Analysis
max time kernel: 150s
max time network: 134s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
submitted: 05-11-2023 19:22
Static task: static1
Behavioral task: behavioral1
Sample: NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe
Resource: win10v2004-20231020-en
General
Target: NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe
Size: 584KB
MD5: 09006622ccc50ac4d7569ff59f6b3e20
SHA1: a84cbc3292109c0aa84ae8c19e50e5afac4e8072
SHA256: 48ee89f6e089032d3b762220bf9f411e44ea29e63589833faf83a1db01afb1ec
SHA512: 60195fa29e8aa0bd2fd8b34932ddaf00a97762d0be3e09ec7430c32c184dab99cc632b4384477d0648cff937b10ead79ad515316d396d238f981c11a6b33f4ac
SSDEEP: 6144:VAMi6MOEMMAMiXtvaPtP5tZCbbFII0QSSob:VAMi6MOEMMAMipaPtP5jyns
Malware Config
Signatures
Drops file in Drivers directory 60 IoCs
Executes dropped EXE 4 IoCs
pid Process
2172 winlogon.exe
548 AE 0124 BE.exe
1684 winlogon.exe
2108 winlogon.exe
Loads dropped DLL 8 IoCs
pid Process
1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe
1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe
2172 winlogon.exe
2172 winlogon.exe
1684 winlogon.exe
548 AE 0124 BE.exe
548 AE 0124 BE.exe
2108 winlogon.exe
Blocklisted process makes network request 3 IoCs
flow pid Process
3 2480 msiexec.exe
5 2480 msiexec.exe
9 1064 msiexec.exe
Drops desktop.ini file(s) 35 IoCs
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 27 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 5 IoCs
description ioc Process
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll msiexec.exe
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\adodb.dll msiexec.exe
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll msiexec.exe
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll msiexec.exe
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Microsoft.stdformat.dll msiexec.exe
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS 43 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe (UTF-16LE multi-string: "en-US", "en")
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
All 43 entries come from DrvInst.exe (PID 1296), not from the sample's own processes, and every one of them is either a certificate-store or WinTrust key created under the SYSTEM profile (HKU\.DEFAULT) or a MuiCache language entry; only keys are created, no certificate, CRL or CTL values are written. This is the footprint CryptoAPI leaves the first time a LocalSystem process opens the certificate stores, consistent with DrvInst.exe validating the driver package for the snapshot volume device it installs (see the process tree). It is not a trust-store modification by the sample.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1064 msiexec.exe
1064 msiexec.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
2480 msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
description pid Process
Token: SeShutdownPrivilege 2480 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2480 msiexec.exe
Token: SeRestorePrivilege 1064 msiexec.exe
Token: SeTakeOwnershipPrivilege 1064 msiexec.exe
Token: SeSecurityPrivilege 1064 msiexec.exe
Token: SeCreateTokenPrivilege 2480 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2480 msiexec.exe
Token: SeLockMemoryPrivilege 2480 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2480 msiexec.exe
Token: SeMachineAccountPrivilege 2480 msiexec.exe
Token: SeTcbPrivilege 2480 msiexec.exe
Token: SeSecurityPrivilege 2480 msiexec.exe
Token: SeTakeOwnershipPrivilege 2480 msiexec.exe
Token: SeLoadDriverPrivilege 2480 msiexec.exe
Token: SeSystemProfilePrivilege 2480 msiexec.exe
Token: SeSystemtimePrivilege 2480 msiexec.exe
Token: SeProfSingleProcessPrivilege 2480 msiexec.exe
Token: SeIncBasePriorityPrivilege 2480 msiexec.exe
Token: SeCreatePagefilePrivilege 2480 msiexec.exe
Token: SeCreatePermanentPrivilege 2480 msiexec.exe
Token: SeBackupPrivilege 2480 msiexec.exe
Token: SeRestorePrivilege 2480 msiexec.exe
Token: SeShutdownPrivilege 2480 msiexec.exe
Token: SeDebugPrivilege 2480 msiexec.exe
Token: SeAuditPrivilege 2480 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2480 msiexec.exe
Token: SeChangeNotifyPrivilege 2480 msiexec.exe
Token: SeRemoteShutdownPrivilege 2480 msiexec.exe
Token: SeUndockPrivilege 2480 msiexec.exe
Token: SeSyncAgentPrivilege 2480 msiexec.exe
Token: SeEnableDelegationPrivilege 2480 msiexec.exe
Token: SeManageVolumePrivilege 2480 msiexec.exe
Token: SeImpersonatePrivilege 2480 msiexec.exe
Token: SeCreateGlobalPrivilege 2480 msiexec.exe
Token: SeBackupPrivilege 668 vssvc.exe
Token: SeRestorePrivilege 668 vssvc.exe
Token: SeAuditPrivilege 668 vssvc.exe
Token: SeBackupPrivilege 1064 msiexec.exe
Token: SeRestorePrivilege 1064 msiexec.exe
Token: SeRestorePrivilege 1296 DrvInst.exe
Token: SeRestorePrivilege 1296 DrvInst.exe
Token: SeRestorePrivilege 1296 DrvInst.exe
Token: SeRestorePrivilege 1296 DrvInst.exe
Token: SeRestorePrivilege 1296 DrvInst.exe
Token: SeRestorePrivilege 1296 DrvInst.exe
Token: SeRestorePrivilege 1296 DrvInst.exe
Token: SeLoadDriverPrivilege 1296 DrvInst.exe
Token: SeLoadDriverPrivilege 1296 DrvInst.exe
Token: SeLoadDriverPrivilege 1296 DrvInst.exe
Token: SeRestorePrivilege 1064 msiexec.exe
Token: SeTakeOwnershipPrivilege 1064 msiexec.exe
Token: SeRestorePrivilege 1064 msiexec.exe
Token: SeTakeOwnershipPrivilege 1064 msiexec.exe
Token: SeRestorePrivilege 1064 msiexec.exe
Token: SeTakeOwnershipPrivilege 1064 msiexec.exe
Token: SeRestorePrivilege 1064 msiexec.exe
Token: SeTakeOwnershipPrivilege 1064 msiexec.exe
The 29 consecutive entries for PID 2480, from SeCreateTokenPrivilege to SeCreateGlobalPrivilege, are in privilege LUID order (the SE_*_PRIVILEGE values 2 through 30 in winnt.h), which is what a single AdjustTokenPrivileges call that tries to enable every privilege looks like. AdjustTokenPrivileges can only enable privileges the token already holds, so these lines record what the process asked for, not what it obtained. The targeted enables are the ones worth reading: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege and SeBackupPrivilege by the Windows Installer service (PID 1064), SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege by vssvc.exe (PID 668), and SeRestorePrivilege and SeLoadDriverPrivilege by DrvInst.exe (PID 1296), all of which are expected for those service processes.
-
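The distinction above, between one enable-everything call and targeted privilege use, can be checked mechanically. The script below is an added example written for this report, not sandbox output: REPORT_LINES is a transcribed subset of the report's own token lines (the complete PID 2480 run plus the first lines for PIDs 1064, 668 and 1296), LUID_ORDER is the SE_*_PRIVILEGE numbering from winnt.h, and SWEEP_MIN and NOTABLE are this example's own threshold and watch list, not anything the report defines.

```python
"""Sort AdjustPrivilegeToken lines from a sandbox report into an
enable-everything sweep versus targeted privilege use.

Added example for this report, not sandbox output. REPORT_LINES is a subset
of the report's token lines; LUID_ORDER is the winnt.h SE_*_PRIVILEGE order
(values 2..30); SWEEP_MIN and NOTABLE are this example's own assumptions.
"""
import re

REPORT_LINES = """
Token: SeShutdownPrivilege 2480 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2480 msiexec.exe
Token: SeRestorePrivilege 1064 msiexec.exe
Token: SeTakeOwnershipPrivilege 1064 msiexec.exe
Token: SeSecurityPrivilege 1064 msiexec.exe
Token: SeCreateTokenPrivilege 2480 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2480 msiexec.exe
Token: SeLockMemoryPrivilege 2480 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2480 msiexec.exe
Token: SeMachineAccountPrivilege 2480 msiexec.exe
Token: SeTcbPrivilege 2480 msiexec.exe
Token: SeSecurityPrivilege 2480 msiexec.exe
Token: SeTakeOwnershipPrivilege 2480 msiexec.exe
Token: SeLoadDriverPrivilege 2480 msiexec.exe
Token: SeSystemProfilePrivilege 2480 msiexec.exe
Token: SeSystemtimePrivilege 2480 msiexec.exe
Token: SeProfSingleProcessPrivilege 2480 msiexec.exe
Token: SeIncBasePriorityPrivilege 2480 msiexec.exe
Token: SeCreatePagefilePrivilege 2480 msiexec.exe
Token: SeCreatePermanentPrivilege 2480 msiexec.exe
Token: SeBackupPrivilege 2480 msiexec.exe
Token: SeRestorePrivilege 2480 msiexec.exe
Token: SeShutdownPrivilege 2480 msiexec.exe
Token: SeDebugPrivilege 2480 msiexec.exe
Token: SeAuditPrivilege 2480 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2480 msiexec.exe
Token: SeChangeNotifyPrivilege 2480 msiexec.exe
Token: SeRemoteShutdownPrivilege 2480 msiexec.exe
Token: SeUndockPrivilege 2480 msiexec.exe
Token: SeSyncAgentPrivilege 2480 msiexec.exe
Token: SeEnableDelegationPrivilege 2480 msiexec.exe
Token: SeManageVolumePrivilege 2480 msiexec.exe
Token: SeImpersonatePrivilege 2480 msiexec.exe
Token: SeCreateGlobalPrivilege 2480 msiexec.exe
Token: SeBackupPrivilege 668 vssvc.exe
Token: SeRestorePrivilege 668 vssvc.exe
Token: SeAuditPrivilege 668 vssvc.exe
Token: SeRestorePrivilege 1296 DrvInst.exe
Token: SeLoadDriverPrivilege 1296 DrvInst.exe
""".strip().splitlines()

# winnt.h well-known privilege order: SeCreateTokenPrivilege is 2, ... SeCreateGlobalPrivilege is 30.
LUID_ORDER = """CreateToken AssignPrimaryToken LockMemory IncreaseQuota MachineAccount Tcb
Security TakeOwnership LoadDriver SystemProfile Systemtime ProfSingleProcess
IncBasePriority CreatePagefile CreatePermanent Backup Restore Shutdown Debug Audit
SystemEnvironment ChangeNotify RemoteShutdown Undock SyncAgent EnableDelegation
ManageVolume Impersonate CreateGlobal""".split()
LUID = {f"Se{n}Privilege": i + 2 for i, n in enumerate(LUID_ORDER)}

LINE = re.compile(r"^Token: (Se\w+Privilege) (\d+) (\S+)$")
NOTABLE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
           "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}
SWEEP_MIN = 8  # assumption: a run this long in LUID order is an enable-everything call


def parse(lines):
    """{pid: (process name, [privileges in report order])}"""
    seq = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:
            seq.setdefault(int(m.group(2)), (m.group(3), []))[1].append(m.group(1))
    return seq


def longest_luid_run(privs):
    """Longest stretch in which each privilege's LUID is the previous one plus 1."""
    best = run = 0
    prev = None
    for name in privs:
        cur = LUID.get(name)
        run = run + 1 if (cur is not None and prev is not None and cur == prev + 1) else 1
        best = max(best, run)
        prev = cur
    return best


def summarize(lines):
    """Per-PID verdict: sweep (enable-everything call) or targeted enables."""
    out = {}
    for pid, (proc, privs) in parse(lines).items():
        run = longest_luid_run(privs)
        out[pid] = {"process": proc, "distinct": len(set(privs)),
                    "longest_luid_run": run, "sweep": run >= SWEEP_MIN,
                    "notable": sorted(NOTABLE & set(privs))}
    return out


if __name__ == "__main__":
    for pid, s in summarize(REPORT_LINES).items():
        kind = "enable-all sweep" if s["sweep"] else "targeted"
        print(f'{pid:>5} {s["process"]:<12} {kind:<17} notable={s["notable"]}')
```

On the report's lines this flags PID 2480 as a sweep (a 29-long run in LUID order) and leaves 1064, 668 and 1296 as targeted enables, whose notable privileges (restore, take-ownership, backup, load-driver) are then read in the context of what those service processes were doing.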
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2480 msiexec.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process
1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe
2172 winlogon.exe
548 AE 0124 BE.exe
1684 winlogon.exe
2108 winlogon.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target
PID 1392 wrote to memory of 2480 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 28
PID 1392 wrote to memory of 2480 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 28
PID 1392 wrote to memory of 2480 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 28
PID 1392 wrote to memory of 2480 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 28
PID 1392 wrote to memory of 2480 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 28
PID 1392 wrote to memory of 2480 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 28
PID 1392 wrote to memory of 2480 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 28
PID 1392 wrote to memory of 2172 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 30
PID 1392 wrote to memory of 2172 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 30
PID 1392 wrote to memory of 2172 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 30
PID 1392 wrote to memory of 2172 1392 NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe 30
PID 2172 wrote to memory of 548 2172 winlogon.exe 31
PID 2172 wrote to memory of 548 2172 winlogon.exe 31
PID 2172 wrote to memory of 548 2172 winlogon.exe 31
PID 2172 wrote to memory of 548 2172 winlogon.exe 31
PID 2172 wrote to memory of 1684 2172 winlogon.exe 32
PID 2172 wrote to memory of 1684 2172 winlogon.exe 32
PID 2172 wrote to memory of 1684 2172 winlogon.exe 32
PID 2172 wrote to memory of 1684 2172 winlogon.exe 32
PID 548 wrote to memory of 2108 548 AE 0124 BE.exe 34
PID 548 wrote to memory of 2108 548 AE 0124 BE.exe 34
PID 548 wrote to memory of 2108 548 AE 0124 BE.exe 34
PID 548 wrote to memory of 2108 548 AE 0124 BE.exe 34
Every write goes from a process to a child it has just started (1392 to 2480 and 2172, 2172 to 548 and 1684, 548 to 2108, matching the process tree below). The sandbox records such parent-to-child writes for ordinary process creation as well as for injection, and the report shows no write into a pre-existing, unrelated process, so this signature on its own is not evidence of code injection here; the value of these lines is that they confirm the parent-child chain.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the VSS work is done by service processes the sample reaches through Windows Installer (msiexec.exe /V, PID 1064, which serves the /i request from PID 2480), not by the sample's own processes: vssvc.exe (PID 668) enables SeBackupPrivilege and SeRestorePrivilege, and DrvInst.exe (PID 1296) installs the device node for the snapshot volume STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19. That is consistent with Windows Installer creating a system restore point before an install. The report records no shadow-copy deletion, so this signature should be read as installer behaviour unless the MSI's own actions show otherwise.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe (PID 1392, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe"
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\msiexec.exe (PID 2480, depth 2, parent 1392)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2172, depth 2, parent 1392)
    Command line: "C:\Windows\System32\drivers\winlogon.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops autorun.inf file
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\AE 0124 BE.exe (PID 548, depth 3, parent 2172)
      Command line: "C:\Windows\AE 0124 BE.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\drivers\winlogon.exe (PID 2108, depth 4, parent 548)
        Command line: "C:\Windows\System32\drivers\winlogon.exe"
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\winlogon.exe (PID 1684, depth 3, parent 2172)
      Command line: "C:\Windows\System32\drivers\winlogon.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
C:\Windows\system32\msiexec.exe (PID 1064, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (PID 668, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\DrvInst.exe (PID 1296, depth 1)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "0000000000000060"
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
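Two things in the tree above deserve a mechanical check. First, the dropped winlogon.exe runs from C:\Windows\SysWOW64\drivers\ and is started by the sample, by itself and by "AE 0124 BE.exe"; the genuine winlogon.exe lives in C:\Windows\System32\ and is started by smss.exe, so both its path and its parent are wrong. Second, the image paths and command lines disagree (the command line names C:\Windows\System32\..., the image is under C:\Windows\SysWOW64\...) because the 32-bit parent's CreateProcess call is subject to WOW64 file system redirection; that is expected and is not itself suspicious. The script below is an added example written for this report, not sandbox output: the process records are transcribed from the tree above (with DrvInst's trailing arguments shortened), while the baseline table of where each genuine binary lives and which parent may start it, and the WOW64 check, are this example's own assumptions about Windows rather than anything the report states.

```python
"""Flag look-alike system binaries in a sandbox process tree.

Added example for this report, not sandbox output. The process records are
transcribed from the report's process tree; the baseline table (where each
genuine binary lives, who may start it) and the WOW64 check are this
example's own assumptions about Windows, not something the report states.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

SYS32 = r"c:\windows\system32"
WOW64 = r"c:\windows\syswow64"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int | None   # None for the depth-1 roots in the report
    image: str         # image path as resolved by the OS
    cmdline: str       # command line as passed by the parent


# Transcribed from the report's process tree (DrvInst arguments shortened).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NEAS.09006622ccc50ac4d7569ff59f6b3e20.exe"
DROPPED_WINLOGON = r"C:\Windows\SysWOW64\drivers\winlogon.exe"
AS_WRITTEN = r'"C:\Windows\System32\drivers\winlogon.exe"'
TREE = [
    Proc(1392, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(2480, 1392, r"C:\Windows\SysWOW64\msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"'),
    Proc(2172, 1392, DROPPED_WINLOGON, AS_WRITTEN),
    Proc(548, 2172, r"C:\Windows\AE 0124 BE.exe", r'"C:\Windows\AE 0124 BE.exe"'),
    Proc(2108, 548, DROPPED_WINLOGON, AS_WRITTEN),
    Proc(1684, 2172, DROPPED_WINLOGON, AS_WRITTEN),
    Proc(1064, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(668, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    Proc(1296, None, r"C:\Windows\system32\DrvInst.exe",
         r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19"'),
]

# Assumed baseline: directories where the genuine binary lives on 64-bit
# Windows, and the parents that may start it (None = no parent rule).
KNOWN = {
    "winlogon.exe": ({SYS32}, {"smss.exe"}),
    "msiexec.exe": ({SYS32, WOW64}, None),
    "vssvc.exe": ({SYS32}, {"services.exe"}),
}


def _first_token(cmdline: str) -> str:
    """Program path as written on the command line (quoted or bare)."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def wow64_redirected(p: Proc) -> bool:
    """True when the parent asked for a System32 path but the OS started the
    32-bit copy under SysWOW64 (WOW64 file system redirection), which is why
    the report's image paths and command lines disagree."""
    asked = ntpath.dirname(_first_token(p.cmdline)).lower()
    got = ntpath.dirname(p.image).lower()
    return asked.startswith(SYS32) and got == asked.replace(SYS32, WOW64, 1)


def findings(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """(pid, kind, detail) for every process that breaks a baseline rule."""
    by_pid = {p.pid: p for p in procs}
    out: list[tuple[int, str, str]] = []
    for p in procs:
        name = ntpath.basename(p.image).lower()
        if name not in KNOWN:
            continue
        dirs, parents = KNOWN[name]
        if ntpath.dirname(p.image).lower() not in dirs:
            out.append((p.pid, "path", f"{name} running from {ntpath.dirname(p.image)}"))
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parents and parent is not None:
            pname = ntpath.basename(parent.image).lower()
            if pname not in parents:
                out.append((p.pid, "parent", f"{name} started by {pname} (PID {parent.pid})"))
    return out


def pids(kind: str, procs: list[Proc] = TREE) -> set[int]:
    """PIDs that produced a finding of the given kind ('path' or 'parent')."""
    return {pid for pid, k, _ in findings(procs) if k == kind}


if __name__ == "__main__":
    for pid, kind, detail in findings(TREE):
        print(f"{pid:>5}  {kind:<6}  {detail}")
    print("WOW64-redirected PIDs:", sorted(p.pid for p in TREE if wow64_redirected(p)))
```

Run against the transcribed tree, the three winlogon.exe instances (PIDs 2172, 2108, 1684) fail both the path rule and the parent rule, the two msiexec.exe instances pass, and PIDs 2480, 2172, 2108 and 1684 are reported as WOW64-redirected, which accounts for the System32/SysWOW64 mismatch without treating it as a finding. The same two rules carry over to any endpoint telemetry that records image path, command line and parent.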
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 884281f4ceaac45fa2cf2875a00175c8
SHA1 a5c0c612eeedefb16375ea06b11e65c564bcd483
SHA256 c6883b6e0eab1dd93c0292816eca190a0950ac8a3353c7873d42bbf0edfe129f
SHA512 3b8e7c2c769b7e5632e5e4fdcea409c4d9b8c1362afdb3d3f72281543601f86a6fbfe00ca120ec9860f978c89e7654698a3ac5a91c478b3642c69bc9304c56d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 2593169879eca5cc79c02b868d048340
SHA1 3828653db54b6b22446950d83c76c248fec7b577
SHA256 6365bf1eb0c4a163ba5ad33760e51aa0f073804d362e016f9c4a4fb351a93b0f
SHA512 eedc82d15d8a626b3b69dbb822dc59dbb4727b5c33260f7819e4af3ac45e5ba6d45ac5c48c820149ed0057f6eb39747595d7986d313c9ba8727b5a5252fee004
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C0018BB1B5834735BFA60CD063B31956
Filesize 252B
MD5 5a0876114ee1c46f6dcdf6e67413eeea
SHA1 9eee1390821cff35044a84bcd544bca4aebdf805
SHA256 18be1238ed5a48fcf6df02bef6db086035ff1103e34fe6d4623034a0f1e74fc2
SHA512 f1b1b74f0b5ce2370d1200fb6ee9652a179ff7d8b9f8ed8247c97ff7f92c0f328301fe508c8724eb277182c15f9ebd9d56c91e921b84159180968e992b59b919
-
Filesize 61KB
MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize 163KB
MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf
-
Filesize 632KB (listed 13 times in the report with identical hashes)
MD5 913483d3daac4ce77e927246783fdfb1
SHA1 61d691039a002ce5f47a2ef97939bb15698d04f0
SHA256 784c2430e523cb08df1b1c22cf0b99bba3e00c6f46e7ac167928305b7999b807
SHA512 f3db4746b94b27ccf16159753dafef348212d7d680d77316378778dce8bfe0aa1e9f3d774d143242152c4126410342339e46272e8e2529933e49c25d1feb3cce
-
Filesize 584KB (listed 3 times in the report with identical hashes; same size as the submitted sample but a different hash)
MD5 0d944bdb5d04ad36a2b582327a59826c
SHA1 6a020b7a02be8c686ff45d2144710b73cc153af2
SHA256 4dae727c76e7ae00647ff4e82e782045b3bc22c523de2f3479f427627f45846e
SHA512 c4de635d5f6aa1798c24ab74f1923ae6e2e8af357fc90e063de07abb55eb13b8329e8ea10984af4d804b16799925f708e23b6774b966778cc308f67a478b8160
-
Filesize 154KB
MD5 ba78ed91d973cf69fa81add1cf07e98d
SHA1 c48f8fe60a195c5fe5a4a0e62f1926a49901ee91
SHA256 d35237e814ea24c9d9cc69d915fdfe7675e6767646b3bda020558c094c087593
SHA512 704e2504af30be5619e6a4a6588dda104a51e6e94c9312308fa03223ac4f53a7e20a5273a521bd1dae2d5fb2d9fb188e3483e8b1a42f62e8fd5e9964429aaf51
-
Filesize 1.3MB (listed 5 times in the report with identical hashes)
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize 25B (listed 2 times in the report with identical hashes)
MD5 589b6886a49054d03b739309a1de9fcc
SHA1 0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308
SHA256 564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8
SHA512 4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb