neshta | 910d16a563b45f12c900a6d1c534e21bf5a0bb6a46485985ef6cd4eecd22cfa2

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.exe
Size

7.2MB
MD5

912ebadfef2b79a661c0fce42a1b27b0
SHA1

f8c897682d6c2cc498cd2ddc96468a0c60fd5ef7
SHA256

910d16a563b45f12c900a6d1c534e21bf5a0bb6a46485985ef6cd4eecd22cfa2
SHA512

8a6ce1f9a00fae3238506b98bc34ee093a8d44974e51fdd4c6fdffaa78fc70c47c9006c353ece33c4411c84e6deba34a9a7f9e4ce7cca8104a1b20b18bb5ff29
SSDEEP

196608:IYvleFwTit7oAsKbscSd27W3lXz2K47M2L:IXwTCUApPSd2WlXz21Q2

Score

10^/10

neshta credential_access discovery execution persistence ransomware spyware stealer

Malware Config

Signatures

Detect Neshta payload 35 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016855-42.dat	family_neshta
behavioral1/files/0x0007000000004e74-69.dat	family_neshta
behavioral1/memory/2540-119-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0007000000016aa9-102.dat	family_neshta
behavioral1/files/0x0001000000010314-84.dat	family_neshta
behavioral1/files/0x0001000000010312-83.dat	family_neshta
behavioral1/files/0x000100000001070c-82.dat	family_neshta
behavioral1/files/0x00010000000107e5-81.dat	family_neshta
behavioral1/memory/2052-135-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000000f82d-146.dat	family_neshta
behavioral1/files/0x000100000000f872-148.dat	family_neshta
behavioral1/files/0x00010000000114c6-151.dat	family_neshta
behavioral1/files/0x0001000000010c12-157.dat	family_neshta
behavioral1/files/0x000300000001219c-182.dat	family_neshta
behavioral1/files/0x000300000001215b-187.dat	family_neshta
behavioral1/files/0x000300000001215e-186.dat	family_neshta
behavioral1/files/0x000200000001180f-195.dat	family_neshta
behavioral1/files/0x00010000000118f7-219.dat	family_neshta
behavioral1/files/0x0001000000010f4d-216.dat	family_neshta
behavioral1/files/0x0001000000011872-209.dat	family_neshta
behavioral1/files/0x0002000000011080-242.dat	family_neshta
behavioral1/memory/1512-267-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/3012-273-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2736-296-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/920-337-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1540-338-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2140-349-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2348-419-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2452-418-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2452-510-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2348-511-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2348-524-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2452-523-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2452-531-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2348-529-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
792	powershell.exe
792	powershell.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ScreenLockApp.exe	TROLL~~1.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VWYQFE.exe	TROLL~~1.EXE
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update.lnk	x.exe

Executes dropped EXE 18 IoCs

pid	Process
2904	x.exe
2452	ScreenLockApp.exe
2800	ServicesTweek.exe
1756	ScreenLockApp.exe
2348	Troll~Virus.exe
2052	svchost.com
2540	svchost.com
1512	svchost.com
2128	TWEEKS~1.EXE
2340	VWYQFE.exe
2112	TROLL~~1.EXE
3012	svchost.com
1484	SCREEN~1.EXE
2736	svchost.com
2880	VWYQFE.exe
1540	svchost.com
920	svchost.com
2140	svchost.com

Loads dropped DLL 37 IoCs

pid	Process
2800	ServicesTweek.exe
2452	ScreenLockApp.exe
2052	svchost.com
2540	svchost.com
2052	svchost.com
1512	svchost.com
1512	svchost.com
1512	svchost.com
2128	TWEEKS~1.EXE
2452	ScreenLockApp.exe
2348	Troll~Virus.exe
2348	Troll~Virus.exe
3012	svchost.com
3012	svchost.com
3012	svchost.com
2736	svchost.com
2736	svchost.com
2736	svchost.com
2736	svchost.com
2348	Troll~Virus.exe
2452	ScreenLockApp.exe
2348	Troll~Virus.exe
2452	ScreenLockApp.exe
2348	Troll~Virus.exe
2348	Troll~Virus.exe
2452	ScreenLockApp.exe
2348	Troll~Virus.exe
2452	ScreenLockApp.exe
1540	svchost.com
920	svchost.com
1540	svchost.com
1540	svchost.com
920	svchost.com
920	svchost.com
2140	svchost.com
2140	svchost.com
2140	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ScreenLockApp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\b:	x.exe
File opened (read-only)	\??\j:	x.exe
File opened (read-only)	\??\r:	x.exe
File opened (read-only)	\??\u:	x.exe
File opened (read-only)	\??\i:	VWYQFE.exe
File opened (read-only)	\??\n:	VWYQFE.exe
File opened (read-only)	\??\v:	VWYQFE.exe
File opened (read-only)	\??\z:	VWYQFE.exe
File opened (read-only)	\??\o:	x.exe
File opened (read-only)	\??\y:	x.exe
File opened (read-only)	\??\z:	x.exe
File opened (read-only)	\??\k:	VWYQFE.exe
File opened (read-only)	\??\o:	VWYQFE.exe
File opened (read-only)	\??\s:	VWYQFE.exe
File opened (read-only)	\??\m:	x.exe
File opened (read-only)	\??\s:	x.exe
File opened (read-only)	\??\v:	x.exe
File opened (read-only)	\??\b:	VWYQFE.exe
File opened (read-only)	\??\w:	VWYQFE.exe
File opened (read-only)	\??\y:	VWYQFE.exe
File opened (read-only)	\??\l:	x.exe
File opened (read-only)	\??\h:	x.exe
File opened (read-only)	\??\k:	x.exe
File opened (read-only)	\??\x:	x.exe
File opened (read-only)	\??\e:	VWYQFE.exe
File opened (read-only)	\??\h:	VWYQFE.exe
File opened (read-only)	\??\u:	VWYQFE.exe
File opened (read-only)	\??\x:	VWYQFE.exe
File opened (read-only)	\??\n:	x.exe
File opened (read-only)	\??\w:	x.exe
File opened (read-only)	\??\l:	VWYQFE.exe
File opened (read-only)	\??\m:	VWYQFE.exe
File opened (read-only)	\??\p:	VWYQFE.exe
File opened (read-only)	\??\e:	x.exe
File opened (read-only)	\??\i:	x.exe
File opened (read-only)	\??\a:	VWYQFE.exe
File opened (read-only)	\??\r:	VWYQFE.exe
File opened (read-only)	\??\t:	VWYQFE.exe
File opened (read-only)	\??\g:	x.exe
File opened (read-only)	\??\a:	x.exe
File opened (read-only)	\??\p:	x.exe
File opened (read-only)	\??\q:	x.exe
File opened (read-only)	\??\g:	VWYQFE.exe
File opened (read-only)	\??\j:	VWYQFE.exe
File opened (read-only)	\??\q:	VWYQFE.exe
File opened (read-only)	\??\t:	x.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0008000000015685-8.dat	autoit_exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\cryptbase.dll	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp	wusa.exe
File created	C:\Windows\system32\migwiz\$dpx$.tmp\6cb46047814c0643aa11126cedbe806c.tmp	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp\job.xml	wusa.exe
File created	C:\Windows\system32\migwiz\$dpx$.tmp\1c7c21dfe967bc4c98375a229ab2d638.tmp	wusa.exe
File created	C:\Windows\system32\migwiz\$dpx$.tmp\1640484ed73646489d073865281d22cc.tmp	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp\job.xml	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\cryptbase.dll	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\cryptbase.dll	wusa.exe
File opened for modification	C:\Windows\system32\migwiz\$dpx$.tmp\job.xml	wusa.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg"	x.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	Troll~Virus.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	ScreenLockApp.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Troll~Virus.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	Troll~Virus.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	wusa.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	ScreenLockApp.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	wusa.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenLockApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenLockApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCREEN~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	migwiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	migwiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Troll~Virus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VWYQFE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VWYQFE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	migwiz.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop	x.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.md	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\md_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\md_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\cap_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\md_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\md_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\cap_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\cap_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\au3_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\cap_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\au3_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.md\ = "md_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\au3_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.au3	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.cap\ = "cap_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\cap_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\au3_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\md_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\au3_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\au3_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\cap_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	ScreenLockApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.au3\ = "au3_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\.cap	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
792	powershell.exe
1756	ScreenLockApp.exe
1756	ScreenLockApp.exe
1756	ScreenLockApp.exe
1756	ScreenLockApp.exe
1756	ScreenLockApp.exe
1756	ScreenLockApp.exe
1756	ScreenLockApp.exe
1756	ScreenLockApp.exe
1484	SCREEN~1.EXE
1484	SCREEN~1.EXE
1484	SCREEN~1.EXE
1484	SCREEN~1.EXE
1484	SCREEN~1.EXE
1484	SCREEN~1.EXE
1484	SCREEN~1.EXE
1484	SCREEN~1.EXE
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe
2904	x.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1756	ScreenLockApp.exe
Token: SeDebugPrivilege	1484	SCREEN~1.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2680	migwiz.exe
1924	migwiz.exe
2352	migwiz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2904	2708	Output.exe	31
PID 2708 wrote to memory of 2904	2708	Output.exe	31
PID 2708 wrote to memory of 2904	2708	Output.exe	31
PID 2708 wrote to memory of 2904	2708	Output.exe	31
PID 2708 wrote to memory of 3040	2708	Output.exe	32
PID 2708 wrote to memory of 3040	2708	Output.exe	32
PID 2708 wrote to memory of 3040	2708	Output.exe	32
PID 2708 wrote to memory of 2560	2708	Output.exe	33
PID 2708 wrote to memory of 2560	2708	Output.exe	33
PID 2708 wrote to memory of 2560	2708	Output.exe	33
PID 2708 wrote to memory of 2680	2708	Output.exe	34
PID 2708 wrote to memory of 2680	2708	Output.exe	34
PID 2708 wrote to memory of 2680	2708	Output.exe	34
PID 2680 wrote to memory of 792	2680	cmd.exe	36
PID 2680 wrote to memory of 792	2680	cmd.exe	36
PID 2680 wrote to memory of 792	2680	cmd.exe	36
PID 2708 wrote to memory of 2272	2708	Output.exe	37
PID 2708 wrote to memory of 2272	2708	Output.exe	37
PID 2708 wrote to memory of 2272	2708	Output.exe	37
PID 2708 wrote to memory of 2452	2708	Output.exe	38
PID 2708 wrote to memory of 2452	2708	Output.exe	38
PID 2708 wrote to memory of 2452	2708	Output.exe	38
PID 2708 wrote to memory of 2452	2708	Output.exe	38
PID 2708 wrote to memory of 2800	2708	Output.exe	39
PID 2708 wrote to memory of 2800	2708	Output.exe	39
PID 2708 wrote to memory of 2800	2708	Output.exe	39
PID 2708 wrote to memory of 2348	2708	Output.exe	40
PID 2708 wrote to memory of 2348	2708	Output.exe	40
PID 2708 wrote to memory of 2348	2708	Output.exe	40
PID 2708 wrote to memory of 2348	2708	Output.exe	40
PID 2452 wrote to memory of 1756	2452	ScreenLockApp.exe	41
PID 2452 wrote to memory of 1756	2452	ScreenLockApp.exe	41
PID 2452 wrote to memory of 1756	2452	ScreenLockApp.exe	41
PID 2452 wrote to memory of 1756	2452	ScreenLockApp.exe	41
PID 2904 wrote to memory of 2864	2904	x.exe	42
PID 2904 wrote to memory of 2864	2904	x.exe	42
PID 2904 wrote to memory of 2864	2904	x.exe	42
PID 2904 wrote to memory of 2864	2904	x.exe	42
PID 2708 wrote to memory of 1968	2708	Output.exe	43
PID 2708 wrote to memory of 1968	2708	Output.exe	43
PID 2708 wrote to memory of 1968	2708	Output.exe	43
PID 2348 wrote to memory of 1512	2348	Troll~Virus.exe	46
PID 2348 wrote to memory of 1512	2348	Troll~Virus.exe	46
PID 2348 wrote to memory of 1512	2348	Troll~Virus.exe	46
PID 2348 wrote to memory of 1512	2348	Troll~Virus.exe	46
PID 2708 wrote to memory of 2052	2708	Output.exe	45
PID 2708 wrote to memory of 2052	2708	Output.exe	45
PID 2708 wrote to memory of 2052	2708	Output.exe	45
PID 2708 wrote to memory of 2052	2708	Output.exe	45
PID 2708 wrote to memory of 2540	2708	Output.exe	47
PID 2708 wrote to memory of 2540	2708	Output.exe	47
PID 2708 wrote to memory of 2540	2708	Output.exe	47
PID 2708 wrote to memory of 2540	2708	Output.exe	47
PID 2540 wrote to memory of 2128	2540	svchost.com	48
PID 2540 wrote to memory of 2128	2540	svchost.com	48
PID 2540 wrote to memory of 2128	2540	svchost.com	48
PID 2540 wrote to memory of 2128	2540	svchost.com	48
PID 2052 wrote to memory of 2340	2052	svchost.com	49
PID 2052 wrote to memory of 2340	2052	svchost.com	49
PID 2052 wrote to memory of 2340	2052	svchost.com	49
PID 2052 wrote to memory of 2340	2052	svchost.com	49
PID 1512 wrote to memory of 2112	1512	svchost.com	50
PID 1512 wrote to memory of 2112	1512	svchost.com	50
PID 1512 wrote to memory of 2112	1512	svchost.com	50

C:\Users\Admin\AppData\Local\Temp\Output.exe
"C:\Users\Admin\AppData\Local\Temp\Output.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Roaming\x.exe
  "C:\Users\Admin\AppData\Roaming\x.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
    3⤵
    PID:2864
  - - C:\Windows\system32\wusa.exe
      wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      PID:2264
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
    3⤵
    PID:1800
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:1540
    - - C:\Windows\SysWOW64\migwiz\migwiz.exe
        
        C:\Windows\System32\migwiz\migwiz.exe C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2680
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\x_.au3
  2⤵
  - Modifies registry class
  PID:3040
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\2399x0.cap
  2⤵
  - Modifies registry class
  PID:2560
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\BypassObfuscator.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\README.md
  2⤵
  - Modifies registry class
  PID:2272
- C:\Users\Admin\AppData\Roaming\ScreenLockApp.exe
  "C:\Users\Admin\AppData\Roaming\ScreenLockApp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\3582-490\ScreenLockApp.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\ScreenLockApp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Users\Admin\AppData\Roaming\ServicesTweek.exe
  "C:\Users\Admin\AppData\Roaming\ServicesTweek.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2800
- C:\Users\Admin\AppData\Roaming\Troll~Virus.exe
  "C:\Users\Admin\AppData\Roaming\Troll~Virus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\TROLL~~1.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\TROLL~~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\TROLL~~1.EXE
      4⤵
      Drops startup file
      Executes dropped EXE
      PID:2112
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SCREEN~1.EXE"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:3012
      - C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SCREEN~1.EXE
        
        C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\SCREEN~1.EXE
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\VWYQFE.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2736
      - C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\VWYQFE.exe
        
        C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\VWYQFE.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
        7⤵
        
        PID:2856
        
        C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
        8⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
        7⤵
        
        PID:2976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\migwiz\migwiz.exe
        
        C:\Windows\System32\migwiz\migwiz.exe C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2352
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\VWYQFE_.au3
  2⤵
  - Modifies registry class
  PID:1968
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\VWYQFE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Users\Admin\AppData\Roaming\VWYQFE.exe
    C:\Users\Admin\AppData\Roaming\VWYQFE.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\ & exit
      4⤵
      PID:2976
    - - C:\Windows\system32\wusa.exe
        
        wusa C:\Users\Admin\AppData\Local\Temp\64.cab /quiet /extract:C:\Windows\system32\migwiz\
        5⤵
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:1704
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\888.vbs"
      4⤵
      PID:2316
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:920
      - C:\Windows\SysWOW64\migwiz\migwiz.exe
        
        C:\Windows\System32\migwiz\migwiz.exe C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1924
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\TWEEKS~1.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Roaming\TWEEKS~1.EXE
    C:\Users\Admin\AppData\Roaming\TWEEKS~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
140KB

MD5
e584c29c854081c78a366fbcc6f7f84c

SHA1
32b7e552e5916b43d57d7b088c543b77f1067338

SHA256
b2748833775c7c1bfce6959afbd5e472f6ff40497ee1a0b4c16d210270c56450

SHA512
c2e1d90d30f8799e4871c3eb87a2bff6b2ec7e46324027f4590503505808600db41583805d265786771a53f658b2d4b0edea85c85b9ae88850119cc0a682be0c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE

Filesize
899KB

MD5
80a2fab233077e3ef91d1b207a7f725f

SHA1
8d496e3fe85c347372eabd50a616327c78349d33

SHA256
a061bfaa92dd039806911a09d30b6f24553395b6af21ae4fa54d5e5ba85f3e3d

SHA512
d4b96b04d2a00f714d60d62f1d66592cb68249914047118e8a405930a1c2a489c0e8fc71f80ff6f0cafbae60bea6960d8b216a7b0c94316f3076640eb71217a6

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

Filesize
265KB

MD5
25e165d6a9c6c0c77ee1f94c9e58754b

SHA1
9b614c1280c75d058508bba2a468f376444b10c1

SHA256
8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217

SHA512
7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

Download Submit
C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe

Filesize
129KB

MD5
b1e0da67a985533914394e6b8ac58205

SHA1
5a65e6076f592f9ea03af582d19d2407351ba6b6

SHA256
67629b025fed676bd607094fa7f21550e18c861495ba664ee0d2b215a4717d7f

SHA512
188ebb9a58565ca7ed81a46967a66d583f7dea43a2fc1fe8076a79ef4a83119ccaa22f948a944abae8f64b3a4b219f5184260eff7201eb660c321f6c0d1eba22

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE

Filesize
109KB

MD5
44623cc33b1bd689381de8fe6bcd90d1

SHA1
187d4f8795c6f87dd402802723e4611bf1d8089e

SHA256
380154eab37e79ed26a7142b773b8a8df6627c64c99a434d5a849b18d34805ba

SHA512
19002885176caceb235da69ee5af07a92b18dac0fb8bb177f2c1e7413f6606b1666e0ea20f5b95b4fa3d82a3793b1dbe4a430f6f84a991686b024c4e11606082

Download Submit
C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE

Filesize
144KB

MD5
a2dddf04b395f8a08f12001318cc72a4

SHA1
1bd72e6e9230d94f07297c6fcde3d7f752563198

SHA256
b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373

SHA512
2159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3

Download Submit
C:\PROGRA~2\MICROS~1\Office14\OIS.EXE

Filesize
308KB

MD5
4545e2b5fa4062259d5ddd56ecbbd386

SHA1
c021dc8488a73bd364cb98758559fe7ba1337263

SHA256
318f1f3fbdd1cf17c176cb68b4bc2cf899338186161a16a1adc29426114fb4f8

SHA512
cf07436e0219ca5868e11046f2a497583066a9cf68262e7cca22daad72aded665ac66afea8db76182c172041c45fcef1628ea6852751c4bf97969c9af6cfefa1

Download Submit
C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE

Filesize
3.7MB

MD5
0abe938725568f25e3e34ec944a09208

SHA1
1fdaccd897adc4ead3582e9c28c2969dcab24956

SHA256
cc71c5ad5a1d34193308f86baa8bc3683b2ef8a0a6c9bddd7cad9b840e9e7ca1

SHA512
6e2b8792eac043adc9b537ff0f32e6b4da3d8e456083b2835659dff2be538a11b77dafbdebe603a6cc1dd8576733ce12344aae788a0638d2a3dc2d3962e27e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.cab

Filesize
47KB

MD5
9dda4db9e90ff039ad5a58785b9d626d

SHA1
507730d87b32541886ec1dd77f3459fa7bf1e973

SHA256
fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe

SHA512
4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\ScreenLockApp.exe

Filesize
1.1MB

MD5
ef7a9bd97bec8a6070b2b99053d54ab1

SHA1
2ab06b299df7896555220b5fc5f8924a8fc901a5

SHA256
50814f4e49e5150e41fc9a3e4bd3145b27043d23f5d72780cdfa956df00ba8da

SHA512
1c0b3f06317ca0916a102eb374207d9ff2f9ba2e14f855e9296d104ed4ccaf7f119ab44c43f492ab36269b3e1fa3f81c19cb0f661ca33bf2e1a2a400d4d989d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.cab

Filesize
49KB

MD5
8cfa6b4acd035a2651291a2a4623b1c7

SHA1
43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

SHA256
6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

SHA512
e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

Download Submit
C:\Users\Admin\AppData\Local\Temp\888.vbs

Filesize
560B

MD5
7b86ae37b45d197115f7ad60fccb4936

SHA1
78c17c59d5a77770317f0628be347183f46d2473

SHA256
9d5db32220ae590622389eb07ac2445dbb64e24127606227df45facb2add5912

SHA512
bca2effdadd852e51181f5105b14232f138a050edf2448db331b895c82a8b7c5d66d4aa99e2ad63d9980abf87c265553ba1477a5285c6fb8a071b65b8ea91c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\wl.jpg

Filesize
22KB

MD5
bde674be75317ab178ce59d133a4d507

SHA1
996b9b0a0f4bf8234ee95df5beb58614e1b85c67

SHA256
d0bd2c6f0161d2d45473206777634be8a79907cfd5fc45cf6433edc5280ebe63

SHA512
846d133b57254d77b835361ec506a5e99d24ae631f1a0f3ad0c21147629f5c378a2f13e4bbc1f5ca468b9a27f7faf04c055b52edce7bd634a00cc92577e03894

Download Submit
C:\Users\Admin\AppData\Roaming\BypassObfuscator.bat

Filesize
90B

MD5
b66ee906b7e069d7eea40fbe49377c08

SHA1
4979c25663ef93e48f5ac814bef8a8a383bcdd7c

SHA256
e76f8325db6e3d63a9b7184a173bbd017d756a980ab0cc0ac9b109d36ff8cdd3

SHA512
6a0e5d41cdafb1ff3950edbd3c5a1f081c424156bfd2a3903c3a15b849e292ce6f43e90a07294f3ded1e34669bbf13a8847adf42b9fe91417aa597718a045f52

Download Submit
C:\Users\Admin\AppData\Roaming\Lock.BypassObfuscator.bat

Filesize
8B

MD5
de6fdff1993c731e52e49d52a6e684d9

SHA1
120d1ff8a24109eed24ac1a5697383d50bcc0f47

SHA256
645c2d0cb9f6edf276f7dead9ab8c72531cdae22f54962d174c1339c30cb1b42

SHA512
99d05bf76a3a7466ccf27ac304ba35639716089d8dae388aaa707bfb6feb3f362251a65951663dd86abcac5a5e7358a5f29faedfe4c0b55ae136ba9d8f1209c1

Download Submit
C:\Users\Admin\AppData\Roaming\Lock.ScreenLockApp.exe

Filesize
1.1MB

MD5
c8037dc756d37824360f5c6c4f9dbb75

SHA1
cdb056673455b52786d8159caab07b10e9650e1d

SHA256
ecb4cf9f77a3d2ad6a84da75f1def9a94e1565cf2b756fa79e7b1b9108fdde50

SHA512
c76329e5d3812d33bf9d2eedf205f16c433da02142639b796776e6cb3475507292fcbd902d6066fa40a776294ec37e9ab6a87c03218f9b40ee9854d874141df0

Download Submit
C:\Users\Admin\AppData\Roaming\ScreenLockApp.exe

Filesize
1.1MB

MD5
f70eeb19a96e3ee21b289e86ac97700c

SHA1
3b99ffb7ac3dcc18bae898f379f869128d31a03b

SHA256
82e0a977f2d2454ddb0fbaa8cc3ffd103eb4be453d2d1a176751e4e3b1ee93ff

SHA512
8d4d3efb42901f59d26835f4c903155bd49f7176aa209d7f4a2714fc2f76b1ec2c91ce58a34e46500b757e3fb068cab854557ea88c1b400475b0974bcd6f4915

Download Submit
C:\Users\Admin\AppData\Roaming\ServicesTweek.exe

Filesize
208KB

MD5
929bf3d80c2ce1d445d4ca30edcf447e

SHA1
d130cf65f38620d0778d5fe9261afe9f671c2a99

SHA256
1431e1602f424e8489dd9d5567ccc695946593addd2e458f80ae2647c1130d9b

SHA512
4ff86591e9d6421a1aa3af1d78580ca86bba4d98bf618fd4d6735df09fa95b8df97f06b4c28f582fa861d6b8b016c7ebd11bdccee0e98118c96dd9e52f2c6fdc

Download Submit
C:\Users\Admin\AppData\Roaming\TWEEKS~1.EXE

Filesize
42KB

MD5
ececf31c293ec9dc3cc02e9d81568c8c

SHA1
f67678c2148fe8591c273944d47315c1059148a8

SHA256
3e4fb38a38a0f01e75f361f7280ad5cf8b2a5715ecbe86b2dc889161f9bf7c26

SHA512
b0850df69c0a10bc804409a57cde2bcaee1c34cf36a6fc84b390fa7163023280215327808db084dce343b0d158188577360931eef8ddea29622083933603f104

Download Submit
C:\Users\Admin\AppData\Roaming\Troll~Virus.exe

Filesize
2.0MB

MD5
18316e2ce9dd5c2117493f4f2f4e72d3

SHA1
55bef85ee50a863f3658db6ad692a8ba11d29923

SHA256
e23b7014e4497e9111c3ac5d31420b6e04ba7d8939e8b1de02e3590c1176414d

SHA512
0cb5ed138440698b065a55c13611c3b09c1233e952b10380bc8396715274eac5b374f8e7a56b1695e476dbb0321e08204e8a7aacbfdde291574ece3d0a3a92bc

Download Submit
C:\Users\Admin\AppData\Roaming\x.exe

Filesize
741KB

MD5
80041f5a17c53028f8603321de845061

SHA1
33a25cbd6cabca83c78b6f0e668f64d5a096f29b

SHA256
0370fe07f7a6150a7d7acdbd9776a3c0be85620ea00bf625701db6cf02f458df

SHA512
9ea6a75518490e6ffee822b69447c9af9beeacc68aec271990cb0561f02766e9c367e12305ada485f4a0359368ec269542c630f52301292c401f114008524dea

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
6KB

MD5
70136480bdfcd8b399b7ab281c9edf8d

SHA1
f55cf67e58c0d5484891e439652fa9ff2e3777a0

SHA256
f6058a19009b5bcfcbdd74bdce1c3337bb9d81a470c816829e40f78a44dfa0f5

SHA512
a5c81a2125298087096f12b6c30590c97bf12b558195a3370dbf93893e7be4ee4a27c942aa67c66741eac6379a73ebaab7f887775220fea7a3bc80d91bbf469c

Download Submit
C:\Windows\directx.sys

Filesize
88B

MD5
ed345ace8d6c733f03c96da4c0ddf47e

SHA1
918d319ed456354a0263ea80ce2ae08b7bf30ac8

SHA256
fa1622169a2006a708f3d9c0adf1d8ea864f41d0817b50b6f4a834ac34f9e9c2

SHA512
d3b92bdf6031412f1ae9d0c250997213fea6038dff96ea2901234c7dc3b99282d774c3273625b9d0e84e806b5c609b571cdbaf2d90279a6cdaae5d200410dbc5

Download Submit
C:\Windows\directx.sys

Filesize
145B

MD5
76ce8301039fcb0e4b63c7bda0f88252

SHA1
e0fcf052893e5944cd4ebbcc4afaf50ad618666a

SHA256
c18039e6d62f2312c8be13ed419528c5607b12699502f23b71167cc5fcf20635

SHA512
11707a4f21e3fd42d09d83a1aa096365acc9591153d90357edbcbcf806c7ee6b2e044c3c88276d064c05b9ba9c1010f399806d03f1d5d2f17449791e8ffef383

Download Submit
C:\Windows\directx.sys

Filesize
176B

MD5
080d512adaedf053210e217599893794

SHA1
db4fd9ef7b4db72fb4c5fcaf3ef37164c0247059

SHA256
fab14f31e8f9d12d92b334eb50aba3364240b8610a4a83863f1f2c453510c0c5

SHA512
247212947a8be0d0bba05b09c3867777dc41824991bbb08ed3a1f2b321d047d3e756f383ed43d48f2b3c2bf4e1a572bcde4f9020a50b0981224b18bda1a5df1b

Download Submit
C:\Windows\directx.sys

Filesize
217B

MD5
5dd92122f7add0ac570ed3d7956179e8

SHA1
5facffbfad14560942f3e5bc820b189331952e43

SHA256
fa361d461fcb5bbc569e74a5bc9ce6ff8139051f9a6be102c358247b28e8342b

SHA512
07b042362802fcc381c20717d9001282b4d6b42e0d534ed76c1a3de87d5b4935c1cd28e491b48576f9d831da28b4920767a30b204809cdd70527269e5c2c3bdc

Download Submit
C:\Windows\directx.sys

Filesize
256B

MD5
c964765a22e6d2fb710a118b98e5a324

SHA1
6b5ed7745fc3ef490b47cafe7103974eeca5f9cb

SHA256
3bc92621a61a12ebc9e1b434b07bfa4a8a46f7c949d92e6c62058a43076c2207

SHA512
751e5f3ffcf3c48caec5487483c6df5ca1004d5031a60da5eca09d36767a298208d564d5295aefc32846a85f11da63e4d4fe333d2ca70526a303a6cdc10dc003

Download Submit
C:\Windows\directx.sys

Filesize
314B

MD5
91d42c8104fb438f4070fe49408cc146

SHA1
ed01ec9e4d4c8f1f6544afb9d5653561f6a344ff

SHA256
d2e45bcab5a769fb7ee21690e4c8b5c9fe96a5cd30d78fa84d30edb223a7fd88

SHA512
e354077c8315e5df7e52b1b50d85f515c4de8cc6fdb27aa7735c43e2f30aa61a4ddb5d33f0f49812838d02a85b2b3f056732e80cc99fc9f178e7de79aa26c554

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8c82da886615880591097012f5c495e1

SHA1
e967cbe5bb33fb4ceb302a079e707e12d6ed013c

SHA256
6e8e9e3190510366c4f76ce47911d9c91e56741c282ffd897bfb9ca32e4aa9c6

SHA512
418c0a2aa43c4001ae913ac225596d6fd6c6e39361d15d602152517805a0e6421ca10d87ad582136e11b290aa3627ddb9032fe00f0041720e8d6105f0b93c54a

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\TROLL~~1.EXE

Filesize
1.9MB

MD5
0a38ff490ed8cf0cba13acf59f6d054e

SHA1
884cf0894711f44556312441f71c508e3f2f7fa1

SHA256
2ae2797f7f6543788cc7fd1ca7a89a17a9cddfd28af3f13515c8e521126e93c3

SHA512
bdd476f5509d758ac5518d0309e213fb5005ced349e452f4fe185b643264d84771be70d4901eeffc1c335ee584e0329bb7edee162372b8214b2d3d58036d4611

Download Submit
\Users\Admin\AppData\Roaming\cryptbase.dll

Filesize
106KB

MD5
1deeaa34fc153cffb989ab43aa2b0527

SHA1
7a58958483aa86d29cba8fc20566c770e1989953

SHA256
c3cfa6c00f3d2536c640f1ee6df3f289818628c0e290be2f08df2c330097158a

SHA512
abbd5e28096a981a1d07a38bb1808fab590d78a890fc7960a86d8d9a1ae0c597eab655a2457d61afbfbce8c720965b89c1071759b819168b08058ee5be17dc86

Download Submit
memory/792-117-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/792-80-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/920-337-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1484-268-0x0000000000380000-0x000000000049E000-memory.dmp

Filesize
1.1MB

Download
memory/1512-267-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1540-338-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1756-125-0x0000000000BE0000-0x0000000000CFE000-memory.dmp

Filesize
1.1MB

Download
memory/2052-135-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2112-124-0x0000000000D00000-0x0000000000EF6000-memory.dmp

Filesize
2.0MB

Download
memory/2140-349-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2348-529-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2348-524-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2348-419-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2348-511-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2452-531-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2452-523-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2452-510-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2452-418-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2540-119-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2708-1-0x0000000000380000-0x0000000000AB2000-memory.dmp

Filesize
7.2MB

Download
memory/2708-3-0x000000001B250000-0x000000001B260000-memory.dmp

Filesize
64KB

Download
memory/2708-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2736-296-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3012-273-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download