895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964

Analysis

max time kernel
153s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Size

65KB
MD5

0ea5db46e0f6a087c5dc98c6fb6c5fe7
SHA1

e9c609d1d75a560d21c5879bcfea37438d2ab067
SHA256

895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964
SHA512

f891238f7ad3820f8b9eca963f449757279829db2ab03d5027708fe9d7e64f32bceb419a6f8b2981856f71b97566cb47b2642430eaf9cf94ac8fcb78b30e7829
SSDEEP

768:hQAG+3HJPqwBcNpYje8KnUqWBGuwSG4lNKNeEbMbap2WU3i5nEwekfE9n:hRXJPQDZORb+ecoRwwR

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WINLOGON.EXE

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE

Windows security bypass 2 TTPs 25 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE

Blocks application from running via registry modification 55 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WishfulThinking.exe

Disables RegEdit via registry modification 10 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 24 IoCs

pid	Process
1652	nEwb0Rn.exe
952	nEwb0Rn.exe
1604	WishfulThinking.exe
1820	WishfulThinking.exe
1640	nEwb0Rn.exe
1524	WINLOGON.EXE
1772	SERVICES.EXE
1292	WishfulThinking.exe
1440	nEwb0Rn.exe
1748	WINLOGON.EXE
1500	SERVICES.EXE
2008	WishfulThinking.exe
1676	WINLOGON.EXE
1048	WINLOGON.EXE
1700	nEwb0Rn.exe
828	SERVICES.EXE
1720	nEwb0Rn.exe
848	WishfulThinking.exe
1808	WINLOGON.EXE
520	WishfulThinking.exe
1832	SERVICES.EXE
1880	SERVICES.EXE
988	WINLOGON.EXE
1640	SERVICES.EXE

Sets file execution options in registry 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE

Loads dropped DLL 34 IoCs

pid	Process
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1652	nEwb0Rn.exe
1652	nEwb0Rn.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1652	nEwb0Rn.exe
1652	nEwb0Rn.exe
1652	nEwb0Rn.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1652	nEwb0Rn.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1820	WishfulThinking.exe
1820	WishfulThinking.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1820	WishfulThinking.exe
1820	WishfulThinking.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1524	WINLOGON.EXE
1524	WINLOGON.EXE
1772	SERVICES.EXE
1772	SERVICES.EXE
1524	WINLOGON.EXE
1524	WINLOGON.EXE
1524	WINLOGON.EXE
1820	WishfulThinking.exe
1820	WishfulThinking.exe
1772	SERVICES.EXE
1772	SERVICES.EXE
1772	SERVICES.EXE

Windows security modification 2 TTPs 30 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	SERVICES.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\desktop.ini	nEwb0Rn.exe
File opened for modification	C:\desktop.ini	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File created	C:\desktop.ini	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened for modification	C:\desktop.ini	nEwb0Rn.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	nEwb0Rn.exe
File opened (read-only)	\??\O:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\E:	WishfulThinking.exe
File opened (read-only)	\??\G:	WishfulThinking.exe
File opened (read-only)	\??\E:	nEwb0Rn.exe
File opened (read-only)	\??\V:	SERVICES.EXE
File opened (read-only)	\??\T:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\X:	WINLOGON.EXE
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\K:	WINLOGON.EXE
File opened (read-only)	\??\H:	nEwb0Rn.exe
File opened (read-only)	\??\W:	nEwb0Rn.exe
File opened (read-only)	\??\K:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\X:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\S:	nEwb0Rn.exe
File opened (read-only)	\??\Y:	nEwb0Rn.exe
File opened (read-only)	\??\S:	WishfulThinking.exe
File opened (read-only)	\??\W:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\L:	WINLOGON.EXE
File opened (read-only)	\??\P:	WishfulThinking.exe
File opened (read-only)	\??\T:	WishfulThinking.exe
File opened (read-only)	\??\F:	nEwb0Rn.exe
File opened (read-only)	\??\U:	nEwb0Rn.exe
File opened (read-only)	\??\I:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\L:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\T:	SERVICES.EXE
File opened (read-only)	\??\Q:	SERVICES.EXE
File opened (read-only)	\??\Z:	SERVICES.EXE
File opened (read-only)	\??\M:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\Y:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\W:	WishfulThinking.exe
File opened (read-only)	\??\F:	SERVICES.EXE
File opened (read-only)	\??\O:	WishfulThinking.exe
File opened (read-only)	\??\J:	nEwb0Rn.exe
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\E:	SERVICES.EXE
File opened (read-only)	\??\H:	SERVICES.EXE
File opened (read-only)	\??\G:	nEwb0Rn.exe
File opened (read-only)	\??\R:	nEwb0Rn.exe
File opened (read-only)	\??\P:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\Q:	WINLOGON.EXE
File opened (read-only)	\??\P:	nEwb0Rn.exe
File opened (read-only)	\??\U:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\V:	WishfulThinking.exe
File opened (read-only)	\??\W:	SERVICES.EXE
File opened (read-only)	\??\Z:	nEwb0Rn.exe
File opened (read-only)	\??\R:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\S:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\X:	nEwb0Rn.exe
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\O:	SERVICES.EXE
File opened (read-only)	\??\S:	SERVICES.EXE
File opened (read-only)	\??\B:	WishfulThinking.exe
File opened (read-only)	\??\Q:	nEwb0Rn.exe
File opened (read-only)	\??\E:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\J:	WINLOGON.EXE
File opened (read-only)	\??\W:	WINLOGON.EXE
File opened (read-only)	\??\O:	nEwb0Rn.exe
File opened (read-only)	\??\B:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\H:	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened (read-only)	\??\U:	SERVICES.EXE
File opened (read-only)	\??\V:	nEwb0Rn.exe
File opened (read-only)	\??\B:	WINLOGON.EXE

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\DamageControl.scr	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\JawsOfLife.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File created	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File created	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "Inanimate"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "Inanimate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "Animate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "Inanimate"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\AutoEndTasks = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "Animate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "Animate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "Animate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "Inanimate"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s1159 = "Inanimate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\s2359 = "Animate"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\	SERVICES.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WishfulThinking.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WINLOGON.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1652	nEwb0Rn.exe
1524	WINLOGON.EXE
1772	SERVICES.EXE
1820	WishfulThinking.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
1652	nEwb0Rn.exe
952	nEwb0Rn.exe
1820	WishfulThinking.exe
1604	WishfulThinking.exe
1524	WINLOGON.EXE
1640	nEwb0Rn.exe
1292	WishfulThinking.exe
1772	SERVICES.EXE
1748	WINLOGON.EXE
1440	nEwb0Rn.exe
1500	SERVICES.EXE
2008	WishfulThinking.exe
1048	WINLOGON.EXE
1700	nEwb0Rn.exe
828	SERVICES.EXE
848	WishfulThinking.exe
1720	nEwb0Rn.exe
1676	WINLOGON.EXE
1808	WINLOGON.EXE
520	WishfulThinking.exe
1832	SERVICES.EXE
1880	SERVICES.EXE
988	WINLOGON.EXE
1640	SERVICES.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 1652	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	27
PID 1256 wrote to memory of 1652	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	27
PID 1256 wrote to memory of 1652	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	27
PID 1256 wrote to memory of 1652	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	27
PID 1652 wrote to memory of 952	1652	nEwb0Rn.exe	29
PID 1652 wrote to memory of 952	1652	nEwb0Rn.exe	29
PID 1652 wrote to memory of 952	1652	nEwb0Rn.exe	29
PID 1652 wrote to memory of 952	1652	nEwb0Rn.exe	29
PID 1652 wrote to memory of 1820	1652	nEwb0Rn.exe	30
PID 1652 wrote to memory of 1820	1652	nEwb0Rn.exe	30
PID 1652 wrote to memory of 1820	1652	nEwb0Rn.exe	30
PID 1652 wrote to memory of 1820	1652	nEwb0Rn.exe	30
PID 1256 wrote to memory of 1604	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	28
PID 1256 wrote to memory of 1604	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	28
PID 1256 wrote to memory of 1604	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	28
PID 1256 wrote to memory of 1604	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	28
PID 1256 wrote to memory of 1640	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	31
PID 1256 wrote to memory of 1640	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	31
PID 1256 wrote to memory of 1640	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	31
PID 1256 wrote to memory of 1640	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	31
PID 1652 wrote to memory of 1524	1652	nEwb0Rn.exe	32
PID 1652 wrote to memory of 1524	1652	nEwb0Rn.exe	32
PID 1652 wrote to memory of 1524	1652	nEwb0Rn.exe	32
PID 1652 wrote to memory of 1524	1652	nEwb0Rn.exe	32
PID 1256 wrote to memory of 1292	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	34
PID 1256 wrote to memory of 1292	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	34
PID 1256 wrote to memory of 1292	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	34
PID 1256 wrote to memory of 1292	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	34
PID 1652 wrote to memory of 1772	1652	nEwb0Rn.exe	33
PID 1652 wrote to memory of 1772	1652	nEwb0Rn.exe	33
PID 1652 wrote to memory of 1772	1652	nEwb0Rn.exe	33
PID 1652 wrote to memory of 1772	1652	nEwb0Rn.exe	33
PID 1820 wrote to memory of 1440	1820	WishfulThinking.exe	35
PID 1820 wrote to memory of 1440	1820	WishfulThinking.exe	35
PID 1820 wrote to memory of 1440	1820	WishfulThinking.exe	35
PID 1820 wrote to memory of 1440	1820	WishfulThinking.exe	35
PID 1256 wrote to memory of 1748	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	36
PID 1256 wrote to memory of 1748	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	36
PID 1256 wrote to memory of 1748	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	36
PID 1256 wrote to memory of 1748	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	36
PID 1820 wrote to memory of 2008	1820	WishfulThinking.exe	37
PID 1820 wrote to memory of 2008	1820	WishfulThinking.exe	37
PID 1820 wrote to memory of 2008	1820	WishfulThinking.exe	37
PID 1820 wrote to memory of 2008	1820	WishfulThinking.exe	37
PID 1256 wrote to memory of 1500	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	38
PID 1256 wrote to memory of 1500	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	38
PID 1256 wrote to memory of 1500	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	38
PID 1256 wrote to memory of 1500	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	38
PID 1820 wrote to memory of 1676	1820	WishfulThinking.exe	39
PID 1820 wrote to memory of 1676	1820	WishfulThinking.exe	39
PID 1820 wrote to memory of 1676	1820	WishfulThinking.exe	39
PID 1820 wrote to memory of 1676	1820	WishfulThinking.exe	39
PID 1256 wrote to memory of 1048	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	40
PID 1256 wrote to memory of 1048	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	40
PID 1256 wrote to memory of 1048	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	40
PID 1256 wrote to memory of 1048	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	40
PID 1524 wrote to memory of 1700	1524	WINLOGON.EXE	41
PID 1524 wrote to memory of 1700	1524	WINLOGON.EXE	41
PID 1524 wrote to memory of 1700	1524	WINLOGON.EXE	41
PID 1524 wrote to memory of 1700	1524	WINLOGON.EXE	41
PID 1256 wrote to memory of 828	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	42
PID 1256 wrote to memory of 828	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	42
PID 1256 wrote to memory of 828	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	42
PID 1256 wrote to memory of 828	1256	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe	42

System policy modification 1 TTPs 35 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE

C:\Users\Admin\AppData\Local\Temp\895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe
"C:\Users\Admin\AppData\Local\Temp\895e377b59355afb4c971a6ea9408d630e415ba4a87ff2f3bb8c7f7bdea0c964.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1256
- C:\Windows\nEwb0Rn.exe
  C:\Windows\nEwb0Rn.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1652
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:952
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Blocks application from running via registry modification
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1820
  - - C:\Windows\nEwb0Rn.exe
      C:\Windows\nEwb0Rn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1440
  - - C:\Windows\SysWOW64\WishfulThinking.exe
      C:\Windows\system32\WishfulThinking.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2008
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1676
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1880
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Blocks application from running via registry modification
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1524
  - - C:\Windows\nEwb0Rn.exe
      C:\Windows\nEwb0Rn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1700
  - - C:\Windows\SysWOW64\WishfulThinking.exe
      C:\Windows\system32\WishfulThinking.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:848
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1808
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1832
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies system executable filetype association
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Windows security bypass
    - Blocks application from running via registry modification
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Sets file execution options in registry
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1772
  - - C:\Windows\nEwb0Rn.exe
      C:\Windows\nEwb0Rn.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1720
  - - C:\Windows\SysWOW64\WishfulThinking.exe
      C:\Windows\system32\WishfulThinking.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:520
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:988
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1640
- C:\Windows\SysWOW64\WishfulThinking.exe
  C:\Windows\system32\WishfulThinking.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1604
- C:\Windows\nEwb0Rn.exe
  C:\Windows\nEwb0Rn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1640
- C:\Windows\SysWOW64\WishfulThinking.exe
  C:\Windows\system32\WishfulThinking.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1292
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1748
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1500
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1048
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
65KB

MD5
8a60b6887a9fa69dc2fc631d5d302461

SHA1
1cedfaec025cf8e08aac2227e08b644921a25fa5

SHA256
a707e132aab6ba72ddbe882d08749b7e178dc9071d34da3d6b2c9135a02efe19

SHA512
bbde6c6599708c3d47781bc37fd8b99f306e09cc84713d1a32651444bca32eb6a3090cbcea3ed2eef2709aa9467a46e327d54a592b4a48d58bf33ce3da809e5e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
65KB

MD5
8a60b6887a9fa69dc2fc631d5d302461

SHA1
1cedfaec025cf8e08aac2227e08b644921a25fa5

SHA256
a707e132aab6ba72ddbe882d08749b7e178dc9071d34da3d6b2c9135a02efe19

SHA512
bbde6c6599708c3d47781bc37fd8b99f306e09cc84713d1a32651444bca32eb6a3090cbcea3ed2eef2709aa9467a46e327d54a592b4a48d58bf33ce3da809e5e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
65KB

MD5
8a60b6887a9fa69dc2fc631d5d302461

SHA1
1cedfaec025cf8e08aac2227e08b644921a25fa5

SHA256
a707e132aab6ba72ddbe882d08749b7e178dc9071d34da3d6b2c9135a02efe19

SHA512
bbde6c6599708c3d47781bc37fd8b99f306e09cc84713d1a32651444bca32eb6a3090cbcea3ed2eef2709aa9467a46e327d54a592b4a48d58bf33ce3da809e5e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
65KB

MD5
dcb44687a90856cf68ae03d5ed01ede8

SHA1
f88c4845c913fa9f3a3896b29f0c5b2aaa517441

SHA256
ab7bde69274735a8f1d46d4f65470f4c27c78d5c6b701799f16140af381b3e68

SHA512
5f00cbc1c037357ccfddbe5eeadf7878a19ef6d3d8de8d3909297c623b34941db463434e53d5f3f3c1d9ca9974b4d018876a77ad2f587b940c3704f37f37f8cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
65KB

MD5
f4e515983eb05856cc40f93129e44ede

SHA1
1a12d7ba025e6e0efe592cba2f0320fd5b386db8

SHA256
6ce94095b20a38f6407442379841c8a5a6a6dd57ea6a53f42eafa27b9583f21b

SHA512
b15278b856f364535b646ee98bd8483753008925af00e5c1bd7660c19d028956dc4007dc5899f36d8a73d2f1a5bd9ea5c11c781bbbda55a63b325d5b05635b0b

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
65KB

MD5
c84c5814729baf45f530d8ed55054a3c

SHA1
c2b240d6dd2afd620753c1e390884f6f8edcd9f1

SHA256
03f32eb0817a156ec5d233e179093452b06ab85823916cac699bc8b8cbd182eb

SHA512
c16068ef40cf4affd4a1d2b7010758f8a5422f91b339eb3fb5585355acbbaaf6b9d9b9de662512596d7883c4183f8e531566b5a67f839df6065f6ea8c333933a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
65KB

MD5
2b5b1ec5f91f29aa485c8f566f22613e

SHA1
8e8c2a7094dd5838c06088c45f0a9ee9a562adf8

SHA256
585a741e9390ce0d26504250e650022a64aa5a5329b2b83e3900d388ab0c7d94

SHA512
80738c4242b8fc445081f0d5ecddc9eeb478d690213a486d8f7d2d70d9cebf0270dd7f7c0f34b4c76bfc55b47bbc7bf83878ed1526c38e094790dc966bf4f031

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
65KB

MD5
d0cf9f1060bdcd22b5169565ba09f90a

SHA1
48d3b823868ca00c7e6494258dd6b7904eaf3d7b

SHA256
60291ac61de3468305b6a00dc3f62a09fa41eba5048dd75e0eefef4d9a5882be

SHA512
475be7d38efdf5fbc1e7d2687bfc55d7bc01efcb5830d0f8ecf22f0a3798867706d61694e2dd2e2e9bb7cdef6452797f05c58457249265500302fae2df4496db

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
65KB

MD5
9d132dd1bd8ce9a407f42823fbab7d90

SHA1
5ec7f5a7f521d5649e7e8da661e3cec577d12f0d

SHA256
898f9a2242de10e2c703aa7b84b8463f9e779f54a5a291f49080149e8af28446

SHA512
9121224e2e891a336689fb7f311c1b2f4977b5449c1f84681c730e57ebdcc640fb64e52b8e41c2a33a0fb3033bd67b3d3a5c0c79cd35ef054ec43c56d729eb89

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
65KB

MD5
91e423b46e5d07bb7bf306e75caf537c

SHA1
03084a3add2c027c67cce67030ea80504d9bc9ee

SHA256
16ee79aa26029559e4ae294edf559fdb0191f1214510f7406b869e6a22747f06

SHA512
ff2658480bd36900f5cb7a89bace638f837172e66039fd90fc096ec563dfa059520b51b1698c0b8bf90eef3efec1e61ec20d1da3a93bdc2e856da0672d19c5c3

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
65KB

MD5
30845f40535d2c5b019b0e758a07d118

SHA1
162f10945793b417f3fecfd8c6ce8ee63d30b6f8

SHA256
52cf3a5a1de23af14cd2c6ec77c3e7ac917a1c37d724d612b95b49b39f89c647

SHA512
ff6f377289f5023dfdf82ba247cde9ff0fca8b910734c035eef6b80e8add33e485be7ab63c6a8092a02a63ed44e2a4b7b585af4d352df63441fbc4e04339847c

Download Submit
C:\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
C:\about.htm

Filesize
2KB

MD5
94c0c5518c4f4bb044842a006d04932a

SHA1
23d9a914f6681d65e2b1faa171f4cf492562ebdb

SHA256
224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

SHA512
79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

Download Submit
C:\about.htm

Filesize
2KB

MD5
94c0c5518c4f4bb044842a006d04932a

SHA1
23d9a914f6681d65e2b1faa171f4cf492562ebdb

SHA256
224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

SHA512
79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

Download Submit
C:\about.htm

Filesize
2KB

MD5
94c0c5518c4f4bb044842a006d04932a

SHA1
23d9a914f6681d65e2b1faa171f4cf492562ebdb

SHA256
224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

SHA512
79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

Download Submit
C:\nEwb0Rn.exe

Filesize
65KB

MD5
241481bb7514db70481fd38317eafd24

SHA1
eed332a3bb1948e677fe323c0d56901e6282c481

SHA256
a7154e7afc9316e60872d2b8d2324f7099c0d4f3d9707fe48e3f35c8098464f1

SHA512
f650a10db6cd7ccad2a47e698d8901c360cff97e40de290b7efa4d67653bf5c1e7850caae28f666c492a204a69ae08aefce4af2d13ebf6aa71be4e8017e0f366

Download Submit
C:\nEwb0Rn.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
C:\nEwb0Rn.exe

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
C:\nEwb0Rn.exe

Filesize
65KB

MD5
20625a3776c4b3c079acd20598850f6e

SHA1
c6aafb6138f03176956dee4a672767862e4a63e9

SHA256
ffdd1dd193e8c2c9c882d20e82ceeeab6547d149b7300533b93d5098f63233dd

SHA512
39176cabaab4a0f8a5f384e95c12f457fd6d05f76a987d0dc85391ee013ac3b2de6e1fca05e9065dd178034b977dc5119c59904965088328d96042f698c42aeb

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
65KB

MD5
8a60b6887a9fa69dc2fc631d5d302461

SHA1
1cedfaec025cf8e08aac2227e08b644921a25fa5

SHA256
a707e132aab6ba72ddbe882d08749b7e178dc9071d34da3d6b2c9135a02efe19

SHA512
bbde6c6599708c3d47781bc37fd8b99f306e09cc84713d1a32651444bca32eb6a3090cbcea3ed2eef2709aa9467a46e327d54a592b4a48d58bf33ce3da809e5e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
65KB

MD5
8a60b6887a9fa69dc2fc631d5d302461

SHA1
1cedfaec025cf8e08aac2227e08b644921a25fa5

SHA256
a707e132aab6ba72ddbe882d08749b7e178dc9071d34da3d6b2c9135a02efe19

SHA512
bbde6c6599708c3d47781bc37fd8b99f306e09cc84713d1a32651444bca32eb6a3090cbcea3ed2eef2709aa9467a46e327d54a592b4a48d58bf33ce3da809e5e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
65KB

MD5
8a60b6887a9fa69dc2fc631d5d302461

SHA1
1cedfaec025cf8e08aac2227e08b644921a25fa5

SHA256
a707e132aab6ba72ddbe882d08749b7e178dc9071d34da3d6b2c9135a02efe19

SHA512
bbde6c6599708c3d47781bc37fd8b99f306e09cc84713d1a32651444bca32eb6a3090cbcea3ed2eef2709aa9467a46e327d54a592b4a48d58bf33ce3da809e5e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
65KB

MD5
8a60b6887a9fa69dc2fc631d5d302461

SHA1
1cedfaec025cf8e08aac2227e08b644921a25fa5

SHA256
a707e132aab6ba72ddbe882d08749b7e178dc9071d34da3d6b2c9135a02efe19

SHA512
bbde6c6599708c3d47781bc37fd8b99f306e09cc84713d1a32651444bca32eb6a3090cbcea3ed2eef2709aa9467a46e327d54a592b4a48d58bf33ce3da809e5e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
65KB

MD5
a8aa6bb949676f4a8fc51498f0fbea49

SHA1
f1f60aeb6f136a0cd3e8d47ebce34e587f42e5cf

SHA256
8c2843c80ef4ef0314a0b3c228434ad59b2500588b57190b2a9b1442d382a492

SHA512
dc924c2df30b9d9a32af8a4f8e60352fca765a21441bed64c4ef532519541c4cf52a979b8ef7f3de806f95d8130619e01056f20bfbba4e4bda4c42099f2a42e0

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
65KB

MD5
cbb60e0640e93282092039c67af359c3

SHA1
2a842ed2a01dd51e040a1d7a04c5b87660c2a060

SHA256
51abdab9fc4eb604ffb2296adade80cbdb9a7f44f09a72e27f6f96cab725adac

SHA512
b41e3230f992d72e145a2cb82af264b0c3e760bbe282a2ee9c816c7777d89904b1555433988764d5e7f327b61ceeb9e3c44a65ddca8f16064cd1a2e6e91bd9d0

Download Submit
memory/520-204-0x0000000000000000-mapping.dmp

Download
memory/520-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/828-185-0x0000000000000000-mapping.dmp

Download
memory/828-193-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/848-201-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/848-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/848-190-0x0000000000000000-mapping.dmp

Download
memory/952-78-0x0000000000000000-mapping.dmp

Download
memory/952-83-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/988-221-0x0000000000000000-mapping.dmp

Download
memory/988-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1048-177-0x0000000000000000-mapping.dmp

Download
memory/1048-184-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1256-120-0x0000000002450000-0x000000000248B000-memory.dmp

Filesize
236KB

Download
memory/1256-57-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1256-54-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1256-191-0x0000000002450000-0x000000000248B000-memory.dmp

Filesize
236KB

Download
memory/1256-192-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1256-64-0x0000000002450000-0x000000000248B000-memory.dmp

Filesize
236KB

Download
memory/1292-143-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1292-126-0x0000000000000000-mapping.dmp

Download
memory/1440-157-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1440-144-0x0000000000000000-mapping.dmp

Download
memory/1500-174-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1500-161-0x0000000000000000-mapping.dmp

Download
memory/1524-234-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1524-110-0x0000000000000000-mapping.dmp

Download
memory/1524-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1604-97-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1604-87-0x0000000000000000-mapping.dmp

Download
memory/1640-105-0x0000000000000000-mapping.dmp

Download
memory/1640-227-0x0000000000000000-mapping.dmp

Download
memory/1640-123-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1652-232-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1652-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1652-58-0x0000000000000000-mapping.dmp

Download
memory/1652-119-0x0000000002620000-0x000000000265B000-memory.dmp

Filesize
236KB

Download
memory/1676-176-0x0000000000000000-mapping.dmp

Download
memory/1676-216-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1676-199-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1700-180-0x0000000000000000-mapping.dmp

Download
memory/1700-189-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1720-200-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1720-188-0x0000000000000000-mapping.dmp

Download
memory/1720-208-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1748-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1748-148-0x0000000000000000-mapping.dmp

Download
memory/1772-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1772-231-0x0000000000830000-0x000000000086B000-memory.dmp

Filesize
236KB

Download
memory/1772-236-0x0000000000830000-0x000000000086B000-memory.dmp

Filesize
236KB

Download
memory/1772-235-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1772-128-0x0000000000000000-mapping.dmp

Download
memory/1808-215-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1808-207-0x0000000000000000-mapping.dmp

Download
memory/1820-198-0x0000000002790000-0x00000000027CB000-memory.dmp

Filesize
236KB

Download
memory/1820-197-0x0000000002790000-0x00000000027CB000-memory.dmp

Filesize
236KB

Download
memory/1820-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1820-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1820-85-0x0000000000000000-mapping.dmp

Download
memory/1832-223-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1832-213-0x0000000000000000-mapping.dmp

Download
memory/1880-225-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-218-0x0000000000000000-mapping.dmp

Download
memory/2008-175-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2008-159-0x0000000000000000-mapping.dmp

Download