f943dd4b187f62b888b8bc3effd81a882907da2fe95eb06be0512714f4418bc3

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
Size

532KB
MD5

bb3014ba20f8bb3c5cc0742b8f2946c0
SHA1

08f671eb0abc9e5384d03fc24572aae59e66cb29
SHA256

f943dd4b187f62b888b8bc3effd81a882907da2fe95eb06be0512714f4418bc3
SHA512

c924f05b42e5c9b59bd5990e134a56516cbd702eb00aff68b03d53653311118118b5a0dc4308996c1cd917c6060afc1916633ea8f52a13dc36abd10f37cf8b34
SSDEEP

6144:+vMgrmEs7eVyYr9AmEcmI5qpYDb1MV+w1ILKcjIBvGKkSLIM:+vMg9sKVyY3EcmIopMbv1OcjIBvGKkSH

Score

8^/10

upx

Malware Config

Signatures

Drops file in Drivers directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	AE 0124 BE.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
2632	winlogon.exe
2700	AE 0124 BE.exe
1556	winlogon.exe
1684	winlogon.exe

Loads dropped DLL 8 IoCs

pid	Process
620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
2632	winlogon.exe
2632	winlogon.exe
1556	winlogon.exe
2700	AE 0124 BE.exe
2700	AE 0124 BE.exe
1684	winlogon.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/620-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/files/0x0008000000016d33-49.dat	upx
behavioral1/memory/2632-59-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1556-121-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/620-149-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1684-204-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2632-447-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2700-609-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2700-640-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2216	msiexec.exe
4	2416	msiexec.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Web\Wallpaper\Characters\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Cityscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Garden\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Festival\Desktop.ini	AE 0124 BE.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops autorun.inf file 1 TTPs 26 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	AE 0124 BE.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~pt-PT~7.1.7601.16492.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\imapi.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\servercore-wow64-rm.man	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\WMIC.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wdi\perftrack\wow64_wlansvc.ptxml	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ProfessionalEdition-wrapper~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\prnep002.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\oleaccrc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnsh002.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\Amd64\LR131N6.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\L2SecHC.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmbr006.inf_amd64_neutral_40c76453575b1208\mdmbr006.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\sdchange.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Netplwiz.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0010	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\IME	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPF0450T.XML	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPP8700T.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\wshext.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\diskperf.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Dism\ja-JP\UnattendProvider.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnlx00w.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\credwiz.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\iphlpapi.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\en-US\cli.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\mstsc.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnlx009.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\route.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\SystemPropertiesAdvanced.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\ActionCenter.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\tasklist.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\MMFUtil.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\p2p-collab.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnok002.inf_amd64_neutral_616c1e9b7df7d5a9\Amd64\OK540NU5.PPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\netshell.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky009.inf_amd64_neutral_8e54c9ff272b72f1\Amd64\KYTAS250.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Networking-MPSSVC-Svc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wdi\perftrack\Microsoft-Windows-WLANConnectionFlow.ptxml	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Utilman.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\adsldp.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnky007.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\vidcap.ax	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\prnts003.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\amdsata.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\prnso002.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D1.log	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\LocationNotifications.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\mapistub.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNBJOP99.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\NlsData0001.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\spwizres.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPPH8400.EXP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasic	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_neutral_82f4c743c8996d67\amd64\winusb.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\MUI\0410	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-CodecPack-Basic-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgsm.inf_amd64_neutral_dd3fbd8c64c7c87d	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\blbdrive.inf_amd64_neutral_1aa816fe7dc98c3f\blbdrive.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp8500at.vdf	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ntdll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_51346de63ffde7c5	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ee871b8ab496c12c\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-shatter_31bf3856ad364e35_6.1.7600.16385_none_0cd72f8900478c68\NavigationUp_ButtonGraphic.png	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_es-es_dcd069cfcafeacf0.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ayer-core.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d67fded40c74e68e	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-msxml30.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9fd3daa29505fb3c	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..layer-vis.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8c7db75340223ccb\mpvis.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..lsservice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_94d36544fcfcb068	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0001042b_31bf3856ad364e35_6.1.7600.16385_none_fc100c396281ee83\KBDARMW.DLL	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..core-base.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_68a3391d007cd856	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-u..trolpoint.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b4223180e30061e1	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wordpad.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_dbb048727ddfb323	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00d.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_62efd6227ab667ed\CNBBR312.DLL.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\msil_microsoft.powershel..hicalhost.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9f20a6abfea7ad81.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\normalization.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\Microsoft.PowerShell.Security.dll-Help.xml	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-com-base-qfe-ole32_31bf3856ad364e35_6.1.7601.17514_none_ae2511475093798f.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..icecommon.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3037ec7f98bc37de	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b8490213a810a8a5\404-5.htm	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_6.1.7601.17514_it-it_46e7f1f4bdaedd67\System.Data.Entity.Design.Resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\Cursors\size3_m.cur	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-http-api.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f7cb8489869c1df8.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sendmail.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4b3311c59c2743f6\sendmail.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_prnsv003.inf_31bf3856ad364e35_6.1.7600.16385_none_61a2cdbcd95e2a4a\Amd64\SVC240D6.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-taskkill.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b34ce07c490e0e98	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-uxtheme.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7214f10d6056e81a	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_users_res_b03f5f7f11d50a3a_6.1.7600.16385_none_3db80e7607906d02\findUsers.aspx.resx	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-p..opeerpnrp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3c7b6f8e1486969.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\msil_aspnet_regsql.resources_b03f5f7f11d50a3a_6.1.7600.16385_it-it_1f110f2815a4f22c\aspnet_regsql.resources.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_ipmidrv.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_30b2d47c9f7766ae\ipmidrv.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-n..ients-svc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ec129652d5486566.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-rpc-local.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ca623cf7dc24c5d3.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..spp-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_28be775de02fa8da\slmgr.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-OpticalMediaDisc-Package~31bf3856ad364e35~amd64~ja-JP~6.1.7601.17514.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wpd-status.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_933d4bec9888524a\portabledevicestatus.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-d..vdsupport.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a2a92c5710d7278a.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..cbinaries.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e40405e76ad2c823.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-verclsid_31bf3856ad364e35_6.1.7600.16385_none_bbbd275974c7e191	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..workspace.resources_31bf3856ad364e35_6.1.7601.17514_es-es_6edcf65ba80608cd\TSWorkspace.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6d2da2f785ea0e9a\dot3svc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\Help\Windows\en-US\ripbsyn.H1S	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-userenv.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c3c89a0484c588c8.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..publicapi.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5e75d9fcf72c3633.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-msidntld.resources_31bf3856ad364e35_6.1.7600.16385_de-de_3d4884e09eb8201c.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_4b57445488ba33fd\IMJPDADM.EXE	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_es-es_76b445ae591253e2\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.1.7601.17514_none_8e140d2bdc47c0be\aaclient.mof	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..nfrastructure-other_31bf3856ad364e35_6.1.7600.16385_none_6079f415110c0210\winsockhc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0e4f12fdadcad992\pubprn.vbs	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-d..pertytool.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1262d6d86e6c572a.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_c718d071d9c10a2d\adtschema.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_netfx-mscoree_tlb_b03f5f7f11d50a3a_6.1.7600.16385_none_b7eea4cc378f3256\mscoree.tlb	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msf.resources_31bf3856ad364e35_6.1.7601.17514_de-de_d81b3f66e937e037\syncreg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Windows Balloon.wav	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_tpm.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e9a36d7a5d1f2712\tpm.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-help-client.resources_31bf3856ad364e35_6.1.7600.16385_es-es_dd93b6bcf77e433e.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_prnlx00b.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05af17a54479e783.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_ko-kr_77821a692516b9b3.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_en-us_f04371ec21c4626e	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\selection_subpicture.png	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\amd64_netvwifibus.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_303fa497ae3036e7\vwifibus.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-hal_31bf3856ad364e35_6.1.7601.17514_none_094ef8137049c196.manifest	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	msiexec.exe
2416	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2216	msiexec.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2216	msiexec.exe
Token: SeRestorePrivilege	2416	msiexec.exe
Token: SeTakeOwnershipPrivilege	2416	msiexec.exe
Token: SeSecurityPrivilege	2416	msiexec.exe
Token: SeCreateTokenPrivilege	2216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2216	msiexec.exe
Token: SeLockMemoryPrivilege	2216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2216	msiexec.exe
Token: SeMachineAccountPrivilege	2216	msiexec.exe
Token: SeTcbPrivilege	2216	msiexec.exe
Token: SeSecurityPrivilege	2216	msiexec.exe
Token: SeTakeOwnershipPrivilege	2216	msiexec.exe
Token: SeLoadDriverPrivilege	2216	msiexec.exe
Token: SeSystemProfilePrivilege	2216	msiexec.exe
Token: SeSystemtimePrivilege	2216	msiexec.exe
Token: SeProfSingleProcessPrivilege	2216	msiexec.exe
Token: SeIncBasePriorityPrivilege	2216	msiexec.exe
Token: SeCreatePagefilePrivilege	2216	msiexec.exe
Token: SeCreatePermanentPrivilege	2216	msiexec.exe
Token: SeBackupPrivilege	2216	msiexec.exe
Token: SeRestorePrivilege	2216	msiexec.exe
Token: SeShutdownPrivilege	2216	msiexec.exe
Token: SeDebugPrivilege	2216	msiexec.exe
Token: SeAuditPrivilege	2216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2216	msiexec.exe
Token: SeChangeNotifyPrivilege	2216	msiexec.exe
Token: SeRemoteShutdownPrivilege	2216	msiexec.exe
Token: SeUndockPrivilege	2216	msiexec.exe
Token: SeSyncAgentPrivilege	2216	msiexec.exe
Token: SeEnableDelegationPrivilege	2216	msiexec.exe
Token: SeManageVolumePrivilege	2216	msiexec.exe
Token: SeImpersonatePrivilege	2216	msiexec.exe
Token: SeCreateGlobalPrivilege	2216	msiexec.exe
Token: SeBackupPrivilege	1876	vssvc.exe
Token: SeRestorePrivilege	1876	vssvc.exe
Token: SeAuditPrivilege	1876	vssvc.exe
Token: SeBackupPrivilege	2416	msiexec.exe
Token: SeRestorePrivilege	2416	msiexec.exe
Token: SeRestorePrivilege	3012	DrvInst.exe
Token: SeRestorePrivilege	3012	DrvInst.exe
Token: SeRestorePrivilege	3012	DrvInst.exe
Token: SeRestorePrivilege	3012	DrvInst.exe
Token: SeRestorePrivilege	3012	DrvInst.exe
Token: SeRestorePrivilege	3012	DrvInst.exe
Token: SeRestorePrivilege	3012	DrvInst.exe
Token: SeLoadDriverPrivilege	3012	DrvInst.exe
Token: SeLoadDriverPrivilege	3012	DrvInst.exe
Token: SeLoadDriverPrivilege	3012	DrvInst.exe
Token: SeRestorePrivilege	2416	msiexec.exe
Token: SeTakeOwnershipPrivilege	2416	msiexec.exe
Token: SeRestorePrivilege	2416	msiexec.exe
Token: SeTakeOwnershipPrivilege	2416	msiexec.exe
Token: SeRestorePrivilege	2416	msiexec.exe
Token: SeTakeOwnershipPrivilege	2416	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2216	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
2632	winlogon.exe
2700	AE 0124 BE.exe
1556	winlogon.exe
1684	winlogon.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2216	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	28
PID 620 wrote to memory of 2216	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	28
PID 620 wrote to memory of 2216	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	28
PID 620 wrote to memory of 2216	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	28
PID 620 wrote to memory of 2216	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	28
PID 620 wrote to memory of 2216	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	28
PID 620 wrote to memory of 2216	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	28
PID 620 wrote to memory of 2632	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	29
PID 620 wrote to memory of 2632	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	29
PID 620 wrote to memory of 2632	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	29
PID 620 wrote to memory of 2632	620	bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe	29
PID 2632 wrote to memory of 2700	2632	winlogon.exe	30
PID 2632 wrote to memory of 2700	2632	winlogon.exe	30
PID 2632 wrote to memory of 2700	2632	winlogon.exe	30
PID 2632 wrote to memory of 2700	2632	winlogon.exe	30
PID 2632 wrote to memory of 1556	2632	winlogon.exe	31
PID 2632 wrote to memory of 1556	2632	winlogon.exe	31
PID 2632 wrote to memory of 1556	2632	winlogon.exe	31
PID 2632 wrote to memory of 1556	2632	winlogon.exe	31
PID 2700 wrote to memory of 1684	2700	AE 0124 BE.exe	33
PID 2700 wrote to memory of 1684	2700	AE 0124 BE.exe	33
PID 2700 wrote to memory of 1684	2700	AE 0124 BE.exe	33
PID 2700 wrote to memory of 1684	2700	AE 0124 BE.exe	33

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bb3014ba20f8bb3c5cc0742b8f2946c0_NeikiAnalytics.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2216
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops autorun.inf file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1684
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "0000000000000594" "000000000000057C"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a575734b86fceb649966c1ee4cce3b21

SHA1
0139f79b81fd43de2649c8008cdb3d9b697b4e1f

SHA256
1e6ba1e80327f7be4dc0c56751f13d2bc77b8c09727f9f294b2ab4cb4c7c6021

SHA512
0a5e1702d81c92403a58348f3e94ca635952a67c6d302a7c234382f4ce7fe06a2ce142ab90fe874e1530d22b9bde5bcf032cf96c66728e425ff0386cea432edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab256D.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2580.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\AE 0124 BE.msi

Filesize
532KB

MD5
b26c334286bb7c316a77323aa3d8fbdd

SHA1
fc54644b72b1c5e76ed801441d29147d57111fcb

SHA256
fb28755f0566e0994c7fd4a2a75628db8c4828ee7b296d8e13f6b333c1d417ef

SHA512
c36213ae79c91271da2029b6646989ebc7e393748dce7fc4cb4f6394f4f520e730aea50a106985714521cd06b10308772008804a914aa76d8c28dac3322c0ec5

Download Submit
C:\Windows\Installer\MSI4C89.tmp

Filesize
303KB

MD5
329faafc35db534e4415c6118bfa5273

SHA1
80e207f031ef37c21870135d8133f01985b8bb3e

SHA256
8aad0c943607df71ba74db5c9bb26724dd2068d9dcaffc12375a5df54d1ad359

SHA512
c573234c263e2f04415ab1470ef68a986bd67debf68764d56073aa16b81a5517d664b65653e400a8ff528c0376d207e16fe7309f661fa696d14a5e84d028cab3

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
48KB

MD5
2db16226ec2af12bf1d73307b0c6d6dc

SHA1
79b1ddaedb280f65fdb4fba0e570372183a6ae2d

SHA256
bef0b8025c58ceaa79b4e1e9457a85c84611b71b67742340af3cb027375407bb

SHA512
389ad50897145e18ba7339a3e83a3987161eda1989299ab55e7972ac3db8263004189aa6254cfc92b9e84f72e1f4924dd00fe6d3bc538a88a363c0aba0d58d44

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
21B

MD5
9cceaa243c5d161e1ce41c7dad1903dd

SHA1
e3da72675df53fffa781d4377d1d62116eafb35b

SHA256
814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

SHA512
af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

Download Submit
memory/620-58-0x0000000004640000-0x000000000464B000-memory.dmp

Filesize
44KB

Download
memory/620-57-0x0000000004640000-0x000000000464B000-memory.dmp

Filesize
44KB

Download
memory/620-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/620-149-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/620-12-0x0000000003960000-0x000000000441A000-memory.dmp

Filesize
10.7MB

Download
memory/1556-121-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1684-204-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2632-59-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2632-93-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/2632-92-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/2632-90-0x0000000003560000-0x000000000401A000-memory.dmp

Filesize
10.7MB

Download
memory/2632-100-0x00000000045A0000-0x00000000045AB000-memory.dmp

Filesize
44KB

Download
memory/2632-447-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2700-110-0x0000000003170000-0x0000000003C2A000-memory.dmp

Filesize
10.7MB

Download
memory/2700-356-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2700-205-0x0000000004680000-0x000000000468B000-memory.dmp

Filesize
44KB

Download
memory/2700-206-0x0000000004680000-0x000000000468B000-memory.dmp

Filesize
44KB

Download
memory/2700-609-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2700-619-0x0000000004680000-0x000000000468B000-memory.dmp

Filesize
44KB

Download
memory/2700-620-0x0000000004680000-0x000000000468B000-memory.dmp

Filesize
44KB

Download
memory/2700-640-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2700-639-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download