0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Size

52KB
MD5

2cd285151c06274a9cbec89f6a97e5a7
SHA1

825592195c444e5642a7407c8147d372abf1b0fb
SHA256

0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658
SHA512

fef1729c20e83ba465f3a6e7c45cf12d7decac722c078e6f2cc5163da6a7d37c6e9bca105274e437a8e0c39ea84aa57a451015804cbc18269c06e1b20474a6ee
SSDEEP

768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1+33j5n/wZf2kfw:IzaEW5gMxZVXf8a3yO10pwZc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WishfulThinking.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE

Windows security bypass 2 TTPs 25 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe

Blocks application from running via registry modification 30 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	SERVICES.EXE

Disables RegEdit via registry modification 10 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	SERVICES.EXE

Executes dropped EXE 20 IoCs

pid	Process
2524	nEwb0Rn.exe
2976	WishfulThinking.exe
2804	WINLOGON.EXE
2960	SERVICES.EXE
2776	nEwb0Rn.exe
2348	WishfulThinking.exe
2112	nEwb0Rn.exe
2032	WINLOGON.EXE
480	SERVICES.EXE
660	WishfulThinking.exe
1292	nEwb0Rn.exe
1652	WINLOGON.EXE
2924	SERVICES.EXE
296	WishfulThinking.exe
2416	WINLOGON.EXE
1812	SERVICES.EXE
2704	nEwb0Rn.exe
2736	WishfulThinking.exe
2644	WINLOGON.EXE
2548	SERVICES.EXE

Loads dropped DLL 28 IoCs

pid	Process
1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
2524	nEwb0Rn.exe
2524	nEwb0Rn.exe
2524	nEwb0Rn.exe
2524	nEwb0Rn.exe
2524	nEwb0Rn.exe
2524	nEwb0Rn.exe
2976	WishfulThinking.exe
2976	WishfulThinking.exe
2976	WishfulThinking.exe
2976	WishfulThinking.exe
2976	WishfulThinking.exe
2976	WishfulThinking.exe
2804	WINLOGON.EXE
2804	WINLOGON.EXE
2804	WINLOGON.EXE
2804	WINLOGON.EXE
2804	WINLOGON.EXE
2960	SERVICES.EXE
2960	SERVICES.EXE
2960	SERVICES.EXE
2960	SERVICES.EXE
2960	SERVICES.EXE

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE

Windows security modification 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	WishfulThinking.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WINLOGON.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	nEwb0Rn.exe
File created	C:\desktop.ini	nEwb0Rn.exe
File opened for modification	F:\desktop.ini	nEwb0Rn.exe
File created	F:\desktop.ini	nEwb0Rn.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	SERVICES.EXE
File opened (read-only)	\??\K:	nEwb0Rn.exe
File opened (read-only)	\??\H:	WishfulThinking.exe
File opened (read-only)	\??\T:	WishfulThinking.exe
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\N:	WINLOGON.EXE
File opened (read-only)	\??\T:	WINLOGON.EXE
File opened (read-only)	\??\G:	SERVICES.EXE
File opened (read-only)	\??\S:	SERVICES.EXE
File opened (read-only)	\??\I:	nEwb0Rn.exe
File opened (read-only)	\??\B:	WishfulThinking.exe
File opened (read-only)	\??\Y:	WishfulThinking.exe
File opened (read-only)	\??\M:	WINLOGON.EXE
File opened (read-only)	\??\R:	SERVICES.EXE
File opened (read-only)	\??\E:	nEwb0Rn.exe
File opened (read-only)	\??\M:	nEwb0Rn.exe
File opened (read-only)	\??\R:	nEwb0Rn.exe
File opened (read-only)	\??\K:	WishfulThinking.exe
File opened (read-only)	\??\X:	SERVICES.EXE
File opened (read-only)	\??\L:	nEwb0Rn.exe
File opened (read-only)	\??\S:	WishfulThinking.exe
File opened (read-only)	\??\E:	WINLOGON.EXE
File opened (read-only)	\??\W:	WINLOGON.EXE
File opened (read-only)	\??\W:	nEwb0Rn.exe
File opened (read-only)	\??\Q:	WishfulThinking.exe
File opened (read-only)	\??\L:	WINLOGON.EXE
File opened (read-only)	\??\G:	nEwb0Rn.exe
File opened (read-only)	\??\J:	nEwb0Rn.exe
File opened (read-only)	\??\O:	nEwb0Rn.exe
File opened (read-only)	\??\S:	nEwb0Rn.exe
File opened (read-only)	\??\K:	WINLOGON.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\U:	SERVICES.EXE
File opened (read-only)	\??\G:	WishfulThinking.exe
File opened (read-only)	\??\R:	WishfulThinking.exe
File opened (read-only)	\??\X:	WishfulThinking.exe
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\P:	nEwb0Rn.exe
File opened (read-only)	\??\J:	WishfulThinking.exe
File opened (read-only)	\??\I:	WishfulThinking.exe
File opened (read-only)	\??\P:	WishfulThinking.exe
File opened (read-only)	\??\V:	WINLOGON.EXE
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\Z:	SERVICES.EXE
File opened (read-only)	\??\X:	nEwb0Rn.exe
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\N:	SERVICES.EXE
File opened (read-only)	\??\O:	SERVICES.EXE
File opened (read-only)	\??\E:	WishfulThinking.exe
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\Q:	WINLOGON.EXE
File opened (read-only)	\??\Z:	WishfulThinking.exe
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\R:	WINLOGON.EXE
File opened (read-only)	\??\U:	WINLOGON.EXE
File opened (read-only)	\??\B:	nEwb0Rn.exe
File opened (read-only)	\??\N:	nEwb0Rn.exe
File opened (read-only)	\??\T:	nEwb0Rn.exe
File opened (read-only)	\??\L:	WishfulThinking.exe
File opened (read-only)	\??\X:	WINLOGON.EXE
File opened (read-only)	\??\M:	SERVICES.EXE
File opened (read-only)	\??\H:	nEwb0Rn.exe
File opened (read-only)	\??\V:	nEwb0Rn.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\JawsOfLife.exe	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\DamageControl.scr	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File opened for modification	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File opened for modification	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File created	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File created	C:\Windows\nEwb0Rn.exe	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Animate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Inanimate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Inanimate"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Inanimate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Animate"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Inanimate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Animate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\AutoEndTasks = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Animate"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s1159 = "Inanimate"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\s2359 = "Animate"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\	WishfulThinking.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\	WINLOGON.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WINLOGON.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2804	WINLOGON.EXE
2524	nEwb0Rn.exe
2976	WishfulThinking.exe
2960	SERVICES.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
2524	nEwb0Rn.exe
2976	WishfulThinking.exe
2804	WINLOGON.EXE
2960	SERVICES.EXE
2776	nEwb0Rn.exe
2348	WishfulThinking.exe
2032	WINLOGON.EXE
2112	nEwb0Rn.exe
480	SERVICES.EXE
660	WishfulThinking.exe
1652	WINLOGON.EXE
1292	nEwb0Rn.exe
2924	SERVICES.EXE
296	WishfulThinking.exe
2416	WINLOGON.EXE
1812	SERVICES.EXE
2704	nEwb0Rn.exe
2736	WishfulThinking.exe
2644	WINLOGON.EXE
2548	SERVICES.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2524	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	28
PID 1736 wrote to memory of 2524	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	28
PID 1736 wrote to memory of 2524	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	28
PID 1736 wrote to memory of 2524	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	28
PID 1736 wrote to memory of 2976	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	29
PID 1736 wrote to memory of 2976	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	29
PID 1736 wrote to memory of 2976	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	29
PID 1736 wrote to memory of 2976	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	29
PID 1736 wrote to memory of 2804	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	30
PID 1736 wrote to memory of 2804	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	30
PID 1736 wrote to memory of 2804	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	30
PID 1736 wrote to memory of 2804	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	30
PID 1736 wrote to memory of 2960	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	31
PID 1736 wrote to memory of 2960	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	31
PID 1736 wrote to memory of 2960	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	31
PID 1736 wrote to memory of 2960	1736	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe	31
PID 2524 wrote to memory of 2776	2524	nEwb0Rn.exe	32
PID 2524 wrote to memory of 2776	2524	nEwb0Rn.exe	32
PID 2524 wrote to memory of 2776	2524	nEwb0Rn.exe	32
PID 2524 wrote to memory of 2776	2524	nEwb0Rn.exe	32
PID 2524 wrote to memory of 2348	2524	nEwb0Rn.exe	33
PID 2524 wrote to memory of 2348	2524	nEwb0Rn.exe	33
PID 2524 wrote to memory of 2348	2524	nEwb0Rn.exe	33
PID 2524 wrote to memory of 2348	2524	nEwb0Rn.exe	33
PID 2976 wrote to memory of 2112	2976	WishfulThinking.exe	34
PID 2976 wrote to memory of 2112	2976	WishfulThinking.exe	34
PID 2976 wrote to memory of 2112	2976	WishfulThinking.exe	34
PID 2976 wrote to memory of 2112	2976	WishfulThinking.exe	34
PID 2524 wrote to memory of 2032	2524	nEwb0Rn.exe	35
PID 2524 wrote to memory of 2032	2524	nEwb0Rn.exe	35
PID 2524 wrote to memory of 2032	2524	nEwb0Rn.exe	35
PID 2524 wrote to memory of 2032	2524	nEwb0Rn.exe	35
PID 2524 wrote to memory of 480	2524	nEwb0Rn.exe	36
PID 2524 wrote to memory of 480	2524	nEwb0Rn.exe	36
PID 2524 wrote to memory of 480	2524	nEwb0Rn.exe	36
PID 2524 wrote to memory of 480	2524	nEwb0Rn.exe	36
PID 2976 wrote to memory of 660	2976	WishfulThinking.exe	37
PID 2976 wrote to memory of 660	2976	WishfulThinking.exe	37
PID 2976 wrote to memory of 660	2976	WishfulThinking.exe	37
PID 2976 wrote to memory of 660	2976	WishfulThinking.exe	37
PID 2804 wrote to memory of 1292	2804	WINLOGON.EXE	38
PID 2804 wrote to memory of 1292	2804	WINLOGON.EXE	38
PID 2804 wrote to memory of 1292	2804	WINLOGON.EXE	38
PID 2804 wrote to memory of 1292	2804	WINLOGON.EXE	38
PID 2976 wrote to memory of 1652	2976	WishfulThinking.exe	39
PID 2976 wrote to memory of 1652	2976	WishfulThinking.exe	39
PID 2976 wrote to memory of 1652	2976	WishfulThinking.exe	39
PID 2976 wrote to memory of 1652	2976	WishfulThinking.exe	39
PID 2976 wrote to memory of 2924	2976	WishfulThinking.exe	40
PID 2976 wrote to memory of 2924	2976	WishfulThinking.exe	40
PID 2976 wrote to memory of 2924	2976	WishfulThinking.exe	40
PID 2976 wrote to memory of 2924	2976	WishfulThinking.exe	40
PID 2804 wrote to memory of 296	2804	WINLOGON.EXE	41
PID 2804 wrote to memory of 296	2804	WINLOGON.EXE	41
PID 2804 wrote to memory of 296	2804	WINLOGON.EXE	41
PID 2804 wrote to memory of 296	2804	WINLOGON.EXE	41
PID 2804 wrote to memory of 2416	2804	WINLOGON.EXE	42
PID 2804 wrote to memory of 2416	2804	WINLOGON.EXE	42
PID 2804 wrote to memory of 2416	2804	WINLOGON.EXE	42
PID 2804 wrote to memory of 2416	2804	WINLOGON.EXE	42
PID 2804 wrote to memory of 1812	2804	WINLOGON.EXE	43
PID 2804 wrote to memory of 1812	2804	WINLOGON.EXE	43
PID 2804 wrote to memory of 1812	2804	WINLOGON.EXE	43
PID 2804 wrote to memory of 1812	2804	WINLOGON.EXE	43

System policy modification 1 TTPs 35 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe

C:\Users\Admin\AppData\Local\Temp\0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe
"C:\Users\Admin\AppData\Local\Temp\0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1736
- C:\Windows\nEwb0Rn.exe
  C:\Windows\nEwb0Rn.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2524
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2776
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2348
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2032
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:480
- C:\Windows\SysWOW64\WishfulThinking.exe
  C:\Windows\system32\WishfulThinking.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2976
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2112
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:660
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1652
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2924
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2804
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1292
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:296
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2416
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2960
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2644
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
52KB

MD5
0767697f00bd5f4d87fb3f7777c805c8

SHA1
e50eae96a94f5ccfe61ff16af1db08d138b3d900

SHA256
c3d594b989e8d54baebe9ccdf5c881b0986e2b2a4bac7edeca4bca6244883565

SHA512
e7347cb381c8c20a8a1b9d9fb207f410fdedb4a4d6b4f8f201aa7d9b4415eb9754ca011354626cc7ecdfd0f11955fd57455bb3d88eeba02aa2fd0c0670fccff4

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
52KB

MD5
e74c4b47716d2c096d31231005cdbd46

SHA1
504d148bc501ff19fe8c64d4223f04b84f37c1ca

SHA256
9a4a61b75263f84442b8dbecfb55571d0c408acbdea6343170500e2d5ebf734e

SHA512
f0406bb39bfb12f90338d29e6cea0bf3536ac08369d99a62476f4c2546b1fde68231cb720f547d1975e96cce68db0d6c06c78e94fbd6d58df82978e88c9658b7

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
52KB

MD5
cb995ff7fe6e21ec72dd43bfa9c25b56

SHA1
14d580435d4665571fed63ed741a4ee2ffbfb841

SHA256
ccba648beee791570a675471dbcff400e1cbd4aeefe134d94ded1d0f21fa5d86

SHA512
ea26b1acb07fb466c333c0699420afe6491e77dbce3d50e84bbc4d3ba7c788facd3ffb21778be07aa3b55cc2b9773935b2c2033be565802c534086779e71f9ac

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
9f9cba7799114fc837cc21ee20644b98

SHA1
8354e61532e407f3ab5a9c1a943de2d7970c2398

SHA256
b41e6c74d3ed451fde767903edc0278026ff5e1aaa3953cb504f33479e53b22d

SHA512
235994675c4eacd2bf7c06491b89e3ae252e74781578fbc9c43a2e3f1f8d7bfa2deec520b285121bd0ba8d8944f09d5fc0051ae6c56fc6dfb7fdfc2c89b0fa82

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
5eb16ff6ac8e0c3bac64e9d9b542d679

SHA1
ff4c659771ec76d8a0743087212040a957f63066

SHA256
b1a93348c652a23b74e7306d673d1fdf81b9dccb383118c6f1535e883d5d5389

SHA512
928b84e9e2baf6fbb7594296448778a79430e93447c0d1222daf73ad07f48078ed6bb20befcc5b316db48e03701bf5519c4320d4b177ae2ce3501badad42acdf

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
2bb5f11fdb01e2893860c038027298bc

SHA1
ccf4438ec0469daf3bd963c67f7c6cef871714cc

SHA256
f3e05cb5994ee2131cf412a7f7b04e0044b7c8dc7b3e49283eb9c08ef4cf7132

SHA512
4e0bac8623f6a3c1581027a27e546bbf54d93b9f6d6b8f8a2e03c3ed3de2523ef33e79b4fe2e36c2d7eb12a4943c50bbc78a3ab53b4d2b2cfe97a50f246c4417

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
2cd285151c06274a9cbec89f6a97e5a7

SHA1
825592195c444e5642a7407c8147d372abf1b0fb

SHA256
0fc20e0a1b084f412b1436a46fb618e38a45af6e35fd04e1216adc4101966658

SHA512
fef1729c20e83ba465f3a6e7c45cf12d7decac722c078e6f2cc5163da6a7d37c6e9bca105274e437a8e0c39ea84aa57a451015804cbc18269c06e1b20474a6ee

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
099340cc865b963f0cdd36e5e9ff05e3

SHA1
1386206c0f2e2b85dc48b70459c23978fd3d0cf7

SHA256
3f957c3bdc1266d12de4cea4b109b2f3486cc6acdb2a2915e512b82d8a6a621b

SHA512
fc6ffa2d067933f492357f2a5f75f5d56e02ba536cefe7e71773dcb625c5722a84e6e83809575d926d267eea9cc487abb1f6153905d4e79b068bb793b02f6107

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
abf9d4a716635f510d351eed18f2374a

SHA1
5b051e10c504d23f4e947c8d7b2161a5630f1bc7

SHA256
d6f7e441c290254dcc0c30da6faddd8794c1f23aad203c5c78a39b21e9e28f69

SHA512
da07f81b3325f04cb302f2ce9c0ef9037920caf602502db30b3f940bc8c5bad6fa4333071ce829cb9aad3595256f895e916f76e2f3824a42b13ee0fcbc55ace0

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
d9580f0dfb038b561e2cef9c11a523c7

SHA1
ed73311f6f3d39929b1b51b70a4b0f26d34f8e8e

SHA256
4b9a069c85bce5a1a2b2bdbd5af88529580de41d78db87ffcf42495d7b2a82a5

SHA512
2ff88a24c14e9da79abb9742c84a1bde11f27a1efe267b9f42004e0e44a6c0b5b310717910b6d2db8bc719f85c6b41c6f8cdff1302536a3364d70cb7399ff1a3

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
52KB

MD5
8f1d6d5a933839ba1e665a9ef33b1c8c

SHA1
d5d1cf5447315b9932aed2955995f1e6ecb0ff3a

SHA256
3a54278ec18efa9da61c0304cb20e129a9ae7d3857158cf6ebc6754cb3cc10f2

SHA512
c89887ee049550e19c83ada73f9535b42275e52c6bb0992c8ee816e94b5dd15a643da4c223012987761b698987fb65e3d1f97809329c48a1a91e3b8e8139c3a8

Download Submit
C:\about.htm

Filesize
2KB

MD5
94c0c5518c4f4bb044842a006d04932a

SHA1
23d9a914f6681d65e2b1faa171f4cf492562ebdb

SHA256
224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

SHA512
79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
fe576f42215423bf1f46da06064451d7

SHA1
8c6cd4dd3c716d6716116695988ec1fa7f61974d

SHA256
c7b82915d8f2657b7cb49c63e60dad2b3f50bbff57e0abd672a5f5b1829e1331

SHA512
4d7e68b51701c032857ca68f65e5d41e3c04baf3ef0186b544d40e0f6d147f9af2a85fb9f20916fedc120797ad8e8166cc773709c6ca82c1d176fb02b5422f24

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
d2d66977079cc14dd7c5af0cb7f0ee03

SHA1
b3cb82ad1257163644da3264b772f1573e5aecf1

SHA256
bb2396ff1cfcd5719d037ccdf4f2a1fd643949b225e463f1db6442d7ab52dfc6

SHA512
7e2c21951348cdf7903ba68c0da3d8229c1eb2eb61c313b00096151080c4421a9442817e5b2d838453ac1984071973dc5e5b6a69bd8d14053d4b51f8d69bce5a

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
bdb86ea26880384bc50a32f69266668a

SHA1
e2afe5eadf11fbd63727ef7d5833ce5ed8227500

SHA256
bdcecd37758d34b178624d786ac7d2611f5749e57e2598be685b6e872d3c907b

SHA512
ee95d3a7c441dc1145e22ba4abbb9639a2a466d2b85ba6210097d0e412d1c1145b95d57ca4b376ba106c9b4e104ca1f2f4941d7f655bf3620f8dc56c93165bec

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
52KB

MD5
7778501d3a8c06be94aff3a575793b2d

SHA1
bcff1ea2a3a7bf5bb2c0d69f26d7158637762852

SHA256
71ddb91befaac834eacc73132a79b3f2700dd8e7a330dfae90f215792b1423d1

SHA512
17709fb9ec2b308f761b5594818bd572da91806d53b99107a2197676f6462ea809d8e72840ef172803557ae7348ce71622a366f6ad9207d66dbf96726a57d850

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
52KB

MD5
61d1f8176829200f43ed7e00ad4bc153

SHA1
06d9b46bd8b147a8ca17cb3e442e84480f63c8d5

SHA256
4c4abe45f1b89f5433af4b909cee9867cee6406b1d329528b99ca93e9208b8ce

SHA512
a8d0f11b4dc8df894fbe429dba66c26e8a3bcefcc721acfdbcfbccb0812973bea243ced657d24dd2af071c864ba928e99abe29e8b0089b563128d11bd244fa34

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
52KB

MD5
c468c50d39a102abddb729151cc62662

SHA1
78253811bd68772a2b2f853df898061d6136731f

SHA256
0e381cd59c95ca10c9cf91e269c43abcc8e767089fd841028b516ee86ceba968

SHA512
5dd61ce63c99bc4f37aeb53eb72a071905d6d4d808a360429c9e2ba98873b1dbc9eb11b0d75a3f68236e9d18e19a6eee7356cdc518acfaae1d5e3eae8c48422c

Download Submit
memory/296-346-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/480-224-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/660-266-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/660-288-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1292-334-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1292-335-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1652-327-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1652-323-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-101-0x0000000002600000-0x0000000002628000-memory.dmp

Filesize
160KB

Download
memory/1736-102-0x0000000002600000-0x0000000002628000-memory.dmp

Filesize
160KB

Download
memory/1736-84-0x0000000002600000-0x0000000002628000-memory.dmp

Filesize
160KB

Download
memory/1736-114-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-79-0x0000000002600000-0x0000000002628000-memory.dmp

Filesize
160KB

Download
memory/1736-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1736-78-0x0000000002600000-0x0000000002628000-memory.dmp

Filesize
160KB

Download
memory/1736-112-0x0000000002600000-0x0000000002628000-memory.dmp

Filesize
160KB

Download
memory/1736-119-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1812-357-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1812-353-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2032-212-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2112-200-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2112-219-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2112-220-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2348-194-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2348-202-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2416-349-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2416-351-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2524-80-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2524-401-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2524-206-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2524-336-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2524-378-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2524-155-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2524-164-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2524-163-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2524-223-0x00000000027A0000-0x00000000027C8000-memory.dmp

Filesize
160KB

Download
memory/2548-399-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2644-391-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2644-393-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2704-383-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2704-382-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2736-388-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2776-154-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2776-162-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2776-161-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2804-222-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2804-352-0x0000000002530000-0x0000000002558000-memory.dmp

Filesize
160KB

Download
memory/2804-403-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2804-405-0x0000000002530000-0x0000000002558000-memory.dmp

Filesize
160KB

Download
memory/2924-337-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2924-338-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2924-342-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2924-339-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2960-115-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2960-303-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2960-395-0x0000000000530000-0x0000000000558000-memory.dmp

Filesize
160KB

Download
memory/2960-404-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2960-384-0x0000000000530000-0x0000000000558000-memory.dmp

Filesize
160KB

Download
memory/2960-406-0x0000000000530000-0x0000000000558000-memory.dmp

Filesize
160KB

Download
memory/2960-407-0x0000000000530000-0x0000000000558000-memory.dmp

Filesize
160KB

Download
memory/2976-394-0x0000000002650000-0x0000000002678000-memory.dmp

Filesize
160KB

Download
memory/2976-322-0x0000000002650000-0x0000000002678000-memory.dmp

Filesize
160KB

Download
memory/2976-402-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2976-195-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2976-196-0x0000000002650000-0x0000000002678000-memory.dmp

Filesize
160KB

Download