178b3630d7198d7a3e0e7b651b4dbd55870bf1d0a2df7df660047cb595817461

Analysis

max time kernel
151s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ed5604aa3bba7af780a3869163773c00.exe
Size

375KB
MD5

ed5604aa3bba7af780a3869163773c00
SHA1

2e05b358a3cb5d1a7ef89903cc5d0ed4452ec875
SHA256

178b3630d7198d7a3e0e7b651b4dbd55870bf1d0a2df7df660047cb595817461
SHA512

51d33fbcb1dba22d2e58d48fb8a07f51049910dd1c6af10c02f9b3fc2c0bbdc30b561aa2571d99f5cef4cef30ec89c08e34bfc4019fc0640d49888c99fb7e169
SSDEEP

6144:TL+rqKbSFy5P5K3E5+yOqkXWCnlboVrDo1bS2OcbSxbSxbSxbSPx5OnkP+6bfbSF:TLy95DK0kXWCnlboVrDMleeew1+Aeelq

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Drops file in Drivers directory 50 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Sets service image path in registry 2 TTPs 23 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Modifies system executable filetype association 2 TTPs 23 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1480-0-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022de2-5.dat	upx
behavioral2/memory/1480-8-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022de3-9.dat	upx
behavioral2/files/0x0008000000022de2-10.dat	upx
behavioral2/files/0x0008000000022de2-17.dat	upx
behavioral2/memory/3260-20-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022de7-21.dat	upx
behavioral2/files/0x0009000000022de2-29.dat	upx
behavioral2/memory/4660-31-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022de9-32.dat	upx
behavioral2/files/0x000a000000022de2-41.dat	upx
behavioral2/memory/3156-44-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022dea-45.dat	upx
behavioral2/files/0x00090000000222f4-53.dat	upx
behavioral2/memory/2184-56-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000b000000022de2-57.dat	upx
behavioral2/files/0x000a0000000222f4-65.dat	upx
behavioral2/memory/2340-68-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0008000000022df0-69.dat	upx
behavioral2/files/0x000b0000000222f4-78.dat	upx
behavioral2/memory/4408-77-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/2696-81-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022e04-82.dat	upx
behavioral2/files/0x000c0000000222f4-90.dat	upx
behavioral2/memory/4408-93-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0008000000022e0a-94.dat	upx
behavioral2/memory/3260-105-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x000d0000000222f4-102.dat	upx
behavioral2/files/0x000d000000022dfd-106.dat	upx
behavioral2/files/0x000e0000000222f4-114.dat	upx
behavioral2/memory/5012-117-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022e0e-118.dat	upx
behavioral2/files/0x000f0000000222f4-126.dat	upx
behavioral2/memory/1004-128-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022e12-129.dat	upx
behavioral2/files/0x00100000000222f4-135.dat	upx
behavioral2/memory/2220-139-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022e20-140.dat	upx
behavioral2/files/0x00110000000222f4-148.dat	upx
behavioral2/memory/2580-151-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022e23-152.dat	upx
behavioral2/files/0x00120000000222f4-160.dat	upx
behavioral2/memory/1048-161-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1048-162-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0009000000022820-168.dat	upx
behavioral2/files/0x0009000000022e28-173.dat	upx
behavioral2/files/0x00130000000222f4-176.dat	upx
behavioral2/files/0x0009000000022e28-178.dat	upx
behavioral2/memory/1036-180-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3608-183-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1008-185-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/1036-186-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x00140000000222f4-191.dat	upx
behavioral2/files/0x000a000000022e28-192.dat	upx
behavioral2/files/0x0006000000022e7e-197.dat	upx
behavioral2/files/0x00150000000222f4-198.dat	upx
behavioral2/memory/1076-201-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/memory/3608-202-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x00160000000222f4-210.dat	upx
behavioral2/memory/1064-213-0x0000000000400000-0x0000000000430000-memory.dmp	upx
behavioral2/files/0x0007000000022e7e-214.dat	upx
behavioral2/files/0x00170000000222f4-222.dat	upx
behavioral2/memory/2164-223-0x0000000000400000-0x0000000000430000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\S:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\Q:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\E:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\I:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\T:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\V:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\H:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\Q:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\M:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\E:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\Q:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\W:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\E:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\Q:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\J:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\J:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\V:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\R:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\W:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\X:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\I:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\M:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\H:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\O:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\H:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\W:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\N:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\R:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\W:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\P:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\E:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\G:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\T:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\H:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\N:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\E:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\K:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\R:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\W:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\X:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\O:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\K:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\R:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\O:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\L:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\E:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\S:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\U:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\V:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\K:	NEAS.ed5604aa3bba7af780a3869163773c00.exe
File opened (read-only)	\??\S:	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ftp33.dll	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
1480	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1480	NEAS.ed5604aa3bba7af780a3869163773c00.exe
3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe
3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe
4660	NEAS.ed5604aa3bba7af780a3869163773c00.exe
4660	NEAS.ed5604aa3bba7af780a3869163773c00.exe
3156	NEAS.ed5604aa3bba7af780a3869163773c00.exe
3156	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2184	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2184	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2340	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2340	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2696	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2696	NEAS.ed5604aa3bba7af780a3869163773c00.exe
4408	NEAS.ed5604aa3bba7af780a3869163773c00.exe
4408	NEAS.ed5604aa3bba7af780a3869163773c00.exe
3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe
3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe
5012	NEAS.ed5604aa3bba7af780a3869163773c00.exe
5012	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1004	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1004	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1004	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1004	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2220	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2220	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2220	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2580	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2580	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1008	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1008	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1036	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1036	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1076	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1076	NEAS.ed5604aa3bba7af780a3869163773c00.exe
3608	NEAS.ed5604aa3bba7af780a3869163773c00.exe
3608	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1076	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1076	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1064	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1064	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2164	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2164	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2840	NEAS.ed5604aa3bba7af780a3869163773c00.exe
2840	NEAS.ed5604aa3bba7af780a3869163773c00.exe
944	NEAS.ed5604aa3bba7af780a3869163773c00.exe
944	NEAS.ed5604aa3bba7af780a3869163773c00.exe
936	NEAS.ed5604aa3bba7af780a3869163773c00.exe
936	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe
1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe
416	NEAS.ed5604aa3bba7af780a3869163773c00.exe
416	NEAS.ed5604aa3bba7af780a3869163773c00.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 936	1480	NEAS.ed5604aa3bba7af780a3869163773c00.exe	82
PID 1480 wrote to memory of 936	1480	NEAS.ed5604aa3bba7af780a3869163773c00.exe	82
PID 1480 wrote to memory of 936	1480	NEAS.ed5604aa3bba7af780a3869163773c00.exe	82
PID 1480 wrote to memory of 3260	1480	NEAS.ed5604aa3bba7af780a3869163773c00.exe	84
PID 1480 wrote to memory of 3260	1480	NEAS.ed5604aa3bba7af780a3869163773c00.exe	84
PID 1480 wrote to memory of 3260	1480	NEAS.ed5604aa3bba7af780a3869163773c00.exe	84
PID 3260 wrote to memory of 4660	3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe	89
PID 3260 wrote to memory of 4660	3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe	89
PID 3260 wrote to memory of 4660	3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe	89
PID 4660 wrote to memory of 3156	4660	NEAS.ed5604aa3bba7af780a3869163773c00.exe	92
PID 4660 wrote to memory of 3156	4660	NEAS.ed5604aa3bba7af780a3869163773c00.exe	92
PID 4660 wrote to memory of 3156	4660	NEAS.ed5604aa3bba7af780a3869163773c00.exe	92
PID 3156 wrote to memory of 2184	3156	NEAS.ed5604aa3bba7af780a3869163773c00.exe	96
PID 3156 wrote to memory of 2184	3156	NEAS.ed5604aa3bba7af780a3869163773c00.exe	96
PID 3156 wrote to memory of 2184	3156	NEAS.ed5604aa3bba7af780a3869163773c00.exe	96
PID 2184 wrote to memory of 2340	2184	NEAS.ed5604aa3bba7af780a3869163773c00.exe	100
PID 2184 wrote to memory of 2340	2184	NEAS.ed5604aa3bba7af780a3869163773c00.exe	100
PID 2184 wrote to memory of 2340	2184	NEAS.ed5604aa3bba7af780a3869163773c00.exe	100
PID 2340 wrote to memory of 2696	2340	NEAS.ed5604aa3bba7af780a3869163773c00.exe	104
PID 2340 wrote to memory of 2696	2340	NEAS.ed5604aa3bba7af780a3869163773c00.exe	104
PID 2340 wrote to memory of 2696	2340	NEAS.ed5604aa3bba7af780a3869163773c00.exe	104
PID 2696 wrote to memory of 4408	2696	NEAS.ed5604aa3bba7af780a3869163773c00.exe	105
PID 2696 wrote to memory of 4408	2696	NEAS.ed5604aa3bba7af780a3869163773c00.exe	105
PID 2696 wrote to memory of 4408	2696	NEAS.ed5604aa3bba7af780a3869163773c00.exe	105
PID 4408 wrote to memory of 3260	4408	NEAS.ed5604aa3bba7af780a3869163773c00.exe	106
PID 4408 wrote to memory of 3260	4408	NEAS.ed5604aa3bba7af780a3869163773c00.exe	106
PID 4408 wrote to memory of 3260	4408	NEAS.ed5604aa3bba7af780a3869163773c00.exe	106
PID 3260 wrote to memory of 5012	3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe	107
PID 3260 wrote to memory of 5012	3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe	107
PID 3260 wrote to memory of 5012	3260	NEAS.ed5604aa3bba7af780a3869163773c00.exe	107
PID 5012 wrote to memory of 1004	5012	NEAS.ed5604aa3bba7af780a3869163773c00.exe	110
PID 5012 wrote to memory of 1004	5012	NEAS.ed5604aa3bba7af780a3869163773c00.exe	110
PID 5012 wrote to memory of 1004	5012	NEAS.ed5604aa3bba7af780a3869163773c00.exe	110
PID 1004 wrote to memory of 2220	1004	NEAS.ed5604aa3bba7af780a3869163773c00.exe	111
PID 1004 wrote to memory of 2220	1004	NEAS.ed5604aa3bba7af780a3869163773c00.exe	111
PID 1004 wrote to memory of 2220	1004	NEAS.ed5604aa3bba7af780a3869163773c00.exe	111
PID 2220 wrote to memory of 2580	2220	NEAS.ed5604aa3bba7af780a3869163773c00.exe	112
PID 2220 wrote to memory of 2580	2220	NEAS.ed5604aa3bba7af780a3869163773c00.exe	112
PID 2220 wrote to memory of 2580	2220	NEAS.ed5604aa3bba7af780a3869163773c00.exe	112
PID 2580 wrote to memory of 1048	2580	NEAS.ed5604aa3bba7af780a3869163773c00.exe	114
PID 2580 wrote to memory of 1048	2580	NEAS.ed5604aa3bba7af780a3869163773c00.exe	114
PID 2580 wrote to memory of 1048	2580	NEAS.ed5604aa3bba7af780a3869163773c00.exe	114
PID 1048 wrote to memory of 1036	1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe	117
PID 1048 wrote to memory of 1036	1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe	117
PID 1048 wrote to memory of 1036	1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe	117
PID 1048 wrote to memory of 1008	1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe	118
PID 1048 wrote to memory of 1008	1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe	118
PID 1048 wrote to memory of 1008	1048	NEAS.ed5604aa3bba7af780a3869163773c00.exe	118
PID 1008 wrote to memory of 1076	1008	NEAS.ed5604aa3bba7af780a3869163773c00.exe	119
PID 1008 wrote to memory of 1076	1008	NEAS.ed5604aa3bba7af780a3869163773c00.exe	119
PID 1008 wrote to memory of 1076	1008	NEAS.ed5604aa3bba7af780a3869163773c00.exe	119
PID 1036 wrote to memory of 3608	1036	NEAS.ed5604aa3bba7af780a3869163773c00.exe	120
PID 1036 wrote to memory of 3608	1036	NEAS.ed5604aa3bba7af780a3869163773c00.exe	120
PID 1036 wrote to memory of 3608	1036	NEAS.ed5604aa3bba7af780a3869163773c00.exe	120
PID 1076 wrote to memory of 1064	1076	NEAS.ed5604aa3bba7af780a3869163773c00.exe	121
PID 1076 wrote to memory of 1064	1076	NEAS.ed5604aa3bba7af780a3869163773c00.exe	121
PID 1076 wrote to memory of 1064	1076	NEAS.ed5604aa3bba7af780a3869163773c00.exe	121
PID 1064 wrote to memory of 2164	1064	NEAS.ed5604aa3bba7af780a3869163773c00.exe	123
PID 1064 wrote to memory of 2164	1064	NEAS.ed5604aa3bba7af780a3869163773c00.exe	123
PID 1064 wrote to memory of 2164	1064	NEAS.ed5604aa3bba7af780a3869163773c00.exe	123
PID 2164 wrote to memory of 2840	2164	NEAS.ed5604aa3bba7af780a3869163773c00.exe	124
PID 2164 wrote to memory of 2840	2164	NEAS.ed5604aa3bba7af780a3869163773c00.exe	124
PID 2164 wrote to memory of 2840	2164	NEAS.ed5604aa3bba7af780a3869163773c00.exe	124
PID 2840 wrote to memory of 944	2840	NEAS.ed5604aa3bba7af780a3869163773c00.exe	125

C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:936
- C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
      4⤵
      Drops file in Drivers directory
      Sets service image path in registry
      Modifies system executable filetype association
      Adds Run key to start application
      Enumerates connected drives
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3156
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        6⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        8⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        9⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        11⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        12⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        13⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        14⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Drops file in System32 directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        15⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        16⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        15⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        16⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        17⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        18⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        19⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        20⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        21⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        22⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        23⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.ed5604aa3bba7af780a3869163773c00.exe
        24⤵
        
        PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
393KB

MD5
66c6aeca4b371b003417b61a254b4926

SHA1
8d3576af25bdb5ae4e348fae916a6ac2016809d0

SHA256
3340b45fd54e288b6030a92fa284f242e156eaa798be98db1c5b06094ed467fb

SHA512
c4b3ebfcb7a4769abf86dedba103021aa4ff1037795ef747b8e0423a0d27cb39e4ab95465375e2d0a8aa8b02d86dc9d198475d6cfd225cd1fccb0c6590815296

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
401KB

MD5
f339e30432514393d9b445aa44f58f6c

SHA1
5334b545cc3265aff6111f45d1429d67f465acb7

SHA256
435904a9a5abbb82cc6d8248d8fb229e1448ac7b78d461cc5882689a97a30608

SHA512
30151a1a77951275f7e2b8d6229f5c9895162bbf109574ab06a4dd14f5098d1eea495ea500a827eef77fb4b17aebca5e4e6d2c12e661f895e8006ec2a49f2d50

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
397KB

MD5
987eda8e817ec8eb5830a2578b6015e7

SHA1
14abff0eb191bf88808759533f643cd71ef11e94

SHA256
103e8cff1efb5f5ee63523835144fdf1246cd8a7d75818e3b22175a5a03d379a

SHA512
dbb469b75aaeb2d594d2d4aa75bc6c8d568b78b742ae5ed917e0791cc09da6123a3a4ed8355e72b8e4b1e1ad9452b91824bb42ab4e0ac48bf3653be9cd41fb76

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
393KB

MD5
5227c2f9311bacdbd96110a983d19ac9

SHA1
9e3eddc378421c3c5dddfbb33555ad0b2ac6c418

SHA256
2797ae35022cca0ca60b4f3fc618e9e29baf5af9a740b2e4d12d588af2b139e1

SHA512
598da4dc7ae53c35a403c5ee8d2aab4c28622498dea4a06ff416aa2a7aea23a84d142ea8407da5ba3aec4a5e4914050ea4c7fc72eeff8338dba0f29309abcb0e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
388KB

MD5
f25440a7bc923659e14f062e61b82b73

SHA1
e0812903e9dce7321c653bd8917af6b042a583dd

SHA256
a7db695041377721e19d29f5caa3a2d0d67b4077b23d66769d0b77b1875d5dfd

SHA512
db9645e70fde500d2192a4a31d45b2a4269e76a2b253d5f58391490605f718da078448175700f7966ed1d68e7974eb81b4cd8a309363df09efcf9e212e59c1ac

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
402KB

MD5
c092e66fafd03fa2cf9890460bfe244d

SHA1
58078518f454181427b7fff1a213664c312653f2

SHA256
32e8315750214cfcddc68921767b73962ebd11eb52b197a480679d6c4dda104d

SHA512
a9121e7c5ec2bc550e4488fff5bb844701483e3bf29f5cf46d8be08c0f75e0fae489252f30abd93e5a8753c3b0e28822ecab4848e0d82d482e3f323d35cc529d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
394KB

MD5
31e7e3a6df9113458647119d7d8d41ba

SHA1
a1eeb7b5ce6b85b65b56dcc73d5bd6c5ac098dc3

SHA256
13e6759eebd3514e6d5724e7aa506c18cd5156c22b4d8acbf619cfde1b682dea

SHA512
543446c8bc9dd63d0022568264de36b9f7b84e403b0172bf823f5534be48ec5b7eb40e79758272063fb443f8542e574c7734e2ef975051463423048caf6b9478

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
387KB

MD5
f2225c7e52a9ed8f9593b8a825f24946

SHA1
8614251296a785737ff5e40af146a04e63aafeb2

SHA256
28cf2a99e1bfec42d3e4402b85fb481daf97bcde90ca4d6f695a408ee343d3a1

SHA512
f885e3e1cb3448ae16b90c48a05b1f112df1ed2a2f8a70907852daf423b143c3b85956fe4cae764ff13694be51e399904a10706bc5998ed797cd81553cd24080

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
406KB

MD5
9220d7c1539f3e8671823f8f88e6e233

SHA1
f5e79d4edc8341193e387d495eb30bcfa0fef3cd

SHA256
05ec245e0bada87b3b1c78ec72856c0dd2c876db694391d197e1e67a1cc5aab8

SHA512
64ece814165a1cda6db4f5f3af75c71168dc766c82b0e46730b36ba4ed2852691890ea3f395b94c1ed72031af3bf6b81c18997b0b5a000cd42b9de998c89f8f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
385KB

MD5
89adc7676f7ffa5d63b97210235f04f2

SHA1
8ad13a16ef0f4f5f48e123d72df561ad728c102f

SHA256
c93a96d5601c51997c48594e21c38943a2b6e1e5d36e30b9848bbb6975011fb9

SHA512
2798175bfcc643404dd12231553d43ce8baa8d49941dcaf16c732ec98bd8c7b60243e265ea2bbc22f6779da2251acaebd513c6d439c8ce57a835ef2d0593beed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
393KB

MD5
d61792a02c6a46054b425344dad324c7

SHA1
3897fd9f85dd09a20ab1d96eaa50cbc1e0254777

SHA256
5df65e5f952da9f42ae1d1080babe58d734f309055fb861df18032e95e9ee3bb

SHA512
45ca007602449376d72520fa81bf8c9a4ab54f6a273e6e3741108cecad551164909965c9b1bfc30f79d59457963741784fd3353c00b4ea9387e0de400ad8a4b7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
404KB

MD5
6fafe4a975730d668fb7c491c25d4bf4

SHA1
637b768e452a5a4035b713549be3820902871435

SHA256
c904b103d9776241dd07bc20f0b2498086558732261a6db57ed8acc5500e1eae

SHA512
526dfbe8e8abb19ecf3d989af82fe42abbe15d7ee73c0e9e5d8ff4650461556f5c716318aa96c80c8ed24045b06ff546b9a50178760cf2902fd8d8f38a928627

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
376KB

MD5
0938e54a61cfa5588d0ba6cebeb6c8be

SHA1
88cb96ae0fbd0c0618b51d6ea2520faa2c307288

SHA256
7d49c5b80770dcbc4c0d414734b750bde9de3d44f88bc932390a614fb9e21643

SHA512
9136750880d70dec2e46a3fe16f9ec1778c2d2e566ff5645889226a2ac84bae2314f3961490ca1d134f79085b72071b8f9be0877af7942c4c2eafafbd35de1b0

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
378KB

MD5
ca33883b0361541e10012d90dda0c349

SHA1
3e31a638a24720de63c62964c8ac4402722e4c23

SHA256
d4662c8933f12b2c187c2078adedadc5dffb6034f0f680e0738dc81ee43c3765

SHA512
31d5e91e0d4af7faa3c61c4c535e0a8eeacdde733319e97d394e2790a7bca993f5a92feacb9ce7968dc0617295b6b2a4cb569e852a3a5d5c6084646629313286

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
380KB

MD5
21f2dae0012b31c2ecb34c161f409658

SHA1
9df994a55ba57d7d7cb2491674a0348d34538e6a

SHA256
7dfd11ba04c73eec1dfabda02da1538a69f11c3812931b8439d1a2bea66c00dd

SHA512
a46b5b66b1c7e690978ba4f18666349952ff880708a8a184436314999c0955a8ae7b82b04e123d053af7c342bec51722245525f12ebc74ec898aa6cb1fc7db11

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
401KB

MD5
7896e66deb86a5ce327249a9495e19d3

SHA1
4691cfe3c9e3ee188d1fb4a4d9ded973a0d59b12

SHA256
b7544b041b113e772b0c5c035c276f8eb69d15985d13f95e40076e69b9ed1859

SHA512
a6615dc98c7b3a33395bf37495d8103c2d1a14d15af5094fe0b44b9b1051c04e34f79a112dc784ade3e13df72d906a2d9c2645c7342a476dab811b09f0415ac4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
403KB

MD5
51a1d45f17802c84646e29b584e91ef4

SHA1
ab60ee423386dbe868087a9168e83728e65f0151

SHA256
c5c3a45afb409d6a80fb96dd13bbbed531ef827a8ced8d45a9a52844113f370c

SHA512
a5b956dc7157da364c3bbc48282577b8a48f68dbe7eba116f4080030af3950ef96307f4fc4d0ec4651976ce32a99a68deadfb4de2648b17e19f487be143a6a91

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
385KB

MD5
7f452ae0c3695f07c6b914ee415cbd23

SHA1
e85f1c7bf2c678915121067348c43c7ad1a35e8c

SHA256
d9b5e3c34a967d56e7ec3107aab199abea8d5cd67ac8084216589694f32baf5f

SHA512
aa799e6a304cdc0cf310845c6179ae8b9c8b97cbde48496aa9327ba558986e132cddca35aa82e3038ff01ed1c0cedea25b09450b99f87501835e3964d343505a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
399KB

MD5
81d4dad74389c83bb26cefd6283ee165

SHA1
0b69760850ffbacae9c74013bb13d295d596490d

SHA256
49488d91714a3cd93b1bd7dbfdc632fbc4eeb80e52999002e3b1cfca8880420a

SHA512
5393a23a0ec0ac5917c5bd90bb94d9c6588a6f2184a2b81deb6b35748a171a3c4bac08aec501f4688cfed4f8c04d022076c11b32173ecdd25d269e1b7bb67b51

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
404KB

MD5
2da5bc71e6e0e56ed7c8383b1046a4c6

SHA1
3037ceb15cbf6c1afa5805374f3bd969bd29ea7d

SHA256
8263675aedb4049b9f2b6e37e0f01ac8858beb4bd03d8dcfe2d96b8db4056743

SHA512
5c167fdc8ab9b59d3a4e221b0a2a8230e417eb59affe840f458315fc3779b138f7a531ce06fa230301ce5ea3ac714adf795c434ed6fa4afcadb22041c15ff533

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
407KB

MD5
23845bdd3f8e07983a1c54f357718c71

SHA1
e3fabb84fb10f9c805d8abc4810997cec54723bc

SHA256
6d31caa33ee4ac7be87a401d6bbe6675253ac1980c3e1f31d4c7dac5bbb071f5

SHA512
94d91d9fe8d73246b6e74dc928f0e49f00f12c3924a60a1d16294f583986eb7708117e9310a243a6baf1e83ddf89eeb821fc16bd4b5dccb935327b92258fe290

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
391KB

MD5
3908820f19b7ebac75336375276d7252

SHA1
7a56234e2291b6d43423f0b3a9d5cb2856259e46

SHA256
f159b2bd17e39f5262151893ee7d06fe288232863e6b8ed4d84a25c2c3f205d8

SHA512
33f7ff63916be7f5de28e2660161b906dbc169c30b45c7971a5a1b4be71a99c17a8c56f4d0bcace34f42d48ede359fcaaef8e5bbafca02090e591b21fd5f62bb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
406KB

MD5
614fe74af14ce65b64576c8fee1bb3c6

SHA1
423c00837a599c408e3a9c8fbbad09b3f7486156

SHA256
89c7938bf36414dfef039636322f88360b5926d5ef5c9af21986acaded0f32c4

SHA512
7980325cf80de503e485fda011c0740b79122ef6b1c22a469cabc21d2e353692a55436d61091d3f40702f1d0e39d72c286bb660679426a5347a925571b6c5f9c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
390KB

MD5
9a3bd411bca6e3949431ff7ea2068aad

SHA1
e8d8d7533304118ad808266ff6245f36df832a42

SHA256
1874cba717eb8cdae48548d7743753f21de0f4da8847c570758299251cb10851

SHA512
e6f74fcd59df88a06e32275fa57f0a432d130472453f85f20d5ae596b7c61313b28d645a22be62c05a575505f3d0cb34957b6fbf0e8e4713186439810977bc1f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
403KB

MD5
d85c820248e23c2e06662a5610d9b15a

SHA1
f4000737199bd2cdc89f04bc237578118b08ad49

SHA256
5bf29f4028ab1f4bd1340ddf93a164d7e503d258d4893f20fb08c276c2c44433

SHA512
91dca1369885df157dfe3fa9c5a47595a5dc8a35e15614835db8b37ac7e518fe66c07390f6bb480125a8a5c26c44a6b3b25feda33ddb96b1eb1ca368fc4783b8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
403KB

MD5
d85c820248e23c2e06662a5610d9b15a

SHA1
f4000737199bd2cdc89f04bc237578118b08ad49

SHA256
5bf29f4028ab1f4bd1340ddf93a164d7e503d258d4893f20fb08c276c2c44433

SHA512
91dca1369885df157dfe3fa9c5a47595a5dc8a35e15614835db8b37ac7e518fe66c07390f6bb480125a8a5c26c44a6b3b25feda33ddb96b1eb1ca368fc4783b8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
386KB

MD5
cc35ef4d69de2c433f31e621228727b8

SHA1
2917edf7e13f03a9975e76787c71f3bf33923fcc

SHA256
e29d10e8dbe23ef8f120cdcf7e443adf8cb80f90feaae6c92db336a3bf8cdd69

SHA512
73bf3b2f396f84f11c8182835db2a070364d5176ae3a92c012d7b75c3b9e84672342ec30957c5ff43d6d80463470934a021bf2359ef08032bfa0b03edf1d40d9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
389KB

MD5
3df98bfbe9c4d8eaab27a57b952ebc29

SHA1
1b2c97b329abfe83558000fe49e601b79b26a4f4

SHA256
380a18e08f98efd9ceed6f94bda647c8940ffdfb818b2ff3732f4a2bebbc6ec3

SHA512
51d13a4c5273cc96e0fc41f98372b18f52d9e776611ff4249b9348348cb5623bf11419f84a7d7923b4414c52f81bda7583423bd25d838ee63eb17f7a5dd89acf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
405KB

MD5
d944713a320cfb457b592571d5b2d4bd

SHA1
8901d1dec7eb5cad4b17824c40f85f4ec5e278b6

SHA256
c7cdbdd88a9103a45821ed874e6698d94f8da8930916947aaa32bc7fe22f65e9

SHA512
7bb0e01ef1d00f90c2a07fc17d54adb9ddff2b4a9cec7e8d239e1417e79ea21ac7f7565a7f93112350a3a2f7d42b661cfedfc4f1774776969faa46d83f813c5c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
405KB

MD5
d944713a320cfb457b592571d5b2d4bd

SHA1
8901d1dec7eb5cad4b17824c40f85f4ec5e278b6

SHA256
c7cdbdd88a9103a45821ed874e6698d94f8da8930916947aaa32bc7fe22f65e9

SHA512
7bb0e01ef1d00f90c2a07fc17d54adb9ddff2b4a9cec7e8d239e1417e79ea21ac7f7565a7f93112350a3a2f7d42b661cfedfc4f1774776969faa46d83f813c5c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
403KB

MD5
d694880cf3c0461c6d08620778852798

SHA1
c70b9ea2dd34c796ff4b320760c70ad569e1a39c

SHA256
7dac74bd8ffcd119c86dc85cc8e3b34ed8f413f81c4a09fc2e08509f9f40b0f4

SHA512
ec155e4054c8af646874b8543c250fe6f4362fbce4316f8a1919f6d740c3a2d1d8232bc4ec7221eb28de05482f3dfda0725c3ae804f7a0111188dc72e06fb2d3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
376KB

MD5
bf20f19d0a2d431858543ba5f654abd6

SHA1
ad839b368cf2a6d2fa7a5697e8a1a0e0425bbb24

SHA256
477c47c5e4f3080d1fcc184992d452242bbfb5eaae8c03ee683e60b9f0e39372

SHA512
792250eca31ebddf91589e57c0070ec4a4d75e3701a2fce63fdefa453d647e215737c46f454be4469d5b0700081bfa55b041ad8a94ba64c1047b6c37a4d060c6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
387KB

MD5
8542f2f55b8e8c4f746941ce77fb10f4

SHA1
644631beadaea43915ec02414a0f5f6a6310b047

SHA256
8f061d49a155187974d0574b82db2f74dd429ad2894c27cde52b71f7be216d87

SHA512
d268d659134113db03ebb17b41f3ec073283bb9603eb9d7e3c24facbd4195bf0881f0106847b8c09352a1a2eb6bfd8d868de38098513655f1bae7b10ca0e0848

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
381KB

MD5
e570d43cae4076bbe0cf9178ccd6e1c9

SHA1
91d69cb395e1e774f4ad0c2620f65ab3ee711df8

SHA256
cd0c44b7bdd1b0821f46bfc00d52f236c7aa9bca8fec506c5f01440e8b1d7ff9

SHA512
c3f7c14d32aa7e160534a62cad330c34370f239951b3b6e1a55aa676f42e268ccc445b2622a9675532701efc622361132036412050268f01844e445ccf9f0a68

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
389KB

MD5
89dacf3cab697557fbdf54796700b0b8

SHA1
fd51dbd305e26a9e0324f56fcf03f13390f19a17

SHA256
1f07308656add01c7ddc3c9a029906f0baec3a1f294084af89b8ac19424ed5a5

SHA512
cbb2b51accadd63ffc9d6023167827545d813054621d6b9c95986e57f4cdda09b945045a9540ccebbca0b62dfad030da315a73ef4457c885cf589979485a1863

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
387KB

MD5
deaff24fce01c5b69ab3bec64d5448cc

SHA1
7d4f0120c3f5e71646754ab1731963be3c520b6d

SHA256
56bc2ca5543956ae05cb0b73837b96f8a874ea6ed8e7c5b85bf9ab3cbad28a4a

SHA512
0dc888edcbdff0269228cbbe8eefac5a0d47d99fd46df0bc3a8f9481404374baf5d436d31768d8f3acd85d90d17ba0253c5eae159dc9c5ccc09f3c7a6396fe4c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
389KB

MD5
3fd6390fae80b017a61650bdb806db3c

SHA1
59b5120e9f65d20c2033fcb875ba920c0de764f0

SHA256
500c696e361f204a4478e6f5d352a980cff47b90e69ef808c38ec4bf0fb8805c

SHA512
c559e469bdb7e1877259e65c9e34f95de263b51e837ed294f8483249eb54d669ad13b61c6e9a8bd64522f47927f50ec7cf3bf57e67d58f5c70c18d8be1b61a81

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
400KB

MD5
3d8058276126a202e3547e0b37819e58

SHA1
002d3fbbbb98b101bc80251bcc954ec162fada39

SHA256
1a4d4d35e71cd6a5532a3faba71ab2485119a686e861029cca0154da83dfa5c2

SHA512
ef08ae3ca6ee284d8bb6f2b7f8276e653817a3f5e7a15bbcb7ec41e8792c57fc7a4054aaf331a542917bf7383c1d6b32c9aa189bd3e412b5d79a70167095a1ac

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
390KB

MD5
1f70823606236baf5eb1f92979c74acd

SHA1
ebb5da2b20d6e1011d119505522e100634cf9266

SHA256
143a53a09b92be0f36cbda74d13959577b914e8e4c7396b4325128a9788bcde6

SHA512
47e8d34a3cff8542f01a5846449c507ffefee526560e82249698b53a0aacd4cc3e685acc5c3cb554feac9a2fc2dfe32960d2d5856c446ad5a4e8925862912a0a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
403KB

MD5
8568573ea7d9fb350280d44f0cc3d355

SHA1
9184a96223d7fb320777d26b47a61d421459bfff

SHA256
8e682dc70a5fed92fdb9391be893de9c0c0371c222ee7293cba1abfd29870a3c

SHA512
ee95c7f474a95ed2f085ef4424c5437b5df7f5e61eb7287c317a75567e61e719cb37f7b06988dcdb6da9e359716b8525b4d3b282cbb9c3359937e946af5757b7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
377KB

MD5
093fb2adbeac0db8ee30820017c52c4f

SHA1
48f7e14fc3752828c43df47d77fccd8472185923

SHA256
598658d5ea60dec1d1728c444f57a139ee7f9c59fef7359133e075001743977d

SHA512
fa92122dc614ed76a7855d40023cc289b3fba193c6c512ec431a70eab521cddb1e33f19d1ee07384944fb5f7c8271351831db09931c5b6b475243eee947a944f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
390KB

MD5
66d7f748d833027946d47a7ccd85385d

SHA1
0ee82b9776d91e1d71d4134ed05fee6d1a8c4afe

SHA256
2e1e4335c78f459529f652dc8d56104e4d0c6d7f8d62d406ea57e5c14fe8ec24

SHA512
fbae0d55bde0d7b3d23dc758b681920f80a06573dd986497139592bc39450373030cf95aac85a8a9341508e509a7d6122269e234582e2c9d744f2459ec52de6e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
382KB

MD5
c983bec8e3eee86839c7d6068d20365b

SHA1
1457d58d4a8de4cee891eb6414f2ea45ce0867ec

SHA256
2a8aec4f2efe32954849f235ba6cb1a6763763141f6a41b29f94309d98caa566

SHA512
b0c7d20dee7510aa539b71220b5b1db9276cfb511231b531b4671bfa39f7ccd2249ea91af961a12b93a804ea5235760f3885bda9eeccd6e8e8990b794b82570a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
382KB

MD5
77972a8544c20797063ce80a94ff3069

SHA1
4b4a7a4f04459ccd7fb65c19e8c5fa4a5f7565ee

SHA256
5e949a6b7ee646f24f5791c4b945ec055906b72b73669dc83c6a886badb0f900

SHA512
53d97b8adb4d869d2ccf15885116977737105fd51e5acad9e5fce736740a4d987d60a92e64a38093615a09069383d43c56bb04ae1708c6bf3c976a1f56bdb824

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
406KB

MD5
0db18e5208986de3762c26975e651ea8

SHA1
0e6f379b63ac3a63c2b01adc1f4be9fe695818f9

SHA256
1f4200c98f2677b958b2f2ff2a3a7c424bdd68a382835c5bc602db02bb467613

SHA512
971fb612e6cb23be5ce308d0513706f11707e71f496a99b39cd180a5609920d334cdf397705bd7108ce7a56a9415aa2454a3c93a877e98259ef06424a38e75d4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
407KB

MD5
107723ce253e92d714193cd274d76d18

SHA1
906f2f582cc76ec9eafeace559ee0fed99141dfd

SHA256
d2dc650df1bbe7f4dd426d60c1db918f5e57bfc0f0ad103c4442e16955ad9f19

SHA512
642312d8634c591e087176cdd3737bf1ec287cc1088f2968741cf863bcf6e391ab6034254b85d0c920e5e3ee8821ed11685ff619a14041aa83cddf67908baaa4

Download Submit
C:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/416-278-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/416-277-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/416-283-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/936-250-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/936-262-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/944-249-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1004-128-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1008-185-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1036-186-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1036-180-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1048-272-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1048-161-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1048-162-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1064-213-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1076-201-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1480-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1480-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2164-223-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2184-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2220-139-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2340-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2580-151-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2696-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2840-237-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3156-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3260-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3260-105-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3608-202-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3608-183-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4408-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4408-93-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4660-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5012-117-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download