d966f610667639d9763b08c3992550d71a8fa4b927f79f2abfcbb082014e6f04

Analysis

max time kernel
6s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06/10/2023, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Size

1.1MB
MD5

ec139a3e242be5dfb2f5005116a811e1
SHA1

bbd9ba813db931da7272b0f4fd0bf111d9e7f8ee
SHA256

d966f610667639d9763b08c3992550d71a8fa4b927f79f2abfcbb082014e6f04
SHA512

469eb79bfd5d73b8a3ec9bb668c73f21ee12b6f33e574f9694fb53b3945b96eba881dc5255ad5c27925f5d267a6f46fe39965102278d80963c130974ce13934c
SSDEEP

6144:mjUjMj9jCfj9j3j9jtj9jOj9j9j9jvj9jGj9jSj9jSj9jmj9jE:jf

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	WINLOGON.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE

Disables RegEdit via registry modification 8 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 12 IoCs

pid	Process
1864	4k51k4.exe
384	IExplorer.exe
1416	4k51k4.exe
2128	IExplorer.exe
1012	4k51k4.exe
2180	IExplorer.exe
1152	WINLOGON.EXE
2464	WINLOGON.EXE
1728	4k51k4.exe
2908	CSRSS.EXE
2252	CSRSS.EXE
552	IExplorer.exe

Loads dropped DLL 18 IoCs

pid	Process
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
1864	4k51k4.exe
1864	4k51k4.exe
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
1864	4k51k4.exe
1864	4k51k4.exe
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
1864	4k51k4.exe
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
1864	4k51k4.exe
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
384	IExplorer.exe
384	IExplorer.exe
384	IExplorer.exe
384	IExplorer.exe

Modifies system executable filetype association 2 TTPs 57 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0007000000014a93-8.dat	upx
behavioral1/files/0x0009000000014edc-113.dat	upx
behavioral1/memory/1864-114-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00060000000155f2-117.dat	upx
behavioral1/files/0x00060000000155f2-123.dat	upx
behavioral1/files/0x00060000000155f2-119.dat	upx
behavioral1/memory/384-125-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0009000000014edc-183.dat	upx
behavioral1/memory/1416-186-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2088-184-0x0000000000540000-0x0000000000563000-memory.dmp	upx
behavioral1/files/0x00060000000155f2-190.dat	upx
behavioral1/files/0x00060000000155f2-192.dat	upx
behavioral1/files/0x00060000000155f2-196.dat	upx
behavioral1/memory/1416-189-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2088-200-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0006000000015beb-202.dat	upx
behavioral1/files/0x0006000000015c1e-203.dat	upx
behavioral1/files/0x0009000000014edc-251.dat	upx
behavioral1/memory/1864-252-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2128-253-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x000700000001558b-209.dat	upx
behavioral1/files/0x002b0000000144a2-208.dat	upx
behavioral1/files/0x00060000000155f2-256.dat	upx
behavioral1/files/0x00060000000155f2-225.dat	upx
behavioral1/memory/1012-258-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00060000000155f2-257.dat	upx
behavioral1/files/0x00060000000155f8-214.dat	upx
behavioral1/files/0x00060000000155e4-212.dat	upx
behavioral1/files/0x0009000000014edc-207.dat	upx
behavioral1/files/0x0006000000015c38-206.dat	upx
behavioral1/files/0x0006000000015c11-205.dat	upx
behavioral1/files/0x0006000000015c01-204.dat	upx
behavioral1/files/0x00060000000155f2-259.dat	upx
behavioral1/memory/2180-262-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00060000000155f8-274.dat	upx
behavioral1/files/0x00060000000155e4-272.dat	upx
behavioral1/files/0x000700000001558b-269.dat	upx
behavioral1/files/0x002b0000000144a2-268.dat	upx
behavioral1/files/0x0006000000015c38-267.dat	upx
behavioral1/memory/384-276-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0006000000015c11-266.dat	upx
behavioral1/files/0x0006000000015c01-265.dat	upx
behavioral1/files/0x0006000000015c1e-264.dat	upx
behavioral1/files/0x0006000000015beb-278.dat	upx
behavioral1/files/0x0006000000015beb-277.dat	upx
behavioral1/files/0x0006000000015beb-263.dat	upx
behavioral1/files/0x0006000000015beb-279.dat	upx
behavioral1/files/0x0006000000015beb-282.dat	upx
behavioral1/files/0x0006000000015beb-284.dat	upx
behavioral1/files/0x0006000000015beb-281.dat	upx
behavioral1/files/0x0009000000014edc-319.dat	upx
behavioral1/memory/2464-320-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0006000000015c01-323.dat	upx
behavioral1/files/0x0006000000015c01-325.dat	upx
behavioral1/files/0x0006000000015c01-322.dat	upx
behavioral1/files/0x0006000000015c01-328.dat	upx
behavioral1/memory/2088-327-0x0000000000540000-0x0000000000563000-memory.dmp	upx
behavioral1/files/0x0006000000015c01-326.dat	upx
behavioral1/files/0x0006000000015c01-324.dat	upx
behavioral1/files/0x00060000000155f2-333.dat	upx
behavioral1/files/0x00060000000155f2-334.dat	upx
behavioral1/files/0x00060000000155f2-336.dat	upx
behavioral1/memory/1728-339-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4k51k4.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MrHelloween.scr	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\4k51k4.exe	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	4k51k4.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
File created	C:\Windows\4k51k4.exe	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 20 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Control Panel\Desktop\	CSRSS.EXE

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
1864	4k51k4.exe
384	IExplorer.exe
1416	4k51k4.exe
2128	IExplorer.exe
1012	4k51k4.exe
2180	IExplorer.exe
1152	WINLOGON.EXE
2464	WINLOGON.EXE
1728	4k51k4.exe
2908	CSRSS.EXE
552	IExplorer.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1864	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	28
PID 2088 wrote to memory of 1864	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	28
PID 2088 wrote to memory of 1864	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	28
PID 2088 wrote to memory of 1864	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	28
PID 2088 wrote to memory of 384	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	29
PID 2088 wrote to memory of 384	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	29
PID 2088 wrote to memory of 384	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	29
PID 2088 wrote to memory of 384	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	29
PID 2088 wrote to memory of 1416	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	30
PID 2088 wrote to memory of 1416	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	30
PID 2088 wrote to memory of 1416	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	30
PID 2088 wrote to memory of 1416	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	30
PID 2088 wrote to memory of 2128	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	31
PID 2088 wrote to memory of 2128	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	31
PID 2088 wrote to memory of 2128	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	31
PID 2088 wrote to memory of 2128	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	31
PID 1864 wrote to memory of 1012	1864	4k51k4.exe	32
PID 1864 wrote to memory of 1012	1864	4k51k4.exe	32
PID 1864 wrote to memory of 1012	1864	4k51k4.exe	32
PID 1864 wrote to memory of 1012	1864	4k51k4.exe	32
PID 1864 wrote to memory of 2180	1864	4k51k4.exe	33
PID 1864 wrote to memory of 2180	1864	4k51k4.exe	33
PID 1864 wrote to memory of 2180	1864	4k51k4.exe	33
PID 1864 wrote to memory of 2180	1864	4k51k4.exe	33
PID 1864 wrote to memory of 2464	1864	4k51k4.exe	34
PID 1864 wrote to memory of 2464	1864	4k51k4.exe	34
PID 1864 wrote to memory of 2464	1864	4k51k4.exe	34
PID 1864 wrote to memory of 2464	1864	4k51k4.exe	34
PID 2088 wrote to memory of 1152	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	35
PID 2088 wrote to memory of 1152	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	35
PID 2088 wrote to memory of 1152	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	35
PID 2088 wrote to memory of 1152	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	35
PID 384 wrote to memory of 1728	384	IExplorer.exe	36
PID 384 wrote to memory of 1728	384	IExplorer.exe	36
PID 384 wrote to memory of 1728	384	IExplorer.exe	36
PID 384 wrote to memory of 1728	384	IExplorer.exe	36
PID 1864 wrote to memory of 2908	1864	4k51k4.exe	41
PID 1864 wrote to memory of 2908	1864	4k51k4.exe	41
PID 1864 wrote to memory of 2908	1864	4k51k4.exe	41
PID 1864 wrote to memory of 2908	1864	4k51k4.exe	41
PID 2088 wrote to memory of 2252	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	37
PID 2088 wrote to memory of 2252	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	37
PID 2088 wrote to memory of 2252	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	37
PID 2088 wrote to memory of 2252	2088	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe	37
PID 384 wrote to memory of 552	384	IExplorer.exe	38
PID 384 wrote to memory of 552	384	IExplorer.exe	38
PID 384 wrote to memory of 552	384	IExplorer.exe	38
PID 384 wrote to memory of 552	384	IExplorer.exe	38
PID 384 wrote to memory of 2428	384	IExplorer.exe	79
PID 384 wrote to memory of 2428	384	IExplorer.exe	79
PID 384 wrote to memory of 2428	384	IExplorer.exe	79
PID 384 wrote to memory of 2428	384	IExplorer.exe	79

System policy modification 1 TTPs 22 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	IExplorer.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ec139a3e242be5dfb2f5005116a811e1exe_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2088
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1864
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1012
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2180
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2464
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    PID:2012
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      PID:1648
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      PID:944
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      PID:1736
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      PID:2796
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      PID:2556
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      PID:2532
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2908
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      PID:3004
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      PID:2972
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      PID:2052
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      PID:1556
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      PID:848
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      PID:584
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      PID:2584
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    PID:2380
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      PID:912
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      PID:1064
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      PID:1324
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      PID:2544
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      PID:2188
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      PID:2336
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    PID:1200
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:384
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1728
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:552
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    PID:2428
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    PID:2836
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    PID:2992
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    PID:1824
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    PID:1484
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1416
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2128
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1152
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    PID:2752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    PID:1252
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    PID:2840
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    PID:3068
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    PID:1548
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    PID:1176
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  PID:2384
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  PID:2720
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  PID:1584
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    PID:240
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    PID:2428
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    PID:2572
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    PID:2964
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    PID:2864
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    PID:2888
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  PID:1820
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  PID:1656
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  PID:2924
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  PID:2776
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4k51k4.exe

Filesize
1.1MB

MD5
f2f893e49faf97c161aa19e3a4de8a91

SHA1
1920f1e3df5d8fafecdf48d66a3ab15a7c59a0e7

SHA256
25fac18c9be5610fca03c4355fc6c7e2a36964234cce168387843221d9589451

SHA512
131c6f2e9d231b1845dfe6172d0a9d722a7ef1b933d508c97c6ac177161e8c73be381581dd01a6f3899ba2438d4ff5578979ff8cb59a5728243d010c17d63161

Download Submit
C:\4k51k4.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
C:\4k51k4.exe

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
a0c8d2ea38aaa37720fd20cb2de6f3a8

SHA1
c2d53178dad6460cc8f41f4c1e81c0bc81620c01

SHA256
0e03009d17c93d5259182c23273b1cce5138d03039e6b0335d069db003617e3c

SHA512
a1cd205ead03f7f6850bcd4677e4bc75d0ddfa890525720bf22b5c3adf092d2a91934fe726c0851757f1314b973a85582acd95ca6dd85bde9ba15ca7223e0a2c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
a0c8d2ea38aaa37720fd20cb2de6f3a8

SHA1
c2d53178dad6460cc8f41f4c1e81c0bc81620c01

SHA256
0e03009d17c93d5259182c23273b1cce5138d03039e6b0335d069db003617e3c

SHA512
a1cd205ead03f7f6850bcd4677e4bc75d0ddfa890525720bf22b5c3adf092d2a91934fe726c0851757f1314b973a85582acd95ca6dd85bde9ba15ca7223e0a2c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
1.1MB

MD5
ec139a3e242be5dfb2f5005116a811e1

SHA1
bbd9ba813db931da7272b0f4fd0bf111d9e7f8ee

SHA256
d966f610667639d9763b08c3992550d71a8fa4b927f79f2abfcbb082014e6f04

SHA512
469eb79bfd5d73b8a3ec9bb668c73f21ee12b6f33e574f9694fb53b3945b96eba881dc5255ad5c27925f5d267a6f46fe39965102278d80963c130974ce13934c

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
3b803f7263cfbc2c976223e686e40ce8

SHA1
89eb98701ead42ac94363e4d536c7dca6c49cf73

SHA256
1d39016ec7e0f4a3e4f9c19deba13dec02c115a591d72d9b247231d55973cf55

SHA512
d5aa619acdebc868a3f2d16f276eef5fe2738347ec807b49926ab784ce0353d8ffe921f72548b858d58163dec1f043fd2852244a0f273ac6b5b4f64cf3c0455a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
3b803f7263cfbc2c976223e686e40ce8

SHA1
89eb98701ead42ac94363e4d536c7dca6c49cf73

SHA256
1d39016ec7e0f4a3e4f9c19deba13dec02c115a591d72d9b247231d55973cf55

SHA512
d5aa619acdebc868a3f2d16f276eef5fe2738347ec807b49926ab784ce0353d8ffe921f72548b858d58163dec1f043fd2852244a0f273ac6b5b4f64cf3c0455a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
a0c8d2ea38aaa37720fd20cb2de6f3a8

SHA1
c2d53178dad6460cc8f41f4c1e81c0bc81620c01

SHA256
0e03009d17c93d5259182c23273b1cce5138d03039e6b0335d069db003617e3c

SHA512
a1cd205ead03f7f6850bcd4677e4bc75d0ddfa890525720bf22b5c3adf092d2a91934fe726c0851757f1314b973a85582acd95ca6dd85bde9ba15ca7223e0a2c

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.exe

Filesize
1.1MB

MD5
e16daebb30e26eac3b5cb6df7c5ec4cc

SHA1
ab4071d4e74ffbe2a9e393ee72aa37e47949c200

SHA256
c9c03c812b382fa94b7e70a1a12b259c8172ba4226b833a2af37592cfd91119c

SHA512
88f55960720652dd2ae79132ecef703cc6db753217ee88203c395ba811f43c6aa152830474be61c25d4db9935641c2044b8bc4cc6939dbbaa1b34b9ff3c251c8

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.exe

Filesize
1.1MB

MD5
e16daebb30e26eac3b5cb6df7c5ec4cc

SHA1
ab4071d4e74ffbe2a9e393ee72aa37e47949c200

SHA256
c9c03c812b382fa94b7e70a1a12b259c8172ba4226b833a2af37592cfd91119c

SHA512
88f55960720652dd2ae79132ecef703cc6db753217ee88203c395ba811f43c6aa152830474be61c25d4db9935641c2044b8bc4cc6939dbbaa1b34b9ff3c251c8

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.exe

Filesize
1.1MB

MD5
33c279bbf8b82b26bb1a94a3f6d1dc5b

SHA1
dbb1661ddbf5730769f68f0751770defda837d0d

SHA256
c095037d65f479aaeecc05fa373d5c1ab02ccd5fc7a158fbae28ed778793f192

SHA512
8610a57f17b707daee6ed8267cd1dbaa5c8a3b9e975fa64c89017cdc9fb95250a47dc0b1160833df2cc7906f8245a7653a20b047d60366caac9558bfaa423810

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
1.1MB

MD5
65e29ca1fcee25d6418d9bc96844f4e3

SHA1
c2415f77d3cebe2a896cadea7dbd937339e1922b

SHA256
1a2934392d518b61570f26873396e6fd4b1afe0c4311706572fa243a6a311735

SHA512
1558f70400a76fe0e9e34386d4c9470188468f0d557295dd8538284d5f87b529f20755ca14e4838d73865404cc90d31237919adcf7a50d0411a54e79d29e9282

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
1.1MB

MD5
65e29ca1fcee25d6418d9bc96844f4e3

SHA1
c2415f77d3cebe2a896cadea7dbd937339e1922b

SHA256
1a2934392d518b61570f26873396e6fd4b1afe0c4311706572fa243a6a311735

SHA512
1558f70400a76fe0e9e34386d4c9470188468f0d557295dd8538284d5f87b529f20755ca14e4838d73865404cc90d31237919adcf7a50d0411a54e79d29e9282

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
1.1MB

MD5
bf261d36430918c5c8220ecfdfc3f0f3

SHA1
8fc2846b9b8ac9ce928af7f515889567ba7a51bc

SHA256
60afce55bf0cdd75720888d76b56e33e55d0c7d735ed35f18b5760336ad10f86

SHA512
cae0c0efa9c6f41497c1cfd400eccdd0a66ce4de611b56f93097c616940c63a99f927056290139639e451008b516bc52525f9bde0b1f89b74abae56b1bb2bd5e

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
1.1MB

MD5
57b1155f5c367a3d7a4fe1ccf8d16e4a

SHA1
991df035913406ce83128a1cf54f37415b3e75f5

SHA256
bd00d904158f1f72f4318acd88bca7ddda8847dd756ad4294753c31fabd6fdb5

SHA512
742fa5397b5b90fc880f4ea49b175d7d52189da7cf1a7c8ee26f42ac9fa448c5be687e8ecfb0926f203dd804400bac491735e980fa27b474f5309e4f8cb1f982

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
1.1MB

MD5
57b1155f5c367a3d7a4fe1ccf8d16e4a

SHA1
991df035913406ce83128a1cf54f37415b3e75f5

SHA256
bd00d904158f1f72f4318acd88bca7ddda8847dd756ad4294753c31fabd6fdb5

SHA512
742fa5397b5b90fc880f4ea49b175d7d52189da7cf1a7c8ee26f42ac9fa448c5be687e8ecfb0926f203dd804400bac491735e980fa27b474f5309e4f8cb1f982

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

Filesize
1.1MB

MD5
92c79c066cdd2728f675de4d38ec6525

SHA1
774963fb15482559d605354c4259408f8bb194a1

SHA256
8451da618e0f842ee13d8d9b13c5374478764678c497b166305094726a2080a9

SHA512
9041c3defad5a3ab36b8fa26e63c72b68a98ddde7841ded4cb5af36b595bcff354f45f84bae1febf1d2811997d85d064245611e2d6fb7d35c755e5495b2ac286

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
bf8dad3d999eb1d98a39332558d7dc51

SHA1
a16db8329c2ed7a9f47567aa195a143d44be05d2

SHA256
cd1841313b4a1e292f4198898fb6d4cf0973f1f6a75913405001fc668e61de14

SHA512
4bc49fcc2878a50eb2d8d4e7b89105faabf9cbdd850df0e062806398f02a7fb0993ea18ca291761a5ad500d51f5ee1c9737cd1019b1d76ad145f260d483a9e3a

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
1.1MB

MD5
f5dde119844a2418395d22a0be0b2731

SHA1
8191b6c4863ad02b0237ff5a05e8e835e5eece28

SHA256
6ad650ca9092b263a3572c2c73133589b31b8774c343df5d3411ac1134354950

SHA512
bc1d1f37b30c5458b24bad71b75915d21d27d5de0690e5d91fa4778df33f6163cbb448436e2f4311ba30b5d2a6e3f041f2128f13e57741048297da558b6221fd

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
C:\Windows\4k51k4.exe

Filesize
1.1MB

MD5
bf8dad3d999eb1d98a39332558d7dc51

SHA1
a16db8329c2ed7a9f47567aa195a143d44be05d2

SHA256
cd1841313b4a1e292f4198898fb6d4cf0973f1f6a75913405001fc668e61de14

SHA512
4bc49fcc2878a50eb2d8d4e7b89105faabf9cbdd850df0e062806398f02a7fb0993ea18ca291761a5ad500d51f5ee1c9737cd1019b1d76ad145f260d483a9e3a

Download Submit
C:\Windows\4k51k4.exe

Filesize
1.1MB

MD5
bf8dad3d999eb1d98a39332558d7dc51

SHA1
a16db8329c2ed7a9f47567aa195a143d44be05d2

SHA256
cd1841313b4a1e292f4198898fb6d4cf0973f1f6a75913405001fc668e61de14

SHA512
4bc49fcc2878a50eb2d8d4e7b89105faabf9cbdd850df0e062806398f02a7fb0993ea18ca291761a5ad500d51f5ee1c9737cd1019b1d76ad145f260d483a9e3a

Download Submit
C:\Windows\4k51k4.exe

Filesize
1.1MB

MD5
bf8dad3d999eb1d98a39332558d7dc51

SHA1
a16db8329c2ed7a9f47567aa195a143d44be05d2

SHA256
cd1841313b4a1e292f4198898fb6d4cf0973f1f6a75913405001fc668e61de14

SHA512
4bc49fcc2878a50eb2d8d4e7b89105faabf9cbdd850df0e062806398f02a7fb0993ea18ca291761a5ad500d51f5ee1c9737cd1019b1d76ad145f260d483a9e3a

Download Submit
C:\Windows\4k51k4.exe

Filesize
1.1MB

MD5
bf8dad3d999eb1d98a39332558d7dc51

SHA1
a16db8329c2ed7a9f47567aa195a143d44be05d2

SHA256
cd1841313b4a1e292f4198898fb6d4cf0973f1f6a75913405001fc668e61de14

SHA512
4bc49fcc2878a50eb2d8d4e7b89105faabf9cbdd850df0e062806398f02a7fb0993ea18ca291761a5ad500d51f5ee1c9737cd1019b1d76ad145f260d483a9e3a

Download Submit
C:\Windows\4k51k4.exe

Filesize
1.1MB

MD5
bf8dad3d999eb1d98a39332558d7dc51

SHA1
a16db8329c2ed7a9f47567aa195a143d44be05d2

SHA256
cd1841313b4a1e292f4198898fb6d4cf0973f1f6a75913405001fc668e61de14

SHA512
4bc49fcc2878a50eb2d8d4e7b89105faabf9cbdd850df0e062806398f02a7fb0993ea18ca291761a5ad500d51f5ee1c9737cd1019b1d76ad145f260d483a9e3a

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
b874f66a1473590215603e562039cc04

SHA1
d11855bfd87a3b10434f4f1134cdfeaa2b102588

SHA256
7a510f08cf3cac495eaef24c46761901fa47d1c0615632d1cc06a6101f90fdce

SHA512
32e6d8c9984d1ddb1eacf7a0011fcd4c0a91d6be0e927c3917b5059a96d8bda6ecf82c8666d510e456e4def45d187118a318b2ac3535493b7c6c8d50dbaf75c0

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
1.1MB

MD5
cc405806b26fda619cd5ce535c36c696

SHA1
66592e6b18b3d579931c04b7af3080a359a00e0a

SHA256
02a32f35172c585f4eb7b055fa3b94ede55cc801c8ab03084a5b809744b886ae

SHA512
b8d5837a6ee8853cfa0a1821978a1f29299715d65893a54762a503fc76016b503c45edf1941611ef50d34bb3248f68735ba9a30108f2f51c8b3a3dcf360f3c81

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
F:\4K51K4\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
F:\desktop.ini

Filesize
221B

MD5
eac89efdcfea825026dfab7138c6bea4

SHA1
8f72066ea7dd029348abda8efcffbd5df407d9ab

SHA256
a0dd10de1158a4d05ea916c190bf95dc4c53ae3851c47ab8449a9ce96943334f

SHA512
53be6131110d45808a26f442cf3da2244a9380e5f5747e0498bd8fcf54dec9cf4a230c413b0e54b5caaf9eb222f78f3932733f2479cb6b591613af41dc3e2f98

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
a0c8d2ea38aaa37720fd20cb2de6f3a8

SHA1
c2d53178dad6460cc8f41f4c1e81c0bc81620c01

SHA256
0e03009d17c93d5259182c23273b1cce5138d03039e6b0335d069db003617e3c

SHA512
a1cd205ead03f7f6850bcd4677e4bc75d0ddfa890525720bf22b5c3adf092d2a91934fe726c0851757f1314b973a85582acd95ca6dd85bde9ba15ca7223e0a2c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
a0c8d2ea38aaa37720fd20cb2de6f3a8

SHA1
c2d53178dad6460cc8f41f4c1e81c0bc81620c01

SHA256
0e03009d17c93d5259182c23273b1cce5138d03039e6b0335d069db003617e3c

SHA512
a1cd205ead03f7f6850bcd4677e4bc75d0ddfa890525720bf22b5c3adf092d2a91934fe726c0851757f1314b973a85582acd95ca6dd85bde9ba15ca7223e0a2c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
a0c8d2ea38aaa37720fd20cb2de6f3a8

SHA1
c2d53178dad6460cc8f41f4c1e81c0bc81620c01

SHA256
0e03009d17c93d5259182c23273b1cce5138d03039e6b0335d069db003617e3c

SHA512
a1cd205ead03f7f6850bcd4677e4bc75d0ddfa890525720bf22b5c3adf092d2a91934fe726c0851757f1314b973a85582acd95ca6dd85bde9ba15ca7223e0a2c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
a0c8d2ea38aaa37720fd20cb2de6f3a8

SHA1
c2d53178dad6460cc8f41f4c1e81c0bc81620c01

SHA256
0e03009d17c93d5259182c23273b1cce5138d03039e6b0335d069db003617e3c

SHA512
a1cd205ead03f7f6850bcd4677e4bc75d0ddfa890525720bf22b5c3adf092d2a91934fe726c0851757f1314b973a85582acd95ca6dd85bde9ba15ca7223e0a2c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
1.1MB

MD5
bf261d36430918c5c8220ecfdfc3f0f3

SHA1
8fc2846b9b8ac9ce928af7f515889567ba7a51bc

SHA256
60afce55bf0cdd75720888d76b56e33e55d0c7d735ed35f18b5760336ad10f86

SHA512
cae0c0efa9c6f41497c1cfd400eccdd0a66ce4de611b56f93097c616940c63a99f927056290139639e451008b516bc52525f9bde0b1f89b74abae56b1bb2bd5e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
1.1MB

MD5
bf261d36430918c5c8220ecfdfc3f0f3

SHA1
8fc2846b9b8ac9ce928af7f515889567ba7a51bc

SHA256
60afce55bf0cdd75720888d76b56e33e55d0c7d735ed35f18b5760336ad10f86

SHA512
cae0c0efa9c6f41497c1cfd400eccdd0a66ce4de611b56f93097c616940c63a99f927056290139639e451008b516bc52525f9bde0b1f89b74abae56b1bb2bd5e

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7beed7ef5d9d25dfe202711d50fc70f5

SHA1
279062309bd891407a9981b869445bdc1719ec53

SHA256
6ed0c1a8c42fd1b9ef9ac8e553d4fef38ece4af441d6da6617c9beccd7d0224b

SHA512
ee2214119262ba1aed9941eaf05225a738d6d7f989948b857556b6866429a045a61d0fff3d2350954f3e6bdef57963530f0727502bf8d3e2c486bd1c73c40519

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
2ff9ac7d7eeb30b397527e0f75734cf5

SHA1
4bb5f843bef77ff1dbf374d8e6c5c2aaba301e70

SHA256
111ad996beaa8fa0cf5072957c92c1a913191bdfcab5573eaa8d77ea2f0ffb19

SHA512
feb46186c649e63e975b50df727d1649a16ccef48080b25caf1a6ce43bd9a6f7d6fa9aa169c7c558ad9be5f8163958d3b3f39c2999e1b6813796b484b080d520

Download Submit
memory/240-678-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/384-399-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-603-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/384-428-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-465-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-427-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-402-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-446-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-452-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-125-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/384-276-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/384-445-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-348-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-490-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/384-338-0x0000000002490000-0x00000000024B3000-memory.dmp

Filesize
140KB

Download
memory/552-344-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/552-343-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/584-694-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/848-527-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/848-504-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1012-258-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1064-658-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1152-340-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1152-680-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1152-483-0x0000000000840000-0x0000000000863000-memory.dmp

Filesize
140KB

Download
memory/1152-459-0x0000000000840000-0x0000000000863000-memory.dmp

Filesize
140KB

Download
memory/1152-450-0x0000000000840000-0x0000000000863000-memory.dmp

Filesize
140KB

Download
memory/1152-385-0x0000000000840000-0x0000000000863000-memory.dmp

Filesize
140KB

Download
memory/1152-425-0x0000000000840000-0x0000000000863000-memory.dmp

Filesize
140KB

Download
memory/1200-579-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1252-466-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1324-674-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1416-189-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1416-186-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1484-584-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1548-599-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1648-597-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1728-339-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1736-669-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1820-607-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1824-524-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1864-280-0x0000000001DC0000-0x0000000001DE3000-memory.dmp

Filesize
140KB

Download
memory/1864-449-0x0000000001DC0000-0x0000000001DE3000-memory.dmp

Filesize
140KB

Download
memory/1864-600-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1864-335-0x0000000001DC0000-0x0000000001DE3000-memory.dmp

Filesize
140KB

Download
memory/1864-252-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1864-503-0x0000000001DC0000-0x0000000001DE3000-memory.dmp

Filesize
140KB

Download
memory/1864-474-0x0000000001DC0000-0x0000000001DE3000-memory.dmp

Filesize
140KB

Download
memory/1864-447-0x0000000001DC0000-0x0000000001DE3000-memory.dmp

Filesize
140KB

Download
memory/1864-114-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1864-498-0x0000000001DC0000-0x0000000001DE3000-memory.dmp

Filesize
140KB

Download
memory/1940-673-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2012-448-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2012-525-0x0000000002D00000-0x0000000002D23000-memory.dmp

Filesize
140KB

Download
memory/2052-495-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-200-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-429-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-481-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-482-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-706-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-198-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-124-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-433-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-285-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-585-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-112-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-327-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2088-197-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-493-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-384-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-457-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-523-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2088-184-0x0000000000540000-0x0000000000563000-memory.dmp

Filesize
140KB

Download
memory/2128-253-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2140-602-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2180-262-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2252-430-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2252-398-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2336-723-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2380-476-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2384-454-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2428-394-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2464-320-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2524-704-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2532-691-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2556-703-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2572-708-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2584-707-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2720-479-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2752-460-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2796-677-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2836-401-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2836-438-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-496-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2844-531-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2864-714-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2888-717-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2908-522-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2908-441-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2908-727-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2908-444-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2908-472-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2908-471-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2908-488-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2908-480-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2908-383-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2908-426-0x0000000000370000-0x0000000000393000-memory.dmp

Filesize
140KB

Download
memory/2924-676-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2972-469-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2972-470-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-468-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3004-443-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3068-593-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download