Malware Analysis Report

2025-08-06 00:04

Sample ID: 240223-mfr4hafb99
Target: Need-for-Speed-Most-Wanted-2005-Windows-en.exe
SHA256: 7fc950d0546aaee6c96ce7f12e8e57546be1c53fa851eca511eb5b206be3457a
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

Score: 7/10

SHA256: 7fc950d0546aaee6c96ce7f12e8e57546be1c53fa851eca511eb5b206be3457a

Threat Level: Shows suspicious behavior

The file Need-for-Speed-Most-Wanted-2005-Windows-en.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-23 10:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-23 10:24
Reported: 2024-02-23 10:30
Platform: win10v2004-20240221-en
Max time kernel: 92s
Max time network: 165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe

"C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-23 10:24
Reported: 2024-02-23 10:29
Platform: win7-20240221-en
Max time kernel: 99s
Max time network: 79s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe N/A
N/A N/A C:\NFSMWDemo\AutoRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\safemode_inst.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\shell_inst.exe N/A
N/A N/A C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Checks installed software on the system

discovery

Drops autorun.inf file

Description Indicator Process Target
File created C:\NFSMWDemo\autorun.inf C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\SETD98D.tmp C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Windows\SysWOW64\SETD98D.tmp C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Windows\SysWOW64\d3dx9_26.dll C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\TRAILERCRATE\VINYLS.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\TRAFFIRE\GEOMETRY.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\EVT_SYS\STITCH_AEMS.csi C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\GLOBAL\HUDS_Custom_00.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\NIS\Scene_IntroNis03_BundleB.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\TRAILERA\GEOMETRY.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\ENGINE\GIN_Corvette_Z06_DCL.gin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\ENGINE\GIN_Corvette_Z06.gin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\SPOILER\PREVINYL.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\COPMIDSIZEINT\TEXTURES.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\IG_GLOBAL\SIREN_MB.abk C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\ENGINE\GIN_Infinit_G35_DCL.gin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\SHIFTING\GEAR_MED_Lev1.abk C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\LANGUAGES\agree.fre C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\MEMCARD\LOCALE_DANISH.loc C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\PICKUPA\PREVINYL.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\LANGUAGES\French.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\ENGINE\CAR_42_ENG_MB_EE.abk C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\IG_GLOBAL\WIND_00_MB.abk C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\ENGINE\GIN_MustSal_Ramp_V2_CD.gin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\NIS\Scene_IntroNis10_BundleB.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\NIS\Scene_IntroNis07_BundleB.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\COPMIDSIZE\GEOMETRY.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\COPGHOST\GEOMETRY.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\TURBO\TURBO_TUN_SML_0_MB.abk C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\GLOBAL\InGameSplitScreen.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\server.dll C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\TRAFCEMTR\GEOMETRY.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\LANGUAGES\Polish.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\SPEECH\copspeech.big C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\GARB\VINYLS.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\TRAFPICKUPA\GEOMETRY.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\GLOBAL\HUDS_Custom_01.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CREDITS\SWEDISH.TXT C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\SPOILER\GEOMETRY.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\NIS\Scene_ArrestM01_BundleB.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\NIS\Scene_WMDriveIn_BundleB.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\TRAFFICCOUP\TEXTURES.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\GLOBAL\HUDTEXDRAGSPLIT.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\GTO\PREVINYL.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\NISREVDATA\IntroNisBL15.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\NIS\Scene_ReplayCorner_BundleB.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\NIS\Scene_ArrestM01_BundleB.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\TRAFGARB\TEXTURES.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\TRAFNEWS\VINYLS.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\BRAKES\PREVINYL.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\IS300\VINYLS.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\NISREVDATA\IntroNis07.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\TURBO\TURBO_TUN_MED_0_MB.abk C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\NIS\Scene_WMFishingHouse_BundleB.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\NIS\Scene_WMPorch_BundleB.bun C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\MEMCARD\LOCALE_GERMAN.loc C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\LANGUAGES\Polish.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\TRAILERA\TEXTURES.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\LANGUAGES\agree.kor C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\shell_inst.exe C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\COPMIDSIZE\TEXTURES.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\GLOBAL\attributes.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\SPOILER_HATCH\TEXTURES.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\PLATES\PREVINYL.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CARS\COPSUVL\VINYLS.BIN C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File created C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\ENGINE\SWTN_CAR_14_MB.abk C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\NISREVDATA\IntroNis04.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\NISREVDATA\IntroNis08.bin C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\DirectX.log C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\ForegroundLockTimeout = "0" C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe C:\NFSMWDemo\AutoRun.exe
PID 2440 wrote to memory of 1188 N/A C:\NFSMWDemo\AutoRun.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2288 N/A C:\NFSMWDemo\AutoRun.exe C:\Users\Admin\AppData\Local\Temp\AutoRun.exe
PID 2288 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2288 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2288 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2288 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2288 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2288 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2288 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\AutoRun.exe C:\Users\Admin\AppData\Local\Temp\safemode_inst.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe

"C:\Users\Admin\AppData\Local\Temp\Need-for-Speed-Most-Wanted-2005-Windows-en.exe"

C:\NFSMWDemo\AutoRun.exe

"C:\NFSMWDemo\AutoRun.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /regserver "C:\Users\Admin\AppData\Local\Temp\AutoRun.exe"

C:\Users\Admin\AppData\Local\Temp\AutoRun.exe

"C:\Users\Admin\AppData\Local\Temp\AutoRun.exe" -restart -dir "C:\NFSMWDemo"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B8" "00000000000005B0"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /regserver "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\eauninstall.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /regserver "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /regserver "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\shell_inst.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /regserver "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\safemode_inst.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /regserver "C:\Users\Admin\AppData\Local\Temp\safemode_inst.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s /regserver "C:\Users\Admin\AppData\Local\Temp\shell_inst.exe"

C:\Users\Admin\AppData\Local\Temp\safemode_inst.exe

"C:\Users\Admin\AppData\Local\Temp\safemode_inst.exe" "C:\NFSMWDemo" "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Need for Speed™ Most Wanted PC Demo" "1"

C:\Users\Admin\AppData\Local\Temp\shell_inst.exe

"C:\Users\Admin\AppData\Local\Temp\shell_inst.exe" "C:\NFSMWDemo" "C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Need for Speed™ Most Wanted PC Demo" "1"

C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe

"C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 500

C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe

"C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 436

C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe

"C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 436

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl.microsoft.com udp
GB 88.221.134.83:80 crl.microsoft.com tcp

Files

\NFSMWDemo\AutoRun.exe

C:\NFSMWDemo\AutoRunGUI.DLL

C:\NFSMWDemo\AutoRun\AutoRun.bmp

C:\NFSMWDemo\AutoRun\autorun.cfg

C:\NFSMWDemo\AutoRun.inf

C:\NFSMWDemo\Support\Localization.ini

C:\NFSMWDemo\DirectX\dsetup.dll

C:\NFSMWDemo\DirectX\DSETUP32.DLL

C:\Windows\DirectX.log

C:\NFSMWDemo\DirectX\dxupdate.cab

\Users\Admin\AppData\Local\Temp\DXD6A0.tmp\dxupdate.dll

C:\NFSMWDemo\DirectX\Jun2005_d3dx9_26_x86.cab

C:\Users\Admin\AppData\Local\Temp\DXD6A0.tmp\jun2005_d3dx9_26_x86.inf

C:\Users\Admin\AppData\Local\Temp\DXD6A0.tmp\d3dx9_26.dll

C:\NFSMWDemo\AutoRun\Slide_002.bmp

C:\NFSMWDemo\AutoRun\Slide_001.bmp

C:\NFSMWDemo\AutoRun\Slide_000.bmp

C:\NFSMWDemo\common_filelist.txt

C:\NFSMWDemo\Support\en-us\readme.txt

C:\NFSMWDemo\0compressed.zip

C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\SKIDS\SKID_SML_MB.abk

C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\CREDITS\JAPANESE.TXT

C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\MIXMAPS\MAPOUTPUTDRG.dyn

C:\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\SOUND\MIXMAPS\MAPOUTPUT2DR.mxb

C:\NFSMWDemo\eauninstall.exe

C:\NFSMWDemo\server.dll

\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\server.dll

C:\NFSMWDemo\server.cfg

C:\NFSMWDemo\speedDemo.exe

C:\NFSMWDemo\shell_inst.exe

C:\NFSMWDemo\safemode_inst.exe

C:\NFSMWDemo\NFSMW_icon.ico

\Program Files (x86)\EA GAMES\Need for Speed Most Wanted PC Demo\speedDemo.exe
