5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/12/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
Size

7.6MB
MD5

17d82b7cc1b6e667a90dc36c7a28e35a
SHA1

ee0b8dae09347e1bb8bb96a8dee0ab8b07f8ae51
SHA256

5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca
SHA512

e9e8d8f2052dbb20a659026e3d5e58e07722b4dc8901d5cee1e1aa8dc4fbd2fe960c193604cdbee5334f18a023ed2ea89ce0f71e116851214b94e4fad0c4f8bf
SSDEEP

196608:DG0DNww2S9qRkGpdHbwbDVBQqepp53Na0S6qAV8WE4:hQRbAQTpZNa0vx

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1624	ShopeePlus.exe

Loads dropped DLL 25 IoCs

pid	Process
2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
584	MsiExec.exe
2648	MSIEXEC.EXE
2648	MSIEXEC.EXE
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\ShopeePlus.exe	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\System.Data.SQLite.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\UpdateShopeePlus.exe	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\Facebook.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\MetroFramework.Fonts.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\MetroFramework.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\Microsoft.mshtml.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\Newtonsoft.Json.dll	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ShopeePlus.exe_3BC26883C8FA4C709CB7D62A11E4ED35.exe	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ShopeePlus.exe1_28695D4FAF354CA1BAED07B5252E839A.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ShopeePlus.exe1_28695D4FAF354CA1BAED07B5252E839A.exe	msiexec.exe
File created	C:\Windows\Installer\f76ef3f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76ef3f.msi	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\UpdateShopeePlus.e_40B956DED35A407291C966AB61A97D2E.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\UpdateShopeePlus.e_F2C8FAA61CBD4B98A75B4534E957C58F.exe	msiexec.exe
File created	C:\Windows\Installer\f76ef42.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76ef40.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIF152.tmp	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ShopeePlus.exe_3BC26883C8FA4C709CB7D62A11E4ED35.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\UpdateShopeePlus.e_40B956DED35A407291C966AB61A97D2E.exe	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\UpdateShopeePlus.e_F2C8FAA61CBD4B98A75B4534E957C58F.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIEFDB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76ef40.ipi	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShopeePlus.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	ShopeePlus.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	ShopeePlus.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	ShopeePlus.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ShopeePlus.exe = "11001"	ShopeePlus.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Facebook.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|System.Data.SQLite.dll\System.Data.SQLite,Version="1.0.103.0",PublicKeyToken="DB937BC2D44FF139",Culture="neutral",FileVersion="1.0.103.0",ProcessorArchite = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e0051005300430052002b004400750077004d0039006d0071007600610072002c00520061005e005e0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\841F115901FEB3344B57EFA8322B3FEB\AlwaysInstall	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Net\1 = "C:\\CachedFiles\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|ShopeePlus.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\PackageName = "ShopeePlus_V1.0.0.17.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\ProductIcon = "C:\\Windows\\Installer\\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|MetroFramework.dll\MetroFramework,Version="1.2.0.3",PublicKeyToken="5F91A84759BF584A",Culture="neutral",FileVersion="1.2.0.3",ProcessorArchitecture="MSIL" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e0055004d007d006c0030003400270038006c0039007b007b00720021002d0053007b0038003200610000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Microsoft.mshtml.dll\Microsoft.mshtml,Version="7.0.3300.0",PublicKeyToken="B03F5F7F11D50A3A",Culture="neutral",FileVersion="7.0.3300.1" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e002a004a007a0047007a0070002d005a00670040004d0032007a00340052005900440030002c00750000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|ShopeePlus.exe\ShopeePlus,Version="2.0.0.0",PublicKeyToken="F70E2388E996517E",Culture="neutral",FileVersion="2.0.0.0",ProcessorArchitecture="X86" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e00510043004d002500670054002c006e00420040005e006b00340079003100690044004c002100490000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|UpdateShopeePlus.exe\UpdateShopeePlus,Version="1.0.0.0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e005d003d005e007d00570041007200540062003800310034006c002e005b005e006d00770057004f0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\841F115901FEB3344B57EFA8322B3FEB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\ProductName = "ShopeePlus"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Facebook.dll\Facebook,Version="6.0.10.0",PublicKeyToken="58CB4F2111D1E6DE",Culture="neutral",FileVersion="7.0.6.0",ProcessorArchitecture="MSIL" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e004f0033004d0029005a003400550053003f0040002d0078004e006d006d00740068005f006b00610000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|MetroFramework.Fonts.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|MetroFramework.Fonts.dll\MetroFramework.Fonts,Version="1.2.0.3",PublicKeyToken="5F91A84759BF584A",Culture="neutral",FileVersion="1.2.0.3",ProcessorArchite = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e0072004a0032004b003400540076002400630038003300650029004000600042003200580044003d0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|MetroFramework.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Newtonsoft.Json.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\PackageCode = "4F77418D90944AA4E9A2C703B62C7FAE"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C64BDA3BA1923484D95C9123168CE01C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Microsoft.mshtml.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|UpdateShopeePlus.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\LastUsedSource = "n;1;C:\\CachedFiles\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Newtonsoft.Json.dll\Newtonsoft.Json,Version="6.0.0.0",PublicKeyToken="30AD4FE6B2A6AEED",Culture="neutral",FileVersion="6.0.8.18111",ProcessorArchitecture= = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e00560072006a003d00790040007100390029003f00360027005f004f006000510063002d005d00690000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|System.Data.SQLite.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C64BDA3BA1923484D95C9123168CE01C\841F115901FEB3344B57EFA8322B3FEB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2664	msiexec.exe
2664	msiexec.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe
1624	ShopeePlus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2648	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2648	MSIEXEC.EXE
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeSecurityPrivilege	2664	msiexec.exe
Token: SeCreateTokenPrivilege	2648	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2648	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2648	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2648	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2648	MSIEXEC.EXE
Token: SeTcbPrivilege	2648	MSIEXEC.EXE
Token: SeSecurityPrivilege	2648	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2648	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2648	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2648	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2648	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2648	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2648	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2648	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2648	MSIEXEC.EXE
Token: SeBackupPrivilege	2648	MSIEXEC.EXE
Token: SeRestorePrivilege	2648	MSIEXEC.EXE
Token: SeShutdownPrivilege	2648	MSIEXEC.EXE
Token: SeDebugPrivilege	2648	MSIEXEC.EXE
Token: SeAuditPrivilege	2648	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2648	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2648	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2648	MSIEXEC.EXE
Token: SeUndockPrivilege	2648	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2648	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2648	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2648	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2648	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2648	MSIEXEC.EXE
Token: SeBackupPrivilege	1188	vssvc.exe
Token: SeRestorePrivilege	1188	vssvc.exe
Token: SeAuditPrivilege	1188	vssvc.exe
Token: SeBackupPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2936	DrvInst.exe
Token: SeRestorePrivilege	2936	DrvInst.exe
Token: SeRestorePrivilege	2936	DrvInst.exe
Token: SeRestorePrivilege	2936	DrvInst.exe
Token: SeRestorePrivilege	2936	DrvInst.exe
Token: SeRestorePrivilege	2936	DrvInst.exe
Token: SeRestorePrivilege	2936	DrvInst.exe
Token: SeLoadDriverPrivilege	2936	DrvInst.exe
Token: SeLoadDriverPrivilege	2936	DrvInst.exe
Token: SeLoadDriverPrivilege	2936	DrvInst.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe
Token: SeTakeOwnershipPrivilege	2664	msiexec.exe
Token: SeRestorePrivilege	2664	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2648	MSIEXEC.EXE
2648	MSIEXEC.EXE
1624	ShopeePlus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1624	ShopeePlus.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1624	ShopeePlus.exe
1624	ShopeePlus.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2648	2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	30
PID 2096 wrote to memory of 2648	2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	30
PID 2096 wrote to memory of 2648	2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	30
PID 2096 wrote to memory of 2648	2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	30
PID 2096 wrote to memory of 2648	2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	30
PID 2096 wrote to memory of 2648	2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	30
PID 2096 wrote to memory of 2648	2096	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	30
PID 2664 wrote to memory of 584	2664	msiexec.exe	36
PID 2664 wrote to memory of 584	2664	msiexec.exe	36
PID 2664 wrote to memory of 584	2664	msiexec.exe	36
PID 2664 wrote to memory of 584	2664	msiexec.exe	36
PID 2664 wrote to memory of 584	2664	msiexec.exe	36
PID 2664 wrote to memory of 584	2664	msiexec.exe	36
PID 2664 wrote to memory of 584	2664	msiexec.exe	36
PID 2648 wrote to memory of 1624	2648	MSIEXEC.EXE	38
PID 2648 wrote to memory of 1624	2648	MSIEXEC.EXE	38
PID 2648 wrote to memory of 1624	2648	MSIEXEC.EXE	38
PID 2648 wrote to memory of 1624	2648	MSIEXEC.EXE	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
"C:\Users\Admin\AppData\Local\Temp\5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\CachedFiles\ShopeePlus_V1.0.0.17.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe"
  2⤵
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Program Files (x86)\Plus24h.com\ShopeePlus\ShopeePlus.exe
    "C:\Program Files (x86)\Plus24h.com\ShopeePlus\ShopeePlus.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1624

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DFC24B6A72046D443A0A371C281A124
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000498" "000000000000055C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\CachedFiles\ShopeePlus_V1.0.0.17.msi

Filesize
7.6MB

MD5
39e92a384d507088147a1205fd9ba30d

SHA1
8e4aec83d722114fc126b96274bd54cc368619df

SHA256
9d0846ddff9c0235c902fed190a302cdcfc60037ae09a35014e4cb351f6edd2d

SHA512
b30f12e6405c4916b51694a4bba6eb6fdd0c14cb75e97dd5a6687475ceb9c8fdb2d11164f71e9e9320ad31f0128fc609c834058e541ebf2fe6572cd539e59f26

Download Submit
C:\Config.Msi\f76ef41.rbs

Filesize
13KB

MD5
89319bb8703bf27ac4323bc23a90ddbd

SHA1
139a54d935b2bdcfdf0822c918cbdc3995fbfbc0

SHA256
4dacb1930d1d4eb11bc757a40b84db898853ac6d750a211846e207f582d8d669

SHA512
5989dbada14b260475e687e656faa21132fa06f6788600cd6ae4ba8b005081f392c6c48b6a6088baa64a4ad4cdefdba2a33115c110b84db48bb3b3e4591c2f99

Download Submit
C:\Program Files (x86)\Plus24h.com\ShopeePlus\Facebook.dll

Filesize
105KB

MD5
6b8b763ebf51086effa31e4f5515c6c0

SHA1
33d0debde0063f4d6561970ecc7ee698cca0aa66

SHA256
1b30b9614fef624721b6e1b717560353334e3c8138532a83b4a91152ea06fcba

SHA512
e6af1d6c0e9cfde9ff42ee992a486d14137fddea4b21b8823962af154ca5fc901cacc182d8a7792db94f121ab792ba40efa2767cb221db62169bc2328b045771

Download Submit
C:\Program Files (x86)\Plus24h.com\ShopeePlus\MetroFramework.Fonts.dll

Filesize
656KB

MD5
612080028164b12939751dcccbb68d4a

SHA1
db066593c63d2eff41a5af1b49a3e098b60e0013

SHA256
e96030fddaf7e78401567ee82480ad75ee48d3556199a3f85c0ec669edac2ef4

SHA512
1879c960e27e32941c0c992b84803e7a1f8d243bfc88d17d3d32baca772290b9ea60a6ea90d53170be3bf7f0a58fe71ec901dc66aa560b4bf68b1da56c09fe18

Download Submit
C:\Program Files (x86)\Plus24h.com\ShopeePlus\MetroFramework.dll

Filesize
256KB

MD5
ba06c42b12ac1ca8ff8f5e9ababf6b42

SHA1
6c9626736814dd05621a20aeae389010af84550a

SHA256
be03bbbaba8aa53c21ce6c651e114d0ff25e5ff90ebedcc09ab15265e7791a54

SHA512
36e0b89cdb58bdbaaaad29f4cfc36af5be16736c6a04c4b678d244631947add2a7a10daaeae78f67128f8c7edc687e5274a2a7edabc53eb55b014c84d02eb5eb

Download Submit
C:\Program Files (x86)\Plus24h.com\ShopeePlus\Newtonsoft.Json.dll

Filesize
492KB

MD5
5e02ddaf3b02e43e532fc6a52b04d14b

SHA1
67f0bd5cfa3824860626b6b3fff37dc89e305cec

SHA256
78bedd9fce877a71a8d8ff9a813662d8248361e46705c4ef7afc61d440ff2eeb

SHA512
38720cacbb169dfc448deef86af973eafefa19eaeb48c55c58091c9d6a8b12a1f90148c287faaaa01326ec47143969ad1b54ee2b81018e1de0b83350dc418d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{439215BB-F0B6-4C8F-A89C-710838AD6167}\0x0409.ini

Filesize
21KB

MD5
8586214463bd73e1c2716113e5bd3e13

SHA1
f02e3a76fd177964a846d4aa0a23f738178db2be

SHA256
089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54

SHA512
309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{439215BB-F0B6-4C8F-A89C-710838AD6167}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~A016.tmp

Filesize
6KB

MD5
51034d1ae230e5590943f5dc3762c197

SHA1
deb79a5a6c7202a38cca594e210af32686ff886d

SHA256
312210155b3909acabb69e8276251fa3b158b982751e01a3a2f010aba5999698

SHA512
6729812f6fcc6f4114d6be07bd64ce997ad7ee52086a600f9d23884503a730f0abfa5979a2cce34ee9424f3c220b6cc8499d741741ba5aec280cfbc0dcda7352

Download Submit
C:\Windows\Installer\MSIEFDB.tmp

Filesize
105KB

MD5
29e4cb02681bf0780985a429b48903ca

SHA1
474acf63ad259fa06164916259a40ffe8909f622

SHA256
3dd81287d4318c25ed9f0afa740c3ca59b746d9a587735e1e33107c14e1b40e0

SHA512
5c491bf4357bb1cee86ff0eb9662f6046c32b7e8b8fb406f12e4f866885a25994c34e8f46315f98f116be27a6a7a06c21ca52b030aacb1c1216910ac339500a1

Download Submit
\Program Files (x86)\Plus24h.com\ShopeePlus\ShopeePlus.exe

Filesize
4.2MB

MD5
b53f7a8186bbe7f5272d262078cfaa5f

SHA1
fac6d555dbba6dd3a175fa56dba5b9d9c5831a39

SHA256
fd90b68e1a7718a240e638052e13fd9c83ba71c63edfc9eb05a5dcacb1e2b2f7

SHA512
2fb3228f8ff7c6087f156401dba19d65ee676b326c94ed3815e5256fffa2a9cee42629d2fb90624fd59a620a37e5d54f356810fbdde125a7dcf88311ca7c35fb

Download Submit
\Users\Admin\AppData\Local\Temp\_isA037..dll

Filesize
2.2MB

MD5
0ce4d3bd306da6d1f6f233c403f5b667

SHA1
15dd2e31c5e9dc223befc5cfb6ca01737b262412

SHA256
6428ad0bd3732a2038cd372a06563e84f33dcdab4e2b203b3f75be678690dcad

SHA512
4275103c2148945e0ea7afc666402c3fa37b6443fb298fb40d668269694057b394fc23e1aeac99236e3ffee1a05ecb3ae2d394df9ad219bc7b6bd67412670ae9

Download Submit
memory/1624-149-0x0000000000970000-0x00000000009A4000-memory.dmp

Filesize
208KB

Download
memory/1624-148-0x0000000001020000-0x0000000001464000-memory.dmp

Filesize
4.3MB

Download
memory/1624-153-0x0000000000D50000-0x0000000000DD2000-memory.dmp

Filesize
520KB

Download
memory/1624-159-0x0000000000F80000-0x0000000000FC6000-memory.dmp

Filesize
280KB

Download
memory/1624-165-0x0000000000F00000-0x0000000000F20000-memory.dmp

Filesize
128KB

Download
memory/1624-223-0x0000000005670000-0x000000000571A000-memory.dmp

Filesize
680KB

Download
memory/1624-224-0x00000000065F0000-0x0000000006816000-memory.dmp

Filesize
2.1MB

Download
memory/1624-225-0x000000000BD40000-0x000000000C4E6000-memory.dmp

Filesize
7.6MB

Download