
70a7469d9ed71674c81dcdd390149fa2af74a542a22e5c76c8ea25d366648cfb

SHA512
3f747fc156b6ab272a12c1ff71d74cd09545c1d5d244314fd7e0fbc5aec1f87438f4f98c7da7fa04dbc389b66df8d30a9b62ed98a55867008acbcc52bff7273f

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/520-263-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/520-259-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/960-63-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/960-67-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/960-64-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/960-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1216-102-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/1216-103-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/1216-107-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1340-341-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/1340-94-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/1340-93-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1340-345-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1668-89-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1668-85-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/1668-84-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/2008-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-140-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/2008-291-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-390-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-2-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/2008-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2008-7-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/2008-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2468-385-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/2468-389-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2560-382-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2560-378-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/2932-55-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/2932-295-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2932-296-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/2932-300-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2932-302-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2932-65-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/2932-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3760-258-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3760-252-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/3760-251-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/3996-309-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3996-330-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/3996-304-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/4916-111-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/5016-75-0x0000000074C00000-0x0000000074D5D000-memory.dmp

Filesize
1.4MB

Download
memory/5016-74-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download
memory/5016-79-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5016-80-0x00000000001C0000-0x00000000001C4000-memory.dmp

Filesize
16KB

Download