df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63

Analysis

max time kernel
82s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Size

118KB
MD5

8337ccbf0f07fe774fe402a2f04b8e18
SHA1

f9cc893f7ac72aa430567625ebeff6d7017203e7
SHA256

df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63
SHA512

57b985043ee39c88391ef04f7f7d3de7375ad9e4d8f917448ea317d0b8b74bc00de7cd264937e454d9a16a9b87f8650e251f6af7e1b1b9a2901d8f79ccf38956
SSDEEP

1536:fWwa6OYkIgzwOYFu/vWInvqTgiV6ZokAcgKwuT:+z6ODIn3u//vS4oE7tT

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 44 IoCs

pid	Process
2472	4k51k4.exe
1856	Shell.exe
1392	Shell.exe
2960	Shell.exe
2000	Shell.exe
580	Shell.exe
2152	Shell.exe
2404	IExplorer.exe
2468	Shell.exe
1972	Shell.exe
2028	4k51k4.exe
2736	IExplorer.exe
2580	Shell.exe
1036	Shell.exe
2076	WINLOGON.EXE
1620	Shell.exe
2968	Shell.exe
2904	CSRSS.EXE
2964	Shell.exe
2876	Shell.exe
3028	SERVICES.EXE
2800	Shell.exe
2056	Shell.exe
2820	LSASS.EXE
1836	Shell.exe
1044	Shell.exe
2240	SMSS.EXE
2136	Shell.exe
3068	Shell.exe
2216	WINLOGON.EXE
2152	Shell.exe
2376	Shell.exe
1876	CSRSS.EXE
2128	Shell.exe
1972	Shell.exe
720	SERVICES.EXE
1356	Shell.exe
1868	Shell.exe
2640	LSASS.EXE
2060	Shell.exe
2664	Shell.exe
1168	SMSS.EXE
2596	Shell.exe
1032	Shell.exe

Loads dropped DLL 64 IoCs

pid	Process
932	WerFault.exe
932	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
2252	WerFault.exe
932	WerFault.exe
932	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
384	WerFault.exe
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
1576	WerFault.exe
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe
3040	WerFault.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	F:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	F:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\H:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\I:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\M:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\V:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\X:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\Z:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\J:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\L:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\N:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\O:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\T:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\W:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\Y:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\K:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\P:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\U:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\E:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\G:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\Q:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\R:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\S:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\MrHelloween.scr	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2524-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0008000000018b54-8.dat	upx
behavioral1/memory/2472-115-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0007000000018b89-113.dat	upx
behavioral1/files/0x0008000000018bbf-118.dat	upx
behavioral1/memory/1856-121-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1392-132-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2960-142-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2524-144-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1856-147-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/580-157-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2472-156-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/580-160-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2152-170-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x000a000000018b28-172.dat	upx
behavioral1/memory/2524-174-0x00000000005A0000-0x00000000005C4000-memory.dmp	upx
behavioral1/memory/2468-187-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2000-195-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1972-198-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2404-203-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2524-253-0x00000000005A0000-0x00000000005C4000-memory.dmp	upx
behavioral1/files/0x000a000000018b28-258.dat	upx
behavioral1/memory/2028-259-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2524-260-0x00000000005A0000-0x00000000005C4000-memory.dmp	upx
behavioral1/memory/2580-275-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1036-285-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0005000000019bf5-287.dat	upx
behavioral1/memory/2524-290-0x00000000005A0000-0x00000000005C4000-memory.dmp	upx
behavioral1/memory/2736-289-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2968-304-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2524-307-0x00000000005A0000-0x00000000005C4000-memory.dmp	upx
behavioral1/memory/2076-305-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2964-316-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2876-319-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2524-321-0x00000000005A0000-0x00000000005C4000-memory.dmp	upx
behavioral1/memory/2904-322-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2800-330-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2524-335-0x00000000005A0000-0x00000000005C4000-memory.dmp	upx
behavioral1/memory/3028-334-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2820-340-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1836-344-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1044-347-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2820-349-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2524-348-0x00000000005A0000-0x00000000005C4000-memory.dmp	upx
behavioral1/memory/2136-358-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/3068-361-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2240-362-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2152-396-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2376-399-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2216-401-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1876-406-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1972-413-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1876-415-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1868-426-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/720-428-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2060-439-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2664-442-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2640-444-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2596-454-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1032-457-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1168-458-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2524-460-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\4k51k4.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\4k51k4.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
932	2472	WerFault.exe	30
2252	1856	WerFault.exe	32
384	2000	WerFault.exe	36
2632	2404	WerFault.exe	40
2764	2736	WerFault.exe	45
1576	2076	WerFault.exe	49
3040	2904	WerFault.exe	53
2788	3028	WerFault.exe	57
2840	2820	WerFault.exe	61
2832	2240	WerFault.exe	65
2356	2216	WerFault.exe	69
892	1876	WerFault.exe	73
1704	720	WerFault.exe	77
1936	2640	WerFault.exe	81
1020	1168	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe

Modifies Control Panel 64 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2472	4k51k4.exe
1856	Shell.exe
1392	Shell.exe
2960	Shell.exe
2000	Shell.exe
580	Shell.exe
2152	Shell.exe
2404	IExplorer.exe
2468	Shell.exe
1972	Shell.exe
2028	4k51k4.exe
2736	IExplorer.exe
2580	Shell.exe
1036	Shell.exe
2076	WINLOGON.EXE
1620	Shell.exe
2968	Shell.exe
2904	CSRSS.EXE
2964	Shell.exe
2876	Shell.exe
3028	SERVICES.EXE
2800	Shell.exe
2056	Shell.exe
2820	LSASS.EXE
1836	Shell.exe
1044	Shell.exe
2240	SMSS.EXE
2136	Shell.exe
3068	Shell.exe
2216	WINLOGON.EXE
2152	Shell.exe
2376	Shell.exe
1876	CSRSS.EXE
2128	Shell.exe
1972	Shell.exe
720	SERVICES.EXE
1356	Shell.exe
1868	Shell.exe
2640	LSASS.EXE
2060	Shell.exe
2664	Shell.exe
1168	SMSS.EXE
2596	Shell.exe
1032	Shell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2472	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	30
PID 2524 wrote to memory of 2472	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	30
PID 2524 wrote to memory of 2472	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	30
PID 2524 wrote to memory of 2472	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	30
PID 2472 wrote to memory of 932	2472	4k51k4.exe	31
PID 2472 wrote to memory of 932	2472	4k51k4.exe	31
PID 2472 wrote to memory of 932	2472	4k51k4.exe	31
PID 2472 wrote to memory of 932	2472	4k51k4.exe	31
PID 1856 wrote to memory of 2252	1856	Shell.exe	33
PID 1856 wrote to memory of 2252	1856	Shell.exe	33
PID 1856 wrote to memory of 2252	1856	Shell.exe	33
PID 1856 wrote to memory of 2252	1856	Shell.exe	33
PID 2000 wrote to memory of 384	2000	Shell.exe	37
PID 2000 wrote to memory of 384	2000	Shell.exe	37
PID 2000 wrote to memory of 384	2000	Shell.exe	37
PID 2000 wrote to memory of 384	2000	Shell.exe	37
PID 2524 wrote to memory of 2404	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	40
PID 2524 wrote to memory of 2404	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	40
PID 2524 wrote to memory of 2404	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	40
PID 2524 wrote to memory of 2404	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	40
PID 2404 wrote to memory of 2632	2404	IExplorer.exe	41
PID 2404 wrote to memory of 2632	2404	IExplorer.exe	41
PID 2404 wrote to memory of 2632	2404	IExplorer.exe	41
PID 2404 wrote to memory of 2632	2404	IExplorer.exe	41
PID 2524 wrote to memory of 2028	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	44
PID 2524 wrote to memory of 2028	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	44
PID 2524 wrote to memory of 2028	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	44
PID 2524 wrote to memory of 2028	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	44
PID 2524 wrote to memory of 2736	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	45
PID 2524 wrote to memory of 2736	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	45
PID 2524 wrote to memory of 2736	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	45
PID 2524 wrote to memory of 2736	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	45
PID 2736 wrote to memory of 2764	2736	IExplorer.exe	46
PID 2736 wrote to memory of 2764	2736	IExplorer.exe	46
PID 2736 wrote to memory of 2764	2736	IExplorer.exe	46
PID 2736 wrote to memory of 2764	2736	IExplorer.exe	46
PID 2524 wrote to memory of 2076	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	49
PID 2524 wrote to memory of 2076	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	49
PID 2524 wrote to memory of 2076	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	49
PID 2524 wrote to memory of 2076	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	49
PID 2076 wrote to memory of 1576	2076	WINLOGON.EXE	50
PID 2076 wrote to memory of 1576	2076	WINLOGON.EXE	50
PID 2076 wrote to memory of 1576	2076	WINLOGON.EXE	50
PID 2076 wrote to memory of 1576	2076	WINLOGON.EXE	50
PID 2524 wrote to memory of 2904	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	53
PID 2524 wrote to memory of 2904	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	53
PID 2524 wrote to memory of 2904	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	53
PID 2524 wrote to memory of 2904	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	53
PID 2904 wrote to memory of 3040	2904	CSRSS.EXE	54
PID 2904 wrote to memory of 3040	2904	CSRSS.EXE	54
PID 2904 wrote to memory of 3040	2904	CSRSS.EXE	54
PID 2904 wrote to memory of 3040	2904	CSRSS.EXE	54
PID 2524 wrote to memory of 3028	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	57
PID 2524 wrote to memory of 3028	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	57
PID 2524 wrote to memory of 3028	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	57
PID 2524 wrote to memory of 3028	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	57
PID 3028 wrote to memory of 2788	3028	SERVICES.EXE	58
PID 3028 wrote to memory of 2788	3028	SERVICES.EXE	58
PID 3028 wrote to memory of 2788	3028	SERVICES.EXE	58
PID 3028 wrote to memory of 2788	3028	SERVICES.EXE	58
PID 2524 wrote to memory of 2820	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	61
PID 2524 wrote to memory of 2820	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	61
PID 2524 wrote to memory of 2820	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	61
PID 2524 wrote to memory of 2820	2524	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	61

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

C:\Users\Admin\AppData\Local\Temp\df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
"C:\Users\Admin\AppData\Local\Temp\df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2524
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 220
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:932
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 244
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2252
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1392
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2960
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 248
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:384
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:580
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2152
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 224
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2632
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2468
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1972
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2028
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 224
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2764
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2580
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1036
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 204
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1576
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1620
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2968
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 220
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3040
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2964
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2876
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 204
    3⤵
    - Program crash
    PID:2788
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2800
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2056
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 204
    3⤵
    - Program crash
    PID:2840
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1836
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1044
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:2240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 220
    3⤵
    - Program crash
    PID:2832
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2136
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3068
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 204
    3⤵
    - Program crash
    PID:2356
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2152
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2376
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:1876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 220
    3⤵
    - Program crash
    PID:892
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2128
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1972
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 204
    3⤵
    - Program crash
    PID:1704
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1356
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1868
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 204
    3⤵
    - Program crash
    PID:1936
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2060
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2664
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:1168
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 220
    3⤵
    - Program crash
    PID:1020
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2596
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
118KB

MD5
8337ccbf0f07fe774fe402a2f04b8e18

SHA1
f9cc893f7ac72aa430567625ebeff6d7017203e7

SHA256
df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63

SHA512
57b985043ee39c88391ef04f7f7d3de7375ad9e4d8f917448ea317d0b8b74bc00de7cd264937e454d9a16a9b87f8650e251f6af7e1b1b9a2901d8f79ccf38956

Download Submit
C:\Windows\4k51k4.exe

Filesize
118KB

MD5
6a8be22b3eed02ad6f1394dbbc917416

SHA1
5c24424a7575216c85c32b896185b405191c0920

SHA256
5834e7314e180a77db6ce8b361a56fb03f925ef729f620ec5f7fbb7e4c4d45f3

SHA512
4b509eb2c567f60a73e780b0fabead3d57ec9693d716b94243b8ea95a003a7ff6346181abc8f5e76e9ebb5fdce3a232d717f32fe969f1616366b5882207f63f7

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
118KB

MD5
9ce640967724fa7c7377dbd4fbb791e3

SHA1
3acab1221eca228d1801712b9ca5a89642ee5b2f

SHA256
e40bf3c396722edb3034b7389054a644e9e0df61e8f5f2911f23e664ae6f34aa

SHA512
b1e1c1828cf50c5b609c0d29f7a09e2e175d16f98b809abb92ef682ae8e3d84cfece2c21f0a63d9ec99ca5accf2c8bc1309cdb69565fcac39cffac75c12efcce

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
118KB

MD5
c8d03455e85daad386e1648d48f11c19

SHA1
5881e80b676419cad5cd7a561502e0395ee4cb2f

SHA256
88c23f61c592f9d1d313c08101575718fefb8516471c796e8e6f5b730eecc466

SHA512
7d9258cc44318c9ab21d943bbf5373940f227bb28abaf4dfec703401b972be90fa872f33608a31f6e343262b262be31712d31a8b5887dfa9f24e0cdfb4e0d55d

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
118KB

MD5
7fb4996dc20736bf11d7c56128f5e57e

SHA1
9dcf851545f31ffd4fcbf883fdda967075fee815

SHA256
4fd1aeeb44d08458e46d60cf262c63fe1663cc042932833491ba866c1dcc0219

SHA512
6ba929401218e482b5b022bb444b0d594fcfb59988feeec072947c7a36487358d76ad28ed34623955ec05fab8a14fcc289ad9b217e9654c1b34a493ff78d8602

Download Submit
\Windows\SysWOW64\shell.exe

Filesize
118KB

MD5
c4321258bf5c8d75c72626adeede92e5

SHA1
4e2237097201f08b1924a3c194ed33ec1649575b

SHA256
27c33be7b68c848517c6eba342bac4c7ef03512f882f98452641e0f06da1ab60

SHA512
2484b3eee896bd000da095bf1ce3268a982b5f645ac06bec62badb86d652b8fd44efc46b0dc9bd9280e49198b16499c2cf2f0590cedf7325772e8f17281ea65a

Download Submit
memory/580-157-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/580-160-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/720-428-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1032-457-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1036-285-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1044-347-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1168-458-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1392-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1836-344-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1856-121-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1856-147-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1868-426-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1876-406-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1876-415-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1972-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1972-413-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2000-195-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2028-259-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2028-257-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2060-439-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2076-305-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2136-358-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2152-396-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2152-170-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2216-401-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2240-362-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2376-399-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2404-203-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2468-187-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-115-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2472-156-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2524-174-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-145-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-260-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-112-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-321-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-434-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-433-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-335-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-114-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-449-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-266-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-253-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-144-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2524-348-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-307-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-311-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2524-460-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2524-146-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2524-290-0x00000000005A0000-0x00000000005C4000-memory.dmp

Filesize
144KB

Download
memory/2580-275-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2596-454-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2640-444-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2664-442-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-289-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-330-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2820-349-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2820-340-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2876-319-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2904-322-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2960-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2964-316-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2968-304-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3028-334-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3068-361-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download