Analysis Overview
SHA256
85193644036aadb03b1573f25145fa89f13ee5b2399133a9424adb7609163b56
Threat Level: Known bad
The file death.exe was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Event Triggered Execution: Image File Execution Options Injection
Disables use of System Restore points
Executes dropped EXE
Modifies system executable filetype association
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Sets desktop wallpaper using registry
UPX packed file
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Scheduled Task/Job: Scheduled Task
System policy modification
Suspicious use of WriteProcessMemory
Enumerates system info in registry
NTFS ADS
Modifies Control Panel
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-05 19:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-05 19:28
Reported
2024-10-05 19:30
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
97s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemsettings.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemsettings.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrss.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\mbr.exe | N/A |
| N/A | N/A | C:\Windows\nt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| N/A | N/A | C:\Windows\mbr.exe | N/A |
| N/A | N/A | C:\Windows\nt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| N/A | N/A | C:\Windows\mbr.exe | N/A |
| N/A | N/A | C:\Windows\nt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| N/A | N/A | C:\Windows\mbr.exe | N/A |
| N/A | N/A | C:\Windows\nt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| N/A | N/A | C:\Windows\mbr.exe | N/A |
| N/A | N/A | C:\Windows\nt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| N/A | N/A | C:\Windows\mbr.exe | N/A |
| N/A | N/A | C:\Windows\nt.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" | C:\Windows\mbr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" | C:\Windows\mbr.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\nt.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\mbr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\nt.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\mbr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\nt.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\mbr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\nt.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\mbr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\nt.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\mbr.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\nt.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\mbr.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mbr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mbr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mbr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mbr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mbr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\nt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mbr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\mbr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Windows\\mbr.exe" | C:\Windows\mbr.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallPaper = "C:\\Windows\\666.bmp" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\death.exe" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\.C: | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\AppData\Local\Temp\death.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\death.exe | "C:\Users\Admin\AppData\Local\Temp\death.exe" |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\death.exe | C:\Users\Admin\AppData\Local\Temp\death.exe explorer.exe |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\system32\dwm.exe | "dwm.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\death.exe | C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\death.exe | C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\death.exe | C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\death.exe | C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe" |
| C:\Windows\nt.exe | C:\Windows\nt.exe |
| C:\Users\Admin\AppData\Local\Temp\death.exe | C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\System32\svchost.exe -k WerSvcGroup |
| C:\Windows\mbr.exe | "C:\Windows\mbr.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\mbr.exe
| MD5 | e134054e9b86ca5fd7f6102874fa2b1b |
| SHA1 | 8c31adb4c04754463dfa72f9fda21c86584b68d6 |
| SHA256 | ac6b7a459ab2ae4b618ffb392746ef5ecafcc2d74ad0538698d598ddeb6229c4 |
| SHA512 | cfc63ef3c57a912b02d1bbdbcaae0dfc917e0ceb30e91868313769fb1be1722d68cd9afc84f399df149c01193a984c1a09d360aaa78d8b9d3fac780ae5b28845 |
C:\Windows\nt.exe
| MD5 | 462fcc409a04c19841d97845878a2103 |
| SHA1 | ea46e199131e6275cc9636d624c1edad25b16303 |
| SHA256 | 985e9ffaed5dfcfd00b33e5c2af3cb7284475172f8b7bfbd4393a94a31fcb96b |
| SHA512 | d222770d23c20865f9929284687967a6ad9cbc4b92de8d7ee053dc432e808ba7d9e50669184076407a4e0f6a4269a2bee3fad6cab3126c3744977d3e52fc3a0f |
C:\Users\Admin\AppData\Local\Temp\death.exe
| MD5 | a39281364d707dd0921b0a36f4a25a4c |
| SHA1 | 9e4bc8604667e6295900cc8c2813032206435c6f |
| SHA256 | 85193644036aadb03b1573f25145fa89f13ee5b2399133a9424adb7609163b56 |
| SHA512 | ee85be6af2692823391c66e957ccb1d187b1e20e94ee3662660a98dbdc1c48ac29dfa6890f80664850622994e8eaf14858e3cb31124b069990cd4fdfa22626dd |
C:\Windows\666.bmp
| MD5 | 95b1a43e40e5080a626372c916bc04aa |
| SHA1 | b969b8cc0580abe72547e4b70e6f25f24494fa46 |
| SHA256 | 432b44507d1665f903a65d3b04ef0e0c45ce9c03d1bf6b46d556e01c06138aa2 |
| SHA512 | 93c91951fa4f5554d40871519903435ec50c415c8ae6e808c30f5ad09912d51659680ba500d2abba1de05bd646616cf57305f3f54f64a0dcd64a14348f5f23ea |