df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Size

118KB
MD5

8337ccbf0f07fe774fe402a2f04b8e18
SHA1

f9cc893f7ac72aa430567625ebeff6d7017203e7
SHA256

df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63
SHA512

57b985043ee39c88391ef04f7f7d3de7375ad9e4d8f917448ea317d0b8b74bc00de7cd264937e454d9a16a9b87f8650e251f6af7e1b1b9a2901d8f79ccf38956
SSDEEP

1536:fWwa6OYkIgzwOYFu/vWInvqTgiV6ZokAcgKwuT:+z6ODIn3u//vS4oE7tT

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
1072	4k51k4.exe
3868	Shell.exe
1452	Shell.exe
4828	Shell.exe
3488	Shell.exe
644	Shell.exe
3060	Shell.exe
4172	IExplorer.exe
1696	Shell.exe
3340	Shell.exe
2172	Shell.exe
2948	Shell.exe
3348	Shell.exe
348	Shell.exe
4688	4k51k4.exe
2784	Shell.exe
2424	Shell.exe
1416	Shell.exe
3132	Shell.exe
4276	Shell.exe
1112	Shell.exe
3868	IExplorer.exe
2572	Shell.exe
644	Shell.exe
892	Shell.exe
4112	Shell.exe
4668	Shell.exe
4048	Shell.exe
372	WINLOGON.EXE
4976	Shell.exe
1444	Shell.exe
2700	Shell.exe
348	Shell.exe
1880	Shell.exe
4952	Shell.exe
2840	CSRSS.EXE
4456	Shell.exe
3020	Shell.exe
2336	Shell.exe
1468	Shell.exe
2008	Shell.exe
1640	Shell.exe
3524	SERVICES.EXE
708	Shell.exe
1112	Shell.exe
4196	Shell.exe
2304	Shell.exe
432	Shell.exe
1168	Shell.exe
4984	LSASS.EXE
3488	Shell.exe
4884	Shell.exe
4188	Shell.exe
2192	Shell.exe
4472	Shell.exe
1800	Shell.exe
2024	SMSS.EXE
1852	Shell.exe
232	Shell.exe
1820	Shell.exe
1612	Shell.exe
2912	Shell.exe
4656	Shell.exe
2164	WINLOGON.EXE

Loads dropped DLL 64 IoCs

pid	Process
3488	Shell.exe
644	Shell.exe
3060	Shell.exe
4172	IExplorer.exe
1696	Shell.exe
3340	Shell.exe
2172	Shell.exe
2948	Shell.exe
3348	Shell.exe
348	Shell.exe
4688	4k51k4.exe
2784	Shell.exe
2424	Shell.exe
1416	Shell.exe
3132	Shell.exe
4276	Shell.exe
1112	Shell.exe
3868	IExplorer.exe
2572	Shell.exe
644	Shell.exe
892	Shell.exe
4112	Shell.exe
4668	Shell.exe
4048	Shell.exe
372	WINLOGON.EXE
4976	Shell.exe
1444	Shell.exe
2700	Shell.exe
348	Shell.exe
1880	Shell.exe
4952	Shell.exe
2840	CSRSS.EXE
4456	Shell.exe
3020	Shell.exe
2336	Shell.exe
1468	Shell.exe
2008	Shell.exe
1640	Shell.exe
3524	SERVICES.EXE
708	Shell.exe
1112	Shell.exe
4196	Shell.exe
2304	Shell.exe
432	Shell.exe
1168	Shell.exe
4984	LSASS.EXE
3488	Shell.exe
4884	Shell.exe
4188	Shell.exe
2192	Shell.exe
4472	Shell.exe
1800	Shell.exe
2024	SMSS.EXE
1852	Shell.exe
232	Shell.exe
1820	Shell.exe
1612	Shell.exe
2912	Shell.exe
4656	Shell.exe
2164	WINLOGON.EXE
3472	Shell.exe
2608	Shell.exe
4908	Shell.exe
2676	Shell.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Adds Run key to start application 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	F:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	F:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\O:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\P:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\L:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\N:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\T:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\U:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\W:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\X:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\Z:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\Y:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\E:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\I:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\J:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\K:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\M:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\Q:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\V:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\B:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\G:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\R:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\S:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\SysWOW64\shell.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\MrHelloween.scr	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4860-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-8.dat	upx
behavioral2/files/0x0007000000023cc8-110.dat	upx
behavioral2/memory/1072-111-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3868-116-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-115.dat	upx
behavioral2/memory/1452-126-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4828-130-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3868-131-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/644-140-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3060-145-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3488-146-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1072-147-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-149.dat	upx
behavioral2/memory/4172-150-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4860-160-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3340-164-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2172-169-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1696-170-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3348-179-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/348-182-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/348-185-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2948-186-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4172-197-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-238.dat	upx
behavioral2/memory/4688-239-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-243.dat	upx
behavioral2/memory/2784-245-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2424-252-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1416-257-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2784-258-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4276-267-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1112-272-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3132-273-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4688-274-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0007000000023ccc-276.dat	upx
behavioral2/memory/3868-278-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/644-289-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/892-294-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2572-295-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4668-304-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4048-309-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4112-310-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3868-311-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/files/0x0007000000023cce-313.dat	upx
behavioral2/memory/372-317-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1444-327-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2700-331-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4976-332-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1880-337-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4952-340-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/348-341-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/372-342-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2840-344-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3020-351-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2336-354-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4456-355-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2008-360-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1640-363-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1468-364-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/2840-365-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/3524-367-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/1112-374-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral2/memory/4196-377-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\4k51k4.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\4k51k4.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe

Program crash 42 IoCs

pid	pid_target	Process	procid_target
5020	1072	WerFault.exe	85
4972	3868	WerFault.exe	89
2128	3488	WerFault.exe	94
5036	4172	WerFault.exe	99
4916	1696	WerFault.exe	102
2664	2948	WerFault.exe	107
3460	4688	WerFault.exe	115
3524	2784	WerFault.exe	118
3644	3132	WerFault.exe	123
1800	3868	WerFault.exe	131
4072	2572	WerFault.exe	134
2232	4112	WerFault.exe	139
4968	372	WerFault.exe	144
1524	4976	WerFault.exe	147
1680	348	WerFault.exe	152
1508	2840	WerFault.exe	159
3368	4456	WerFault.exe	162
5060	1468	WerFault.exe	167
3408	3524	WerFault.exe	172
1452	708	WerFault.exe	175
4948	2304	WerFault.exe	180
4280	4984	WerFault.exe	185
4500	3488	WerFault.exe	188
5020	2192	WerFault.exe	193
220	2024	WerFault.exe	198
2664	1852	WerFault.exe	204
4960	1612	WerFault.exe	209
1484	2164	WerFault.exe	214
4076	3472	WerFault.exe	217
2884	2676	WerFault.exe	222
3628	432	WerFault.exe	227
5092	1784	WerFault.exe	230
1512	924	WerFault.exe	235
4472	4008	WerFault.exe	240
4264	1800	WerFault.exe	243
3340	4636	WerFault.exe	248
4672	2388	WerFault.exe	253
3204	3000	WerFault.exe	256
2424	4456	WerFault.exe	261
4756	4276	WerFault.exe	266
468	4076	WerFault.exe	269
1584	2884	WerFault.exe	274

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe

Modifies Control Panel 64 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\	SMSS.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
1072	4k51k4.exe
3868	Shell.exe
1452	Shell.exe
4828	Shell.exe
3488	Shell.exe
644	Shell.exe
3060	Shell.exe
4172	IExplorer.exe
1696	Shell.exe
3340	Shell.exe
2172	Shell.exe
2948	Shell.exe
3348	Shell.exe
348	Shell.exe
4688	4k51k4.exe
2784	Shell.exe
2424	Shell.exe
1416	Shell.exe
3132	Shell.exe
4276	Shell.exe
1112	Shell.exe
3868	IExplorer.exe
2572	Shell.exe
644	Shell.exe
892	Shell.exe
4112	Shell.exe
4668	Shell.exe
4048	Shell.exe
372	WINLOGON.EXE
4976	Shell.exe
1444	Shell.exe
2700	Shell.exe
348	Shell.exe
1880	Shell.exe
4952	Shell.exe
2840	CSRSS.EXE
4456	Shell.exe
3020	Shell.exe
2336	Shell.exe
1468	Shell.exe
2008	Shell.exe
1640	Shell.exe
3524	SERVICES.EXE
708	Shell.exe
1112	Shell.exe
4196	Shell.exe
2304	Shell.exe
432	Shell.exe
1168	Shell.exe
4984	LSASS.EXE
3488	Shell.exe
4884	Shell.exe
4188	Shell.exe
2192	Shell.exe
4472	Shell.exe
1800	Shell.exe
2024	SMSS.EXE
1852	Shell.exe
232	Shell.exe
1820	Shell.exe
1612	Shell.exe
2912	Shell.exe
4656	Shell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 1072	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	85
PID 4860 wrote to memory of 1072	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	85
PID 4860 wrote to memory of 1072	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	85
PID 4860 wrote to memory of 4172	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	99
PID 4860 wrote to memory of 4172	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	99
PID 4860 wrote to memory of 4172	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	99
PID 4860 wrote to memory of 4688	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	115
PID 4860 wrote to memory of 4688	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	115
PID 4860 wrote to memory of 4688	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	115
PID 4860 wrote to memory of 3868	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	131
PID 4860 wrote to memory of 3868	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	131
PID 4860 wrote to memory of 3868	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	131
PID 4860 wrote to memory of 372	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	144
PID 4860 wrote to memory of 372	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	144
PID 4860 wrote to memory of 372	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	144
PID 4860 wrote to memory of 2840	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	159
PID 4860 wrote to memory of 2840	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	159
PID 4860 wrote to memory of 2840	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	159
PID 4860 wrote to memory of 3524	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	172
PID 4860 wrote to memory of 3524	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	172
PID 4860 wrote to memory of 3524	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	172
PID 4860 wrote to memory of 4984	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	185
PID 4860 wrote to memory of 4984	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	185
PID 4860 wrote to memory of 4984	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	185
PID 4860 wrote to memory of 2024	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	198
PID 4860 wrote to memory of 2024	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	198
PID 4860 wrote to memory of 2024	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	198
PID 4860 wrote to memory of 2164	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	214
PID 4860 wrote to memory of 2164	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	214
PID 4860 wrote to memory of 2164	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	214
PID 4860 wrote to memory of 432	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	227
PID 4860 wrote to memory of 432	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	227
PID 4860 wrote to memory of 432	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	227
PID 4860 wrote to memory of 4008	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	240
PID 4860 wrote to memory of 4008	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	240
PID 4860 wrote to memory of 4008	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	240
PID 4860 wrote to memory of 2388	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	253
PID 4860 wrote to memory of 2388	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	253
PID 4860 wrote to memory of 2388	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	253
PID 4860 wrote to memory of 4276	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	266
PID 4860 wrote to memory of 4276	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	266
PID 4860 wrote to memory of 4276	4860	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	266

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

C:\Users\Admin\AppData\Local\Temp\df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
"C:\Users\Admin\AppData\Local\Temp\df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4860
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:1072
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 520
    3⤵
    - Program crash
    PID:5020
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:3868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 576
        5⤵
        Program crash
        
        PID:4972
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1452
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4828
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:3488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 496
        5⤵
        Program crash
        
        PID:2128
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:644
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3060
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:4172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 524
    3⤵
    - Program crash
    PID:5036
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:1696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 492
        5⤵
        Program crash
        
        PID:4916
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3340
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2172
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:2948
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 492
        5⤵
        Program crash
        
        PID:2664
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3348
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:348
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:4688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 488
    3⤵
    - Program crash
    PID:3460
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 512
        5⤵
        Program crash
        
        PID:3524
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2424
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1416
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:3132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 512
        5⤵
        Program crash
        
        PID:3644
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4276
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1112
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:3868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 492
    3⤵
    - Program crash
    PID:1800
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:2572
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 512
        5⤵
        Program crash
        
        PID:4072
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:644
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:892
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 516
        5⤵
        Program crash
        
        PID:2232
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4668
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4048
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 496
    3⤵
    - Program crash
    PID:4968
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:4976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 512
        5⤵
        Program crash
        
        PID:1524
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1444
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2700
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 512
        5⤵
        Program crash
        
        PID:1680
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1880
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4952
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:2840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 520
    3⤵
    - Program crash
    PID:1508
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:4456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 496
        5⤵
        Program crash
        
        PID:3368
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:3020
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2336
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 492
        5⤵
        Program crash
        
        PID:5060
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2008
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1640
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:3524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 496
    3⤵
    - Program crash
    PID:3408
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 512
        5⤵
        Program crash
        
        PID:1452
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1112
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4196
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:2304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 512
        5⤵
        Program crash
        
        PID:4948
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:432
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1168
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:4984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 496
    3⤵
    - Program crash
    PID:4280
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:3488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 512
        5⤵
        Program crash
        
        PID:4500
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4884
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4188
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of SetWindowsHookEx
      PID:2192
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 480
        5⤵
        Program crash
        
        PID:5020
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4472
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1800
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:2024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 520
    3⤵
    - Program crash
    PID:220
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:1852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 496
        5⤵
        Program crash
        
        PID:2664
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:232
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1820
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      PID:1612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 492
        5⤵
        Program crash
        
        PID:4960
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2912
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4656
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 468
    3⤵
    - Program crash
    PID:1484
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Modifies Control Panel
      PID:3472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 520
        5⤵
        Program crash
        
        PID:4076
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Loads dropped DLL
        
        PID:2608
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Loads dropped DLL
        
        PID:4908
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      Modifies Control Panel
      PID:2676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 516
        5⤵
        Program crash
        
        PID:2884
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3848
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:3808
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Adds Run key to start application
  - Modifies Control Panel
  PID:432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 492
    3⤵
    - Program crash
    PID:3628
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      PID:1784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 516
        5⤵
        Program crash
        
        PID:5092
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      PID:924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 512
        5⤵
        Program crash
        
        PID:1512
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 468
    3⤵
    - Program crash
    PID:4472
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 512
        5⤵
        Program crash
        
        PID:4264
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:816
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      PID:4636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 512
        5⤵
        Program crash
        
        PID:3340
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:2800
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        
        PID:4552
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Adds Run key to start application
  - Modifies Control Panel
  PID:2388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 468
    3⤵
    - Program crash
    PID:4672
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Adds Run key to start application
      Modifies Control Panel
      PID:3000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 512
        5⤵
        Program crash
        
        PID:3204
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:228
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Adds Run key to start application
      Modifies Control Panel
      PID:4456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 512
        5⤵
        Program crash
        
        PID:2424
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:752
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:4276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 492
    3⤵
    - Program crash
    PID:4756
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      PID:4076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 516
        5⤵
        Program crash
        
        PID:468
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:708
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Adds Run key to start application
      Modifies Control Panel
      PID:2884
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 512
        5⤵
        Program crash
        
        PID:1584
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1072 -ip 1072
1⤵
PID:1276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3868 -ip 3868
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3488 -ip 3488
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4172 -ip 4172
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1696 -ip 1696
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2948 -ip 2948
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4688 -ip 4688
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2784 -ip 2784
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3132 -ip 3132
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3868 -ip 3868
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2572 -ip 2572
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4112 -ip 4112
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 372 -ip 372
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4976 -ip 4976
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 348 -ip 348
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2840 -ip 2840
1⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4456 -ip 4456
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1468 -ip 1468
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3524 -ip 3524
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 708 -ip 708
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2304 -ip 2304
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4984 -ip 4984
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3488 -ip 3488
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2192 -ip 2192
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2024 -ip 2024
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1852 -ip 1852
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1612 -ip 1612
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2164 -ip 2164
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3472 -ip 3472
1⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 2676 -ip 2676
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 432 -ip 432
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 1784 -ip 1784
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 924 -ip 924
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4008 -ip 4008
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1800 -ip 1800
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4636 -ip 4636
1⤵
PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2388 -ip 2388
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3000 -ip 3000
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4456 -ip 4456
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4276 -ip 4276
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4076 -ip 4076
1⤵
PID:1112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2884 -ip 2884
1⤵
PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
118KB

MD5
b9e9f1e915b0e3a57c24f9d9c0d35052

SHA1
5f2897231f23c83c85f60cfe1ce7d005a48e750c

SHA256
b7c759e64e09e90d056786a4f1fced79fdc86eddf57312c9657c20c73bba1fe4

SHA512
6a935e911dec2d10f78f05adc537338d0b67609f0c5abb7e0e843ff47db0b027724d6742035001802af309684f18fdd008b0b212b611799ce7729737f9114822

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
118KB

MD5
8337ccbf0f07fe774fe402a2f04b8e18

SHA1
f9cc893f7ac72aa430567625ebeff6d7017203e7

SHA256
df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63

SHA512
57b985043ee39c88391ef04f7f7d3de7375ad9e4d8f917448ea317d0b8b74bc00de7cd264937e454d9a16a9b87f8650e251f6af7e1b1b9a2901d8f79ccf38956

Download Submit
C:\Windows\4k51k4.exe

Filesize
118KB

MD5
88d0ca6b649c3ef7ac2032abbdf8fe93

SHA1
79bf95f4f796b32304ccca18480e3d1c85b4b372

SHA256
b434429dfdc1e5a1bb19f8c9abeac2b2aa99084e27dc40e1c4394a2744828ce2

SHA512
d69e4d9b6bab064de7ee83d16b127d61b382e622299d5c9dc8e3b2cebbb70ceecf5ae8878cf33bd3151949cd53b0ec6fe8589c0ad262d018f0a85000464f5a96

Download Submit
C:\Windows\4k51k4.exe

Filesize
118KB

MD5
670fd998874e9f0163c2d9d4ffbdedd2

SHA1
5d55afa2c8030f1b2ae81a3165ee479569f12737

SHA256
b0dab3275f28ab27a5aea582e0236f359a7fdb9f1c7c27d481a1bfcb7fb0f21d

SHA512
3292eed4d8d1d95c4f6728ac14e3204932bfc639f7295de4266950ed33e1d4322cf0de33f6facc17e80e0554c8f4f56a908c201898a5a534506ab705dedc8e74

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
118KB

MD5
f3b40837a8d0009190ad47a26209e8a5

SHA1
17b3219b32202c20b1a53cabf55f07c1b727d9a7

SHA256
6bfd6b18fe828523ec376617b579b4e63ed68545f22ca6889fdf4fc1639f600f

SHA512
68b9fade9b400331bc4fe36f061cd269e0d3f1f80428d8e7f72a728ec742385325e11ef2eca40de5ba1b9872c0406e93355ea695bc5a74c63b602d84d3988ba4

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
118KB

MD5
f45b8047eabc06c5ab31cf398fd21c62

SHA1
d157c39c36e1c4d591589f9947c79b56b2eec4a1

SHA256
6b294ee0d4617b4142993d4b0810439f0c1abeb3f920d57a54a0fb1340993840

SHA512
4cd1a47fd47208b8a35c5376d94422e4d333de66f68e64ae54619352d87a615f6337455cd81a1bc0cb08cd48a2082d0e46b10e65780399e229aca6289d02f8bb

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
118KB

MD5
d4dcad03049e4c2223dfd45a740231eb

SHA1
f08b9b9cc134fe6d6ff884eb56661109ca36e6fd

SHA256
1c1d2cb6ae8f52b3947daef131cfff18a4248db4ed15d6ccf3707a1e63513a8a

SHA512
2c8840254d77b1b932f1aaa9504f22e39c350bd6d0f9c400d1faffe15600275535c828a79a40076ccf94d2f49e07b29c535b23cea6754ba4d0cae9a880af569e

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
118KB

MD5
e1ac267e93a6d6354a9687b94ad8aa53

SHA1
2baa936e3cb15a09ccdf3198c921c0150e61717d

SHA256
f299d8b320b3e7e9895707c7195f11ce46c774d22daab43e24dcd26f9ed20b3a

SHA512
b8a662cd9b6181006aba8f89678fccc4ef53b74895f9bb3f66d5df2d7de9e556637ab519911d916d74eb7d4e8d638c34eeeebad6d1bbc4bb3f7005bff55d3071

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
memory/232-420-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/348-341-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/348-182-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/348-185-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/372-342-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/372-317-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/432-503-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/432-383-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/644-140-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/644-289-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/708-378-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/816-513-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/892-294-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/924-502-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1072-111-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1072-147-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1112-374-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1112-272-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1168-386-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1416-257-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1444-327-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1452-126-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1468-364-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1612-433-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1640-363-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1684-510-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1696-170-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1784-493-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1800-514-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1800-409-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1820-423-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1852-424-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1864-501-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1880-337-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2008-360-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2024-434-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2024-413-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2164-481-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2164-460-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2172-169-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2192-410-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2304-387-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2336-354-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2424-252-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2572-295-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-467-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2676-480-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2700-331-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2784-245-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2784-258-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2800-519-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2840-365-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2840-344-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2900-492-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2912-429-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2948-186-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3016-498-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3020-351-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3060-145-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3132-273-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3340-164-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3348-179-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3472-471-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3488-146-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3488-402-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3488-393-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3524-388-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3524-367-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3808-479-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3848-476-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3868-116-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3868-131-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3868-278-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3868-311-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4048-309-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4112-310-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4172-150-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4172-197-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4188-401-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4196-377-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4276-267-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4456-355-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4656-432-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4668-304-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4680-489-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4688-274-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4688-239-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4828-130-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4860-160-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4860-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4884-398-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4908-470-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4952-340-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4976-332-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4984-390-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4984-411-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download