sality | ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b

Analysis

max time kernel
29s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Size

124KB
MD5

fd127c6270d8c359a72ca527bc0e3909
SHA1

1eb9d4278b845e7fa5df7795da4a4b8a8d04e198
SHA256

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b
SHA512

059a00a4617db5c6d9f1671f594bd10271622dda14d9c93760f3170e86cdc9758f8899d1b41e922ac97797909ed5440e18095a7680804213a0cbeadd93cfa5f8
SSDEEP

3072:oCGVhOg013Uh59Td/9L+Ik0IrylyrgZQMHXSaj3A:ooUV11+T0Iryly8xXQ

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exeEXPLORER.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	regedit.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exeEXPLORER.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXPLORER.EXE

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

EXPLORER.EXEec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	EXPLORER.EXE

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 38 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4472-3-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-7-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-11-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-8-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-16-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-12-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-10-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-17-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-1-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-29-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-30-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4472-34-0x00000000029D0000-0x0000000003A5E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-66-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-58-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-67-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-71-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-72-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-70-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-65-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-60-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-64-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-74-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-75-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-81-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-92-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-93-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-105-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-121-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-123-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-127-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-132-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-131-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-160-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-163-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-165-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-166-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/3516-194-0x00000000032D0000-0x000000000435E000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
C:\lqjto.exe	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 39 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4472-3-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-7-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-11-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-8-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-16-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-12-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-10-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-17-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/3516-25-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/4472-1-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-29-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-30-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-34-0x00000000029D0000-0x0000000003A5E000-memory.dmp	UPX
behavioral2/memory/4472-45-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral2/memory/3516-66-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-58-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-67-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-71-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-72-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-70-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-65-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-60-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-64-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-74-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-75-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-81-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-92-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-93-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-105-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-121-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-123-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-127-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-132-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-131-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-160-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-163-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-165-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-166-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX
behavioral2/memory/3516-194-0x00000000032D0000-0x000000000435E000-memory.dmp	UPX

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

regedit.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	regedit.exe

Disables Task Manager via registry modification
evasion
Deletes itself 1 IoCs

Processes:

EXPLORER.EXE

pid process

3516 EXPLORER.EXE
Executes dropped EXE 1 IoCs

Processes:

EXPLORER.EXE

pid process

3516 EXPLORER.EXE
Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

regedit.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt regedit.exe

pid	process
3516	EXPLORER.EXE

pid	process
3516	EXPLORER.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4472-3-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-7-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-11-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-8-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-16-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-12-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-10-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-17-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-1-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-29-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-30-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/4472-34-0x00000000029D0000-0x0000000003A5E000-memory.dmp	upx
behavioral2/memory/3516-66-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-58-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-67-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-71-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-72-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-70-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-65-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-60-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-64-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-74-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-75-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-81-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-92-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-93-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-105-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-121-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-123-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-127-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-132-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-131-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-160-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-163-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-165-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-166-0x00000000032D0000-0x000000000435E000-memory.dmp	upx
behavioral2/memory/3516-194-0x00000000032D0000-0x000000000435E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exeEXPLORER.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	EXPLORER.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	EXPLORER.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	EXPLORER.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

regedit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FolderRaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe"	regedit.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exeEXPLORER.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXPLORER.EXE

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

EXPLORER.EXE

description	ioc	process
File opened (read-only)	\??\M:	EXPLORER.EXE
File opened (read-only)	\??\E:	EXPLORER.EXE
File opened (read-only)	\??\G:	EXPLORER.EXE
File opened (read-only)	\??\H:	EXPLORER.EXE
File opened (read-only)	\??\I:	EXPLORER.EXE
File opened (read-only)	\??\J:	EXPLORER.EXE
File opened (read-only)	\??\K:	EXPLORER.EXE
File opened (read-only)	\??\L:	EXPLORER.EXE

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

EXPLORER.EXE

description	ioc	process
File opened for modification	\??\c:\Autorun.inf	EXPLORER.EXE
File opened for modification	\??\d:\Autorun.inf	EXPLORER.EXE
File opened for modification	\??\f:\Autorun.inf	EXPLORER.EXE

Drops file in Program Files directory 6 IoCs

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exeEXPLORER.EXE

description	ioc	process
File created	C:\Program Files\EXPLORER.EXE	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
File opened for modification	C:\Program Files\EXPLORER.EXE	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
File opened for modification	C:\Program Files\Funny!.reg	EXPLORER.EXE
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	EXPLORER.EXE
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	EXPLORER.EXE
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	EXPLORER.EXE

Drops file in Windows directory 1 IoCs

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 25 IoCs

Processes:

explorer.exeregedit.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe

Runs .reg file with regedit 23 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
3564	regedit.exe
2676	regedit.exe
536	regedit.exe
432	regedit.exe
1652	regedit.exe
1576	regedit.exe
3328	regedit.exe
1912	regedit.exe
692	regedit.exe
1584	regedit.exe
2960	regedit.exe
5056	regedit.exe
1632	regedit.exe
4276	regedit.exe
3980	regedit.exe
2264	regedit.exe
4780	regedit.exe
3816	regedit.exe
3696	regedit.exe
916	regedit.exe
3280	regedit.exe
4852	regedit.exe
2236	regedit.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

1216 explorer.exe

pid	process
1216	explorer.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exeEXPLORER.EXE

pid	process
4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
3516	EXPLORER.EXE
3516	EXPLORER.EXE
3516	EXPLORER.EXE
3516	EXPLORER.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe

description	pid	process
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Token: SeDebugPrivilege	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exeEXPLORER.EXEexplorer.exe

pid process

4472 ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
3516 EXPLORER.EXE
1216 explorer.exe
1216 explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exeEXPLORER.EXE

description	pid	process	target process
PID 4472 wrote to memory of 776	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	fontdrvhost.exe
PID 4472 wrote to memory of 784	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	fontdrvhost.exe
PID 4472 wrote to memory of 384	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	dwm.exe
PID 4472 wrote to memory of 3060	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	sihost.exe
PID 4472 wrote to memory of 2204	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	svchost.exe
PID 4472 wrote to memory of 3084	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	taskhostw.exe
PID 4472 wrote to memory of 3444	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	Explorer.EXE
PID 4472 wrote to memory of 3584	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	svchost.exe
PID 4472 wrote to memory of 3768	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	DllHost.exe
PID 4472 wrote to memory of 3856	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	StartMenuExperienceHost.exe
PID 4472 wrote to memory of 3920	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 4052	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	SearchApp.exe
PID 4472 wrote to memory of 4020	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 4384	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	RuntimeBroker.exe
PID 4472 wrote to memory of 2164	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	TextInputHost.exe
PID 4472 wrote to memory of 4496	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	backgroundTaskHost.exe
PID 4472 wrote to memory of 3420	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	backgroundTaskHost.exe
PID 4472 wrote to memory of 4264	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	explorer.exe
PID 4472 wrote to memory of 4264	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	explorer.exe
PID 4472 wrote to memory of 4264	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	explorer.exe
PID 4472 wrote to memory of 3564	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	regedit.exe
PID 4472 wrote to memory of 3564	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	regedit.exe
PID 4472 wrote to memory of 3564	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	regedit.exe
PID 4472 wrote to memory of 3516	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	EXPLORER.EXE
PID 4472 wrote to memory of 3516	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	EXPLORER.EXE
PID 4472 wrote to memory of 3516	4472	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe	EXPLORER.EXE
PID 3516 wrote to memory of 3980	3516	EXPLORER.EXE	regedit.exe
PID 3516 wrote to memory of 3980	3516	EXPLORER.EXE	regedit.exe
PID 3516 wrote to memory of 3980	3516	EXPLORER.EXE	regedit.exe
PID 3516 wrote to memory of 776	3516	EXPLORER.EXE	fontdrvhost.exe
PID 3516 wrote to memory of 784	3516	EXPLORER.EXE	fontdrvhost.exe
PID 3516 wrote to memory of 384	3516	EXPLORER.EXE	dwm.exe
PID 3516 wrote to memory of 3060	3516	EXPLORER.EXE	sihost.exe
PID 3516 wrote to memory of 2204	3516	EXPLORER.EXE	svchost.exe
PID 3516 wrote to memory of 3084	3516	EXPLORER.EXE	taskhostw.exe
PID 3516 wrote to memory of 3444	3516	EXPLORER.EXE	Explorer.EXE
PID 3516 wrote to memory of 3584	3516	EXPLORER.EXE	svchost.exe
PID 3516 wrote to memory of 3768	3516	EXPLORER.EXE	DllHost.exe
PID 3516 wrote to memory of 3856	3516	EXPLORER.EXE	StartMenuExperienceHost.exe
PID 3516 wrote to memory of 3920	3516	EXPLORER.EXE	RuntimeBroker.exe
PID 3516 wrote to memory of 4052	3516	EXPLORER.EXE	SearchApp.exe
PID 3516 wrote to memory of 4020	3516	EXPLORER.EXE	RuntimeBroker.exe
PID 3516 wrote to memory of 4384	3516	EXPLORER.EXE	RuntimeBroker.exe
PID 3516 wrote to memory of 2164	3516	EXPLORER.EXE	TextInputHost.exe
PID 3516 wrote to memory of 4496	3516	EXPLORER.EXE	backgroundTaskHost.exe
PID 3516 wrote to memory of 3420	3516	EXPLORER.EXE	backgroundTaskHost.exe
PID 3516 wrote to memory of 1216	3516	EXPLORER.EXE	explorer.exe
PID 3516 wrote to memory of 3464	3516	EXPLORER.EXE	RuntimeBroker.exe
PID 3516 wrote to memory of 232	3516	EXPLORER.EXE	RuntimeBroker.exe
PID 3516 wrote to memory of 2264	3516	EXPLORER.EXE	regedit.exe
PID 3516 wrote to memory of 2264	3516	EXPLORER.EXE	regedit.exe
PID 3516 wrote to memory of 2264	3516	EXPLORER.EXE	regedit.exe
PID 3516 wrote to memory of 776	3516	EXPLORER.EXE	fontdrvhost.exe
PID 3516 wrote to memory of 784	3516	EXPLORER.EXE	fontdrvhost.exe
PID 3516 wrote to memory of 384	3516	EXPLORER.EXE	dwm.exe
PID 3516 wrote to memory of 3060	3516	EXPLORER.EXE	sihost.exe
PID 3516 wrote to memory of 2204	3516	EXPLORER.EXE	svchost.exe
PID 3516 wrote to memory of 3084	3516	EXPLORER.EXE	taskhostw.exe
PID 3516 wrote to memory of 3444	3516	EXPLORER.EXE	Explorer.EXE
PID 3516 wrote to memory of 3584	3516	EXPLORER.EXE	svchost.exe
PID 3516 wrote to memory of 3768	3516	EXPLORER.EXE	DllHost.exe
PID 3516 wrote to memory of 3856	3516	EXPLORER.EXE	StartMenuExperienceHost.exe
PID 3516 wrote to memory of 3920	3516	EXPLORER.EXE	RuntimeBroker.exe
PID 3516 wrote to memory of 4052	3516	EXPLORER.EXE	SearchApp.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exeEXPLORER.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	EXPLORER.EXE

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:384

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2204

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3084

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe
"C:\Users\Admin\AppData\Local\Temp\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4472

C:\Windows\SysWOW64\explorer.exe
explorer C:\Users\Admin\AppData\Local\Temp\ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b
3⤵
PID:4264

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Users\Admin\AppData\Local\Temp\Funny!.reg
3⤵
- Modifies visibility of file extensions in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Runs .reg file with regedit
PID:3564

C:\Program Files\EXPLORER.EXE
"C:\Program Files\EXPLORER.EXE"
3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3516

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:3980

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:2264

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:2676

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:1652

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:536

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:1576

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:2960

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:4780

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:3816

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:3328

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:1912

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:3696

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:692

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:916

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:432

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:5056

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:3280

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:4852

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:1584

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:1632

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:4276

C:\Windows\SysWOW64\regedit.exe
regedit /s C:\Program Files\Funny!.reg
4⤵
- Runs .reg file with regedit
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4052

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4384

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2164

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4496

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3420

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:232

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3460

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Autorun.inf
Filesize
99B

MD5
9bf1e5a2afbe7da98a68e24153056e89

SHA1
a081dd05387f0a820c090d1d1d003af4f4374b63

SHA256
bca0db21212fb26b90ca976ad73636249ee40e70f59d867698a760b674ef13d2

SHA512
591855a387d8e28b89821e3d5c0c9418ebc2d644732ab9ce75e90e9db0b2bf7fecfd273fd6ef22a8d8fde87b97002e176d49e274b6c6cfa5798ef151092fcdcf

Download Submit
C:\Program Files\EXPLORER.EXE
Filesize
124KB

MD5
fd127c6270d8c359a72ca527bc0e3909

SHA1
1eb9d4278b845e7fa5df7795da4a4b8a8d04e198

SHA256
ec73db81b957f786d6447335ea3ad371612a046a6ad22ab3bcc6de2f54f9307b

SHA512
059a00a4617db5c6d9f1671f594bd10271622dda14d9c93760f3170e86cdc9758f8899d1b41e922ac97797909ed5440e18095a7680804213a0cbeadd93cfa5f8

Download Submit
C:\Program Files\Funny!.reg
Filesize
572B

MD5
c2ab01b697609862244ae7365e7e03d9

SHA1
63f95bf1efc2f7fb66a51627131150a01856ab36

SHA256
3e8770c1a3b8112a25d08b47a1bc0eed22aae31389b16dc03b07f3f10093e092

SHA512
afb30a04c3b50ccd913200b012409a9a1e2411ca97f1143a8e6f879fb8bc50acb3ec0c32a76fa4aea2b5ad35450578b53c51bb6e5e982da4f63136f8734f7da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Funny!.reg
Filesize
649B

MD5
04fdb91e4f31252545a98d94582f222a

SHA1
6e9144b93384d4d76975a96d96d912204515a06b

SHA256
8758c9438a12a9576a69b1b88ba51938f5c92b9bfe4ced50281bf98ce5dfd670

SHA512
f3beb767e01c1089ffe35d9e5d5f2fee3253c45d8c96ce6a9c6796775e5363fbeb2c5e89af063cccff9e6bcc9d248f1db3e29e540a25f1b9aeacce6d565030e4

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
4700cc3e352695670f40867c480ac1bb

SHA1
e76a1361fdd440acf8d13c5c0e3e341a4390aec3

SHA256
343c5fe41968f96c72e8b4566a0e867f1edec257bc6a01804a94c9adac5fab9c

SHA512
3510f2eef87c30c9aaa381566a0284af7dff73cbca43e7395bd675f6d0259700eed89c04127346461c4d0ec7606896ea6b378fe79c81eb7644f2b0489288bb10

Download Submit
C:\lqjto.exe
Filesize
100KB

MD5
989c081931171ae95f7e2f3f6aaf1455

SHA1
67dcb71e2168cee8f39eb58ae1e2d251b08f7a8f

SHA256
c28a7d03444fd0eb20781ad585ad9a00fcc76e747de0ac4c67c4992c47d25fa3

SHA512
883d54f4ef1d4ff32009ef2ea4f77d2d5d13a749dbcaf9f0a6b0bc912228a03de09a2a953524b6750af143155a67ce073b50f272e169c70ae96f714ecbf0448f

Download Submit
memory/3516-73-0x00000000020F0000-0x00000000020F2000-memory.dmp

Filesize
8KB

Download
memory/3516-132-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3516-66-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-194-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-166-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-165-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-163-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-160-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-131-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-127-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-123-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-121-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-105-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-93-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-58-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-67-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-71-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-72-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-70-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-92-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-65-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-60-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-64-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-69-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/3516-74-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-75-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/3516-81-0x00000000032D0000-0x000000000435E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4472-29-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-10-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-12-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-1-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-9-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/4472-3-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-17-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4472-30-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-5-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/4472-16-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-8-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-11-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-7-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-13-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/4472-34-0x00000000029D0000-0x0000000003A5E000-memory.dmp

Filesize
16.6MB

Download
memory/4472-6-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download