Analysis
max time kernel: 108s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 07-04-2024 07:31

Static task: static1
Behavioral task: behavioral1
Sample: f267a71692c3683e3d6d0461e003f54f.exe
Resource: win7-20231129-en

General
Target: f267a71692c3683e3d6d0461e003f54f.exe
Size: 2.3MB
MD5: f267a71692c3683e3d6d0461e003f54f
SHA1: 189450a513d1f2412470eb965468f1324633d252
SHA256: 74531f459fdb6837669583dc731b7a6afad5378782ab8bca5d726edac753f251
SHA512: b376166646548104ee092beba9af8af5a04695f828e1a1b21ccdfd8a1cb88347a40f31108066d0fe6176a5ce18bf3ef3b8ce4e82a6c6a6ee886efe2bfa7a7bd7
SSDEEP: 49152:qjOIzFMNQnXmsIi7MS4bdotKHDG/GGcYsKYX78Y5Ye3:qjvzFMNQnWspj4bdot45GdsKYXl5Yo

Malware Config
Extracted
Family: xworm
Version: 3.1
C2: gamemodz.duckdns.org:6969
Install_directory: %AppData%
install_file: USB.exe
Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource  yara_rule
behavioral1/memory/3004-26277-0x0000000000830000-0x000000000083C000-memory.dmp  disable_win_def

HermeticWiper
HermeticWiper is a partition-corrupting malware used in cyberattacks against Ukrainian organizations.
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\xihbdo.exe  family_hermeticwiper

Detect Xworm Payload 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/3004-4932-0x0000000000400000-0x0000000000418000-memory.dmp  family_xworm
behavioral1/memory/2400-13435-0x0000000000080000-0x0000000000098000-memory.dmp  family_xworm

Detect ZGRat V1 34 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2028-2-0x0000000005D50000-0x0000000005F9C000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-3-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-4-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-6-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-8-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-10-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-12-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-14-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-16-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-18-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-20-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-22-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-24-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-26-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-28-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-30-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-32-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-34-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-36-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-38-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-40-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-42-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-44-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-46-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-48-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-50-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-52-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-54-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-56-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-60-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-58-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-62-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-64-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
behavioral1/memory/2028-66-0x0000000005D50000-0x0000000005F96000-memory.dmp  family_zgrat_v1
Drops file in Drivers directory 42 IoCs
Processes: $775574fe, xihbdo.exe
description  ioc  process
File created  C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\gm.dls  $775574fe
File created  C:\Windows\SysWOW64\drivers\gmreadme.txt  $775574fe
File created  C:\Windows\SysWOW64\drivers\wimmount.sys  $775574fe
File created  C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui  $775574fe
File opened for modification  C:\Windows\system32\Drivers\hzdr  xihbdo.exe
File created  C:\Windows\system32\Drivers\hzdr.sys  xihbdo.exe
File created  C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui  $775574fe
File created  C:\Windows\system32\Drivers\hzdr  xihbdo.exe
File created  C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui  $775574fe
File created  C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui  $775574fe
Manipulates Digital Signatures 1 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
Processes: $775574fe
description  ioc  process
File created  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll  $775574fe
Drops startup file 3 IoCs
Processes: $775574fe
description  ioc  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$775574fe.lnk  $775574fe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$775574fe.lnk  $775574fe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  $775574fe
Executes dropped EXE 9 IoCs
Processes: $77d8217c, $775574fe, $775574fe, $77a3d85e, nwoakg.exe, mbr.exe, bytebeat1.exe, rgb.exe, xihbdo.exe
pid  process
2508  $77d8217c
3004  $775574fe
2224  $775574fe
2400  $77a3d85e
2868  nwoakg.exe
1300  mbr.exe
760  bytebeat1.exe
2956  rgb.exe
108  xihbdo.exe
Loads dropped DLL 13 IoCs
Processes: f267a71692c3683e3d6d0461e003f54f.exe, WerFault.exe, $775574fe, $775574fe
pid  process
2028  f267a71692c3683e3d6d0461e003f54f.exe
2500  WerFault.exe
2500  WerFault.exe
2500  WerFault.exe
2500  WerFault.exe
2500  WerFault.exe
2500  WerFault.exe
2500  WerFault.exe
2028  f267a71692c3683e3d6d0461e003f54f.exe
2224  $775574fe
3004  $775574fe
3004  $775574fe
3004  $775574fe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\nwoakg.exe  upx
behavioral1/memory/2868-23329-0x0000000000400000-0x00000000004D8000-memory.dmp  upx
behavioral1/memory/2868-26146-0x0000000000400000-0x00000000004D8000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes: $775574fe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\$775574fe = "C:\\Users\\Admin\\AppData\\Roaming\\$775574fe"  $775574fe
Drops desktop.ini file(s) 64 IoCs
Processes: $775574fe
description  ioc  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini  $775574fe
File created  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini  $775574fe
File created  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  $775574fe
File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini  $775574fe
File created  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini  $775574fe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini  $775574fe
File created  C:\Users\Public\Libraries\desktop.ini  $775574fe
File created  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini  $775574fe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini  $775574fe
File created  C:\Windows\Downloaded Program Files\desktop.ini  $775574fe
File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini  $775574fe
File created  C:\Program Files (x86)\desktop.ini  $775574fe
File created  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini  $775574fe
File created  C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini  $775574fe
File created  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini  $775574fe
File created  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini  $775574fe
File created  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini  $775574fe
File created  C:\Users\Public\Downloads\desktop.ini  $775574fe
File created  C:\Users\Public\Pictures\Sample Pictures\desktop.ini  $775574fe
File created  C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini  $775574fe
File created  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini  $775574fe
File created  C:\Users\Public\Documents\desktop.ini  $775574fe
File created  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini  $775574fe
File created  C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini  $775574fe
File created  C:\Windows\assembly\Desktop.ini  $775574fe
File created  C:\Windows\Media\Calligraphy\Desktop.ini  $775574fe
File created  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini  $775574fe
File created  C:\Users\Admin\Links\desktop.ini  $775574fe
File created  C:\Windows\Media\Delta\Desktop.ini  $775574fe
File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini  $775574fe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini  $775574fe
File created  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini  $775574fe
File created  C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini  $775574fe
File created  C:\Windows\Media\Raga\Desktop.ini  $775574fe
File created  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini  $775574fe
File created  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini  $775574fe
File created  C:\Users\Public\Videos\Sample Videos\desktop.ini  $775574fe
File created  C:\Windows\Media\Festival\Desktop.ini  $775574fe
File created  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini  $775574fe
File created  C:\Windows\Media\Afternoon\Desktop.ini  $775574fe
File created  C:\Users\Admin\Videos\desktop.ini  $775574fe
File created  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini  $775574fe
File created  C:\Program Files\Microsoft Games\FreeCell\desktop.ini  $775574fe
File created  C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini  $775574fe
File created  C:\Users\Admin\Favorites\desktop.ini  $775574fe
File created  C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.ini  $775574fe
File created  C:\Users\Admin\Music\desktop.ini  $775574fe
File created  C:\Users\Public\desktop.ini  $775574fe
File created  C:\Windows\Media\Desktop.ini  $775574fe
File created  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini  $775574fe
File created  C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini  $775574fe
File created  C:\Windows\Media\Savanna\Desktop.ini  $775574fe
File created  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini  $775574fe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini  $775574fe
File created  C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini  $775574fe
File created  C:\Windows\Media\Heritage\Desktop.ini  $775574fe
File created  C:\Windows\Media\Sonata\Desktop.ini  $775574fe
File created  C:\Users\Admin\Desktop\desktop.ini  $775574fe
File created  C:\Users\Public\Music\desktop.ini  $775574fe
File created  C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini  $775574fe
File created  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FW0P2MZH\desktop.ini  $775574fe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini  $775574fe
File created  C:\Users\Admin\Favorites\Links for United States\desktop.ini  $775574fe
File created  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini  $775574fe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4  ip-api.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: mbr.exe
description  ioc  process
File opened for modification  \??\PhysicalDrive0  mbr.exe
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: $775574fe
description  ioc  process
File created  C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf  $775574fe
Drops file in System32 directory 64 IoCs
Processes: $775574fe
description  ioc  process
File created  C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\pnrmc.sys  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1402E3.PPD  $775574fe
File created  C:\Windows\SysWOW64\en-US\printui.exe.mui  $775574fe
File created  C:\Windows\SysWOW64\es-ES\tpm.msc  $775574fe
File created  C:\Windows\SysWOW64\fr-FR\mmci.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\fr-FR\rasplap.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Variables.help.txt  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\acpipmi.inf_amd64_neutral_256ad642985694b3\acpipmi.sys  $775574fe
File created  C:\Windows\SysWOW64\de-DE\winmm.dll.mui  $775574fe
File created  C:\Windows\System32\DriverStore\en-US\wpdmtphw.inf_loc  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\KYKC1030.PPD  $775574fe
File created  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_pssessions.help.txt  $775574fe
File created  C:\Windows\SysWOW64\infocardapi.dll  $775574fe
File created  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Networking-MPSSVC-Rules-HomeBasicEdition-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRD750CW.GPD  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\Amd64\BRM235C.GPD  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\Amd64\MSXPSINC.GPD  $775574fe
File created  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_command_precedence.help.txt  $775574fe
File created  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_arrays.help.txt  $775574fe
File created  C:\Windows\SysWOW64\en-US\NAPMONTR.DLL.MUI  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnnr003.inf_amd64_neutral_c07c33bfb5764bdb\Amd64\NR40006.GPD  $775574fe
File created  C:\Windows\SysWOW64\migwiz\migfiles.dat  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnca00f.inf_amd64_neutral_777b6911d18869b7\Amd64\CNB_0293.GPD  $775574fe
File created  C:\Windows\SysWOW64\fr-FR\poqexec.exe.mui  $775574fe
File created  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB2786081~31bf3856ad364e35~amd64~~6.1.1.0.cat  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\ditrace.exe  $775574fe
File created  C:\Windows\System32\DriverStore\fr-FR\prnhp005.inf_loc  $775574fe
File created  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaCenter-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\iscsi.inf_amd64_neutral_2ef24e9270d8b2a9\iscsi.inf  $775574fe
File created  C:\Windows\SysWOW64\es-ES\dtsh.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\InstallShield\setupdir\0416\_setup.dll  $775574fe
File created  C:\Windows\SysWOW64\ja-JP\winsockhc.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-CustomLogging-Deployment-DL.man  $775574fe
File created  C:\Windows\SysWOW64\slmgr\0C0A\slmgr.ini  $775574fe
File created  C:\Windows\SysWOW64\de-DE\DisplaySwitch.exe.mui  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNB_0294.GPD  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnsv004.inf_amd64_neutral_fc4526bbfbd5feb1\Amd64\SV1401E3.PPD  $775574fe
File created  C:\Windows\SysWOW64\fr-FR\fltlib.dll.mui  $775574fe
File opened for modification  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-MiscRedirection-Package~31bf3856ad364e35~amd64~en-US~6.1.7600.16385.cat  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\Amd64\CNB_0284.GPD  $775574fe
File created  C:\Windows\SysWOW64\ja-JP\umpnpmgr.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\migwiz\dlmanifests\themeui-DL.man  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\prnbr005.PNF  $775574fe
File created  C:\Windows\SysWOW64\de-DE\dui70.dll.mui  $775574fe
File created  C:\Windows\System32\DriverStore\de-DE\prnfx002.inf_loc  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1216mk5_ibv64.inf_amd64_neutral_3eaae75b591bd148\cxraptor.rom  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpoa620t.gpd  $775574fe
File created  C:\Windows\SysWOW64\es-ES\hnetmon.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\fr-FR\asferror.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\fr-FR\kswdmcap.ax.mui  $775574fe
File opened for modification  C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Premium-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat  $775574fe
File created  C:\Windows\SysWOW64\it-IT\hgcpl.dll.mui  $775574fe
File created  C:\Windows\System32\DriverStore\en-US\WSDPrint.inf_loc  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\mdmsier.inf_amd64_neutral_622ad8125bbeeda8\mdmsier.inf  $775574fe
File created  C:\Windows\SysWOW64\de-DE\autoplay.dll.mui  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\netvfx64.inf_amd64_neutral_194cb6d2ea3a486e\fet6x64.sys  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\prnso002.inf_amd64_neutral_c3b7ce4e6f71641f\Amd64\SODPPRC2.GPD  $775574fe
File created  C:\Windows\System32\DriverStore\ja-JP\prnbr004.inf_loc  $775574fe
File created  C:\Windows\System32\DriverStore\ja-JP\prnle003.inf_loc  $775574fe
File created  C:\Windows\SysWOW64\es-ES\urlmon.dll.mui  $775574fe
File created  C:\Windows\System32\DriverStore\en-US\brmfcmdm.inf_loc  $775574fe
File created  C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\brmsl09f.icm  $775574fe
File created  C:\Windows\SysWOW64\it-IT\netiohlp.dll.mui  $775574fe
File created  C:\Windows\SysWOW64\ja-JP\systeminfo.exe.mui  $775574fe
Suspicious use of SetThreadContext 3 IoCs
Processes: f267a71692c3683e3d6d0461e003f54f.exe, $775574fe
description  pid  process  target process
PID 2028 set thread context of 2508  2028  f267a71692c3683e3d6d0461e003f54f.exe  $77d8217c
PID 2028 set thread context of 3004  2028  f267a71692c3683e3d6d0461e003f54f.exe  $775574fe
PID 2224 set thread context of 2400  2224  $775574fe  $77a3d85e
Drops file in Program Files directory 64 IoCs
Processes: $775574fe
description  ioc  process
File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02041_.WMF  $775574fe
File opened for modification  C:\Program Files\Java\jre7\lib\ext\jaccess.jar  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP  $775574fe
File created  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_ja.jar  $775574fe
File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Mexico_City  $775574fe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.INF  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF  $775574fe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png  $775574fe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png  $775574fe
File opened for modification  C:\Program Files\VideoLAN\VLC\plugins\codec\libcvdsub_plugin.dll  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp  $775574fe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe  $775574fe
File created  C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar  $775574fe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\DW\DBGHELP.DLL  $775574fe
File created  C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml  $775574fe
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\MSQRY32.CHM  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.DLL  $775574fe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif  $775574fe
File opened for modification  C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_it.dll  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18251_.WMF  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\SUBMIT.JS  $775574fe
File created  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\library.js  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00932_.WMF  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png  $775574fe
File created  C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext.png  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03795_.WMF  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FEZIP.POC  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00487_.WMF  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ADD.GIF  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe  $775574fe
File created  C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif  $775574fe
File opened for modification  C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui  $775574fe
File created  C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.IDX  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\LINES.DLL  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\ColleagueImport.dll  $775574fe
File created  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\library.js  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF  $775574fe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF  $775574fe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\info.png  $775574fe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\clock.css  $775574fe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe  $775574fe
File created  C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.LTS  $775574fe
File created  C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml  $775574fe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.HXS  $775574fe
File created  C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png  $775574fe
File created  C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml  $775574fe
File opened for modification  C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE  $775574fe
File created  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png  $775574fe
Drops file in Windows directory 64 IoCs
Processes:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
pid pid_target process target process
2500 2508 WerFault.exe $77d8217c
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid process
480 480
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 2028 f267a71692c3683e3d6d0461e003f54f.exe
Token: SeDebugPrivilege 2028 f267a71692c3683e3d6d0461e003f54f.exe
Token: SeDebugPrivilege 3004 $775574fe
Token: SeDebugPrivilege 3004 $775574fe
Token: SeDebugPrivilege 2224 $775574fe
Token: SeDebugPrivilege 2224 $775574fe
Token: SeDebugPrivilege 2400 $77a3d85e
Token: 0 108 xihbdo.exe
Token: SeBackupPrivilege 108 xihbdo.exe
Token: SeLoadDriverPrivilege 108 xihbdo.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
- C:\Users\Admin\AppData\Local\Temp\f267a71692c3683e3d6d0461e003f54f.exe, command line: "C:\Users\Admin\AppData\Local\Temp\f267a71692c3683e3d6d0461e003f54f.exe", PID: 2028
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\$77d8217c, command line: "C:\Users\Admin\AppData\Local\Temp\$77d8217c", PID: 2508
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe, command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 128, PID: 2500
      - Loads dropped DLL
      - Program crash
  - C:\Users\Admin\AppData\Local\Temp\$775574fe, command line: "C:\Users\Admin\AppData\Local\Temp\$775574fe", PID: 3004
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe, command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$775574fe" /tr "C:\Users\Admin\AppData\Roaming\$775574fe", PID: 2992
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\nwoakg.exe, command line: "C:\Users\Admin\AppData\Local\Temp\nwoakg.exe", PID: 2868
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wscript.exe, command line: "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\93F6.tmp\93F7.tmp\93F8.vbs //Nologo, PID: 1924
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\93F6.tmp\mbr.exe, command line: "C:\Users\Admin\AppData\Local\Temp\93F6.tmp\mbr.exe", PID: 1300
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)
        - C:\Users\Admin\AppData\Local\Temp\93F6.tmp\bytebeat1.exe, command line: "C:\Users\Admin\AppData\Local\Temp\93F6.tmp\bytebeat1.exe", PID: 760
          - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\93F6.tmp\rgb.exe, command line: "C:\Users\Admin\AppData\Local\Temp\93F6.tmp\rgb.exe", PID: 2956
          - Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\93F6.tmp\sinewaves.exe, command line: "C:\Users\Admin\AppData\Local\Temp\93F6.tmp\sinewaves.exe", PID: 2136
        - C:\Users\Admin\AppData\Local\Temp\93F6.tmp\Lines.exe, command line: "C:\Users\Admin\AppData\Local\Temp\93F6.tmp\Lines.exe", PID: 2620
    - C:\Users\Admin\AppData\Local\Temp\xihbdo.exe, command line: "C:\Users\Admin\AppData\Local\Temp\xihbdo.exe", PID: 108
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskeng.exe, command line: taskeng.exe {28BAE6C8-7A71-4E26-9264-633DD00E9058} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1], PID: 1200
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\$775574fe, command line: C:\Users\Admin\AppData\Roaming\$775574fe, PID: 2224
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\$77a3d85e, command line: "C:\Users\Admin\AppData\Local\Temp\$77a3d85e", PID: 2400
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads