54efa98d0bc33a94b0c3938a9b7c519e3849a5a3f25de33d3fcacc6bdf08a45f

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/03/2024, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddd6daba856440eaf953b11fdbdab612.exe
Size

994KB
MD5

ddd6daba856440eaf953b11fdbdab612
SHA1

be6e81928db1d3a6bb7f630a88b973a9f5abb541
SHA256

54efa98d0bc33a94b0c3938a9b7c519e3849a5a3f25de33d3fcacc6bdf08a45f
SHA512

9790580b46a7a2e19112d8f547227837ee33571187a3216d2404df05fce396ae60b61d01857a54e022cf12a42af8b43a26e6889a8f6e172ba3cf00cb37bcd48c
SSDEEP

24576:QnyUxKy79rIuhwQQN2K3yWds0JkKyVTqhInl9S5Sz:+yg7ZIuhlFadsLYh8nlz

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\msn\\msn.exe restart"	ddd6daba856440eaf953b11fdbdab612.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	ddd6daba856440eaf953b11fdbdab612.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\msn\\msn.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe restart"	msn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}	msn.exe

Executes dropped EXE 42 IoCs

pid	Process
2428	msn.exe
2436	msn.exe
1740	msn.exe
1472	msn.exe
568	msn.exe
2344	msn.exe
2016	msn.exe
2348	msn.exe
3032	msn.exe
884	msn.exe
1664	msn.exe
1820	msn.exe
2232	msn.exe
2780	msn.exe
1600	msn.exe
2064	msn.exe
2596	msn.exe
1696	msn.exe
476	msn.exe
1740	msn.exe
1508	msn.exe
1248	msn.exe
1984	msn.exe
1932	msn.exe
1088	msn.exe
2100	msn.exe
896	msn.exe
2920	msn.exe
2888	msn.exe
864	msn.exe
1708	msn.exe
2608	msn.exe
2620	msn.exe
2860	msn.exe
2172	msn.exe
2388	msn.exe
2504	msn.exe
1888	msn.exe
3064	msn.exe
2148	msn.exe
3036	msn.exe
2796	msn.exe

Loads dropped DLL 22 IoCs

pid	Process
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe
2776	svchost.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2552-5-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2552-7-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2552-9-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2552-14-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2552-16-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2552-17-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2552-23-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2776-22-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2552-24-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2436-45-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2436-46-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2436-47-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2436-49-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2436-50-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1472-68-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1472-69-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1472-70-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1472-73-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2776-74-0x0000000002560000-0x00000000029C3000-memory.dmp	upx
behavioral1/memory/1472-75-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2344-95-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2344-96-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/2776-131-0x0000000002560000-0x00000000029C3000-memory.dmp	upx
behavioral1/memory/2776-157-0x0000000002560000-0x00000000029C3000-memory.dmp	upx
behavioral1/memory/2776-182-0x0000000002560000-0x00000000029C3000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	ddd6daba856440eaf953b11fdbdab612.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ddd6daba856440eaf953b11fdbdab612.exe"	ddd6daba856440eaf953b11fdbdab612.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\msn\\msn.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\msn\\msn.exe"	msn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\msn\\msn.exe"	ddd6daba856440eaf953b11fdbdab612.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
1664	msn.exe
2232	msn.exe
2596	msn.exe
476	msn.exe
2172	msn.exe
3036	msn.exe

Suspicious use of SetThreadContext 22 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2552	2692	ddd6daba856440eaf953b11fdbdab612.exe	30
PID 2428 set thread context of 2436	2428	msn.exe	35
PID 1740 set thread context of 1472	1740	msn.exe	39
PID 568 set thread context of 2344	568	msn.exe	43
PID 2016 set thread context of 2348	2016	msn.exe	47
PID 3032 set thread context of 884	3032	msn.exe	53
PID 1664 set thread context of 1820	1664	msn.exe	57
PID 2232 set thread context of 2780	2232	msn.exe	61
PID 1600 set thread context of 2064	1600	msn.exe	65
PID 2596 set thread context of 1696	2596	msn.exe	69
PID 476 set thread context of 1740	476	msn.exe	73
PID 1508 set thread context of 1248	1508	msn.exe	77
PID 1984 set thread context of 1932	1984	msn.exe	81
PID 1088 set thread context of 2100	1088	msn.exe	85
PID 896 set thread context of 2920	896	msn.exe	89
PID 2888 set thread context of 864	2888	msn.exe	93
PID 1708 set thread context of 2608	1708	msn.exe	97
PID 2620 set thread context of 2860	2620	msn.exe	101
PID 2172 set thread context of 2388	2172	msn.exe	105
PID 2504 set thread context of 1888	2504	msn.exe	109
PID 3064 set thread context of 2148	3064	msn.exe	113
PID 3036 set thread context of 2796	3036	msn.exe	117

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	ddd6daba856440eaf953b11fdbdab612.exe
File opened for modification	C:\Windows\msn\msn.exe	ddd6daba856440eaf953b11fdbdab612.exe
File created	C:\Windows\msn\msn.exe	msn.exe
File created	C:\Windows\msn\msn.exe	msn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2692	ddd6daba856440eaf953b11fdbdab612.exe
2428	msn.exe
1740	msn.exe
568	msn.exe
2016	msn.exe
3032	msn.exe
1664	msn.exe
2232	msn.exe
1600	msn.exe
2596	msn.exe
476	msn.exe
1508	msn.exe
1984	msn.exe
1088	msn.exe
896	msn.exe
2888	msn.exe
1708	msn.exe
2620	msn.exe
2172	msn.exe
2504	msn.exe
3064	msn.exe
3036	msn.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
2692	ddd6daba856440eaf953b11fdbdab612.exe
2552	ddd6daba856440eaf953b11fdbdab612.exe
2428	msn.exe
2436	msn.exe
1740	msn.exe
1472	msn.exe
568	msn.exe
2344	msn.exe
2016	msn.exe
2348	msn.exe
3032	msn.exe
884	msn.exe
1664	msn.exe
1820	msn.exe
2232	msn.exe
2780	msn.exe
1600	msn.exe
2064	msn.exe
2596	msn.exe
1696	msn.exe
476	msn.exe
1740	msn.exe
1508	msn.exe
1248	msn.exe
1984	msn.exe
1932	msn.exe
1088	msn.exe
2100	msn.exe
896	msn.exe
2920	msn.exe
2888	msn.exe
864	msn.exe
1708	msn.exe
2608	msn.exe
2620	msn.exe
2860	msn.exe
2172	msn.exe
2388	msn.exe
2504	msn.exe
1888	msn.exe
3064	msn.exe
2148	msn.exe
3036	msn.exe
2796	msn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2948	2692	ddd6daba856440eaf953b11fdbdab612.exe	28
PID 2692 wrote to memory of 2948	2692	ddd6daba856440eaf953b11fdbdab612.exe	28
PID 2692 wrote to memory of 2948	2692	ddd6daba856440eaf953b11fdbdab612.exe	28
PID 2692 wrote to memory of 2948	2692	ddd6daba856440eaf953b11fdbdab612.exe	28
PID 2692 wrote to memory of 2948	2692	ddd6daba856440eaf953b11fdbdab612.exe	28
PID 2692 wrote to memory of 2948	2692	ddd6daba856440eaf953b11fdbdab612.exe	28
PID 2692 wrote to memory of 2948	2692	ddd6daba856440eaf953b11fdbdab612.exe	28
PID 2692 wrote to memory of 2548	2692	ddd6daba856440eaf953b11fdbdab612.exe	29
PID 2692 wrote to memory of 2548	2692	ddd6daba856440eaf953b11fdbdab612.exe	29
PID 2692 wrote to memory of 2548	2692	ddd6daba856440eaf953b11fdbdab612.exe	29
PID 2692 wrote to memory of 2548	2692	ddd6daba856440eaf953b11fdbdab612.exe	29
PID 2692 wrote to memory of 2548	2692	ddd6daba856440eaf953b11fdbdab612.exe	29
PID 2692 wrote to memory of 2548	2692	ddd6daba856440eaf953b11fdbdab612.exe	29
PID 2692 wrote to memory of 2548	2692	ddd6daba856440eaf953b11fdbdab612.exe	29
PID 2692 wrote to memory of 2552	2692	ddd6daba856440eaf953b11fdbdab612.exe	30
PID 2692 wrote to memory of 2552	2692	ddd6daba856440eaf953b11fdbdab612.exe	30
PID 2692 wrote to memory of 2552	2692	ddd6daba856440eaf953b11fdbdab612.exe	30
PID 2692 wrote to memory of 2552	2692	ddd6daba856440eaf953b11fdbdab612.exe	30
PID 2692 wrote to memory of 2552	2692	ddd6daba856440eaf953b11fdbdab612.exe	30
PID 2692 wrote to memory of 2552	2692	ddd6daba856440eaf953b11fdbdab612.exe	30
PID 2692 wrote to memory of 2552	2692	ddd6daba856440eaf953b11fdbdab612.exe	30
PID 2692 wrote to memory of 2552	2692	ddd6daba856440eaf953b11fdbdab612.exe	30
PID 2552 wrote to memory of 2776	2552	ddd6daba856440eaf953b11fdbdab612.exe	31
PID 2552 wrote to memory of 2776	2552	ddd6daba856440eaf953b11fdbdab612.exe	31
PID 2552 wrote to memory of 2776	2552	ddd6daba856440eaf953b11fdbdab612.exe	31
PID 2552 wrote to memory of 2776	2552	ddd6daba856440eaf953b11fdbdab612.exe	31
PID 2552 wrote to memory of 2776	2552	ddd6daba856440eaf953b11fdbdab612.exe	31
PID 2776 wrote to memory of 2428	2776	svchost.exe	32
PID 2776 wrote to memory of 2428	2776	svchost.exe	32
PID 2776 wrote to memory of 2428	2776	svchost.exe	32
PID 2776 wrote to memory of 2428	2776	svchost.exe	32
PID 2428 wrote to memory of 2408	2428	msn.exe	33
PID 2428 wrote to memory of 2408	2428	msn.exe	33
PID 2428 wrote to memory of 2408	2428	msn.exe	33
PID 2428 wrote to memory of 2408	2428	msn.exe	33
PID 2428 wrote to memory of 2408	2428	msn.exe	33
PID 2428 wrote to memory of 2408	2428	msn.exe	33
PID 2428 wrote to memory of 2408	2428	msn.exe	33
PID 2428 wrote to memory of 2424	2428	msn.exe	34
PID 2428 wrote to memory of 2424	2428	msn.exe	34
PID 2428 wrote to memory of 2424	2428	msn.exe	34
PID 2428 wrote to memory of 2424	2428	msn.exe	34
PID 2428 wrote to memory of 2424	2428	msn.exe	34
PID 2428 wrote to memory of 2424	2428	msn.exe	34
PID 2428 wrote to memory of 2424	2428	msn.exe	34
PID 2428 wrote to memory of 2436	2428	msn.exe	35
PID 2428 wrote to memory of 2436	2428	msn.exe	35
PID 2428 wrote to memory of 2436	2428	msn.exe	35
PID 2428 wrote to memory of 2436	2428	msn.exe	35
PID 2428 wrote to memory of 2436	2428	msn.exe	35
PID 2428 wrote to memory of 2436	2428	msn.exe	35
PID 2428 wrote to memory of 2436	2428	msn.exe	35
PID 2428 wrote to memory of 2436	2428	msn.exe	35
PID 2776 wrote to memory of 1740	2776	svchost.exe	36
PID 2776 wrote to memory of 1740	2776	svchost.exe	36
PID 2776 wrote to memory of 1740	2776	svchost.exe	36
PID 2776 wrote to memory of 1740	2776	svchost.exe	36
PID 1740 wrote to memory of 1100	1740	msn.exe	37
PID 1740 wrote to memory of 1100	1740	msn.exe	37
PID 1740 wrote to memory of 1100	1740	msn.exe	37
PID 1740 wrote to memory of 1100	1740	msn.exe	37
PID 1740 wrote to memory of 1100	1740	msn.exe	37
PID 1740 wrote to memory of 1100	1740	msn.exe	37
PID 1740 wrote to memory of 1100	1740	msn.exe	37

C:\Users\Admin\AppData\Local\Temp\ddd6daba856440eaf953b11fdbdab612.exe
"C:\Users\Admin\AppData\Local\Temp\ddd6daba856440eaf953b11fdbdab612.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2948
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\ddd6daba856440eaf953b11fdbdab612.exe
  C:\Users\Admin\AppData\Local\Temp\ddd6daba856440eaf953b11fdbdab612.exe
  2⤵
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies Installed Components in the registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2408
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2424
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2436
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1100
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1180
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1472
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:568
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2036
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2500
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2344
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2016
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:560
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1184
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2348
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3032
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2192
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2300
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:884
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1664
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1304
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1612
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1820
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2232
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2912
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2208
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2780
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1600
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:3048
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2336
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2064
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2596
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2904
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2480
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1696
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:476
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:780
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2720
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1740
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1508
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1640
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1880
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1248
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1984
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1992
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1948
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1932
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1088
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:552
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:532
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2100
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:600
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:948
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2920
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2888
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2236
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1736
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:864
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1708
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2992
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2544
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2608
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2620
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2416
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2636
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2860
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2172
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2436
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2468
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2388
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2504
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1020
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1684
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1888
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3064
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2040
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2464
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2148
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3036
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2280
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2140
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2796
  - - C:\Windows\msn\msn.exe
      "C:\Windows\msn\msn.exe"
      4⤵
      PID:1228
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1868
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2484
    - - C:\Windows\msn\msn.exe
        
        C:\Windows\msn\msn.exe
        5⤵
        
        PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\msn\msn.exe

Filesize
994KB

MD5
ddd6daba856440eaf953b11fdbdab612

SHA1
be6e81928db1d3a6bb7f630a88b973a9f5abb541

SHA256
54efa98d0bc33a94b0c3938a9b7c519e3849a5a3f25de33d3fcacc6bdf08a45f

SHA512
9790580b46a7a2e19112d8f547227837ee33571187a3216d2404df05fce396ae60b61d01857a54e022cf12a42af8b43a26e6889a8f6e172ba3cf00cb37bcd48c

Download Submit
\??\c:\users\admin\appdata\local\temp\80EB2F5C

Filesize
14B

MD5
accc1ed0da93eaa818fb0fe82dc31d67

SHA1
65d25ebf711aeb766b8a7e002e75eb05afa68f29

SHA256
56ebacf2c9b1aa637b00d999a04664591f4c1bbdc20d7d85d467b5f4a512060e

SHA512
ce3f57102206242b65a0a34287ac0a4dc57db7d08a71d74fc9ff94675493d0462988cd61a0c83ec0883e2ea93debaf9020616101a15459de1c0c02af94b80d94

Download Submit
memory/476-277-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/476-264-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/568-80-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/568-83-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/568-94-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/896-371-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/896-358-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1088-351-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1228-525-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1228-537-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1472-73-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1472-75-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1472-68-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1472-70-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1472-69-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1508-303-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1508-290-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1508-289-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1600-226-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1600-213-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1600-210-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1664-174-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1664-160-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1664-163-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1708-413-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1708-400-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1740-56-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1740-67-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1984-313-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/1984-329-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2016-108-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2016-121-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2172-454-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2232-187-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2232-201-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2344-95-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2344-96-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2428-44-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2428-31-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2428-29-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2436-46-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2436-50-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2436-45-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2436-47-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2436-49-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2504-476-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2504-463-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2552-5-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2552-24-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2552-14-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2552-4-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2552-15-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2552-16-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2552-17-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2552-23-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2552-9-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2552-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-7-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2596-252-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2596-239-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2620-421-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2620-422-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2620-434-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2692-1-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2692-2-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2692-13-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2776-460-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-131-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-74-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-398-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-22-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/2776-30-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-419-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-236-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-157-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-102-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-439-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-79-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-182-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-515-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2776-502-0x0000000002560000-0x00000000029C3000-memory.dmp

Filesize
4.4MB

Download
memory/2888-379-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/2888-392-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3032-132-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3032-147-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3036-503-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3036-517-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3064-483-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download
memory/3064-496-0x0000000000400000-0x0000000000863000-memory.dmp

Filesize
4.4MB

Download