2ef8516beb7e6307ab15bf5710d1c3c57cb07b442682ccb568ed55363b5c532b

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Size

91KB
MD5

dc744fd8cb6d44e835c4996412a5d560
SHA1

9ffa223a624f356a0a72555e3e6ff716488fdc09
SHA256

2ef8516beb7e6307ab15bf5710d1c3c57cb07b442682ccb568ed55363b5c532b
SHA512

d977a5f4a12214449007d8c650362cd99f3a48e3d77c9a656a59884efc736c99cad78e5aa7366f2e156d3476749f80ab205be92128005f2dba53d3706b116a49
SSDEEP

1536:ERsjdf1aM67v32Z9x5nouy8VTrjRsjdf1aM67v32Z9x5nouy8VTm:EOaHv3YpoutNrjOaHv3YpoutNm

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
3332	xk.exe
4900	IExplorer.exe
2784	xk.exe
2700	IExplorer.exe
2880	WINLOGON.EXE
4804	CSRSS.EXE
4916	SERVICES.EXE
4404	LSASS.EXE
1336	SMSS.EXE
4492	WINLOGON.EXE
1432	CSRSS.EXE
5008	SERVICES.EXE
5028	LSASS.EXE
2668	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1876-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0008000000022d4b-8.dat	upx
behavioral2/files/0x0006000000022e13-105.dat	upx
behavioral2/files/0x0006000000022e13-107.dat	upx
behavioral2/files/0x0006000000022e17-111.dat	upx
behavioral2/files/0x0006000000022e17-112.dat	upx
behavioral2/memory/3332-113-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/4900-119-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e13-166.dat	upx
behavioral2/memory/2784-169-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e17-171.dat	upx
behavioral2/memory/2700-174-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e19-176.dat	upx
behavioral2/files/0x0006000000022e19-177.dat	upx
behavioral2/memory/2880-180-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1a-182.dat	upx
behavioral2/files/0x0006000000022e1a-183.dat	upx
behavioral2/memory/4804-186-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1b-188.dat	upx
behavioral2/files/0x0006000000022e1b-189.dat	upx
behavioral2/memory/4916-192-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/1876-195-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1c-196.dat	upx
behavioral2/memory/4404-198-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1c-194.dat	upx
behavioral2/memory/4404-200-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1d-203.dat	upx
behavioral2/files/0x0006000000022e1d-202.dat	upx
behavioral2/memory/1336-204-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/1336-207-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/1876-233-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e19-235.dat	upx
behavioral2/memory/4492-239-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1a-269.dat	upx
behavioral2/memory/1432-272-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1b-302.dat	upx
behavioral2/memory/5008-305-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1c-306.dat	upx
behavioral2/memory/5028-310-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1d-340.dat	upx
behavioral2/memory/2668-343-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/1876-344-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File created	C:\desktop.ini	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened for modification	F:\desktop.ini	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File created	F:\desktop.ini	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\L:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\O:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\W:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\Y:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\H:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\G:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\M:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\N:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\P:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\S:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\T:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\E:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\I:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\K:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\Q:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\R:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\V:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\Z:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\B:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\X:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened (read-only)	\??\U:	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
File created	C:\Windows\xk.exe	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\Desktop\	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1511405631-3522522280-778892991-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
3332	xk.exe
4900	IExplorer.exe
2784	xk.exe
2700	IExplorer.exe
2880	WINLOGON.EXE
4804	CSRSS.EXE
4916	SERVICES.EXE
4404	LSASS.EXE
1336	SMSS.EXE
4492	WINLOGON.EXE
1432	CSRSS.EXE
5008	SERVICES.EXE
5028	LSASS.EXE
2668	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 3332	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	88
PID 1876 wrote to memory of 3332	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	88
PID 1876 wrote to memory of 3332	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	88
PID 1876 wrote to memory of 4900	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	89
PID 1876 wrote to memory of 4900	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	89
PID 1876 wrote to memory of 4900	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	89
PID 1876 wrote to memory of 2784	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	90
PID 1876 wrote to memory of 2784	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	90
PID 1876 wrote to memory of 2784	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	90
PID 1876 wrote to memory of 2700	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	91
PID 1876 wrote to memory of 2700	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	91
PID 1876 wrote to memory of 2700	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	91
PID 1876 wrote to memory of 2880	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	92
PID 1876 wrote to memory of 2880	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	92
PID 1876 wrote to memory of 2880	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	92
PID 1876 wrote to memory of 4804	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	94
PID 1876 wrote to memory of 4804	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	94
PID 1876 wrote to memory of 4804	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	94
PID 1876 wrote to memory of 4916	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	95
PID 1876 wrote to memory of 4916	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	95
PID 1876 wrote to memory of 4916	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	95
PID 1876 wrote to memory of 4404	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	96
PID 1876 wrote to memory of 4404	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	96
PID 1876 wrote to memory of 4404	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	96
PID 1876 wrote to memory of 1336	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	97
PID 1876 wrote to memory of 1336	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	97
PID 1876 wrote to memory of 1336	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	97
PID 1876 wrote to memory of 4492	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	100
PID 1876 wrote to memory of 4492	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	100
PID 1876 wrote to memory of 4492	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	100
PID 1876 wrote to memory of 1432	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	103
PID 1876 wrote to memory of 1432	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	103
PID 1876 wrote to memory of 1432	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	103
PID 1876 wrote to memory of 5008	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	105
PID 1876 wrote to memory of 5008	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	105
PID 1876 wrote to memory of 5008	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	105
PID 1876 wrote to memory of 5028	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	106
PID 1876 wrote to memory of 5028	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	106
PID 1876 wrote to memory of 5028	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	106
PID 1876 wrote to memory of 2668	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	108
PID 1876 wrote to memory of 2668	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	108
PID 1876 wrote to memory of 2668	1876	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe	108

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.dc744fd8cb6d44e835c4996412a5d560.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.dc744fd8cb6d44e835c4996412a5d560.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.dc744fd8cb6d44e835c4996412a5d560.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1876
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3332
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4900
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4804
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4916
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4404
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1336
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4492
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1432
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5008
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5028
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
0429275d7a48bcbee66470f21467d2a6

SHA1
0c24dedd49fa093126f1280f79346faafc7b1249

SHA256
705ce4a7fb965d0931bc235aeccdb0d97f3d35a592d59409ca0ff88b7aa6c886

SHA512
bd2ac7c592d5b158dd51b55d03a8b26fea8079bf7124af804bf9b420bb19aa9a50fe3f158ce73d2a5d3629160fa03af3df4fd691ba4ff3ce4b0feadc7b834479

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
0429275d7a48bcbee66470f21467d2a6

SHA1
0c24dedd49fa093126f1280f79346faafc7b1249

SHA256
705ce4a7fb965d0931bc235aeccdb0d97f3d35a592d59409ca0ff88b7aa6c886

SHA512
bd2ac7c592d5b158dd51b55d03a8b26fea8079bf7124af804bf9b420bb19aa9a50fe3f158ce73d2a5d3629160fa03af3df4fd691ba4ff3ce4b0feadc7b834479

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
8c02a5ba599593548169f52f25fd2882

SHA1
913baec70d19c27b91d15c7b947affb4b7c5b3e3

SHA256
26ca65882ab9e3e02e2017cc5642c1ad2ba91b784bc5c63e3de30aa672304eea

SHA512
3309a6092e767a6c12fd8d55806591c130923a8c7637b04a90b111e94f89ac4551103fe60839a4645482a60edf4a451b0a230247845fe4bc1c008bb139d0e1d4

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
8c02a5ba599593548169f52f25fd2882

SHA1
913baec70d19c27b91d15c7b947affb4b7c5b3e3

SHA256
26ca65882ab9e3e02e2017cc5642c1ad2ba91b784bc5c63e3de30aa672304eea

SHA512
3309a6092e767a6c12fd8d55806591c130923a8c7637b04a90b111e94f89ac4551103fe60839a4645482a60edf4a451b0a230247845fe4bc1c008bb139d0e1d4

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
1ad165ca2b0bd92cb10c89af10e49c02

SHA1
efe1b4e252ccdc50cdba727ecd9ab8a206cb2361

SHA256
0e9e4bad72e0564266d02106f8582e2a18f2f20a18b8a77c00a09e29b318df4f

SHA512
ce342de7eff27c67db605fc1ffaa7acc455f066a2d6c960eafc881aee1ad0edfc117c1faf8e73fa79c1d54bcc0de29c6d3cd9ec58a6fe4b4e8d40e7a291ff61a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
1ad165ca2b0bd92cb10c89af10e49c02

SHA1
efe1b4e252ccdc50cdba727ecd9ab8a206cb2361

SHA256
0e9e4bad72e0564266d02106f8582e2a18f2f20a18b8a77c00a09e29b318df4f

SHA512
ce342de7eff27c67db605fc1ffaa7acc455f066a2d6c960eafc881aee1ad0edfc117c1faf8e73fa79c1d54bcc0de29c6d3cd9ec58a6fe4b4e8d40e7a291ff61a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
34eca7e1d5ca9e8244474b03c42b7b9f

SHA1
c8c399386b05941d926058c02b00c32f78468d3f

SHA256
071a86f1f1f048d1dcfbe5ec43c00016b2204cee0fd61f33ac0f0b2ab8ed8c0f

SHA512
ea138b942d2caa4ee1ace14d0ff88b0cac3b8198e1f4094a4302673423903858726095b69353d3597fb20448f0f50a071bc88089749650175e1efc662993c439

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
34eca7e1d5ca9e8244474b03c42b7b9f

SHA1
c8c399386b05941d926058c02b00c32f78468d3f

SHA256
071a86f1f1f048d1dcfbe5ec43c00016b2204cee0fd61f33ac0f0b2ab8ed8c0f

SHA512
ea138b942d2caa4ee1ace14d0ff88b0cac3b8198e1f4094a4302673423903858726095b69353d3597fb20448f0f50a071bc88089749650175e1efc662993c439

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
9c6a6b4522abf7d72337b2f15962c9a9

SHA1
8228f452b9158573a5855f037f4dd70276ed580a

SHA256
4b5970e6434dc2e35201f6b075fa38756b22e4286ebe363ea8a474bdfa35858a

SHA512
73d98a832603d1b61ea9e3ebbbcd6cffcd60b03a39221b8cabef05e4721d4530716aba7e3eedcf9089fa87fdcb94ad8443537435e19b360fcb6be10576a27de1

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
9c6a6b4522abf7d72337b2f15962c9a9

SHA1
8228f452b9158573a5855f037f4dd70276ed580a

SHA256
4b5970e6434dc2e35201f6b075fa38756b22e4286ebe363ea8a474bdfa35858a

SHA512
73d98a832603d1b61ea9e3ebbbcd6cffcd60b03a39221b8cabef05e4721d4530716aba7e3eedcf9089fa87fdcb94ad8443537435e19b360fcb6be10576a27de1

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
dc744fd8cb6d44e835c4996412a5d560

SHA1
9ffa223a624f356a0a72555e3e6ff716488fdc09

SHA256
2ef8516beb7e6307ab15bf5710d1c3c57cb07b442682ccb568ed55363b5c532b

SHA512
d977a5f4a12214449007d8c650362cd99f3a48e3d77c9a656a59884efc736c99cad78e5aa7366f2e156d3476749f80ab205be92128005f2dba53d3706b116a49

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
0429275d7a48bcbee66470f21467d2a6

SHA1
0c24dedd49fa093126f1280f79346faafc7b1249

SHA256
705ce4a7fb965d0931bc235aeccdb0d97f3d35a592d59409ca0ff88b7aa6c886

SHA512
bd2ac7c592d5b158dd51b55d03a8b26fea8079bf7124af804bf9b420bb19aa9a50fe3f158ce73d2a5d3629160fa03af3df4fd691ba4ff3ce4b0feadc7b834479

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
8c02a5ba599593548169f52f25fd2882

SHA1
913baec70d19c27b91d15c7b947affb4b7c5b3e3

SHA256
26ca65882ab9e3e02e2017cc5642c1ad2ba91b784bc5c63e3de30aa672304eea

SHA512
3309a6092e767a6c12fd8d55806591c130923a8c7637b04a90b111e94f89ac4551103fe60839a4645482a60edf4a451b0a230247845fe4bc1c008bb139d0e1d4

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
1ad165ca2b0bd92cb10c89af10e49c02

SHA1
efe1b4e252ccdc50cdba727ecd9ab8a206cb2361

SHA256
0e9e4bad72e0564266d02106f8582e2a18f2f20a18b8a77c00a09e29b318df4f

SHA512
ce342de7eff27c67db605fc1ffaa7acc455f066a2d6c960eafc881aee1ad0edfc117c1faf8e73fa79c1d54bcc0de29c6d3cd9ec58a6fe4b4e8d40e7a291ff61a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
34eca7e1d5ca9e8244474b03c42b7b9f

SHA1
c8c399386b05941d926058c02b00c32f78468d3f

SHA256
071a86f1f1f048d1dcfbe5ec43c00016b2204cee0fd61f33ac0f0b2ab8ed8c0f

SHA512
ea138b942d2caa4ee1ace14d0ff88b0cac3b8198e1f4094a4302673423903858726095b69353d3597fb20448f0f50a071bc88089749650175e1efc662993c439

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
9c6a6b4522abf7d72337b2f15962c9a9

SHA1
8228f452b9158573a5855f037f4dd70276ed580a

SHA256
4b5970e6434dc2e35201f6b075fa38756b22e4286ebe363ea8a474bdfa35858a

SHA512
73d98a832603d1b61ea9e3ebbbcd6cffcd60b03a39221b8cabef05e4721d4530716aba7e3eedcf9089fa87fdcb94ad8443537435e19b360fcb6be10576a27de1

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
75cf28e4df552ef18709f16b420f26ef

SHA1
d995e98d6437fe3c07dcb72fea82ef5a7317d2c0

SHA256
510083cedc3065c25cd76a8a237836191c0823cb07ffe15b8952dde7035a460f

SHA512
7eeb16f451ff571ad3a0c85b5a86841572adbf711de566bf347d47d2202a4c59172b6c5cd42da9c9b1f3281a3ec2e79243fc24df395f6883e3a1557afa246217

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
75cf28e4df552ef18709f16b420f26ef

SHA1
d995e98d6437fe3c07dcb72fea82ef5a7317d2c0

SHA256
510083cedc3065c25cd76a8a237836191c0823cb07ffe15b8952dde7035a460f

SHA512
7eeb16f451ff571ad3a0c85b5a86841572adbf711de566bf347d47d2202a4c59172b6c5cd42da9c9b1f3281a3ec2e79243fc24df395f6883e3a1557afa246217

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
0630fc6e9a66cdfab18c3f8ecac4c92f

SHA1
24367ec87956104a0ae8dd252bed3e253c8c64f6

SHA256
04b4ea9eb1096e1865c70c747b030aded2c0fe7cd765540e016048446893fdf4

SHA512
8baeec449e7807b3e880612b6403d04e258840b36362c31abf793370fad8c678f23a5fb61004a3183f12ea977a0bbf95736a66cb5a4b402689294b9afaff1815

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
219ab57033391705dfa275e2bceb74a7

SHA1
4b2b46a90157532fdb5e6c0d6cc4517a051b8e0b

SHA256
52d3e4c3eceab5cdcb553cb91014a6dc407fb542362b946bfb1232b5f7bac1cb

SHA512
a8084f3c14357389bbfd4cf56d4884986ed64e069fb63ff6b59a99e68bb73791f00f8879105604e55a0a53a416c44b319599fd9aabacdebc468c93039edecfe4

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
219ab57033391705dfa275e2bceb74a7

SHA1
4b2b46a90157532fdb5e6c0d6cc4517a051b8e0b

SHA256
52d3e4c3eceab5cdcb553cb91014a6dc407fb542362b946bfb1232b5f7bac1cb

SHA512
a8084f3c14357389bbfd4cf56d4884986ed64e069fb63ff6b59a99e68bb73791f00f8879105604e55a0a53a416c44b319599fd9aabacdebc468c93039edecfe4

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
eb7b0728b9ca4c7e1737f5e75f47d0a4

SHA1
f64e40f8a589b95246df4129aaeeac72b8921edd

SHA256
db8523c9002ba99294523939b2114e0d9db859c418e4eefefc1522e19cfe3595

SHA512
111273d61036dbfba35357eeca623971a4c25c235b76f5a591aa1bd208b4a8cb94cbbed90e27191bf90f38e762fba6d7f84a61d6de25c6b29551cade8c345dc1

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/1336-204-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1336-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1432-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-233-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2668-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2880-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3332-113-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-198-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-200-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-186-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4900-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4916-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5008-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download