353cad2e2db635c3dbe7301dc03bcda5eb98797da0c1f1e98f10db8458d281f4

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

769b30ce75344facc1900f9ac642d760N.exe
Size

52KB
MD5

769b30ce75344facc1900f9ac642d760
SHA1

54c234564e97d7c401846fdc9b553d90f3325895
SHA256

353cad2e2db635c3dbe7301dc03bcda5eb98797da0c1f1e98f10db8458d281f4
SHA512

07f07fae6d5ced4e99770faad9c21f1704b1faa892a004361cf23dbe19b965b36fbe001a417edb137be8c036b3df294984c3d4618b85d3825352e1ffd4b02621
SSDEEP

768:d+ciLamXW9XgMxjFkpvMVX8q18q13yO1oj5n/w3Dkfw:IzaEW5gMxZVXf8a3yO1opw3z

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\""	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe"	769b30ce75344facc1900f9ac642d760N.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	769b30ce75344facc1900f9ac642d760N.exe

Windows security bypass 2 TTPs 25 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe

Blocks application from running via registry modification 30 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "install.exe"	WishfulThinking.exe

Disables RegEdit via registry modification 10 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	769b30ce75344facc1900f9ac642d760N.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 10 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	nEwb0Rn.exe

Executes dropped EXE 20 IoCs

pid	Process
2808	nEwb0Rn.exe
2788	WishfulThinking.exe
2456	WINLOGON.EXE
680	SERVICES.EXE
236	nEwb0Rn.exe
1564	WishfulThinking.exe
2956	WINLOGON.EXE
2912	nEwb0Rn.exe
2404	SERVICES.EXE
2704	nEwb0Rn.exe
576	WishfulThinking.exe
1464	WishfulThinking.exe
2468	WINLOGON.EXE
2620	WINLOGON.EXE
2752	nEwb0Rn.exe
2728	SERVICES.EXE
2636	SERVICES.EXE
2900	WishfulThinking.exe
2796	WINLOGON.EXE
3008	SERVICES.EXE

Loads dropped DLL 28 IoCs

pid	Process
776	769b30ce75344facc1900f9ac642d760N.exe
776	769b30ce75344facc1900f9ac642d760N.exe
776	769b30ce75344facc1900f9ac642d760N.exe
776	769b30ce75344facc1900f9ac642d760N.exe
776	769b30ce75344facc1900f9ac642d760N.exe
776	769b30ce75344facc1900f9ac642d760N.exe
2808	nEwb0Rn.exe
2808	nEwb0Rn.exe
2808	nEwb0Rn.exe
2808	nEwb0Rn.exe
2808	nEwb0Rn.exe
2808	nEwb0Rn.exe
2788	WishfulThinking.exe
2788	WishfulThinking.exe
2456	WINLOGON.EXE
2788	WishfulThinking.exe
2456	WINLOGON.EXE
2788	WishfulThinking.exe
2456	WINLOGON.EXE
2788	WishfulThinking.exe
2788	WishfulThinking.exe
2456	WINLOGON.EXE
2456	WINLOGON.EXE
680	SERVICES.EXE
680	SERVICES.EXE
680	SERVICES.EXE
680	SERVICES.EXE
680	SERVICES.EXE

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE

Windows security modification 2 TTPs 30 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	769b30ce75344facc1900f9ac642d760N.exe

Adds Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe"	WINLOGON.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	nEwb0Rn.exe
File created	C:\desktop.ini	nEwb0Rn.exe
File opened for modification	F:\desktop.ini	nEwb0Rn.exe
File created	F:\desktop.ini	nEwb0Rn.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	WINLOGON.EXE
File opened (read-only)	\??\E:	WishfulThinking.exe
File opened (read-only)	\??\M:	WishfulThinking.exe
File opened (read-only)	\??\P:	WishfulThinking.exe
File opened (read-only)	\??\W:	WishfulThinking.exe
File opened (read-only)	\??\H:	nEwb0Rn.exe
File opened (read-only)	\??\P:	nEwb0Rn.exe
File opened (read-only)	\??\U:	nEwb0Rn.exe
File opened (read-only)	\??\T:	SERVICES.EXE
File opened (read-only)	\??\U:	SERVICES.EXE
File opened (read-only)	\??\W:	SERVICES.EXE
File opened (read-only)	\??\G:	SERVICES.EXE
File opened (read-only)	\??\J:	SERVICES.EXE
File opened (read-only)	\??\S:	SERVICES.EXE
File opened (read-only)	\??\Q:	nEwb0Rn.exe
File opened (read-only)	\??\Z:	WINLOGON.EXE
File opened (read-only)	\??\G:	nEwb0Rn.exe
File opened (read-only)	\??\L:	nEwb0Rn.exe
File opened (read-only)	\??\M:	nEwb0Rn.exe
File opened (read-only)	\??\O:	SERVICES.EXE
File opened (read-only)	\??\X:	nEwb0Rn.exe
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\M:	SERVICES.EXE
File opened (read-only)	\??\U:	WINLOGON.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\J:	WishfulThinking.exe
File opened (read-only)	\??\L:	WishfulThinking.exe
File opened (read-only)	\??\S:	WishfulThinking.exe
File opened (read-only)	\??\W:	nEwb0Rn.exe
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\Q:	SERVICES.EXE
File opened (read-only)	\??\T:	nEwb0Rn.exe
File opened (read-only)	\??\L:	WINLOGON.EXE
File opened (read-only)	\??\N:	WishfulThinking.exe
File opened (read-only)	\??\B:	WishfulThinking.exe
File opened (read-only)	\??\I:	WishfulThinking.exe
File opened (read-only)	\??\N:	nEwb0Rn.exe
File opened (read-only)	\??\R:	WINLOGON.EXE
File opened (read-only)	\??\T:	WINLOGON.EXE
File opened (read-only)	\??\E:	WINLOGON.EXE
File opened (read-only)	\??\R:	SERVICES.EXE
File opened (read-only)	\??\B:	nEwb0Rn.exe
File opened (read-only)	\??\E:	nEwb0Rn.exe
File opened (read-only)	\??\V:	nEwb0Rn.exe
File opened (read-only)	\??\H:	SERVICES.EXE
File opened (read-only)	\??\J:	nEwb0Rn.exe
File opened (read-only)	\??\O:	nEwb0Rn.exe
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\U:	WishfulThinking.exe
File opened (read-only)	\??\Y:	WishfulThinking.exe
File opened (read-only)	\??\Z:	WishfulThinking.exe
File opened (read-only)	\??\I:	SERVICES.EXE
File opened (read-only)	\??\R:	nEwb0Rn.exe
File opened (read-only)	\??\S:	nEwb0Rn.exe
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\Y:	nEwb0Rn.exe
File opened (read-only)	\??\P:	WINLOGON.EXE
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\L:	SERVICES.EXE
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\Z:	SERVICES.EXE

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	769b30ce75344facc1900f9ac642d760N.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\JawsOfLife.exe	769b30ce75344facc1900f9ac642d760N.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	769b30ce75344facc1900f9ac642d760N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	769b30ce75344facc1900f9ac642d760N.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	769b30ce75344facc1900f9ac642d760N.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\DamageControl.scr	SERVICES.EXE
File created	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\DamageControl.scr	769b30ce75344facc1900f9ac642d760N.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\SysWOW64\WishfulThinking.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\SysWOW64\JawsOfLife.exe	WishfulThinking.exe
File opened for modification	C:\Windows\SysWOW64\WishfulThinking.exe	WINLOGON.EXE

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	769b30ce75344facc1900f9ac642d760N.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File created	C:\Windows\nEwb0Rn.exe	nEwb0Rn.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WINLOGON.EXE
File created	C:\Windows\nEwb0Rn.exe	769b30ce75344facc1900f9ac642d760N.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File created	C:\Windows\nEwb0Rn.exe	SERVICES.EXE
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\nEwb0Rn.exe	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File created	C:\Windows\msvbvm60.dll	WishfulThinking.exe
File opened for modification	C:\Windows\msvbvm60.dll	WishfulThinking.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	769b30ce75344facc1900f9ac642d760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nEwb0Rn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WishfulThinking.exe

Modifies Control Panel 45 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s1159 = "Inanimate"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s1159 = "Inanimate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s1159 = "Inanimate"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s2359 = "Animate"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s2359 = "Animate"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s2359 = "Animate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s2359 = "Animate"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\AutoEndTasks = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s1159 = "Inanimate"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s1159 = "Inanimate"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\s2359 = "Animate"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	nEwb0Rn.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A"	WishfulThinking.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\	SERVICES.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	nEwb0Rn.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WishfulThinking.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	WINLOGON.EXE
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WishfulThinking.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\	nEwb0Rn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1"	nEwb0Rn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WishfulThinking.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*"	WishfulThinking.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
776	769b30ce75344facc1900f9ac642d760N.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2456	WINLOGON.EXE
2808	nEwb0Rn.exe
2788	WishfulThinking.exe
680	SERVICES.EXE

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
776	769b30ce75344facc1900f9ac642d760N.exe
2808	nEwb0Rn.exe
2788	WishfulThinking.exe
2456	WINLOGON.EXE
680	SERVICES.EXE
236	nEwb0Rn.exe
1564	WishfulThinking.exe
2956	WINLOGON.EXE
2912	nEwb0Rn.exe
2404	SERVICES.EXE
2704	nEwb0Rn.exe
576	WishfulThinking.exe
1464	WishfulThinking.exe
2468	WINLOGON.EXE
2620	WINLOGON.EXE
2752	nEwb0Rn.exe
2728	SERVICES.EXE
2636	SERVICES.EXE
2900	WishfulThinking.exe
2796	WINLOGON.EXE
3008	SERVICES.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2808	776	769b30ce75344facc1900f9ac642d760N.exe	30
PID 776 wrote to memory of 2808	776	769b30ce75344facc1900f9ac642d760N.exe	30
PID 776 wrote to memory of 2808	776	769b30ce75344facc1900f9ac642d760N.exe	30
PID 776 wrote to memory of 2808	776	769b30ce75344facc1900f9ac642d760N.exe	30
PID 776 wrote to memory of 2788	776	769b30ce75344facc1900f9ac642d760N.exe	31
PID 776 wrote to memory of 2788	776	769b30ce75344facc1900f9ac642d760N.exe	31
PID 776 wrote to memory of 2788	776	769b30ce75344facc1900f9ac642d760N.exe	31
PID 776 wrote to memory of 2788	776	769b30ce75344facc1900f9ac642d760N.exe	31
PID 776 wrote to memory of 2456	776	769b30ce75344facc1900f9ac642d760N.exe	32
PID 776 wrote to memory of 2456	776	769b30ce75344facc1900f9ac642d760N.exe	32
PID 776 wrote to memory of 2456	776	769b30ce75344facc1900f9ac642d760N.exe	32
PID 776 wrote to memory of 2456	776	769b30ce75344facc1900f9ac642d760N.exe	32
PID 776 wrote to memory of 680	776	769b30ce75344facc1900f9ac642d760N.exe	33
PID 776 wrote to memory of 680	776	769b30ce75344facc1900f9ac642d760N.exe	33
PID 776 wrote to memory of 680	776	769b30ce75344facc1900f9ac642d760N.exe	33
PID 776 wrote to memory of 680	776	769b30ce75344facc1900f9ac642d760N.exe	33
PID 2808 wrote to memory of 236	2808	nEwb0Rn.exe	34
PID 2808 wrote to memory of 236	2808	nEwb0Rn.exe	34
PID 2808 wrote to memory of 236	2808	nEwb0Rn.exe	34
PID 2808 wrote to memory of 236	2808	nEwb0Rn.exe	34
PID 2808 wrote to memory of 1564	2808	nEwb0Rn.exe	35
PID 2808 wrote to memory of 1564	2808	nEwb0Rn.exe	35
PID 2808 wrote to memory of 1564	2808	nEwb0Rn.exe	35
PID 2808 wrote to memory of 1564	2808	nEwb0Rn.exe	35
PID 2808 wrote to memory of 2956	2808	nEwb0Rn.exe	36
PID 2808 wrote to memory of 2956	2808	nEwb0Rn.exe	36
PID 2808 wrote to memory of 2956	2808	nEwb0Rn.exe	36
PID 2808 wrote to memory of 2956	2808	nEwb0Rn.exe	36
PID 2788 wrote to memory of 2912	2788	WishfulThinking.exe	37
PID 2788 wrote to memory of 2912	2788	WishfulThinking.exe	37
PID 2788 wrote to memory of 2912	2788	WishfulThinking.exe	37
PID 2788 wrote to memory of 2912	2788	WishfulThinking.exe	37
PID 2808 wrote to memory of 2404	2808	nEwb0Rn.exe	38
PID 2808 wrote to memory of 2404	2808	nEwb0Rn.exe	38
PID 2808 wrote to memory of 2404	2808	nEwb0Rn.exe	38
PID 2808 wrote to memory of 2404	2808	nEwb0Rn.exe	38
PID 2456 wrote to memory of 2704	2456	WINLOGON.EXE	39
PID 2456 wrote to memory of 2704	2456	WINLOGON.EXE	39
PID 2456 wrote to memory of 2704	2456	WINLOGON.EXE	39
PID 2456 wrote to memory of 2704	2456	WINLOGON.EXE	39
PID 2788 wrote to memory of 576	2788	WishfulThinking.exe	40
PID 2788 wrote to memory of 576	2788	WishfulThinking.exe	40
PID 2788 wrote to memory of 576	2788	WishfulThinking.exe	40
PID 2788 wrote to memory of 576	2788	WishfulThinking.exe	40
PID 2456 wrote to memory of 1464	2456	WINLOGON.EXE	41
PID 2456 wrote to memory of 1464	2456	WINLOGON.EXE	41
PID 2456 wrote to memory of 1464	2456	WINLOGON.EXE	41
PID 2456 wrote to memory of 1464	2456	WINLOGON.EXE	41
PID 2788 wrote to memory of 2468	2788	WishfulThinking.exe	42
PID 2788 wrote to memory of 2468	2788	WishfulThinking.exe	42
PID 2788 wrote to memory of 2468	2788	WishfulThinking.exe	42
PID 2788 wrote to memory of 2468	2788	WishfulThinking.exe	42
PID 2456 wrote to memory of 2620	2456	WINLOGON.EXE	43
PID 2456 wrote to memory of 2620	2456	WINLOGON.EXE	43
PID 2456 wrote to memory of 2620	2456	WINLOGON.EXE	43
PID 2456 wrote to memory of 2620	2456	WINLOGON.EXE	43
PID 680 wrote to memory of 2752	680	SERVICES.EXE	44
PID 680 wrote to memory of 2752	680	SERVICES.EXE	44
PID 680 wrote to memory of 2752	680	SERVICES.EXE	44
PID 680 wrote to memory of 2752	680	SERVICES.EXE	44
PID 2788 wrote to memory of 2728	2788	WishfulThinking.exe	45
PID 2788 wrote to memory of 2728	2788	WishfulThinking.exe	45
PID 2788 wrote to memory of 2728	2788	WishfulThinking.exe	45
PID 2788 wrote to memory of 2728	2788	WishfulThinking.exe	45

System policy modification 1 TTPs 35 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	769b30ce75344facc1900f9ac642d760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WishfulThinking.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	769b30ce75344facc1900f9ac642d760N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	769b30ce75344facc1900f9ac642d760N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	nEwb0Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	WishfulThinking.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	nEwb0Rn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1"	nEwb0Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE

C:\Users\Admin\AppData\Local\Temp\769b30ce75344facc1900f9ac642d760N.exe
"C:\Users\Admin\AppData\Local\Temp\769b30ce75344facc1900f9ac642d760N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Modifies system executable filetype association
- Windows security modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:776
- C:\Windows\nEwb0Rn.exe
  C:\Windows\nEwb0Rn.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2808
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:236
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1564
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2956
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2404
- C:\Windows\SysWOW64\WishfulThinking.exe
  C:\Windows\system32\WishfulThinking.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2788
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2912
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:576
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2468
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2728
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2456
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1464
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2636
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Blocks application from running via registry modification
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:680
- - C:\Windows\nEwb0Rn.exe
    C:\Windows\nEwb0Rn.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Windows\SysWOW64\WishfulThinking.exe
    C:\Windows\system32\WishfulThinking.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2900
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2796
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
52KB

MD5
5dd4c0b7c371137db61509e5aedd1b60

SHA1
5938061332d032a551ed6e6c538aed79a53e2422

SHA256
2bfb5e61cc82a18222c2c5ffc4f4ae1b21fa5e8c8a2f28598e412911ad4eda48

SHA512
7f3158bcb2fd87fde12a2b3025af7b55e8fc13451b9b05bf936f071455ac2587c6dbb92a51eba5f43a5da59d4c3b26719095677179c47751432a20ff0ad7acbd

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
355445625c7480f603fd821fc46f8411

SHA1
9d882f35f094b2af1bf9cdd60a1d3d9006c6e408

SHA256
1607e2cf6a80f755b55dcaf4ef93efec11dd89fc044193b2f99d0aebb7a95a67

SHA512
39fc55c1fa23e50be6df2aca62ca533588a3b655e02aef5c4319381a79d121f75cf8d8f685c720e7ff6aaec13072b90d6ddd5037ba26b432809ded434dee22f7

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
a0d2f2459ecd09013d2bb8c36ee7b241

SHA1
0829b52a3128f26c09b43c7e52dd294ffbc12744

SHA256
725c8acab7f73405b142f151f5ddc95da3e2f029d068205cc7ac071e2e10436f

SHA512
5d17d863219f269f4c9ec658715d5bd1a860c0fb031ef09e7629ebcc21d31244e07bbdf8761b640835cb10de23d8a5e64d15ffc5b3456e028048f930e6f1b6f8

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
8b79728724e0c753a694afc1edd3773d

SHA1
3a1ac32cc7786e91d1232da5d034be565f925d17

SHA256
da8ea5381d0457a5a000fb64d67cfd78f8c61702a9cd874c59d910d26438981e

SHA512
47ab0d2eb9ddb58aed1415dd4b02ac4edfa75bf7ed6a0c977ad80d30fcbd90c1709994e16fd961d9e7dac42a761bd54dbdfc66f08c581f8d327b478ff8dad00a

Download Submit
C:\Windows\SysWOW64\DamageControl.scr

Filesize
52KB

MD5
769b30ce75344facc1900f9ac642d760

SHA1
54c234564e97d7c401846fdc9b553d90f3325895

SHA256
353cad2e2db635c3dbe7301dc03bcda5eb98797da0c1f1e98f10db8458d281f4

SHA512
07f07fae6d5ced4e99770faad9c21f1704b1faa892a004361cf23dbe19b965b36fbe001a417edb137be8c036b3df294984c3d4618b85d3825352e1ffd4b02621

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
4d8329ee9c690a3189eb4bee835128ce

SHA1
7e03923f092387e74b473adb7ac4abfa4ec53d3e

SHA256
8bec21de62d5493a5619a0f08b43c1ccab8a56fb8a34bc178d47df2898b74247

SHA512
97cb0693670dc0c97b58ca6f31ec5c388b678b5e86236cc98c1f3c87f3d7b6b78f6c66950b9c241109f06376743cdba791debe7d7d8c032b44cb538181f730d7

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
ed61573bfed9323f100b176d20eb2c28

SHA1
c3f2169db904367f65f0ff3319ddb5b7ae887429

SHA256
6937890c82039436a78beb376c1cd8eb9995894bc5c8bfe77e163785432dba00

SHA512
6309c785ebb7c22f2a5dd78f386bb7ec2dcb33f75de253fce388ae88721925754ca74ac6d704257377cfced8b06db0992b4e8c38a6a30452fa48aa87f3e612fc

Download Submit
C:\Windows\SysWOW64\JawsOfLife.exe

Filesize
52KB

MD5
c96346b64d9d8616fd2de35d43146785

SHA1
d54e718903c2774a4b46d05e02b80d2b05b03c30

SHA256
96a4653326df98e720d325df4e6f042ef59bc5c3c5516b14bd703a15b62d97c4

SHA512
eed14cb0c27ac41c78b5ee8c5950580b0489e74af167745a68029f0a44afd54c611bf6b0379c46d2c9d87f736c98848dd9f97d782f5d2e357c12138f4077f88d

Download Submit
C:\Windows\nEwb0Rn.exe

Filesize
52KB

MD5
f9b3babb5f63f0a80131235ac8fb5a76

SHA1
47bac59a9e5b0c38aec1fe698191e084c74b6a91

SHA256
dc141267cda416577465786364d95ad495cbeb325cb6305698c408825132a69e

SHA512
aaff56ef57cded610b511ac2f349b418851d76753b1d0203a006096ca837ae232234ece974f728658b8996bf096589fbb5c4421a1aa494c0babb679ee1f5940f

Download Submit
C:\about.htm

Filesize
2KB

MD5
94c0c5518c4f4bb044842a006d04932a

SHA1
23d9a914f6681d65e2b1faa171f4cf492562ebdb

SHA256
224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e

SHA512
79cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
f2de1811f141ef6b6b35ab2a54af098e

SHA1
749ad77d9153082eb794030bf595771d412aeb77

SHA256
30aff13200516b90ca32e10c0907757f3706582c8e938dfa888ccc739bfbb7ca

SHA512
d8f9717f797061f9c91ee6f3ad7be9eca8014c25acfa47b613ce5705b54580aad1014696f0af5f866ed180d360d1a6798436a9d083a0b25cfaf64360d97b9863

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
f2ce7c053650aad671ae3293e2d0db9c

SHA1
f1e0e88ae06dd8e996e0a7a0bbb3d2d6328bd273

SHA256
8fabfcb4fd116689e77ed768f71d794e49474a767403b3a27bc7baf4f215a4a2

SHA512
eb48b9965121b31385f23e55d71b1b92b536c853faa90ace4a150838bbb4081a92a94e0cd24a91a0950e0e563e010f7a850c1ce0abeb69dac4bac70fa1e8c9ee

Download Submit
C:\nEwb0Rn.exe

Filesize
52KB

MD5
1cf0899c0c76d83ae8129954fa4d6b44

SHA1
715d0fb65e6717440ec2c74fa2c363924c50b224

SHA256
ff57313c8c4380ce41e44a023b1e27bd43acb24bbd708a19644b131ac4fb38b0

SHA512
981f18b05d03d4b4a38036cf36a48317712d81c776b439e630ed9424f41e942e1d8eda61277b8ac8a3be8af8b466f377097b2453e7932d050556c85d6f36d09b

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
52KB

MD5
6ea2aa36d38cd2b70d52ca6820315fa7

SHA1
711375b1523d3999b2748b6eaa38605ed9a31e66

SHA256
45444b8db4f817eb8fd1c89e1ec208bc85c815189ca5f425036303d020e78bfc

SHA512
762369bc50ec3a363e51ea0dc0c7421d2bf437267e92c21217cad1612612fd24ab30e9968e28cc7e19f9f1a0809f2bb0ac2b2cbb7cd820c4f4ef6809d1bfaf4c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
52KB

MD5
2c56bc0e6f82c7ee054116d388de3c48

SHA1
b0b3da90f6fbe115f416e13663484bce835a99ee

SHA256
11320c25ac5d039db117d6a5f0e3ddf39761b3c7295519c96b2a8bb52589e6e3

SHA512
1bc8f763643cab1f9eae0497e6d8ec00bdc59a9778b2fd63f10f0d5905f6dc67f688661470abced87ff17ff1ad932a287a9c68e33a524f3417c25c296291b9ac

Download Submit
\Windows\SysWOW64\WishfulThinking.exe

Filesize
52KB

MD5
a71c20ed7957c0f63258202f36495afa

SHA1
ff2e5e239f1a624a982d10a4889d079dcee22c8e

SHA256
987866caf177ce4c81ada7d15a6a2c50807266c139bde779cd92b5352822ddd1

SHA512
9dc7857fc75c0fb5d6f90f07fa56859482dd493961cad57c620b11b93a34521e81977860158153be322bf6bfeda3554764ce0aa898183e26e03d0adc3ab3496b

Download Submit
memory/236-162-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/236-163-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/236-155-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/576-266-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/576-311-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/680-235-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/680-388-0x0000000002410000-0x0000000002438000-memory.dmp

Filesize
160KB

Download
memory/680-402-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/776-78-0x0000000002710000-0x0000000002738000-memory.dmp

Filesize
160KB

Download
memory/776-77-0x0000000002710000-0x0000000002738000-memory.dmp

Filesize
160KB

Download
memory/776-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/776-110-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/776-89-0x0000000002710000-0x0000000002738000-memory.dmp

Filesize
160KB

Download
memory/776-111-0x0000000002710000-0x0000000002738000-memory.dmp

Filesize
160KB

Download
memory/776-99-0x0000000002710000-0x0000000002738000-memory.dmp

Filesize
160KB

Download
memory/776-90-0x0000000002710000-0x0000000002738000-memory.dmp

Filesize
160KB

Download
memory/776-119-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1464-356-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1564-192-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1564-167-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2404-236-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2404-262-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2456-317-0x00000000004B0000-0x00000000004D8000-memory.dmp

Filesize
160KB

Download
memory/2456-105-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2456-401-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2456-216-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2468-360-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2468-322-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2620-379-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-381-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2636-383-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2636-380-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2704-251-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2704-308-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2704-309-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2728-387-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2752-371-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2752-374-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2752-372-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2752-375-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-214-0x0000000002400000-0x0000000002428000-memory.dmp

Filesize
160KB

Download
memory/2788-259-0x0000000002400000-0x0000000002428000-memory.dmp

Filesize
160KB

Download
memory/2788-400-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-92-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2788-215-0x0000000002400000-0x0000000002428000-memory.dmp

Filesize
160KB

Download
memory/2788-265-0x0000000002400000-0x0000000002428000-memory.dmp

Filesize
160KB

Download
memory/2788-165-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2796-394-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2808-264-0x0000000002660000-0x0000000002688000-memory.dmp

Filesize
160KB

Download
memory/2808-212-0x0000000002660000-0x0000000002688000-memory.dmp

Filesize
160KB

Download
memory/2808-263-0x0000000002660000-0x0000000002688000-memory.dmp

Filesize
160KB

Download
memory/2808-80-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2808-232-0x0000000002660000-0x0000000002688000-memory.dmp

Filesize
160KB

Download
memory/2808-250-0x0000000002660000-0x0000000002688000-memory.dmp

Filesize
160KB

Download
memory/2808-154-0x0000000002660000-0x0000000002688000-memory.dmp

Filesize
160KB

Download
memory/2808-156-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2808-246-0x0000000002660000-0x0000000002688000-memory.dmp

Filesize
160KB

Download
memory/2808-164-0x0000000002660000-0x0000000002688000-memory.dmp

Filesize
160KB

Download
memory/2808-399-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2808-315-0x0000000002660000-0x0000000002688000-memory.dmp

Filesize
160KB

Download
memory/2900-390-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2912-254-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2912-253-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2912-247-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2956-213-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2956-218-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3008-398-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download