6c9e8a66a1b84d7e69fa6dcfc1ad58691a985def39b67ffcabdbf1ab5304ad02

Analysis

max time kernel
226s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 20:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Size

196KB
MD5

9f6cfc9a1f5d00187054dc14956be5f0
SHA1

a5d322d57fde5b978ff13471e7481dcf61f789c6
SHA256

6c9e8a66a1b84d7e69fa6dcfc1ad58691a985def39b67ffcabdbf1ab5304ad02
SHA512

20ff86288261bb4562e5ba8cf9ef725fdfcb3379100694568738a4a8deaa4ac0d2e47d6dd201a560bc402ca3533b110196327db5204c24067a643d01abc6b9f9
SSDEEP

3072:ZOgUXoutNlxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoSjRARoYlld9n2Qpmx

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
3272	xk.exe
3740	IExplorer.exe
4192	WINLOGON.EXE
2864	CSRSS.EXE
4620	xk.exe
4068	IExplorer.exe
4044	WINLOGON.EXE
3108	CSRSS.EXE
4928	SERVICES.EXE
4308	LSASS.EXE
4020	SMSS.EXE
4064	SERVICES.EXE
2140	LSASS.EXE
4512	SMSS.EXE

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2348-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0007000000022dd4-8.dat	upx
behavioral2/files/0x0006000000022ddb-107.dat	upx
behavioral2/files/0x0006000000022ddb-106.dat	upx
behavioral2/memory/3272-110-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022ddf-112.dat	upx
behavioral2/files/0x0006000000022ddf-113.dat	upx
behavioral2/memory/3740-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de1-119.dat	upx
behavioral2/files/0x0006000000022de1-118.dat	upx
behavioral2/memory/4192-120-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/4192-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de2-125.dat	upx
behavioral2/files/0x0006000000022de2-126.dat	upx
behavioral2/memory/2864-130-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/2348-147-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022ddb-180.dat	upx
behavioral2/memory/4620-183-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022ddf-185.dat	upx
behavioral2/memory/4068-188-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de1-190.dat	upx
behavioral2/memory/4044-191-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/4044-194-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de2-196.dat	upx
behavioral2/memory/3108-199-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de3-201.dat	upx
behavioral2/files/0x0006000000022de3-202.dat	upx
behavioral2/memory/4928-206-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de4-208.dat	upx
behavioral2/files/0x0006000000022de4-210.dat	upx
behavioral2/memory/4928-209-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/4308-213-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de5-216.dat	upx
behavioral2/memory/4020-217-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de5-215.dat	upx
behavioral2/memory/4020-220-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/2348-245-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/2348-247-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de3-250.dat	upx
behavioral2/memory/4064-281-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de4-284.dat	upx
behavioral2/memory/2140-287-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/files/0x0006000000022de5-317.dat	upx
behavioral2/memory/4512-320-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/2348-321-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/2348-322-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	F:\desktop.ini	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File created	F:\desktop.ini	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened for modification	C:\desktop.ini	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File created	C:\desktop.ini	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\J:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\K:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\T:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\E:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\I:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\L:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\N:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\O:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\S:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\V:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\B:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\R:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\X:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\Y:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\Z:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\P:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\M:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\Q:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\U:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\W:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened (read-only)	\??\H:	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\shell.exe	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
File created	C:\Windows\xk.exe	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\Desktop\	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
3272	xk.exe
3740	IExplorer.exe
4192	WINLOGON.EXE
2864	CSRSS.EXE
4620	xk.exe
4068	IExplorer.exe
4044	WINLOGON.EXE
3108	CSRSS.EXE
4928	SERVICES.EXE
4308	LSASS.EXE
4020	SMSS.EXE
4064	SERVICES.EXE
2140	LSASS.EXE
4512	SMSS.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 3272	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	88
PID 2348 wrote to memory of 3272	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	88
PID 2348 wrote to memory of 3272	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	88
PID 2348 wrote to memory of 3740	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	89
PID 2348 wrote to memory of 3740	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	89
PID 2348 wrote to memory of 3740	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	89
PID 2348 wrote to memory of 4192	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	90
PID 2348 wrote to memory of 4192	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	90
PID 2348 wrote to memory of 4192	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	90
PID 2348 wrote to memory of 2864	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	91
PID 2348 wrote to memory of 2864	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	91
PID 2348 wrote to memory of 2864	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	91
PID 2348 wrote to memory of 4620	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	92
PID 2348 wrote to memory of 4620	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	92
PID 2348 wrote to memory of 4620	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	92
PID 2348 wrote to memory of 4068	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	93
PID 2348 wrote to memory of 4068	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	93
PID 2348 wrote to memory of 4068	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	93
PID 2348 wrote to memory of 4044	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	94
PID 2348 wrote to memory of 4044	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	94
PID 2348 wrote to memory of 4044	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	94
PID 2348 wrote to memory of 3108	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	96
PID 2348 wrote to memory of 3108	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	96
PID 2348 wrote to memory of 3108	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	96
PID 2348 wrote to memory of 4928	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	97
PID 2348 wrote to memory of 4928	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	97
PID 2348 wrote to memory of 4928	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	97
PID 2348 wrote to memory of 4308	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	98
PID 2348 wrote to memory of 4308	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	98
PID 2348 wrote to memory of 4308	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	98
PID 2348 wrote to memory of 4020	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	100
PID 2348 wrote to memory of 4020	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	100
PID 2348 wrote to memory of 4020	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	100
PID 2348 wrote to memory of 4064	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	108
PID 2348 wrote to memory of 4064	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	108
PID 2348 wrote to memory of 4064	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	108
PID 2348 wrote to memory of 2140	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	111
PID 2348 wrote to memory of 2140	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	111
PID 2348 wrote to memory of 2140	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	111
PID 2348 wrote to memory of 4512	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	112
PID 2348 wrote to memory of 4512	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	112
PID 2348 wrote to memory of 4512	2348	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe	112

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9f6cfc9a1f5d00187054dc14956be5f0.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2348
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3272
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3740
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4192
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2864
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4620
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4068
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4044
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3108
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4928
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4308
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4020
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4064
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2140
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
823e46238f35f89cf7227482606e3f92

SHA1
fc0291cb4d7d2177d34e9e47a436b3ed7e6e534c

SHA256
b155e4a6cde924f0ff8b2865773d4e5cf0fce6cc05a94b3ebed74d2459861d1b

SHA512
270e84f13d7ad1bffc327d0df0054b37cb1d98d43badf4d07dc91091c06d239bca25a399edb81db53540cba9fc5573aa6c1452ef0f924543c6806cc83cc146ae

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
5b1e3c7f8aeb7ac9b1aea7c8fe930e2c

SHA1
3abadefe32f994e3478c70d9c5fe68ccd766e000

SHA256
dd5402d6b603d28c3ccebdaadeb5e1c001cfa1b4e58a55ed480bcdbe793f62c1

SHA512
7372362e40123ef201cde880b25f319b8b47fa5a3a4fa754c903fe975e3169cf7178ec45f21e1baf63b699690e0985e2defeac3c41286d31ca7184b0bcb3162a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
103d4c94a50eb7291cc5324c08613a22

SHA1
8910cae41958436e3a5b47f0bf906a38a989fc64

SHA256
757c4786dfca5d378f7797fc43923860e719133c158561cd3007067e016f894d

SHA512
c178b93ee65deb7dffb4effab556c5c8ec5687f5eccb77889f00d6731d2dd68f1e375a7a973aaafaa3be2f5ce9bb5f30ee55bcb0b18e750debd686401d8cd04b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
103d4c94a50eb7291cc5324c08613a22

SHA1
8910cae41958436e3a5b47f0bf906a38a989fc64

SHA256
757c4786dfca5d378f7797fc43923860e719133c158561cd3007067e016f894d

SHA512
c178b93ee65deb7dffb4effab556c5c8ec5687f5eccb77889f00d6731d2dd68f1e375a7a973aaafaa3be2f5ce9bb5f30ee55bcb0b18e750debd686401d8cd04b

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
3eb712c41791b8085add168c4ad56626

SHA1
0b43c5cd1bb7d5c52e4e2807cafd1dada457f437

SHA256
980d3697bd1c3cf3d2fb548819ad779bd53cf11c88f006f23f818d9f16975cd9

SHA512
db65488eea36f080359a67d147fdb156e31ec2c67313ab30cd0703e4a9adf8ad8333dee85c7a75d4ab3351b63b9461a7378f5cee21a068b0116f249e26c5c632

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
3eb712c41791b8085add168c4ad56626

SHA1
0b43c5cd1bb7d5c52e4e2807cafd1dada457f437

SHA256
980d3697bd1c3cf3d2fb548819ad779bd53cf11c88f006f23f818d9f16975cd9

SHA512
db65488eea36f080359a67d147fdb156e31ec2c67313ab30cd0703e4a9adf8ad8333dee85c7a75d4ab3351b63b9461a7378f5cee21a068b0116f249e26c5c632

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
bada9f2f960b993a8a248314d3f89e32

SHA1
49409107555d91e62015f9e3781dce14eb0bc934

SHA256
0b036241f6d930f6f4eb539f20eacee4495fd00a324eb724e7138351e337ace3

SHA512
da017d8be5c6b5b6cb263461847626aec13f7fbaf45d696321e77cd1ae3714b4bd2aee2b1249971916f186851d5111d02b18f27615530860104145af51cc02db

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
bada9f2f960b993a8a248314d3f89e32

SHA1
49409107555d91e62015f9e3781dce14eb0bc934

SHA256
0b036241f6d930f6f4eb539f20eacee4495fd00a324eb724e7138351e337ace3

SHA512
da017d8be5c6b5b6cb263461847626aec13f7fbaf45d696321e77cd1ae3714b4bd2aee2b1249971916f186851d5111d02b18f27615530860104145af51cc02db

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
369609693ad519949ce75768f09ba497

SHA1
eea7de48cc85e8483d3bbabfcb7cd7265a6da216

SHA256
88b51e43d3f728e2bb42c1f3d8e39b259a0d8a8d5bfe94041a5d3eb937357215

SHA512
1f188bd4b9166357ae232b4206b659065eb9885ea3c0a552f84a906d60bcad8f495da0cda061d194b15b316732fe6deaa57ea3423dfceaad657aa33ac1c4db64

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
1f5dcd4ac4f84881db5512549ce070ea

SHA1
6a42f9f8d89d1029ea9862c9dc941dd0eee810ad

SHA256
8fa2115d6ce56269e9a46c0c4ee4e32e9611aeeead4a0d232637dcd93acb3a9f

SHA512
a17b5d1c936179039844cae25124f1bf5d9bd22d1e93612247337c0364d05ead13334f49675d3deb9d9c425f36e0aae21c227f032daa698b4ccb8f726e75b0a2

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
196KB

MD5
9f6cfc9a1f5d00187054dc14956be5f0

SHA1
a5d322d57fde5b978ff13471e7481dcf61f789c6

SHA256
6c9e8a66a1b84d7e69fa6dcfc1ad58691a985def39b67ffcabdbf1ab5304ad02

SHA512
20ff86288261bb4562e5ba8cf9ef725fdfcb3379100694568738a4a8deaa4ac0d2e47d6dd201a560bc402ca3533b110196327db5204c24067a643d01abc6b9f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
823e46238f35f89cf7227482606e3f92

SHA1
fc0291cb4d7d2177d34e9e47a436b3ed7e6e534c

SHA256
b155e4a6cde924f0ff8b2865773d4e5cf0fce6cc05a94b3ebed74d2459861d1b

SHA512
270e84f13d7ad1bffc327d0df0054b37cb1d98d43badf4d07dc91091c06d239bca25a399edb81db53540cba9fc5573aa6c1452ef0f924543c6806cc83cc146ae

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
103d4c94a50eb7291cc5324c08613a22

SHA1
8910cae41958436e3a5b47f0bf906a38a989fc64

SHA256
757c4786dfca5d378f7797fc43923860e719133c158561cd3007067e016f894d

SHA512
c178b93ee65deb7dffb4effab556c5c8ec5687f5eccb77889f00d6731d2dd68f1e375a7a973aaafaa3be2f5ce9bb5f30ee55bcb0b18e750debd686401d8cd04b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
3eb712c41791b8085add168c4ad56626

SHA1
0b43c5cd1bb7d5c52e4e2807cafd1dada457f437

SHA256
980d3697bd1c3cf3d2fb548819ad779bd53cf11c88f006f23f818d9f16975cd9

SHA512
db65488eea36f080359a67d147fdb156e31ec2c67313ab30cd0703e4a9adf8ad8333dee85c7a75d4ab3351b63b9461a7378f5cee21a068b0116f249e26c5c632

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
bada9f2f960b993a8a248314d3f89e32

SHA1
49409107555d91e62015f9e3781dce14eb0bc934

SHA256
0b036241f6d930f6f4eb539f20eacee4495fd00a324eb724e7138351e337ace3

SHA512
da017d8be5c6b5b6cb263461847626aec13f7fbaf45d696321e77cd1ae3714b4bd2aee2b1249971916f186851d5111d02b18f27615530860104145af51cc02db

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
369609693ad519949ce75768f09ba497

SHA1
eea7de48cc85e8483d3bbabfcb7cd7265a6da216

SHA256
88b51e43d3f728e2bb42c1f3d8e39b259a0d8a8d5bfe94041a5d3eb937357215

SHA512
1f188bd4b9166357ae232b4206b659065eb9885ea3c0a552f84a906d60bcad8f495da0cda061d194b15b316732fe6deaa57ea3423dfceaad657aa33ac1c4db64

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
ba925d24a15e12c9f60b0654f58dfd46

SHA1
9d39c1e85dbf962a788cee370752e71109bec589

SHA256
bd9fd992390b39af1b72d14a4dfc24d0d6d006e5da41f757973378ce9575a970

SHA512
4e7c86f327b196df44168aaebaf09f70a84edb364cdcd5675341851b8ed689fbff5a2df93c9d0eb07070809c533e73e7b57267163c47148d2b58c4b43b32d7a0

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
ba925d24a15e12c9f60b0654f58dfd46

SHA1
9d39c1e85dbf962a788cee370752e71109bec589

SHA256
bd9fd992390b39af1b72d14a4dfc24d0d6d006e5da41f757973378ce9575a970

SHA512
4e7c86f327b196df44168aaebaf09f70a84edb364cdcd5675341851b8ed689fbff5a2df93c9d0eb07070809c533e73e7b57267163c47148d2b58c4b43b32d7a0

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
18f92b61e373bf62b575b9912e671c44

SHA1
06d6679e1cedde45945fc63c37e0be07e7d99722

SHA256
5ba9dea9d4f8eb491a98d3b7b9b0d618bfaa4d2508a871dbb00cf3905d3ba73f

SHA512
4e2aff4c40cb88d14a1362850f3734448b480a671d9648c4d5ba5292a30fbd20bc86fe654aeb3502baaf794391c7556513fbb4df884079e73131572c1e99b87a

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
db115454fedeb75d4d476ee3d7dc6a8f

SHA1
f050af7f0fb8a5bc6580cc566181ac4553fd98af

SHA256
822cdb58adedee2a4628ef68ade4375d68945a04fc5605cfa5dbed9dbec713b5

SHA512
af66d02d0cd1b045e1ce6e8d74bfcaa02fd0ca8e3b0aefc1cb82d04d4e248bca8c57410f9c88f4bdb6ab07a0e6785c4c503eb759736cdec9e1f294c164ba9c45

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
db115454fedeb75d4d476ee3d7dc6a8f

SHA1
f050af7f0fb8a5bc6580cc566181ac4553fd98af

SHA256
822cdb58adedee2a4628ef68ade4375d68945a04fc5605cfa5dbed9dbec713b5

SHA512
af66d02d0cd1b045e1ce6e8d74bfcaa02fd0ca8e3b0aefc1cb82d04d4e248bca8c57410f9c88f4bdb6ab07a0e6785c4c503eb759736cdec9e1f294c164ba9c45

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
73f99ef3465c37c89a1140715f64372a

SHA1
a8502825ed188c2f2364cf02836634ca4edeea36

SHA256
dcb7b7e4085a9c191623919a2d8bb620fc5e9581f52007190f03b6fc878fe871

SHA512
e780d564519c890d2ab6e8638908371063cfdc056354a4dc22083238b0f376dcc8aad0a759ee897ca7d8194578ac0dec2dff09c7f3a7c91e3778e7f8db15fca8

Download Submit
C:\XK\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\desktop.ini

Filesize
217B

MD5
c00d8433fe598abff197e690231531e0

SHA1
4f6b87a4327ff5343e9e87275d505b9f145a7e42

SHA256
52fb776a91b260bf196016ecb195550cdd9084058fe7b4dd3fe2d4fda1b6470e

SHA512
a71523ec2bd711e381a37baabd89517dff6c6530a435f4382b7f4056f98aff5d6014e85ce3b79bd1f02fdd6adc925cd3fc051752c1069e9eb511a465cd9908e1

Download Submit
memory/2140-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-130-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3108-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3272-110-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3740-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-220-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4020-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4044-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4064-281-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4068-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4192-120-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4308-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4512-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4620-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-206-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download